2013 Audit of the CFPB's Information Security Program

December 2, 2013

Memorandum

The Office of Inspector General is pleased to present its report on the 2013 audit of the information security program of the Consumer Financial Protection Bureau (CFPB). We performed this audit pursuant to requirements in the Federal Information Security Management Act of 2002, title III, Public Law 107-347 (December 17, 2002), which requires each agency Inspector General to conduct an annual independent evaluation of the agency's information security program and practices.

We provided a draft of our report to you for review and comment. In your response, included as appendix A, you concurred with our recommendations and outlined actions that have been taken, are underway, and are planned to strengthen CFPB's information security program. As part of the audit, we also reviewed security controls for a contractor-operated system. The results of our review of security controls for this system will be transmitted under separate, restricted cover. In addition, we will utilize the results of our review of the CFPB's information security program and practices to respond to specific questions in the U.S. Department of Homeland Security's FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics.

We appreciate the cooperation we received from CFPB personnel during our review. Please contact me if you would like to discuss this report or any related issues.

Attachment