CFPB Report: 2014-IT-C-020 November 14, 2014

2014 Audit of the CFPB's Information Security Program

Appendix A: Objective, Scope, and Methodology

Our specific audit objectives were to evaluate the effectiveness of the CFPB's security controls and techniques as well as compliance by the CFPB with FISMA and related information security policies, procedures, standards, and guidelines. To accomplish our objectives, we reviewed the effectiveness of the CFPB's information security program across the 11 areas outlined in DHS's 2014 FISMA reporting guidance for IGs. These areas are continuous monitoring, configuration management, identity and access management, incident response and reporting, risk management, security training, plan of action and milestones, remote access management, contingency planning, contractor systems, and security capital planning. To assess the CFPB's information security program in these areas, we interviewed CFPB management, staff, and contractors; analyzed security policies, procedures, and documentation; and observed and tested specific security processes and controls. We also assessed the implementation of select security controls for two agency systems on the CFPB's FISMA inventory and performed vulnerability scanning at the operating system, network, and application levels on select system devices.

We utilized the results of our review of the CFPB's information security program and testing of controls for select systems to evaluate the implementation of specific attributes outlined in DHS's 2014 FISMA reporting guidance for IGs. As noted in our report, the CFPB's information security program is operating largely independently; however, the agency relies on Treasury for specific information security program services, including in the areas of remote access, security training, incident reporting, and identity and access management. To evaluate specific attributes outlined in DHS's FISMA reporting guidance for these areas, we relied on the work performed by the Treasury Office of Inspector General (OIG) as part of its 2014 FISMA review of Treasury's information security program. We performed sufficient, appropriate procedures to meet requirements outlined in generally accepted government auditing standards for relying on the work of other audit organizations, including the following:

  • We obtained evidence of the qualifications and independence of contractor staff performing the FISMA evaluation of Treasury for the Treasury OIG.
  • We reviewed the Treasury OIG's FISMA evaluation plan, final report, workpaper documentation, and latest peer review report.
  • We met with Treasury OIG officials to gain an understanding of how they performed their FISMA oversight of Treasury's information security program, including their processes to review the work performed by contractor staff.

We performed our fieldwork from June 2014 to October 2014. We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence we obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.