Review of the Department of Justice’s Reporting Procedures for Loss of Sensitive Electronic Information
Evaluation and Inspections Report I-2007-005
Office of the Inspector General
The Department has developed an Incident Response Plan template to standardize the procedures that its components are required to follow to report computer security incidents. The nine Department components reviewed by the OIG have all developed and implemented their own component-specific incident response plans that follow the Department’s template. However, as of April 2007, two of the nine components had not updated their incident response plans to conform to the Department’s November 2006 revision, which requires all computer security incidents involving PII to be reported within 1 hour.
Although the Department’s template does not require it, we also found that four of the nine components had developed additional written procedures to ensure prompt reporting of incidents that occur outside normal business hours and that one component’s procedures are the same 24 hours a day. To ensure that all Department employees know who to call after hours to report a computer security incident, we believe the Department should require all of its components to develop after-hours reporting procedures.
While all of the components stated that they believed their staff followed procedures established for reporting computer security incidents through their chains of command up to component headquarters, we found indications that the FBI’s IT staff was not always following the reporting procedures outlined in the Department’s Incident Response Plan template or its own internal procedures. The FBI also was not reporting classified computer security incidents directly to the Security and Emergency Planning Staff, as required by the Department’s Security Program Operating Manual.
Because this review covered only nine components, it is unknown whether other Department components are reporting all classified computer security incidents. Because of the potential risk involved in the loss of classified information, we believe the Department should review and ensure each component’s compliance with the Department’s requirements for the reporting of classified security incidents.
In addition, we found that the components were not always reporting all computer security incidents to DOJCERT within the timeframes established in the Department’s Incident Response Plan template. In particular, the components were not consistently reporting PII incidents within a 1-hour timeframe to DOJCERT, nor was DOJCERT consistently reporting PII incidents within a 1-hour timeframe to US-CERT.
We believe the components need further clarification from the Department on when the 1-hour window for reporting PII begins and ends and who must receive the report within 1 hour of discovery or detection – component IT staff, DOJCERT, or US-CERT. Three components remarked that the 1-hour timeframe was impractical and unrealistic. We believe the Department should examine and clarify the 1-hour timeframe.
The components told us that training was the primary means of ensuring that employees report computer security incidents. The training most often used was the Department’s annual Computer Security Awareness Training. Also, some components have developed additional methods of reminding their employees of the requirement to report computer security incidents that we consider Best Practices. For example, the Criminal Division displays security tips, including procedures for reporting computer security incidents, on employees’ computer monitors each time they log in. We believe the Department and other components should examine these practices and determine if any should be adopted Department-wide.
Neither the Department nor any of the components we reviewed have developed procedures for notifying affected individuals in the event of a loss of PII. To address this issue, the Department’s Office of Privacy and Civil Liberties and the Office of the CIO are working together to develop a Department-wide policy. We believe this is a positive step and encourage the Department to finalize and issue this policy promptly.
To determine what data may have been lost as the result of a computer security incident, officials in all nine components interview the employee who reported the incident. Three components have developed questionnaires to conduct these interviews, while the other six components use more informal interviewing methods. Five components also use computer forensic techniques to supplement the information provided by the employee. DOJCERT told us that later in fiscal year 2007 it plans to release an Incident Response Handbook to provide the components with additional guidance on determining the type of data contained on lost equipment.
The Department has issued a standard definition of sensitive information in its Security Program Operating Manual, and seven components have developed component-specific definitions that are similar to the Department’s definition. The other two components use the Department’s definition. However, officials in seven of the nine components we reviewed stated that their components considered all information to be sensitive.
The Department currently relies on OMB’s definition of PII. Most of the components reviewed expressed the opinion that the Department should develop its own, more specific definition of PII because they believed that OMB’s definition was vague and overbroad. We agree and encourage the Department to clarify the definition of PII.
We make eight recommendations to help the Department improve its computer security incident reporting procedures, including the procedures for reporting data loss and classified incidents.
We recommend that the Department:

1. Require all components to ensure their procedures cover reporting of after-hours incidents.
2. Review each component’s procedures for reporting classified incidents to ensure those procedures comply with the standards in the Department’s Security Program Operating Manual.
3. Clarify the requirement that all losses of PII be reported within 1 hour, and to whom, so that all Department employees understand whom to report to and when the 1-hour timeframe begins and ends.
4. Ensure all components meet the established reporting timeframes.
5. Promptly implement a Department-wide policy for notifying affected individuals in the event of a loss of PII.
6. Develop a Department-specific definition of PII.
7. Consider whether any of the procedures described as “Best Practices” should be implemented across the Department.
8. Ensure that components update their internal policies to reflect correct reporting procedures in conformance with the DOJCERT Incident Response Plan template and to contain up-to-date titles of internal departments and staff.