The Office of the Inspector General (OIG) has released the “2015 list of major management challenges” faced by the CFPB, challenges that the OIG believes will hamper the CFPB’s ability to accomplish its strategic objectives. As in the 2014 list, one of the challenges identified by the OIG is the need to ensure that the CFPB has an effective information security program. Due to the advanced persistent threats faced by the federal government, the OIG concluded that the CFPB needs to strengthen its defenses against attacks from outside governments, organized groups, and other threats. The OIG identified four high-priority security risk areas for CFPB improvement:
- Continuous monitoring to assess security controls and system configurations
- Configuration management of CFPB systems
- Role-based security training for individuals with significant security responsibilities
- Incident response and reporting
The OIG applauded the CFPB’s efforts to build out its Cybersecurity Program Management Office, but recommended that the CFPB continue improving its information security program, overseeing the security of contractor-operated information systems, transitioning IT resources from the Treasury Department, and ensuring that personally identifiable information (PII) is properly protected, including the PII that the CFPB receives from consumer complaints about credit card accounts, mortgage loans, and other consumer financial products and services.