The Consumer Financial Protection Bureau got to experience what it’s like to go through an examination.

The Office of Inspector General (OIG) within the Federal Reserve recently released findings and recommendations of its 2024 audit of the CFPB’s information security program.

OIG officials said the CFPB’s information security program continues to operate effectively at a level 4 (managed and measurable) maturity.

“We found that the CFPB has taken several steps to strengthen its information security program since our 2023 Federal Information Security Modernization Act of 2014 (FISMA) review,” they said in the audit report. “For instance, the CFPB improved its security training program by incorporating threat intelligence to update its workforce on a near-real-time basis.”

To ensure that its information security program remains effective, the OIG said the CFPB can:

—Mature data loss prevention (DLP) processes by developing data classification policies and procedures and by configuring its DLP tool accordingly

—Strengthen processes to ensure timely remediation of critical and high-risk vulnerabilities

—Ensure that system users are periodically reinvestigated to maintain access authorizations and privileges

—Improve incident processes to effectively respond to a potential ransomware incident

—Strengthen organizational resiliency by conducting a comprehensive test of its continuity of operations plan

—Ensure the accuracy of the information in its cybersecurity governance, risk, and compliance tool

In addition, OIG officials said that of the seven open recommendations made in the OIG’s prior years’ FISMA audit reports, the CFPB has taken sufficient actions to close four.

“We will continue to monitor the CFPB’s progress in addressing our open recommendations as part of future FISMA audits,” they said.

OIG officials then shared eight new recommendations designed to strengthen the CFPB’s information security program in the areas of DLP, vulnerability management, personnel security, incident management, contingency planning, and risk management. They included:

—Complete finalization of an agency-wide data classification policy that accounts for the sensitivity of the data maintained by the CFPB.

—Ensure that data classification and sensitivity labels are incorporated into the CFPB’s DLP program.

—Strengthen flaw remediation processes by developing and implementing a process to clearly map identified vulnerabilities to system IP addresses, host names, and remediation owners within the CFPB’s configuration management database.

—Ensure that adequate resources are allocated to reinvestigate CFPB systems users as required.

—Develop and maintain a ransomware strategy and specific procedures that provide a formal, focused, and coordinated approach to responding to ransomware attacks.

—Ensure that testing of mission-essential functions identified in the CFPB’s continuity of operations planning is periodically performed.

—Renew the authority to use for the CFPB’s governance, risk and compliance (GRC) tool.

—Implement a process that ensures the cyber risk information in the CFPB’s GRC tool is accurate and maintained.

“In its response to a draft of our report, the CFPB concurs with our recommendations and outlines actions to address each recommendation,” OIG officials said. “We will monitor the CFPB’s progress in addressing these recommendations as part of future FISMA audits.”

The complete audit report is available via this website.