rowid,report_id,rec_number,significant,text,questioned_costs,funds_for_better_use
33,2025-audit-cfpbs-information-security-program,1,No,"Determine what enterprise risk management roles, responsibilities, and strategy components should be defined and leveraged for the development and maintenance of cybersecurity profiles.",0,0
34,2025-audit-cfpbs-information-security-program,2,No,"Develop and maintain cybersecurity risk registers to aggregate, normalize, and prioritize cybersecurity risks.",0,0
35,2025-audit-cfpbs-information-security-program,3,Yes,Develop policies and procedures to create and maintain cybersecurity profiles.,0,0
36,2025-audit-cfpbs-information-security-program,4,No,"Perform a review of previously granted risk acceptance memorandums to determine whether they were based on a complete review of the system or common controls (as required by National Institute of Standards and Technology Special Publication 800-37, Revision 2) and perform additional risk analysis and/or compensating controls as needed for affected systems.",0,0
37,2025-audit-cfpbs-information-security-program,5,No,"Ensure that risk acceptance memorandums reflect an assessment of qualitative and quantitative cybersecurity risks, as applicable.",0,0
38,2025-audit-cfpbs-information-security-program,6,No,Evaluate options to perform ongoing information continuous monitoring activities commensurate with the current threat environment.,0,0