Review of the Department of Justice’s Reporting Procedures for Loss of Sensitive Electronic Information

Evaluation and Inspections Report I-2007-005
June 2007
Office of the Inspector General

Purpose, Scope, and Methodology of the OIG Review


The purpose of this review was to provide an overview of the policies and procedures that Department components are required to follow to respond to and report computer security incidents.


This review examined nine of the Department’s components:

These 9 components accounted for 69 percent of the total number of all computer security incidents reported to DOJCERT between December 2005 and November 2006. According to the 9 components, taken together they have 229 databases that contain PII. These databases contain personal information from or about the public and therefore present a potentially serious risk to the public if this sensitive data is lost.

We identified each component’s reporting procedures for the following situations:

We also determined:

However, the review did not:


The methodology used in this review consisted of interviews with 40 staff, document review and analysis, and data analysis.

Interviews. To determine the computer security incident reporting procedures followed by each of the components, we interviewed officials from all nine components, including the headquarters-based individuals with primary responsibility for contacting DOJCERT on behalf of the component. For those components with field offices, we interviewed a field office official with computer security incident reporting responsibilities. We also interviewed officials from the Office of the CIO, the Security and Emergency Planning Staff (SEPS), and the Office of the Deputy Attorney General to discuss Department-wide standards for computer security incident reporting and Department-wide issues concerning privacy.

Officials Interviewed


  • Chief, Product Assurance Branch
  • Information Systems Security Officer
  • Project Manager, Information Systems Security Office
  • Special Agent in Charge, Investigations Division
  • Assistant Special Agent in Charge, Investigations Division
  • Assistant Special Agent in Charge, Miami Field Division


  • Chief, IT Planning and Development
  • Chief, Information Security
  • Information Technology Security Administrator
  • Program Analyst, Information Security Programs Section
  • Supervisory Management Analyst, Internal Affairs Division
  • Computer Services Manager, Allenwood Federal Correctional Complex


  • Director, Information Technology Management
  • Information Systems Security Officer


  • Chief, Information Security
  • Deputy Chief Information Officer
  • Deputy Chief Counsel
  • Security Programs Manager
  • Assistant Special Agent in Charge, Houston Field Division


  • Information Systems Security Officer
  • Senior Security Programs Specialist
  • District Office Security Manager, Southern District of New York
  • Executive Assistant U.S. Attorney, Central District of California


  • Unit Chief, Assurance Management Unit
  • Unit Chief, Security Compliance Unit
  • Unit Chief, Enterprise Security Operations Center
  • Unit Chief, Major Theft Unit
  • Assistant Special Agent in Charge, New York Field Division


  • Chief Information Security Officer, Office of the CIO
  • Deputy Director for Information Technology Security, Office of the CIO
  • DOJCERT Project Manager, Office of the CIO
  • Assistant Director for Information Safeguards and Security Oversight, SEPS
  • Security Specialist, SEPS
  • Information Systems Security Officer, Personnel Staff

Tax Division

  • Executive Officer
  • Associate Executive Officer
  • Information Technology Specialist


  • Chief, Enterprise Management
  • Chief Deputy U.S. Marshal, District of Colorado

Office of the
Deputy Attorney

  • Chief Office of Privacy and Civil Libertiesr

Document Review and Analysis. We reviewed federal, Department, and component procedures and policies regarding computer security incident reporting. These included various federal statutes, memorandums issued by OMB, US-CERT’s Concept of Operations, Department Orders, memorandums issued by the Deputy Attorney General, memorandums issued by the Department’s CIO, the DOJCERT Incident Response Plan Template, the Department’s IT Security Standard on Incident Response, documents detailing the Department’s compliance with FISMA, the components’ Incident Response Plans, and the components’ IT security policies. See Appendices X and XI for a complete list of the acts, directives, standards, and component policies we reviewed.

Data Analysis. DOJCERT maintains a database titled the DOJCERT Incident Response and Vulnerability Patch Database, also known as the Archer Database, for tracking all computer security incidents, including data loss incidents. We downloaded data from this database to identify all computer security incidents reported by the nine components that occurred in the 12-month period of December 1, 2005, through November 30, 2006. Within each incident category defined in the DOJCERT Incident Response Plan, we analyzed compliance with reporting timeframes.

We also conducted an analysis of this data to determine the number of incidents reported by each component that involved actual or potential loss of PII or classified information. We determined that an incident involved actual or potential loss of PII if the database showed that the components answered “Yes” or “Unknown,” respectively, when asked if an incident involved personal data loss. We determined that an incident potentially involved classified information based on the incident description provided in the database. We did not verify this data with either DOJCERT or the components’ internal records.

In addition, we analyzed the components’ compliance with the July 12, 2006, OMB memorandum requiring all federal agencies to report actual or potential losses of PII within 1 hour.

« Previous Table of Contents Next »