In its work plan updated as of March 27, 2015, the Office of Inspector General (OIG) has moved back the estimated completion dates of several ongoing projects previously estimated to be completed in the first quarter of 2015. Those projects, which include an audit of the CFPB’s headquarters renovation and an audit of the CFPB’s public consumer complaint database, now have an estimated completion date of second quarter 2015.
In addition, the OIG completed its audit of the CFPB’s Tableau system but did not release the full audit report. Instead, it only issued an executive summary in which it stated that because of “the sensitivity of information security review work, [OIG] reports in this area are generally restricted.” The summary describes Tableau as “a commercial-off-the-shelf tool deployed on the CFPB’s cloud computing–based [general support system or] GSS that provides business intelligence capabilities, such as data analysis and integration, for multiple CFPB systems. The CFPB has classified Tableau as a moderate-risk system that is a component of the cloud computing–based GSS on the agency’s [Federal Information Security Management Act of 2002 or] FISMA inventory.”
The OIG found that the CFPB has taken steps to secure the Tableau system in accordance with FISMA and the CFPB’s information security policies and procedures and has developed baseline security configurations for Tableau and its supporting technology components. However, the OIG also found that the CFPB needs to improve its implementation and monitoring of baseline security configurations to ensure that components of Tableau are securely configured. The OIG’s report included three recommendations to strengthen configuration management processes for Tableau and identified ways for the CFPB to improve security controls related to the auditing and contingency planning capabilities for the system.
According to the summary, the CFPB agreed with the OIG’s recommendations and outlined actions that it has or will take to address the OIG’s recommendations