DOJCERT is located within the Office of the CIO, which is a subcomponent of the Justice Management Division (JMD). For purposes of incident reporting, the subcomponents of JMD are treated as separate components. Each subcomponent reports its own incidents and maintains its own Incident Response Plan. The following section is based on interviews with and documents obtained from two subcomponents of JMD: Personnel and the Security and Emergency Planning Staff (SEPS).

Introduction

Between December 2005 and November 2006, JMD reported 402 computer security incidents to DOJCERT, including 18 incidents involving PII and 5 incidents potentially involving classified information.¹³² Both Personnel and SEPS consider any loss of PII, including the loss of any electronic device or removable media containing PII, to be reportable computer security incidents.

JMD officials we interviewed stated that their subcomponents of JMD follow the Department’s definition of sensitive information and consider all of their information to be sensitive. In the Security Program Operating Manual, the Department defines sensitive information as:

any information, the loss, misuse, modification of, or unauthorized access to, could affect the national interest, law enforcement activities, the conduct of Federal programs, or the privacy to which individuals are entitled under Section 552a of Title 5, U.S. Code, but that has not been specifically authorized under criteria established by an executive order or an act of Congress to be kept classified in the interest of national defense or foreign policy.¹³³

The Personnel division considers PII to be synonymous with information that is protected by the Privacy Act.¹³⁴ However, SEPS uses OMB’s definition of PII. Personnel does not handle classified information, while SEPS does. SEPS uses the definition of classified information contained in Executive Order 12958, as Amended, Classified National Security Information, dated March 25, 2003.

Reporting Procedures

JMD employees are required to contact the individual who handles security issues in their subcomponent to report any computer security incidents. In Personnel, the Avue User Rules of Behavior require all employees to report all computer security incidents to the Avue Administrator, who is required to notify the Personnel Information Systems Security Officer.¹³⁵ Personnel’s Information Systems Security Officer should notify DOJCERT, via the Archer Database, and also should ensure that the Personnel staff follows the procedures outlined in Personnel’s Incident Response Plan. Personnel staff may also notify their supervisors of computer security incidents, although no policy specifically requires them to do so. Personnel has not developed any written procedures for reporting computer security incidents after hours.

SEPS employees are not provided with written procedures instructing them on how to report computer security incidents through the SEPS reporting chain of command. We were told in interviews that, in practice, employees report computer security incidents to their supervisors, who forward the report to the staff of the Technical Security Section.¹³⁶ The Technical Security Section notifies DOJCERT, via the Archer Database, and also ensures that SEPS follows the procedures outlined in its Incident Response Plan. For classified incidents, SEPS’s employees said that in practice they report a suspected loss to their supervisor. The supervisor then reports the incident to the Technical Security Section who forwards the report to the Department Security Officer (Director of SEPS). Chart 18 shows Personnel’s and SEPS’s procedures for reporting all computer security incidents, including those involving sensitive, PII, and classified information.

Chart 18: Flowchart of Personnel’s and SEPS’s Procedures for Reporting All Computer Security Incidents, Including Sensitive, PII, and Classified Information

[Image Not Available Electronically]

Personnel and SEPS have updated the Incident Response Plans they maintain to reflect the changes DOJCERT made to the November 2006 Incident Response Plan template. The Incident Response Plans identify the seven categories of incidents that should be reported to DOJCERT within specified timeframes.

Both Personnel and SEPS use the Archer Database to track incidents that have been reported to DOJCERT.

Indications of Compliance with Reporting Procedures

For the two JMD subcomponents we reviewed, subcomponent officials told us that they believed employees were following the correct reporting procedures. While we did not validate this statement, we did analyze data from the Archer Database to determine if all of the subcomponents of JMD were reporting incidents to DOJCERT in a timely manner.¹³⁷ Our analysis showed that JMD was not always reporting computer security incidents, including PII, within the required timeframes specified in both the DOJCERT and JMD Incident Response Plans. Between December 2005 and November 2006, JMD reported 84 percent of its computer security incidents to DOJCERT within the required timeframes. However, only 14 percent of PII incidents that occurred on or after July 12, 2006 were reported within the required 1-hour timeframe.¹³⁸ Personnel reported one PII incident after July 12, 2006, but did not report it in the required 1-hour timeframe. SEPS did not report any PII incidents. Table 13 shows JMD’s overall reporting in each category.¹³⁹

Ensuring All Incidents Are Reported

JMD said that it relies primarily on training as its method for ensuring employees are aware of the requirement to report computer security incidents, including those involving PII loss. An official on the Personnel staff described the Department’s annual Computer Security Awareness Training as “the number one vehicle” for emphasizing the importance of security to Personnel staff and for reinforcing the reporting requirements that are outlined in the Avue User Rules of Behavior. JMD said that personnel staff members receive verbal briefings on the procedures for reporting computer security incidents when they are given the equipment necessary to use Justice Secure Remote Access and also receive a wallet card summarizing those reporting procedures. Lost laptops or BlackBerry devices can be identified through Personnel’s annual inventory process. Personnel’s Property Officer told us that the annual property inventory has not uncovered any problems with lost or stolen electronic devices.

A Security Specialist in the SEPS Technical Security Section noted that there is no failsafe method for ensuring that all incidents are reported but stated that explaining the reporting procedures and encouraging employees to make reports was an important method for ensuring that incidents are properly reported. SEPS’s Executive Officer told us that the annual property inventory has not uncovered any lost or stolen electronic devices.

Notification to Affected Parties

JMD has not developed policies concerning notification to affected parties in the event of a loss of PII.

Determining the Type of Data Lost

JMD said that it generally determines the type of data loss through employee interviews. In Personnel, the Information Systems Security Officer is required to interview both the employee reporting the loss and the employee’s supervisor to determine how the employee used the device and what data it may have contained. In addition, in August 2006 Personnel modified its Avue User Rules of Behavior to require employees to obtain written permission from their supervisors before downloading PII to the hard drive of a laptop.

SEPS does not have any written procedures for determining what data a lost or stolen electronic device may have contained, and SEPS officials stated that only one laptop has been stolen in the past 15 years. A member of SEPS’s Technical Security Section stated that if a lost or stolen laptop were to be reported, the Technical Security Section would speak with the employee reporting the loss and his or her supervisor to determine what information the laptop may have contained. SEPS did not report any lost or stolen electronic devices between December 2005 and November 2006.

132. Personnel reported 13 incidents to DOJCERT between December 2005 and November 2006, including 1 incident involving potential loss of PII, and no incidents involving classified information. SEPS reported four incidents to DOJCERT between December 2005 and November 2006, none of which involved either PII or classified information. All of the incidents reported by SEPS were instances of SEPS employees receiving spam e-mails.

133. The Security Program Operating Manual is written by SEPS and applies to the entire Department.

134. 5 U.S.C. § 552a.

135. Avue is the system the Department uses for online job applications.

136. SEPS is divided into 10 different sections, each of which handles a different aspect of security. The Technical Security Section handles the security of technology used to store and transmit classified information.

137. The Archer Database included incidents that were reported by 25 different subcomponents of JMD.

138. We did not analyze incidents for timeliness that occurred before OMB established the 1-hour timeframe in July 2006. We could not analyze two incidents that occurred after OMB established the 1-hour timeframe because there was no information in the Archer Database to indicate when DOJCERT received the reports.

139. Our calculations are based on Categories 1 through 5 and Category 7. We did not include incidents found in Categories 0 and 6 because they had no associated time criteria, nor did we include incidents for which the Archer Database contained no information to indicate when DOJCERT received the report that an incident had occurred.