A recent report on FISMA (Federal Information Security Management Act) compliance from the Office of the Inspector General (OIG) for the U.S. Board of Governors of the Federal Reserve System and the CFPB (Consumer Financial Protection Bureau) found that the bureau has consistently executed its information security program, but also called on the CFPB to bolster its enterprise risk management program, among other recommendations.
The report stated that OIG rated the CFPB at level 3 on the FISMA maturity scale. The report noted that the bureau improved its capabilities in the Respond area and remains, on average, ahead of the rest of the federal government, although it still falls below DHS's level-4 threshold for an effective information security program. The report also highlights some of the strong points in the bureau's cybersecurity posture. The bureau's information security continuous monitoring process is effective and operating at level 4, with the agency reporting on performance measures for supporting activities. In addition, the bureau's incident response process is similarly effective, with the agency using tools to detect and analyze incidents and track performance metrics.
However, OIG identified areas for improvement, including the bureau's ERM (Enterprise Risk Management) program. The report found that the bureau's risk management program is operating at level-3 maturity and identified opportunities to mature the program in the areas of ERM, use of automation to support risk management activities, and insider risk management. OIG found that the bureau had not yet determined impacts and mitigation strategies for identified risks, defined risk tolerance levels, or defined how it will use technology to provide a centralized view of risks. It also outlined the need to strengthen the insider risk program, an effort that is already underway at the CFPB.
Among the other recommendations in the report, OIG calls for more advanced tools in the areas of data loss prevention, automated monitoring of database security configurations, and an expanded phishing exercise program. It pointed out that the bureau also needs to improve its processes for patching, enforce its existing identity management policies, and use contingency testing results to inform decisions at the enterprise level.