Review of the Department of Justice’s Reporting Procedures for Loss of Sensitive Electronic Information

Evaluation and Inspections Report I-2007-005
June 2007
Office of the Inspector General


Appendix VIII
Tax Division Procedures

Introduction

Between December 2005 and November 2006, the Tax Division reported 22 computer security incidents to DOJCERT, none of which involved the loss of PII. The Tax Division defines reportable computer security incidents as the loss of sensitive data; PII; or any portable electronic device or removable storage media that contains Tax Division information, including the loss of any laptop, BlackBerry device, flash drive, or CD. The Tax Division considers all of its information to be sensitive, including PII, Privacy Act information, federal taxpayer information, and grand jury information. The Tax Division defines PII as information that uniquely identifies an individual, which may include social security numbers, Taxpayer ID numbers, driver’s license numbers, license plate numbers, credit card numbers, current or previous addresses, current or previous telephone numbers, birthdates, maiden names, previous married names, aliases, and family or medical history. Tax return information, which is defined in Internal Revenue Service Publication 1075 and DOJ Order 2620.5A as including a taxpayer’s identity and information about his or her finances, is considered to be synonymous with PII, as is Privacy Act information. The Tax Division does not generally handle classified information.

Reporting Procedures

Tax Division employees are required to notify their supervisors and the Division’s Security Program Manager within 1 hour of discovering that sensitive data or PII may have been lost. [140] If Tax Division employees mistakenly contact the Help Desk to report sensitive data loss incidents, the Help Desk staff should direct them to contact the Security Program Manager. The Tax Division told us that employees have been instructed to report data loss incidents directly to the Help Desk if they are unable to reach the Security Program Manager immediately. The Help Desk should then notify the Information Systems Security Officer. Tax Division officials also told us that if an incident occurs after hours, employees should notify their supervisors. The supervisors have an after-hours contact number for the Security Program Manager.

The Security Program Manager should notify the Tax Division’s Information Systems Security Officer of all computer security incidents. The Information Systems Security Officer should notify DOJCERT, via the Archer Database, and ensure that the Tax Division follows the procedures outlined in its Incident Response Plan. [141] The Tax Division’s plan identifies the seven categories of incidents that should be reported to DOJCERT within specified timeframes. The plan has been updated to reflect the required changes DOJCERT made in November 2006 to the DOJCERT Incident Response Plan template.

The Tax Division also has procedures in place for notifying senior Tax Division management of incidents. If a computer security incident includes PII, grand jury information, or federal taxpayer information, the supervisor of the employee involved should notify the Deputy Assistant Attorney General who oversees the section where the incident occurred. The Deputy Assistant Attorney General should then notify the Tax Division’s Office of the Assistant Attorney General. Chart 19 shows the Tax Division’s procedures for reporting loss of sensitive information, including PII.

Chart 19: Flowchart of the Tax Division’s Procedures for Reporting Sensitive Information Loss, Including PII

[Image Not Available Electronically]

For internal tracking purposes, computer security incidents and equipment losses are supposed to be recorded in the Tax Division Help Desk’s ticket database, known as Remedy. Equipment losses have been tracked in this way for several years, and the Tax Division began tracking data losses specifically in August 2006. The Information Systems Security Officer stated that all information tracked in Remedy is also entered into the Archer Database. Tax Division officials said they routinely query Remedy to generate reports on equipment losses.

Indications of Compliance with Reporting Procedures

Tax Division officials told us that they believed employees were following the correct reporting procedures. While we did not validate this statement, our analysis of the Archer Database showed that between December 2005 and November 2006, the Tax Division reported 95 percent of its computer security incidents within the required timeframes specified in both the DOJCERT and Tax Division Incident Response Plans. We did not analyze any Tax Division incidents for timeliness because the Tax Division did not report any incidents involving PII. Table 14 shows the Tax Division’s reporting in each category. [142]

Table 14: The Tax Division’s Timeliness in Reporting Incidents to DOJCERT

| Category | Reporting timeframe* | Incidents reported | Reported within timeframe | Reported after timeframe | Could not compute timeliness** |
|---|---|---|---|---|---|
| Category 0 (Exercise/Test) | None | 1 | N/A | N/A | 1 |
| Category 1 (Unauthorized Access) | 1 hour | 1 | 1 | 0 | 0 |
| Category 2 (Denial of Service) | 2 hours | 0 | N/A | N/A | N/A |
| Category 3 (Malicious Code) | 1 day | 1 | 0 | 1 | 0 |
| Category 4 (Improper Usage) | 1 week | 0 | N/A | N/A | N/A |
| Category 5 (Scans/Probes) | 1 month | 1 | 1 | 0 | 0 |
| Category 6 (Investigation) | None | 1 | N/A | N/A | 1 |
| Category 7 (Spam) | 1 month | 17 | 17 | 0 | 0 |
| Total | | 22 | 19 | 1 | 2 |
| PII incidents occurring on or after 7/12/06*** | 1 hour | 0 | N/A | N/A | N/A |

* For purposes of this table, reporting timeframes for Categories 0-7 refer to the timeframes defined in the Incident Response Plan. Reporting timeframe for PII incidents refers to the timeframe defined in OMB Memorandum M-06-19.

** Some records did not include information to indicate when DOJCERT received the reports. Category 0 and 6 incidents, for which there are no reporting timeframes, are also included in this category.

*** PII incidents were reported in varying incident categories.

Source: Archer Database

Ensuring All Incidents Are Reported

While the Tax Division uses several methods to ensure division employees are reporting computer security incidents, it relies primarily on training to ensure employees are aware of the requirement to report computer security incidents, including those involving loss of sensitive data or PII. The Tax Division said that it conducts annual Computer Security Awareness Training to remind users of the responsibility to report computer security incidents and has updated this training to instruct employees to report losses of PII within 1 hour. To remind employees of the importance of reporting sensitive data loss incidents, the Tax Division has also posted a copy of the Assistant Attorney General’s September 5, 2006, memorandum in a prominent position on the Tax Division’s intranet page. The Tax Division’s Rules of Behavior also instructs employees to report known or suspected incidents to the Information Systems Security Officer. Tax Division employees are required to read and acknowledge the Rules of Behavior annually.

Tax Division officials said that lost equipment is tracked through the annual inventory process. One Tax Division official we interviewed noted that it is easier for management to determine if hardware, such as a laptop or BlackBerry device, is missing because the user will need a replacement device. For other types of computer security incidents, this same official stated that there is no failsafe method for ensuring that all incidents are reported.

Notification to Affected Parties

The Tax Division has not developed policies concerning notification to affected parties in the event of a loss of PII. Tax Division officials expressed a general desire for the Department to take a greater leadership role in computer security issues, including developing a policy on notification.

Determining the Type of Data Lost

In the Tax Division, determining the type of data loss is usually accomplished through employee interviews. In general, the Tax Division’s Information Systems Security Officer is tasked with interviewing the employee reporting the loss and asks the employee to identify the information that the device may have contained. The Information Systems Security Officer may also speak with the employee’s supervisor to determine which cases the employee was most likely to have been working on, but the Tax Division is ultimately dependent on the employee’s memory of the device’s contents.

When an employee is working off-site and a computer security incident occurs, in addition to interviewing the employee reporting the loss, the supervisor may be able to determine the type of data lost through the Tax Division’s Document Management System. The Tax Division maintains a Document Management System that organizes case-related files, and employees’ access is restricted to the cases to which they have been assigned. To work on Tax Division information from a remote location without having to dial in to the Tax Division’s network, the employees can check out files from the Document Management System and have those files uploaded onto the hard drives of their laptops. If an employee chooses this access option and then reports the laptop lost or stolen, the Tax Division supervisor may be able to recreate the files that were on the device by reviewing the Document Management System’s checked out records. Data saved on flash drives must also be saved on the Document Management System or another part of the Tax Division’s network to provide a backup in the event that the flash drive is lost or stolen. [143]

Alternatively, employees can access the Tax Division’s network remotely, either through a hard network connection in a United States Attorney’s Office or by dialing in using Justice Secure Remote Access. When employees choose to access the network remotely, the laptop serves as a dumb terminal, with all files saved to the Tax Division’s network instead of to the laptop’s hard drive.



Footnotes
  140. On September 5, 2006, the Assistant Attorney General of the Tax Division sent a memorandum to all division employees instructing them to contact their supervisors and the division’s Security Program Manager within 1 hour of discovering that sensitive data or PII may have been lost. This 1-hour timeframe is also reflected in the Tax Division’s Incident Response Plan. All other types of computer security violations, incidents, and vulnerabilities are reported to the Tax Division Help Desk. The Help Desk is not required to report incidents that do not involve sensitive data or PII beyond this point.

  141. The Tax Division’s Information Systems Security Officer supervises the Help Desk and thus should be aware of all reports of data loss incidents made to the Help Desk instead of to the Security Program Manager. The Information Systems Security Officer should inform the Security Program Manager of all sensitive data loss incident reports the Help Desk receives.

  142. Our calculations are based on Categories 1 through 5 and Category 7. We did not include incidents found in Categories 0 and 6 because they had no associated time criteria, nor did we include incidents for which the Archer Database contained no information to indicate when DOJCERT received the report that an incident had occurred.

  143. Only Tax Division-purchased flash drives are permitted; these flash drives are encrypted, use biometric security (a thumbprint is required to access the data on the flash drive), and are tracked in the Tax Division’s annual property inventory.


