Review of the Department of Justice’s Reporting Procedures for Loss of Sensitive Electronic Information

Evaluation and Inspections Report I-2007-005
June 2007
Office of the Inspector General


Appendix XIII
Office of the Chief Information Officer Response
U.S. Department of Justice
Washington, D.C. 20530


May 25, 2007

MEMORANDUM FOR GLENN A. FINE
INSPECTOR GENERAL

FROM: Vance E. Hitch (Signature)
Chief Information Officer

SUBJECT: Response to Draft Audit Report - Review of the Department of Justice's Reporting Procedures for Loss of Sensitive Electronic Information

We have received and reviewed your Draft Audit Report as captioned above, dated May 2, 2007. At the exit conference on May 16, 2007, the Office of Inspector General personnel agreed that this response would be coordinated through the Office of the Chief Information Officer (OCIO). We have coordinated the draft report with the Office of Privacy and Civil Liberties of the Office of the Deputy Attorney General. Also, based on discussions with your staff at the Exit Conference on May 16, 2007, it was agreed that the Office of the Chief Information Officer would be responsible for implementing the recommendations contained in the report.

Each of the report's recommendations is addressed below:

Recommendation #1 - Require all components to ensure their procedures cover reporting of after-hours incidents.

ITSS Response - We concur. The Department of Justice Computer Emergency Readiness Team (DOJCERT) will update the Incident Response Plan (IRP) guidance document with procedures to cover reporting of after-hours incidents. We expect that this process will be completed within 120 days.

Recommendation #2 - Review each component's procedures for reporting classified incidents to ensure those procedures comply with the standards in the Department's Security Program Operating Manual (SPOM).

ITSS Response - We concur. Incidents involving classified material are to be reported to the Security and Emergency Planning Staff (per the Security Program Operating Manual). The OCIO will issue clarification to the components to ensure their procedures for reporting classified incidents comply with the standards in the Department's SPOM. We expect that this process will be completed within 120 days.

Recommendation #3 - Clarify the requirement that all losses of PII be reported within 1 hour and to whom so that all Department employees understand who to report to and when the 1-hour timeframe begins and ends.

ITSS Response - We concur. The OCIO will work with OMB and USCERT on the one-hour reporting requirement for loss of PII. The outcome will be used to update the existing DOJ documentation, so that Department employees understand who to report to and when. We expect that this process will be completed within 120 days.

Recommendation #4 - Ensure all components meet the established reporting time frames.

ITSS Response - We concur. Once the requirement is clarified (see #3 above), the OCIO will develop reporting metrics within the Archer database. We expect that this process will be completed within 120 days.

Recommendation #5 - Promptly implement a Department-wide policy for notifying affected individuals in the event of a loss of PII.

ITSS Response - We concur. The OCIO is working with the DOJ Office of Privacy and Civil Liberties to develop data breach notification procedures in the event of loss of PII. We expect that this will be completed within 90 days.

Recommendation #6 - Develop a Department-specific definition of PII.

ITSS Response - We concur, with reservations. Currently, the Department utilizes the explanation of PII as defined by the Office of Management and Budget (OMB). The Chief Privacy and Civil Liberties Officer (CPCLO) for the Department asked OMB specifically whether the Department could create its own definition of PII based on this OIG recommendation. OMB expressed reservations about this idea. The CPCLO and I will work with OMB to resolve this issue.

Recommendation #7 - Consider whether any of the procedures described as "Best Practices" should be implemented across the Department.

ITSS Response - We concur. The OCIO will look at the best practices in the report as well as other best practices throughout the Government and evaluate the feasibility of implementing them across the Department. We expect that this process will be completed within 90 days.

Recommendation #8 - Ensure that components update their internal policies to reflect correct reporting procedures in conformance with the DOJCERT Incident Response Plan template and contain up-to-date titles of internal departments and staff.

ITSS Response - We concur. The OCIO will work with components to update their internal policies to reflect correct reporting procedures and current personnel. We expect that this process will be completed within 120 days.

Thank you for the opportunity to comment on the draft report. If you have any questions or need additional information, please contact Suzanne Acosta of ITSS at (202) 307-6816 or by e-mail at Suzanne.T.Acosta@usdoj.gov.
