Review of the Department of Justice’s Reporting Procedures for Loss of Sensitive Electronic Information

Evaluation and Inspections Report I-2007-005
June 2007
Office of the Inspector General


Appendix II
BOP Reporting Procedures

Introduction

Between December 2005 and November 2006, the BOP reported 252 security incidents to DOJCERT, including 24 incidents involving potential PII loss.73 None of the incidents involved the loss of classified information.74 According to BOP officials we interviewed, a reportable computer security incident or a reportable data loss includes the loss of PII, data lost due to a corrupted data system, violation of the Privacy Act, or an unauthorized release of information. A computer security incident or “violation” is defined by the BOP in its Information Security policy as an event such as password sharing, social engineering, computer hacking, software viruses, or other unauthorized information or system access, theft, or loss of automatic data processing equipment.75

The BOP defines sensitive information as information that, if released to the public, would pose an unacceptable risk to the BOP, its employees, or its inmate population. The BOP considers the term “sensitive” to be synonymous with Sensitive But Unclassified. All of the BOP’s databases are considered Sensitive But Unclassified. The BOP does not have a policy that specifically defines PII as it is treated as synonymous with sensitive information.

Reporting Procedures

The BOP relies on two documents, in addition to the DOJCERT Incident Response Plan template, when reporting incidents of data loss:

  1. BOP Information Security Policy, which provides primarily for the security and maintenance of information, computers, terminals, telecommunications, and data communications systems. This policy also provides incident response and reporting procedures, describes staff responsibilities related to information and computer security (including the BOP’s Rules of Behavior), and sets annual training requirements to meet those responsibilities; and
  2. BOP Incident Response Plan, which is consistent with the DOJCERT Incident Response Plan template and was updated to reflect DOJCERT’s most recent November 2006 changes that incorporate reporting procedures for loss of PII.

The BOP’s Information Security Policy instructs employees in all institutions, Regional Offices, and Community Corrections Centers to report computer security violations to the facility Information Security Officer as soon as possible. Employees are also required to report loss or theft to the Property Officer. The Information Security Officer is required to then notify the BOP’s Central Office Information Security Programs Section. Employees at the BOP’s Central Office are to notify the Information Security Programs Section directly rather than reporting through an Information Security Officer. If PII is involved, notification is required to be made to the Information Security Programs Section within 1 hour. The Information Security Programs Section should then notify DOJCERT within the timeframes specified in the BOP Incident Response Plan. The BOP’s Incident Response Plan, revised in December 2006, reflects timeframes in which to notify DOJCERT depending on the category and severity of the incident.

The Information Security policy further states that relevant supervisors, managers, executive staff, and Regional Administrators should also be notified. The Information Security Officer therefore notifies the appropriate chain of command (facility executive staff and regional personnel), including the Information Security Programs Section at the Central Office. The Information Security Officer, upon verification of the security threat, is encouraged to notify other facilities or localities that may be similarly susceptible to a particular security violation. Chart 8 shows the BOP’s reporting procedures for loss of sensitive information.

Although the BOP’s processing of classified information is very limited, a BOP official told us that if a computer security incident occurred involving classified information, they would follow the Department’s SPOM and report the incident to the Department’s Security Officer.

Chart 8: Flowchart of the BOP’s Reporting Procedures for Loss of Sensitive Information

[Image Not Available Electronically]

If a computer security incident occurs after hours at one of the BOP facilities, the employee should call the facility’s Control Center, which is manned 24 hours a day. The Control Center then calls the Information Security Officer at home. The Information Security Officer should then follow the procedures described above. Chart 9 shows the BOP’s procedures for after-hours reporting of loss of sensitive information.

Chart 9: Flowchart of BOP Facility Staff After-Hours Reporting Procedures for Loss of Sensitive Information

From left to right: Facility Employee, Facility Control Center, Facility Information Security Officer, Central Office Information Security Program Section, (If PII within 1 hour) DOJCERT.

In the event of a theft of a laptop or BlackBerry device at the Central Office, the BOP is required to report the theft to Federal Protective Service.76 If a theft or other computer security crime occurs at a facility, the FBI should be notified because it has jurisdiction to investigate crimes occurring in federal prisons. Employees should contact the local police department in the event of a laptop or BlackBerry device theft off-site. Any of these law enforcement officials should enter the theft into the NCIC database. Additionally, if employee negligence is suspected, the incident should be referred to the BOP Office of Internal Affairs and the OIG for possible investigation.

Indications of Compliance with Reporting Procedures

BOP officials told us that they believed their employees were following the correct reporting procedures. While we did not validate this statement, our analysis of the Archer Database showed that the BOP was not always reporting computer security incidents, including incidents involving PII, within the required timeframes specified in both the DOJCERT and BOP Incident Response Plans. Between December 2005 and November 2006, the BOP reported only 37 percent of its computer security incidents to DOJCERT within the required timeframes. Further, only 14 percent of the PII incidents that occurred on or after July 12, 2006, were reported to DOJCERT within the required 1-hour timeframe.77 Table 8 shows the BOP’s reporting in each category.78

Table 8: The BOP’s Timeliness in Reporting Incidents to DOJCERT

| Category | Reporting timeframe* | Incidents reported | Reported within timeframe | Reported after timeframe | Could not compute timeliness** |
|---|---|---|---|---|---|
| Category 0 (Exercise/Test) | None | 4 | N/A | N/A | 4 |
| Category 1 (Unauthorized Access) | 1 hour | 19 | 2 | 17 | 0 |
| Category 2 (Denial of Service) | 2 hours | 2 | 0 | 2 | 0 |
| Category 3 (Malicious Code) | 1 day | 144 | 34 | 98 | 12 |
| Category 4 (Improper Usage) | 1 week | 34 | 17 | 17 | 0 |
| Category 5 (Scans/Probes) | 1 month | 19 | 15 | 2 | 2 |
| Category 6 (Investigation) | None | 14 | N/A | N/A | 14 |
| Category 7 (Spam) | 1 month | 16 | 12 | 1 | 3 |
| Total | | 252 | 80 | 137 | 35 |
| PII incidents occurring on or after 7/12/06*** | 1 hour | 7 | 1 | 6 | 0 |

* For purposes of this table, reporting timeframes for Categories 0-7 refer to the timeframes defined in the Incident Response Plan. Reporting timeframe for PII incidents refers to the timeframe defined in OMB Memorandum M-06-19.

** Some records did not include information to indicate when DOJCERT received the reports. Category 0 and 6 incidents, for which there are no reporting timeframes, are also included in this category.

*** PII incidents were reported in varying incident categories.

Source: Archer Database
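The timeliness figures in Table 8 come from a simple rule applied record by record: compare the time DOJCERT received the report with the time the incident occurred, against the timeframe for the incident’s category, and exclude records that cannot be scored. The following is an added illustration of that method, not code from the OIG report or from any BOP or DOJCERT system. It uses the category timeframes listed in Table 8 and the report’s stated exclusions (Categories 0 and 6 have no timeframe; records with no DOJCERT receipt time are not scored; PII incidents are scored against the 1-hour rule only if they occurred on or after July 12, 2006). The record field names, the 30-day approximation of “1 month,” and the sample records are assumptions constructed for the example.

```python
"""Incident-reporting timeliness tally (added example, not from the report)."""
from collections import Counter
from datetime import datetime, timedelta
from typing import Optional

# Reporting timeframes as listed in Table 8. Categories 0 and 6 have none.
# "1 month" is approximated as 30 days here (assumption for the example).
TIMEFRAMES = {
    1: timedelta(hours=1),    # Unauthorized Access
    2: timedelta(hours=2),    # Denial of Service
    3: timedelta(days=1),     # Malicious Code
    4: timedelta(weeks=1),    # Improper Usage
    5: timedelta(days=30),    # Scans/Probes
    7: timedelta(days=30),    # Spam
}
PII_TIMEFRAME = timedelta(hours=1)       # OMB M-06-19 1-hour rule
PII_RULE_START = datetime(2006, 7, 12)   # PII incidents before this date are not scored


def classify(category: int, occurred: datetime, received: Optional[datetime]) -> str:
    """Score one record against its category timeframe.

    Returns 'within', 'after', or 'not_computable' (no timeframe for the
    category, or no DOJCERT receipt time on record). The boundary is inclusive.
    """
    limit = TIMEFRAMES.get(category)
    if received is None or limit is None:
        return "not_computable"
    return "within" if received - occurred <= limit else "after"


def classify_pii(occurred: datetime, received: Optional[datetime]) -> str:
    """Score a PII incident against the 1-hour rule, regardless of category."""
    if occurred < PII_RULE_START:
        return "excluded_pre_rule"
    if received is None:
        return "not_computable"
    return "within" if received - occurred <= PII_TIMEFRAME else "after"


def on_time_percent(counts: Counter) -> Optional[int]:
    """Share reported within the timeframe, over scorable records only."""
    scorable = counts["within"] + counts["after"]
    return round(100 * counts["within"] / scorable) if scorable else None


def tally(records):
    """Per-category counters, overall counter, and the on-time percentage."""
    per_cat = {}
    for rec in records:
        result = classify(rec["category"], rec["occurred"], rec["received"])
        per_cat.setdefault(rec["category"], Counter())[result] += 1
    totals = Counter()
    for counts in per_cat.values():
        totals.update(counts)
    return per_cat, totals, on_time_percent(totals)


def pii_tally(records) -> Counter:
    """Separate tally for records flagged as involving PII (Table 8's last row)."""
    counts = Counter()
    for rec in records:
        if rec.get("pii"):
            counts[classify_pii(rec["occurred"], rec["received"])] += 1
    return counts


# Constructed sample records; times and categories are made up for the example.
T0 = datetime(2006, 8, 1, 9, 0)
SAMPLE = [
    {"id": "c1-a", "category": 1, "occurred": T0, "received": T0 + timedelta(minutes=45), "pii": True},
    {"id": "c1-b", "category": 1, "occurred": T0, "received": T0 + timedelta(hours=3), "pii": True},
    {"id": "c3-a", "category": 3, "occurred": T0, "received": T0 + timedelta(hours=20), "pii": False},
    {"id": "c3-b", "category": 3, "occurred": T0, "received": None, "pii": False},  # no receipt time
    {"id": "c4-a", "category": 4, "occurred": T0, "received": T0 + timedelta(days=10), "pii": True},
    {"id": "c6-a", "category": 6, "occurred": T0, "received": T0 + timedelta(hours=1), "pii": False},
    {"id": "c7-a", "category": 7, "occurred": T0, "received": T0 + timedelta(days=2), "pii": False},
    {"id": "c4-old", "category": 4, "occurred": datetime(2006, 6, 1), "received": datetime(2006, 6, 1, 2), "pii": True},
]

if __name__ == "__main__":
    per_cat, totals, pct = tally(SAMPLE)
    for cat in sorted(per_cat):
        print(f"Category {cat}: {dict(per_cat[cat])}")
    print(f"All categories: {dict(totals)}, on time: {pct}%")
    pii = pii_tally(SAMPLE)
    print(f"PII incidents: {dict(pii)}, on time: {on_time_percent(pii)}%")
```

Note that a PII record is counted twice, once in its category row and once in the PII row, which is how Table 8 presents them (the PII row footnote says those incidents were reported in varying categories). Computing the percentage over scorable records only is what makes the 37 percent in the report line up with 80 of 217, rather than 80 of 252.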

Ensuring All Incidents Are Reported

The BOP relies on several methods to ensure that all computer security incidents are reported: training, program reviews, and policies. The BOP administers annual computer security training to all staff to educate them on their reporting responsibilities. The BOP also said that it conducts program reviews of its information security program to ensure that reporting procedures are being followed. A BOP program or operational review is required annually for each facility’s Information Security program.79 Program reviews are a system of internal reviews conducted by BOP staff who are subject matter experts in the program under review. These reviews ensure that programs are in compliance with applicable laws, regulations, and policies.

The BOP Property Management Manual also establishes employee responsibilities for the management and control of government-owned personal property such as laptops and BlackBerry devices.80 Designated Property Officers are responsible for maintaining up-to-date computer inventories of all accountable government-owned personal property and reconciling that property list against required quarterly and annual physical inventories conducted in all BOP facilities. According to policy, if a lost or stolen electronic device was not reported, both the Property Officer and the employee are held liable for the property. The Property Management Manual states that it is the employee’s duty to report loss, theft, or damage to accountable property and requires that reports be made to the Property Officer upon discovery (but no later than the next working day).

This policy also establishes the Board of Survey, a BOP committee that investigates the circumstances surrounding lost, stolen, missing, damaged, or destroyed government-owned personal property. The board makes recommendations consistent with the findings disclosed by its review and, if applicable, may refer cases to the Office of Internal Affairs, which can refer cases to the OIG or the Criminal Division for prosecution.

The BOP also has Rules of Behavior concerning the use and security of computer systems.81 The rules notify employees that sensitive information is to be protected from disclosure to unauthorized individuals and that they will be sanctioned for unauthorized use, disclosure, destruction, or misuse of information resources. The rules also state that security violations and system vulnerabilities are to be immediately reported to the appropriate authorities.

Notification to Affected Parties

The BOP has not developed policies concerning notification to affected parties in the event of a loss of PII.

Determining the Type of Data Lost

The BOP said that it determines the type of data lost by having the Information Security Officer interview the employee involved in the computer security incident. The BOP Information Security policy states that the Information Security Officer may perform a preliminary review to confirm that a computer security violation has occurred.

The BOP also said that it has instituted controls to restrict employee access to sensitive data. The head of a facility is required to give written approval to employees before they remove laptops (or other devices) to process sensitive data off-site, such as while at home or traveling on official business. According to policy, a written request from the employee must include the type of device (such as a laptop), a description of the contents, and the purpose of the data removal.82 However, in practice, according to interviews, it is up to the head of each facility whether the contents are actually described in the request.



Footnotes
  73. As of January 31, 2007, the loss of PII has been confirmed in 4 of these 24 incidents. The remaining 20 incidents involve potential losses of PII.

  74. The BOP processes classified information on a very limited basis, as its networks are not authorized to process classified information. The BOP has only one stand-alone laptop computer that is authorized for classified processing, located at BOP Central Office. A second networked laptop, also physically located at BOP Central Office, is owned by the FBI, which must approve all system access.

  75. BOP, Information Security, P1237.13, March 31, 2006, Chapter 2, pp. 24-25.

  76. The Department of Homeland Security’s Federal Protective Service provides law enforcement and security services to federal government agencies that occupy federally owned and leased facilities nationwide.

  77. We did not analyze incidents for timeliness that occurred before OMB established the 1-hour timeframe in July 2006.

  78. Our calculations are based on Categories 1 through 5 and Category 7. We did not include incidents found in Categories 0 and 6 because they had no associated time criteria, nor did we include incidents for which the Archer Database contained no information to indicate when DOJCERT received the report that an incident had occurred.

  79. BOP, Information Security, P1237.13, March 31, 2006.

  80. BOP, Property Management Manual, P4400.05, May 26, 2004.

  81. The BOP’s Rules of Behavior are contained in a BOP policy entitled Information Resources Protection, P1237.12, February 20, 2001.

  82. BOP, Information Security, P1237.13, March 31, 2006, p. 14.


