OIG offers criticism, praise of bureau information security

The Consumer Financial Protection Bureau could be better at handling its enterprise risk management, although it is adequate in other information security areas, according to an OIG report.

The Consumer Financial Protection Bureau could be better at handling its enterprise risk management, although it is adequate in other information security areas. That’s according to a Federal Information Security Management Act audit from the Office of the Inspector General.

The OIG rated the CFPB as a level three out of five on the FISMA maturity model scale, “with the agency performing several activities indicative of a higher maturity level.”

There are five cybersecurity framework security functions: identify, protect, detect, respond, and recover. The bureau improved its capabilities in the respond area, and remained ahead of the Federal government average, although it remains below the Department of Homeland Security’s bar of level 4 for an effective level of security, the report said. The CFPB could also improve its processes related to database security, timely remediation of vulnerabilities, and patching of mobile phone operating systems, the report said.

Another noted flaw is that access to one of the bureau’s internal collaboration tools, which contains sensitive information (including personally identifiable information), was not restricted to individuals with a need to know.

In a repeat from last year’s report, the OIG said the the agency could “strengthen its enterprise risk management program by defining a risk appetite statement and associated risk tolerance levels.”

The report includes four new recommendations designed to strengthen the bureau’s information security program in the areas of configuration management, identity and access management, and data protection and privacy.

The report also highlights some of the strong areas for the bureau’s cybersecurity posture. The bureau sufficiently implemented 3 of the 10 recommendations from the prior FISMA audits that remained open at the start of this audit. The closed recommendations relate to identity and access management, incident response, and contingency planning.

“The bureau’s information security continuous monitoring process is effective and operating at level 4 (managed and measurable), with the agency reporting on performance measures related to supporting activities,” the report said. “Further, the bureau’s incident response process is similarly effective, with the agency using tools to detect and analyze incidents and track performance metrics.”