The Office of Inspector General (OIG) for the Fed and CFPB recently completed its review of the information system security controls for the CFPB’s Data Team (DT) Complaint Database. The DT Complaint Database supports the CFPB’s Consumer Response System, through which the CFPB collects and responds to consumer complaints, and is the source of consumer complaint information published on the CFPB’s website. The OIG did not release a full audit report. Instead, it issued only an executive summary in which it stated that because of “the sensitivity of information security review work, [OIG] reports in this area are generally restricted.”
The OIG found that, overall, the CFPB has taken steps to secure the DT Complaint Database in accordance with the Federal Information Security Management Act of 2002, as amended by the Federal Information Security Modernization Act of 2014 (FISMA), and the CFPB’s information security policies and procedures. However, the OIG identified several control deficiencies related to configuration management, access control, and audit logging and review. Specifically, the OIG identified improvements that are needed in the timely installation of database-level patches, the enforcement of password expiration and user access requirements, and the logging and review of security events.
The OIG’s full report included seven recommendations to strengthen controls for the DT Complaint Database in these areas. The CFPB’s Chief Information Officer has agreed with those recommendations and outlined actions that have been or will be taken to address them.