This story appeared in Bank Digest.
The Office of Inspector General for the Consumer Financial Protection Bureau and the Federal Reserve Board has released the executive summary of a report evaluating the effectiveness of certain of the bureau's information security controls and techniques, in accordance with the Federal Information Security Modernization Act of 2014. Specifically, the report evaluated the administration and security design effectiveness of the CFPB's Active Directory implementation. The CFPB's Active Directory is used to manage user access to information technology resources and is a key component of the bureau's general support system.
The OIG found that, overall, the CFPB is effectively administering and protecting its Active Directory implementation, but the report determined that the bureau can strengthen Active Directory controls in the areas of identity and access management and risk management. In addition, improvements are needed in the management of access agreements for Active Directory users, according to the OIG.
The report includes one recommendation to help ensure effective account management and one issue for management consideration related to risk management documentation.