Skip to Navigation
Skip to Main content
OIG Home
OIG Home


Skip SHARE THIS PAGE section Skip STAY CONNECTED section

CFPB Report: 2014-IT-C-020 November 14, 2014

2014 Audit of the CFPB's Information Security Program

available formats

Summary of Findings

The CFPB continues to take steps to mature its agency-wide information security program. For instance, we found that the Chief Information Officer (CIO) has implemented ongoing security controls testing for the CFPB's systems and improved patch management practices. We found that the CFPB's information security program is generally consistent with attributes identified in DHS's FISMA reporting guidance for IGs in 9 out of 11 information security areas: continuous monitoring, configuration management, identity and access management, incident response and reporting, risk management, plan of action and milestones, remote access, contractor systems, and security capital planning. Although corrective actions are underway, further improvements are needed to implement the attributes outlined in DHS's FISMA reporting guidance for the remaining two information security areas: security training and contingency planning. The improvement opportunities related to contingency planning result from system testing that we performed to support our FISMA work, the results of which will be transmitted under separate, restricted cover.

While we found that the CFPB's information security program is generally consistent with the requirements for ISCM, configuration management, and incident response, we identified opportunities to strengthen these areas through automation and centralization. Specifically, in our 2013 FISMA audit report, we recommended that the CIO strengthen the CFPB's ISCM program by defining and implementing performance measures, and identifying additional automated tools to support ISCM processes. This year, we found that the CIO has taken actions to address our 2013 recommendation; however, the CFPB's ISCM program continues to depend on manual, labor-intensive processes. As such, we are closing our 2013 recommendation for ISCM and issuing two additional recommendations to further strengthen the CFPB's ISCM program through additional automation.

In addition, our 2013 FISMA audit report included recommendations to develop and implement (1) an organization-wide configuration management plan and consistent process for patch management, (2) a capability to centrally track and analyze audit logs and security incident information, and (3) a role-based training program. Corrective actions to address these recommendations have not been finalized. As such, we are leaving these recommendations open and will continue to monitor the CFPB's progress in these areas as part of future FISMA audits. This year, we also identified an additional opportunity to strengthen the CFPB's vulnerability management practices for database and application-level security configurations, and we are issuing a new recommendation in this area.