The Office of Inspector General for the Fed and CFPB has completed a report setting forth its findings from an audit in which it evaluated “selected security controls for protecting the [CFPB’s] website from compromise.”  Instead of releasing the full report, the OIG only released an executive summary, stating that “given the sensitivity of our information security work, our reports in this area generally are restricted.”

In the executive summary, the OIG stated that while the CFPB “has taken a number of positive steps to secure its website, several control deficiencies need to be mitigated to protect the website from compromise. Those deficiencies have to do with configuration management, system and information integrity, and contingency planning.  If not addressed, these deficiencies could adversely affect the confidentiality, integrity, and availability of [the website] and the information it contains.”

The OIG indicated that its report included eight recommendations to strengthen the website’s security and that it also identified additional risks needing attention in the areas of system and communication protection, audit and accountability, identification and authentication, system and information integrity, and configuration management. The OIG stated that although the CFPB had recognized these risks before the OIG’s audit, the OIG included them in the report because “they had not been remediated as of the end of our field work.”