The security controls within the tool used by the Bureau of Consumer Financial Protection to accept and manage consumer complaints are “operating effectively,” but the agency “can strengthen controls in the area of identity and access management to ensure that the security control environment for” the portal remain effective, according to a report from the Federal Reserve Board’s Office of the Inspector General.
A summary of the report can be accessed here. The full report is not being made available because of security concerns should that information fall into the wrong hands, according to a published report.
The audit did identify one suggestion to bolster the system’s identity management capabilities, and the BCFP is already working on strengthening that portion of the system. Identity management is a process through which a system attempts to confirm an individual accessing the system is who he or she says they are. From the report:
Poor identity management can make it easier for hackers to impersonate someone with legitimate access to a system. It can also make it easier for legitimate users of one portion of a system or one set of data to access and remove information they shouldn’t.
The consumer complaint database and the information that the BCFP has access to has been a hot topic of conversation from Mick Mulvaney, the agency’s acting director. He has come out and said he does not believe that the agency needs to make the consumer complaint database available to the public and temporarily froze data collection by the agency in order to review policies and procedures.