MAY 25, 2007

MEMORANDUM

TO:	Paul A. Price Assistant Inspector General Evaluations and Inspections Office of the Inspector General
FROM:	Gary W. Oetjen (signature) Deputy Chief Inspector Office of Inspections
SUBJECT:	DEA’s response to the OIG Draft Report: Review of the Department of Justice's Reporting Procedures for Loss of Sensitive Information

The Drug Enforcement Administration (DEA) has reviewed the Department of Justice (DOJ) Office of the Inspector General's (OIG) Draft Report titled, Review of the Department of Justice's Reporting Procedures for Loss of Sensitive Electronic Information.

DEA concurs with the majority of the OIG audit results and subsequent recommendations made to DOJ. Upon review of the aforementioned document, DEA wishes to address several aspects of the report that are not accurately reflected.

OIG reported on page 59, that DEA reported six incidents of PII losses and two incidents involving loss of classified information. DEA determined via internal documents and DOJCERT and SEPS records that one incident involving classified information occurred during the reviewed time frame, not two, and of the six incidents cited by OIG involving potential PII loss, only two were actual or suspected losses of PII. DEA requests that the above information be incorporated in the report.

On page 61, OIG cited a "DEA official" as stating “…in practice the Information Security Section Reports classified incidents to DOJCERT, not SEPS, and relies on DOJCERT to report those incidents to SEPS.” DEA is unable to attribute this statement to any DEA officials interviewed; however, OIG was told by the Office of Security Programs, Information Security Section (ISI) Section Chief that the loss of classified information must be reported to SEPS and DOJCERT, and SEPS should receive reports from both DOJCERT and DEA regarding suspected or confirmed compromises of classified information. Sensitive information losses were reported, as required, to DOJCERT, who shared this information with SEPS. The one classified information incident occurred on June 28,2006, and involved the transfer of information from a Merlin computer system to Firebird, thus providing the opportunity for someone without a "need to know" to become exposed to classified information. This incident did not result in the loss of information and the employee who transferred the data maintains a national level security clearance commensurate with level of classification. This incident was inadvertently not reported directly to SEPS, but was reported to DOJCERT (who in turn provided the report to SEPS). During this same time frame, DEA began using the ARCHER system and also transferred the responsibility of reporting security incidents from one employee to another. DEA acknowledges that this incident should have been reported directly to SEPS, but does not concur with the inference that DEA willfully does not follow policies and procedures as a course of practice. DEA requests that all references on pages 61 and 62 to DEA’s "practice" of reporting loss of classified information to DOJCERT and not to SEPS be removed.

The chart on page 62, labeled Chart 14: Flowchart of DEA’s Reporting Procedures for Loss of Classified Information, erroneously depicts DEA, as a course of “practice,” bypassing SEPS and reporting the loss of classified information only to DOJCERT. DEA requests that the dashed line with the word "Practice" connecting Information Security Section to DOJCERT be changed to a solid line and also that the words "Practice" and "Policy" be removed entirely. As previously stated, while the one incident was not reported directly to SEPS, it was as a result of an oversight and not out of "practice."

DEA uses the definition of classified information contained in Executive Order 12958, as Amended, Classified National Security Information, dated March 25, 2003, not the definition contained in Executive Order 12958, Classified National Security Information, dated April 17, 1995.

Regarding the eight recommendations made by OIG, DEA offers the following:

• Recommendation number six should precede recommendation number five, and the definition of PII should be issued by the Department before the policy on notification is issued.
• DEA would not concur with recommendation number five unless the definition of PII or the notification policy itself provided for an exception to notification, where notification would compromise an ongoing law enforcement investigation or matters of national security.

Thank you in advance for considering the comments provided by DEA. DEA looks forward to reviewing the formal draft report. If you have any questions regarding this response, please contact Janice Hewitt, Audit Liaison, on 202-307-5411.

cc:	Michele Leonhart Deputy Administrator Rogelio E. Guevara Chief Inspector Inspection Division