WBK Industry News - Federal Regulatory Developments

Information Security Top Priority for CFPB According to Internal Watchdog

Recently, the CFPB’s Office of Inspector General (“OIG”) released a report detailing the major management challenges facing the Bureau over the next year. Topping the list of items that pose the greatest threat to the CFPB’s strategic objectives was the Bureau’s Information Security Program, ranking ahead of three other areas of concern identified by the OIG. Citing the recent string of foreign cyber interventions, along with the infancy of the Bureau’s own information security program, the OIG report strongly encouraged CFPB Director Richard Cordray to make increased security his top priority.

When first created, the CFPB held its information technology infrastructure with the Department of the Treasury. It has since transitioned its infrastructure internally and is currently implementing its information security monitoring program, which includes a comprehensive data loss prevention system and oversight of the security of contractor-operated information systems.

According to the report, the Bureau collects and stores sensitive consumer information covering confidential supervisory and personally identifiable information that is used to support many of its “mission-critical” activities. Currently, the Bureau works with its network partner and a variety of contractor services to monitor potential external and internal breaches of its information security system. As yet, the Bureau has not set up internal network detection protocols that would enable the agency to detect unauthorized entry into its systems. Additionally, many of its tools for storing and monitoring information security are manual rather than automated. This means that a designated human agent, rather than an automated computer program, must always be monitoring the system for breaches. This can lead to inconsistency and potential lapses in security monitoring.

Some of the steps the Bureau has taken to mature its information security program include implementing a centralized logging information tool and evaluating additional solutions to centralize and automate its information security.  The Bureau is also assessing its information security contractors to ensure their compliance with Bureau security requirements.

To read the OIG’s full report, including the other challenges facing the Bureau, follow this link: https://oig.federalreserve.gov/reports/cfpb-major-management-challenges-sep2016.pdf.