CFPB Report: 2014-IT-C-020 November 14, 2014

2014 Audit of the CFPB's Information Security Program

Our specific audit objectives, based on the requirements of the Federal Information Security Management Act of 2002 (FISMA), were to evaluate the effectiveness of the Consumer Financial Protection Bureau's (CFPB) security controls and techniques as well as compliance by the CFPB with FISMA and related information security policies, procedures, standards, and guidelines. Our scope and methodology are detailed in appendix A.


FISMA provides a framework for ensuring the effectiveness of information security controls over federal operations and assets and a mechanism for oversight of federal information security programs.[1] FISMA requires agencies to develop, document, and implement an agency-wide information security program for the information and information systems that support the operations and assets of the agency, including those provided by another agency, contractor, or other source. FISMA also requires each agency Inspector General (IG) to perform an annual independent evaluation of the information security program and practices of its respective agency, including testing controls for select systems.

In support of FISMA's independent evaluation requirements, the U.S. Department of Homeland Security (DHS) has issued guidance to IGs on FISMA reporting for 2014.[2] This guidance directs IGs to evaluate the performance of agency information security programs across a variety of attributes grouped into 11 areas. These areas are continuous monitoring, configuration management, identity and access management, incident response and reporting, risk management, security training, plan of action and milestones, remote access management, contingency planning, contractor systems, and security capital planning.

As noted in our 2013 FISMA audit report, when the CFPB began operations in July 2011, it relied on the information security program and systems of the U.S. Department of the Treasury (Treasury). While the CFPB's information security program now operates largely independently of Treasury, the agencies continue to share operational responsibilities for several security functions, including information security continuous monitoring (ISCM), remote access, security awareness and training, and incident reporting. CFPB officials informed us that as the agency transitions off Treasury's wide area network and infrastructure by the end of 2014, these security functions will be performed solely by the CFPB.