An audit of the CFPB made public yesterday by the Office of Inspector General (OIG) of the determined that “Improvements are needed in four high-priority security risk areas” in order to properly protect the massive amounts of private consumer data it holds. The four areas that do not meet the requirements of the Federal Information Security Management Act of 2002 are continuous monitoring, configuration management, security training, and incident response and reporting.
Similar concerns were raised by the Government Accountability Office last month.
According to the OIG report, CFPB employees were granted access to information beyond what their duties required, and no security tools had been implemented to check these access configurations, making potentially sensitive data improperly available.
Further, the CFPB had not developed sufficient procedures for detecting, reporting and responding to security incidents, or for “mitigating risks before substantial damage is done.” The absence of such procedures left the CFPB unable to “fully detect and respond to information security incidents in a timely manner.”
The IG also determined that the CFPB’s security training program was insufficient to “provide assurance that employees and contractor staff with significant security responsibilities have adequate knowledge and expertise” to implement its information security program.
Read the full OIG report here.