US CFPB's infosec posture crumbles amid staff exodus
Briefly

"The infosec program run by the US' Consumer Financial Protection Bureau (CFPB) "is not effective," according to a fresh audit published by the Office of the Inspector General (OIG). A summary of the report, dated October 31 and published on Monday, stated that since the OIG's previous audit, the CFPB's overall cybersecurity posture has decreased from level-4 maturity, defined as "managed and measurable," to level-2 maturity - "defined.""
"The two main factors adversely affecting the efficacy of its infosec management are sub-par maintenance of system authorizations and its failure to establish cybersecurity risk profiles. Cybersecurity risk profiles describe an organization's current and target cybersecurity posture and help prioritize security outcomes based on its policies, risk priorities, and requirements. Multiple profiles may be created for different divisions or data types - for example, systems handling personal or supervisory information."
"Noting the fact that the CFPB is responsible for safeguarding data such as personal information, confidential investigative information, and confidential supervisory information, the requirement to maintain up-to-date system authorizations is key. Each system must be authorized by management, after considering the risk exposure of each against established controls, before entering production. The OIG's audit found 35 systems running either with expired ATOs or ATUs (authorizations to operate/use) or without ever undergoing an authorization process."
CFPB's infosec program is not effective, with cybersecurity maturity declining from level-4 ('managed and measurable') to level-2 ('defined'). Two principal deficiencies are inadequate maintenance of system authorizations and absence of cybersecurity risk profiles. Cybersecurity risk profiles define current and target posture and help prioritize security outcomes; CFPB established tailored controls and baselines but did not use risk profiles or alternatives to define objectives, target outcomes, or security gaps. A 2021 assessment included a basic profile but lacked required current and target elements under the NIST framework. OIG identified 35 systems with expired, missing, or never-completed authorizations, increasing exposure.
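The two deficiencies the audit names (systems running on expired or missing authorizations, and no current-versus-target risk profile) are both inventory problems that a defender can check mechanically. The following script is an added example, not code from The Register or the OIG report: it classifies each system in a constructed inventory as validly authorized, expired, or never authorized, and computes the gap between a constructed current profile and its target. The system names, dates, function names and maturity numbers are all made up for illustration; the maturity scale is a simple constructed 1-4 scale, not an official NIST or FISMA model.

```python
"""Authorization-inventory and risk-profile gap check (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class SystemRecord:
    """One system in the inventory (constructed, not a real CFPB system)."""
    name: str
    authorization: Optional[str]   # "ATO", "ATU", or None if never authorized
    expires: Optional[date]        # None when the system was never authorized


def authorization_status(rec: SystemRecord, today: date) -> str:
    """Classify a system as 'valid', 'expired' or 'never_authorized'."""
    if rec.authorization is None or rec.expires is None:
        return "never_authorized"
    if rec.expires < today:
        return "expired"
    return "valid"


def audit_inventory(records: List[SystemRecord], today: date) -> Tuple[Dict[str, int], List[Tuple[str, str]]]:
    """Return per-status counts and the systems that should not be in production."""
    summary = {"valid": 0, "expired": 0, "never_authorized": 0}
    findings: List[Tuple[str, str]] = []
    for rec in records:
        status = authorization_status(rec, today)
        summary[status] += 1
        if status != "valid":
            findings.append((rec.name, status))
    return summary, findings


def profile_gaps(current: Dict[str, int], target: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Return {function: (current, target)} for every function below its target.

    A missing function in the current profile counts as level 0, so an
    unassessed area shows up as a gap rather than silently passing.
    """
    return {fn: (current.get(fn, 0), tgt) for fn, tgt in target.items()
            if current.get(fn, 0) < tgt}


# Constructed sample inventory and profiles (hypothetical values).
SAMPLE_RECORDS = [
    SystemRecord("complaints-db", "ATO", date(2025, 3, 31)),
    SystemRecord("supervisory-portal", "ATU", date(2023, 12, 31)),
    SystemRecord("legacy-reporting", None, None),
    SystemRecord("hr-system", "ATO", date(2024, 1, 15)),
]
SAMPLE_TODAY = date(2024, 6, 1)

CURRENT_PROFILE = {"Identify": 2, "Protect": 2, "Detect": 3, "Respond": 2, "Recover": 1}
TARGET_PROFILE = {"Identify": 4, "Protect": 4, "Detect": 3, "Respond": 4, "Recover": 4}


def run_sample() -> Tuple[Dict[str, int], List[Tuple[str, str]], Dict[str, Tuple[int, int]]]:
    """Run both checks on the constructed data and return the results."""
    summary, findings = audit_inventory(SAMPLE_RECORDS, SAMPLE_TODAY)
    gaps = profile_gaps(CURRENT_PROFILE, TARGET_PROFILE)
    return summary, findings, gaps


if __name__ == "__main__":
    summary, findings, gaps = run_sample()
    print("authorization summary:", summary)
    for name, status in findings:
        print(f"  finding: {name} is {status}")
    for fn, (cur, tgt) in gaps.items():
        print(f"  profile gap: {fn} at {cur}, target {tgt}")
```

The point of `profile_gaps` treating an unassessed function as level 0 is the same one the audit makes about the 2021 assessment: a profile without a stated current and target element cannot show where the gaps are, so the check has to fail closed rather than assume the area is covered.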
Read at The Register