A 2012 report on the Consumer Financial Protection Bureau’s Information Security Program found that more action is necessary to bring the program into compliance with the Federal Information Security Management Act of 2002.
The audit, conducted by the Federal Reserve Board’s Office of Inspector General, was intended to evaluate the effectiveness of the federal watchdog’s security controls and compliance with FISMA and other information security regulations.
The OIG found that the CFPB had “taken several steps to develop, document and implement an information security program,” but that the program was not fully in compliance with FISMA. It provided the agency with three recommendations.
The OIG recommended that Chris Willey, the CFPB’s chief information officer, “develop and implement a comprehensive information security strategy that identifies specific goals…to establish a FISMA-based information security program,” “finalize the CFPB’s…information security policy and develop procedures to facilitate [its] implementation” and “analyze the CFPB’s contractor oversight processes and information security controls…and take actions, as necessary, to ensure that FISMA and CFPB information security requirements are met.”
The OIG said in the report that Willey agreed with the recommendations and provided an outline of steps that would be taken to strengthen the agency’s information security program.