The CFPB’s latest report card on its information security system, delivered last week by the Bureau’s Office of Inspector General (OIG), indicates that the system still needs improvement.  In May 2012, the Government Accountability Office issued a report that identified various problems with the CFPB’s internal controls and accounting systems that included the absence of an agency-wide information security program for the information and information systems that support the CFPB’s financial reporting, operations, and assets. (That report prompted a letter to Director Cordray from worried Senators asking how the CFPB planned to address the problems identified in the GAO report.) 

The OIG report found that the CFPB  has not yet developed, documented or implemented an agency-wide information security program that is consistent with FISMA, The Federal Information Security Management Act of 2002 (FISMA), which requires agencies to develop, document and implement an agency-wide information security program that meet certain standards.  According to the report, because the CFPB lacks final information security policy and procedures, there are “inconsistent information security processes, undefined roles and responsibilities, and limited documentation to support risk-based decisions.”  

Ironically, given how much emphasis the CFPB has placed on financial institutions ensuring that their third-party service providers be placed under constant, consistent and extensive monitoring, the OIG found “management, operational, and technical control weaknesses” in the CFPB’s management of its third-party service providers who manage information on the CFPB’s behalf.  

The OIG report recommends that the CFPB’s Chief Information Officer (1) develop and implement a comprehensive information security strategy for establishing a FISMA-based information security program, (2) finalize the CFPB’s agency-wide information security policy and develop procedures to implement that policy, and (3) analyze the CFPB’s oversight processes and information security controls for its third-party service providers and take steps to ensure that those providers meet FISMA and CFPB information security requirements. 

Also included in the OIG report is the response of the CFPB’s Chief Information Officer to a draft of the report, which outlines the CFPB’s plans for addressing the OIG’s recommendations.