Review of the Department of Justice’s Reporting Procedures for Loss of Sensitive Electronic Information

Evaluation and Inspections Report I-2007-005
June 2007
Office of the Inspector General

Appendix XII
Seven Categories of Security Incidents and
Required Timeframes for Reporting Incidents
Category Name Description Reporting timeframe


Exercise/ Network Defense Testing

This category is used during Department exercises activity testing of internal/external network defenses or responses.

As defined in the exercise requirements.


Unauthorized Access

In this category an individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource.

Within 1 hour of discovery/detection, followed by written report within 24 hours.


Denial of Service (DoS)

An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS.

Within 2 hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate activity, followed by written report within 24 hours.


Malicious Code

Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Components are NOT required to report malicious logic that has been successfully quarantined by antivirus software.


Note: Within 1 hour of discovery/detection if widespread across agency, followed by written report within 24 hours.


Improper Usage

A person violates acceptable computing use policies.



Scans/Probes/ Attempted Access

This category includes any activity that seeks to access or identify a Department computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service.


Note: If system is classified, report within 1 hour of discovery.



Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.

Periodically as information is developed. This category is for each component’s use in categorizing a potential incident that is currently being investigated.



Commercial advertising, inappropriate content, or other non-phishing spam.


« Previous Table of Contents Next »