Review of the Department of Justice’s Reporting Procedures for Loss of Sensitive Electronic Information

Evaluation and Inspections Report I-2007-005
June 2007
Office of the Inspector General


Appendix V
EOUSA and USAO Reporting Procedures

EOUSA provides the 93 United States Attorneys’ Offices (USAO) with administrative management oversight, operational support, policy development, and coordination with other components of the Department and other federal agencies. As part of this support, EOUSA provides policy and procedural assistance for implementation of all security programs for the USAOs and ensures compliance with all applicable statutes and Executive and Department Orders.95 The USAOs are required to report all computer security incidents to EOUSA, and EOUSA acts as the point of contact for notifying DOJCERT and the Security and Emergency Planning Staff (SEPS). For the purposes of this appendix, we use the acronym EOUSA to refer to EOUSA and the USAOs combined.

Introduction

Between December 2005 and November 2006, EOUSA reported 463 security incidents to DOJCERT, including 142 incidents involving potential PII loss and 4 incidents potentially involving classified information.96 According to an EOUSA official, EOUSA considers a reportable computer security incident to be any physical loss of media, systems information, or a breach that results in the loss of data, a laptop, a cell phone, or a wireless device such as a BlackBerry device.

EOUSA considers its information to be either Limited Official Use or classified; however, most of its information is designated as Limited Official Use. EOUSA relies on the 1982 DOJ Order 2620.7, which defines Limited Official Use as “unclassified information of a sensitive, proprietary or personally private nature which must be protected against release to unauthorized individuals....”97 EOUSA uses the term Limited Official Use as synonymous with the terms “sensitive” and “Sensitive But Unclassified.” Limited Official Use information includes but is not limited to “grand jury information, informant and witness information, investigative material, federal tax and tax return information, Privacy Act information, and information that can cause risk to individuals or could be sold for profit.”98

In 2003, EOUSA further defined Limited Official Use information to include the term Law Enforcement Sensitive, which developed through “common usage and agency culture to identify a specific type of Limited Official Use or Sensitive information,” for example, intelligence information unrelated to terrorism.99

EOUSA considers PII as a category of sensitive information. While EOUSA does not have its own specific definition of PII, it has adopted the definition of PII published in OMB Memorandum M-06-15 to Department and agency heads that defines PII to be “any information about an individual” that is “maintained by an agency... which can be used to distinguish or trace an individual’s identity.”100

To define classified information, EOUSA relies on the National Security Information definition in Executive Order 12958, as Amended, Classified National Security Information, dated March 25, 2003.101

Reporting Procedures

Limited Official Use and PII Reporting Procedures

EOUSA has several written policies that contain instructions for reporting computer security incidents. General reporting procedures for Sensitive But Unclassified (Limited Official Use) and PII are contained in EOUSA’s Incident Response Plan, dated December 13, 2006. This plan is consistent with the DOJCERT Incident Response Plan and has been updated to reflect DOJCERT’s November 2006 revision. Additionally, written policies and procedures for USAOs are contained in the United States Attorneys’ Manual and the United States Attorneys’ Procedures.102 However, because no single policy defines the entire reporting chain of command from the field to EOUSA to DOJCERT, our description of reporting procedures is taken from a combination of policies, draft policies, and practice as stated by EOUSA officials during interviews.

According to interviews, the procedures for reporting computer security incidents involving Limited Official Use (Sensitive But Unclassified) information and PII are as follows: In the USAO districts, an employee is required to immediately notify the District Office Security Manager that a computer security incident has occurred.103 If the District Office Security Manager is unreachable, the employee should report the incident to the Regional Security Specialist for that district’s region. The District Office Security Manager or Regional Security Specialist should then e-mail an incident report to the Assistant Director, Information Systems Security Staff, who should report the incident to DOJCERT. If a data loss incident occurs at EOUSA headquarters, the employee or the employee’s immediate supervisor should notify the Assistant Director, Information Systems Security Staff directly. If PII is involved, the Assistant Director should notify DOJCERT within 1 hour.

For incidents that do not involve PII, DOJCERT should be notified within the timeframes specified in the EOUSA Incident Response Plan. For both EOUSA and the USAOs, when an incident occurs after hours, the employee should contact the EOUSA Security Operations Center.104 Depending on the severity of the incident, the Assistant Director may also report the incident immediately to the Department’s CIO. An example of a severe incident could be a virus outbreak that hinders the operating capability of EOUSA or a particular USAO office. Chart 15 shows EOUSA’s procedures for reporting the loss of sensitive information, including PII.

Chart 15: Flowchart of EOUSA’s Reporting Procedures for Loss of Sensitive Information, Including PII

[Image Not Available Electronically]

Classified Reporting Procedures

For reporting the loss of classified information, EOUSA’s Incident Response Plan states that reporting shall be done in accordance with the Department’s Security Program Operations Manual. According to EOUSA officials we interviewed, when a USAO employee discovers an incident involving classified information, the employee is required to report it to his or her supervisor and then to the District Office Security Manager. The District Office Security Manager in turn should report it to EOUSA’s Information Security Program Manager. The Information Security Program Manager then should obtain the facts of the incident from the District Office Security Manager or EOUSA employee and forward the incident report to his supervisor, the Security Programs Manager, who then forwards the report to SEPS. If a data loss occurs at EOUSA Headquarters, the employee should report directly to EOUSA’s Information Security Program Manager. Chart 16 shows EOUSA’s procedures for reporting the loss of classified information.

Chart 16: Flowchart of EOUSA’s Reporting Procedures for Loss of Classified Information

[Image Not Available Electronically]

Indications of Compliance with Reporting Procedures

We were told in interviews by EOUSA officials that they believed their employees were following the reporting procedures. While we did not validate this statement, our analysis of the Archer Database showed that EOUSA was not always reporting computer security incidents, including those involving PII, within the required timeframes specified in both the DOJCERT and EOUSA Incident Response Plans. Between December 2005 and November 2006, EOUSA reported 80 percent of its computer security incidents to DOJCERT within the required timeframes (136 of the 170 incidents for which timeliness could be computed). However, only 16 percent of the PII incidents that occurred on or after July 12, 2006 (19 of 120) were reported within the required 1-hour timeframe.105 Table 11 shows EOUSA’s reporting in each category.106

Table 11: EOUSA’s Timeliness in Reporting Incidents to DOJCERT

Category                        Reporting    Incidents   Reported     Reported    Could not
                                timeframe*   reported    within       after       compute
                                                         timeframe    timeframe   timeliness**

Category 0 (Exercise/Test)      None               6     N/A          N/A                6
Category 1 (Unauthorized        1 hour            25       0           18                7
  Access)
Category 2 (Denial of           2 hours            0     N/A          N/A              N/A
  Service)
Category 3 (Malicious Code)     1 day            143      66           14               63
Category 4 (Improper Usage)     1 week            94      63            2               29
Category 5 (Scans/Probes)       1 month           15       7            0                8
Category 6 (Investigation)      None             179     N/A          N/A              179
Category 7 (Spam)               1 month            1       0            0                1

Total                                            463     136           34              293

PII incidents occurring on      1 hour           134      19          101               14
  or after 7/12/06***

* For purposes of this table, reporting timeframes for Categories 0-7 refer to the timeframes defined in the Incident Response Plan. Reporting timeframe for PII incidents refers to the timeframe defined in OMB Memorandum M-06-19.

** Some records did not include information to indicate when DOJCERT received the reports. Category 0 and 6 incidents, for which there are no reporting timeframes, are also included in this category.

*** PII incidents were reported in varying incident categories.

Source: Archer Database

An EOUSA official we interviewed stated that employees are expected to report computer security incidents immediately. This official also stated that while EOUSA tries to adhere as closely as possible to the 1-hour requirement for reporting incidents to DOJCERT when PII is involved, the 1-hour requirement was impractical because of the number of steps that have to be taken before the notification to DOJCERT. The official stated that it takes time for an employee to recall when the incident occurred, what information was on the device, or where the device might have been lost. It also takes time for a District Office Security Manager to gather the necessary information and facts surrounding the loss of data or a device before reporting the incident to the EOUSA Information Systems Security Officer.

Ensuring All Incidents Are Reported

EOUSA said that it primarily relies on training and employee integrity to ensure that employees report all computer security incidents. EOUSA relies on the Department’s annual Computer Security Awareness Training and the USAOs’ Justice Consolidated Office Network II Rules of Behavior to inform employees of their responsibility to report such incidents.107 The Rules of Behavior, which employees are required to read and sign when they begin employment, state that the loss of a Department laptop or personal digital assistant shall be reported immediately to the District Office Security Manager and the EOUSA Assistant Director, Information Systems Security Staff. The rules also require that any actual or suspected security violations, incidents, vandalism, or vulnerabilities be reported to the District Office Security Manager and Systems Manager. Any violation of these rules may be cause for disciplinary action. EOUSA also said that it relies on the employee to report any incident in which electronic devices or sensitive data are lost or stolen.

Notification to Affected Parties

EOUSA has not developed policies concerning notification to affected parties in the event of a loss of PII.

Determining the Type of Data Lost

EOUSA said that it primarily relies on interviews with employees, supervisors, and systems managers for identifying the information contained on lost or stolen laptops and personal digital assistants.



Footnotes
  95. United States Attorneys’ Manual, Security Programs Management, § 3-15.010, August 2004.

  96. As of January 31, 2007, the loss of PII has been confirmed in three incidents. The remaining 139 incidents involve potential losses of PII.

  97. DOJ Order 2620.7, Control and Protection of Limited Official Use Information, September 1, 1982, p. 1.

  98. United States Attorneys’ Manual, Security Programs Management, § 3-15.120, August 2004.

  99. EOUSA Memorandum sent via e-mail, Limited Official Use (Sensitive) Information Designation, January 14, 2003.

  100. OMB Memorandum M-06-15 for Heads of Departments and Agencies, Safeguarding Personally Identifiable Information, Clay Johnson III, Acting Director, May 22, 2006.

  101. Executive Order 12958, Classified National Security Information, April 17, 1995.

  102. The manual contains general policies and procedures relevant to the work of the USAOs and to their relations with the legal divisions, investigative agencies, and other components within the Department. United States Attorneys’ Manual, § 1-1.100, September 1997.

  103. An employee may also notify his or her immediate supervisor, who then reports the incident to the District Office Security Manager. Each USAO has a District Office Security Manager.

  104. In April 2007, an EOUSA official stated that EOUSA had developed a draft policy on after-hours reporting procedures, but that this policy had not yet been issued.

  105. We did not analyze for timeliness incidents that occurred before OMB established the 1-hour timeframe in July 2006.

  106. Our calculations are based on Categories 1 through 5 and Category 7. We did not include incidents found in Categories 0 and 6 because they had no associated time criteria, nor did we include incidents for which the Archer Database contained no information to indicate when DOJCERT received the report that an incident had occurred.

  107. United States Attorneys’ Offices Justice Consolidated Office Network II, Rules of Behavior, April 13, 2004.
