OIG Evaluation and Inspections Report I-2007-005

Review of the Department of Justice’s Reporting Procedures for Loss of Sensitive Electronic Information

Evaluation and Inspections Report I-2007-005
June 2007
Office of the Inspector General

Purpose

The purpose of this review was to provide an overview of the policies and procedures that Department components are required to follow to respond to and report computer security incidents.

Scope

This review examined nine of the Department’s components:

Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF);
Federal Bureau of Prisons (BOP);
Criminal Division;
Drug Enforcement Administration (DEA);
Executive Office for United States Attorneys (EOUSA);
Federal Bureau of Investigation (FBI);
Justice Management Division (JMD);
Tax Division; and
United States Marshals Service (USMS).

These 9 components accounted for 69 percent of the total number of all computer security incidents reported to DOJCERT between December 2005 and November 2006. According to the 9 components, taken together they have 229 databases that contain PII. These databases contain personal information from or about the public and therefore present a potentially serious risk to the public if this sensitive data is lost.

We identified each component’s reporting procedures for the following situations:

Losses of electronic devices, including hardware such as laptops and BlackBerry devices that potentially could contain sensitive information; and
Compromises of sensitive information, including PII and classified information, through unauthorized access to computer systems or data.

We also determined:

Whether the components had procedures to identify the information that was lost,
Whether the components had procedures to notify the affected parties, and
Whether the components had procedures for reporting computer security incidents outside normal business hours.

However, the review did not:

Examine Department or component procedures for tracking, protecting, or controlling sensitive information or PII prior to the reported occurrences;
Examine Department or component procedures for tracking, protecting, or controlling removable electronic media, including disks, CD-ROMs, and flash drives;
Verify components’ compliance with reporting procedures by means of a case file review;
Verify that all computer security incidents are reported; or
Verify the accuracy of the data contained in the Archer Database.

Methodology

The methodology used in this review consisted of interviews with 40 staff, document review and analysis, and data analysis.

Interviews. To determine the computer security incident reporting procedures followed by each of the components, we interviewed officials from all nine components, including the headquarters-based individuals with primary responsibility for contacting DOJCERT on behalf of the component. For those components with field offices, we interviewed a field office official with computer security incident reporting responsibilities. We also interviewed officials from the Office of the CIO, the Security and Emergency Planning Staff (SEPS), and the Office of the Deputy Attorney General to discuss Department-wide standards for computer security incident reporting and Department-wide issues concerning privacy.

Department Component	Officials Interviewed
ATF	Chief, Product Assurance Branch Information Systems Security Officer Project Manager, Information Systems Security Office Special Agent in Charge, Investigations Division Assistant Special Agent in Charge, Investigations Division Assistant Special Agent in Charge, Miami Field Division
BOP	Chief, IT Planning and Development Chief, Information Security Information Technology Security Administrator Program Analyst, Information Security Programs Section Supervisory Management Analyst, Internal Affairs Division Computer Services Manager, Allenwood Federal Correctional Complex
Criminal Division	Director, Information Technology Management Information Systems Security Officer
DEA	Chief, Information Security Deputy Chief Information Officer Deputy Chief Counsel Security Programs Manager Assistant Special Agent in Charge, Houston Field Division
EOUSA	Information Systems Security Officer Senior Security Programs Specialist District Office Security Manager, Southern District of New York Executive Assistant U.S. Attorney, Central District of California
FBI	Unit Chief, Assurance Management Unit Unit Chief, Security Compliance Unit Unit Chief, Enterprise Security Operations Center Unit Chief, Major Theft Unit Assistant Special Agent in Charge, New York Field Division
JMD	Chief Information Security Officer, Office of the CIO Deputy Director for Information Technology Security, Office of the CIO DOJCERT Project Manager, Office of the CIO Assistant Director for Information Safeguards and Security Oversight, SEPS Security Specialist, SEPS Information Systems Security Officer, Personnel Staff
Tax Division	Executive Officer Associate Executive Officer Information Technology Specialist
USMS	Chief, Enterprise Management Chief Deputy U.S. Marshal, District of Colorado
Office of the Deputy Attorney General	Chief Office of Privacy and Civil Libertiesr

Document Review and Analysis. We reviewed federal, Department, and component procedures and policies regarding computer security incident reporting. These included various federal statutes, memorandums issued by OMB, US-CERT’s Concept of Operations, Department Orders, memorandums issued by the Deputy Attorney General, memorandums issued by the Department’s CIO, the DOJCERT Incident Response Plan Template, the Department’s IT Security Standard on Incident Response, documents detailing the Department’s compliance with FISMA, the components’ Incident Response Plans, and the components’ IT security policies. See Appendices X and XI for a complete list of the acts, directives, standards, and component policies we reviewed.

Data Analysis. DOJCERT maintains a database titled the DOJCERT Incident Response and Vulnerability Patch Database, also known as the Archer Database, for tracking all computer security incidents, including data loss incidents. We downloaded data from this database to identify all computer security incidents reported by the nine components that occurred in the 12-month period of December 1, 2005, through November 30, 2006. Within each incident category defined in the DOJCERT Incident Response Plan, we analyzed compliance with reporting timeframes.

We also conducted an analysis of this data to determine the number of incidents reported by each component that involved actual or potential loss of PII or classified information. We determined that an incident involved actual or potential loss of PII if the database showed that the components answered “Yes” or “Unknown,” respectively, when asked if an incident involved personal data loss. We determined that an incident potentially involved classified information based on the incident description provided in the database. We did not verify this data with either DOJCERT or the components’ internal records.

In addition, we analyzed the components’ compliance with the July 12, 2006, OMB memorandum requiring all federal agencies to report actual or potential losses of PII within 1 hour.