CFPB Report: 2015-IT-C-007 March 31, 2015
The Federal Information Security Management Act of 2002 (FISMA) requires the Office of Inspector General (OIG) to evaluate the effectiveness of the information security controls and techniques for a subset of the agency's information systems, including those provided or managed by another agency, a contractor, or another organization. To meet FISMA requirements, we reviewed the information system security controls for the Consumer Financial Protection Bureau's (CFPB) Tableau system.
The CFPB's strategic plan emphasizes the need for a flexible, scalable infrastructure that is capable of meeting its current needs and sustaining the agency's future growth. To support this need, the CFPB invested in a cloud computing–based general support system (GSS) that provides an infrastructure to support the agency's applications and enterprise common services. Tableau is a commercial-off-the-shelf tool deployed on the CFPB's cloud computing–based GSS that provides business intelligence capabilities, such as data analysis and integration, for multiple CFPB systems. The CFPB has classified Tableau as a moderate-risk system that is a component of the cloud computing–based GSS on the agency's FISMA inventory.
Overall, we found that the CFPB has taken a number of steps to secure the Tableau system in accordance with FISMA and the agency's information security policies and procedures. For example, we found that the CFPB has implemented risk assessment, planning, security assessment and authorization, and system services and acquisition controls for Tableau, in accordance with FISMA requirements. In addition, the agency has developed baseline security configurations for Tableau and its supporting technology components. However, we found that improvements are needed in the implementation and monitoring of baseline security configurations to ensure that components of Tableau are securely configured. Our report includes three recommendations to strengthen configuration management processes for Tableau.
We also identified opportunities to improve security controls related to the auditing and contingency planning capabilities for the system. The improvement opportunities in these areas were previously identified by the CFPB, and steps to strengthen these areas were being tracked on Tableau's plan of action and milestones. As a result, we are not issuing recommendations in these areas and will continue to monitor the CFPB's progress to improve auditing and contingency planning capabilities for Tableau as part of future FISMA audits.
In response to our report, the Chief Information Officer concurred with our recommendations and outlined actions that have been or will be taken to address our recommendations. We will follow up on the implementation of each recommendation in this report as part of our future audit activities related to the CFPB's continuing implementation of FISMA. Given the sensitivity of information security review work, our reports in this area are generally restricted. Such is the case for this audit report.