Review of the Department of Justice’s Reporting Procedures for Loss of Sensitive Electronic Information

Evaluation and Inspections Report I-2007-005
June 2007
Office of the Inspector General

Appendix XI
Component Policies
  • Computer Security Incident Response Capability Incident Response Plan, July 24, 2006
  • Automated Information System Security Program, ATF Policy H 7250.1, July 26, 2006 Computer Security
  • Incident Response Capability, ATF Order O 7500.4A, April 12, 2005
  • Incident Response Plan, December 2006
  • Information Resources Protection, BOP Directive 1237.12, February 20, 2001
  • Information Security Programs for Sensitive But Unclassified (SBU) Information,
    BOP Directive 1237.13, March 31, 2006
  • Property Management Manual, BOP Directive 4400.05, May 26, 2004
  • Release of Information, BOP Directive 1351.05, September 19, 2002
  • Incident Response Plan, December 1, 2006
  • Criminal Division Administrative Policy Memorandum 80-8, Classified Processing, January 14, 2003
  • Criminal Division Security Acknowledgement Statement for System Administrators and Privileged Users, November 2006
  • Computer Incident Response Plan, December 29, 2006
  • DEA Policy: Control and Decontrol of DEA Sensitive Information, REF 99-001, June 2, 1999
  • Broadcast E-mail Message to all DEA employees: Personally Identifiable Information (PII) Media Loss Reporting Requirements and Procedures, October 12, 2006
  • Safeguarding Personally Identifiable and Other Sensitive Information, Chief Inspector’s Bulletin, DEA Inspection Division, October 20, 2006
  • Memorandum to DEA Deputy Assistant Administrator, Office of Information Systems, Amendment to the Interim Information Technology Rules of Behavior – Protecting Sensitive and Personally Identifiable Information, November 6, 2006
  • Employee Responsibilities and Conduct
  • Incident Response Plan, December 13, 2006
  • Memorandum to Anti-Terrorism Task Force Officials, Limited Official Use (Sensitive) Information Designation, January 14, 2003
  • U.S. Attorney’s Manual, Chapter 3-15, Security Programs Management, August 2004
  • U.S. Attorneys’ Procedures (USAP 3-13.300.001), Records Management and Case File Disposition, October 24, 2006
  • U.S. Attorneys’ Procedures (USAP 3-16.000.001), Computer Assisted Legal Research, October 4, 2006
  • U.S. Attorneys’ Procedures (USAP 3-16-200.003), Access to Sensitive But Unclassified (SBU) IT Resources, January 13, 2006
  • U.S. Attorneys’ Procedures (USAP 3-16.200.008), Sensitive But Unclassified Laptop Computer Security, January 26, 2006
  • U.S. Attorneys’ Procedures (USAP 3-16.300.006), Personal Digital Assistants (PDAs), September 13, 2006
  • U.S. Attorneys’ Procedures (USAP 3-15.120.002), Handling and Safeguarding Federal Tax Information, November 7, 2006
  • U.S. Attorneys’ Manual, Chapter 3-13, Procurement/Property Management, July 2000
  • EOUSA Resource Manual, Sections 119-126
  • Incident Response Plans for the Criminal Justice Information Services Division; SCI Operational Network; FBI Secret; and Unclassified Network, all updated December 2006
  • FBI Security Policy Manual, Chapters 17, 21, 22, and Appendix A, April 2006
  • Systems User Rules of Behavior
  • Memorandum to All FBI Divisions, Reiterating Policy for the Safeguarding of Government Property Outside of FBI Office Space, FBI Finance Division, August 23, 2002
  • Memorandum to All FBI Divisions, Reiterate Policy Requirement to Place Property on the Property Management Application Upon Receipt, FBI Finance Division, August 23, 2002
  • Memorandum to All FBI Divisions, Policy Change for Submission of FD-500s, Report of Lost or Stolen Property, FBI Finance Division, November 4, 2005
  • Procedures for Reporting Lost or Stolen Property, Accountable Property Manual
  • Memorandum to All FBI Divisions, Reiterating Mandatory Policy for the Assignment and Charge-Out of Laptop Computers, FBI Finance Division, March 15, 2006
  • Memorandum to All FBI Divisions, Security Incident Program, Security Compliance Unit, Security Division, FBI Security Division, February 9, 2006
  • Manual of Investigative Operational Guidelines, Part 1, Section 52, Government Property – Theft, Robbery, Embezzlement
  • Manual of Administrative Operations and Procedures, Part 2, Section 6-7.5, Lost or Stolen Government Property/Lost or Stolen Personal Property in Government Space
  • Incident Response Plan for Systems Operated by the Personnel Staff, December 1, 2006
  • Rules of Behavior for Systems Operated by the Personnel Staff
  • Incident Response Plan for Systems Operated by the Security and Emergency Planning Staff, November 2006
  • Incident Response Plan, December 20, 2006
  • Tax Division Directive No. 101, Physically Protecting Portable Computers While On Official Travel
  • Tax Division Directive No. 130, Use of Mass Storage Devices Within The Tax Division, March 9, 2006
  • Tax Information Security Guidelines for Federal, State, and Local Agencies: Safeguards for Protecting Federal Tax Returns and Return Information, IRS Publication 1075
  • Memorandum to Members of the Tax Division, Computer Security, November 17, 2005
  • Tax Division Security Features User Guide for JCON II/TaxDoc, October 3, 2006
  • Memorandum to All Tax Division Personnel, Personally Identifiable Information: Safeguarding It and Reporting Its Loss, September 5, 2006
  • Incident Response Plan, December 8, 2005
  • USMS Directive 2.34 and Attachments B and C, Security Programs Manager, November 9, 2005
  • USMS Directive 7.1, Management of Personal Property, October 6, 2003
  • Broadcast e-mail from USMS Security Programs Manager, Notice from OSD re: Reporting Incidents Involving Data Loss and Personally Identifiable Information, August 29, 2006
  • Memorandum from the Director, Reporting Losses of USMS Property, November 5, 2002
  • USMS Directive 12, Information Resources Management, effective October 6, 2003, updated April 3, 2006

  1. Each subcomponent within JMD develops its own Incident Response Plan and other policies for responding to computer security incidents. The policies identified in this table were provided to the OIG as examples of the types of policies developed by all subcomponents of JMD.

« Previous Table of Contents Next »