Review of the Department of Justice’s Reporting Procedures for Loss of Sensitive Electronic Information

Evaluation and Inspections Report I-2007-005
June 2007
Office of the Inspector General


Appendix XIV
OIG Analysis of the Office of the Chief Information Officer Response

On May 4, 2007, the OIG sent copies of the draft report to the Office of the Deputy Attorney General, the Office of Privacy and Civil Liberties of the Deputy Attorney General, the Office of the Chief Information Officer (CIO), and the nine components involved in the review with a request for comments. In a memorandum dated May 25, 2007, the Office of the CIO responded to the report’s eight recommendations on behalf of the Department of Justice (Department). As a result of that response, Recommendation 7 is closed, and Recommendations 1 through 6 and 8 are resolved and remain open.

In addition to the comments received from the Office of the CIO, we received formal comments from the DEA and the USMS. We address their comments in Appendices XV through XVIII below. The Criminal Division, EOUSA, the FBI, and the Tax Division sent informal comments discussing technical and factual matters, and we made revisions to the report where appropriate to address these comments. ATF, the BOP, and JMD did not offer any technical or factual corrections to the report.

Summary of the Office of the CIO Response and OIG Analysis

Recommendation 1.  Require all components to ensure their procedures cover reporting of after-hours incidents.

Status. Resolved – open.

Summary of the Office of the CIO Response. The Office of the CIO concurred with this recommendation and stated that the Department of Justice Computer Emergency Readiness Team (DOJCERT) will update the Incident Response Plan template with procedures to cover reporting of after-hours incidents within 120 days.

OIG Analysis. The action proposed by the Office of the CIO is responsive to our recommendation. So that we may close this recommendation, please provide the OIG with a copy of the revised Incident Response Plan template reflecting these updates by October 1, 2007.

Recommendation 2.  Review the components’ procedures for reporting classified incidents to ensure those procedures comply with the standards in the Department’s Security Program Operating Manual.

Status. Resolved – open.

Summary of the Office of the CIO Response. The Office of the CIO concurred with this recommendation and stated that it would issue a clarification to the components within 120 days to ensure their procedures for reporting classified incidents comply with the standards in the Department’s Security Program Operating Manual.

OIG Analysis. The action proposed by the Office of the CIO is responsive to our recommendation. So that we may close this recommendation, please provide the OIG with a copy of the clarification to the components by October 1, 2007.

Recommendation 3.  Clarify the requirement that all losses of PII be reported within 1 hour and to whom so that all Department employees understand who to report to and when the 1-hour timeframe begins and ends.

Status. Resolved – open.

Summary of the Office of the CIO Response. The Office of the CIO concurred with this recommendation and stated that it would work with the Office of Management and Budget (OMB) and the United States Computer Emergency Readiness Team (US‑CERT) to clarify the 1-hour reporting requirement. The Office of the CIO stated that existing Department documentation will be updated within 120 days to reflect the results of these discussions.

OIG Analysis. The action proposed by the Office of the CIO is responsive to our recommendation. So that we may close this recommendation, please provide the OIG with a copy of the revised Incident Response Plan template reflecting these updates by October 1, 2007.

Recommendation 4.  Ensure all components meet the established reporting timeframes.

Status. Resolved – open.

Summary of the Office of the CIO Response. The Office of the CIO concurred with this recommendation and stated that once it has completed the actions proposed for Recommendation 3, it will develop reporting metrics within the Archer Database to track the components’ compliance with the reporting timeframes.

OIG Analysis. The action proposed by the Office of the CIO is responsive to our recommendation. Please provide the OIG, by October 1, 2007, with a description of the reporting metrics and the methods for collecting the necessary information, printed screen views showing how the Archer Database has been modified to incorporate the reporting metrics, and a plan of action describing how DOJCERT will respond if the reporting metrics indicate that a component is failing to meet the required timeframes. If these actions are not completed by October 1, please provide the OIG with a status report at that time.

Recommendation 5.  Promptly implement a Department-wide policy for notifying affected individuals in the event of a loss of personally identifiable information (PII).

Status. Resolved – open.

Summary of the Office of the CIO Response. The Office of the CIO concurred with this recommendation and stated that it was working with the Department’s Office of Privacy and Civil Liberties to develop a Data Breach Notification Policy. The Office of the CIO stated that it would issue the policy within 90 days.

OIG Analysis. The action proposed by the Office of the CIO is responsive to our recommendation. So that we may close this recommendation, please provide the OIG with a copy of the Department’s Data Breach Notification Policy by October 1, 2007.

Recommendation 6.  Develop a Department-specific definition of PII.

Status. Resolved – open.

Summary of the Office of the CIO Response. The Office of the CIO concurred with this recommendation, with reservations, stating that the Department’s Chief Privacy and Civil Liberties Officer had asked OMB specifically if the Department could develop its own definition of PII in response to this recommendation. OMB expressed reservations about the Department’s request. The Office of the CIO and the Department’s Chief Privacy and Civil Liberties Officer will continue working with OMB on the issue.

OIG Analysis. The action proposed by the Office of the CIO is responsive to our recommendation. Please provide the OIG with either a Department-specific definition of PII or a status report on the discussions with OMB by October 1, 2007.

Recommendation 7.  Consider whether any of the procedures described as “Best Practices” should be implemented across the Department.

Status. Resolved – closed.

Summary of the Office of the CIO Response. The Office of the CIO concurred with this recommendation and stated that it would review the “Best Practices” identified in this report, as well as “Best Practices” identified by other government agencies, and evaluate the feasibility of implementing them across the Department. The Office of the CIO anticipated being able to complete this evaluation within 90 days.

OIG Analysis. The action proposed by the Office of the CIO is responsive to our recommendation. This recommendation is closed.

Recommendation 8.  Ensure that components update their internal policies to reflect correct reporting procedures in conformance with the DOJCERT Incident Response Plan template and contain up-to-date titles of internal departments and staff.

Status. Resolved – open.

Summary of the Office of the CIO Response. The Office of the CIO concurred with this recommendation and stated that it would work with the components to ensure that the components’ internal policies reflected correct procedures and current personnel. The Office of the CIO anticipated that it would complete this process within 120 days.

OIG Analysis. The action proposed by the Office of the CIO is responsive to our recommendation. So that we may close this recommendation, please provide the OIG with a certification from the Office of the CIO confirming that all components have updated their internal policies by October 1, 2007. If these actions are not completed by October 1, please provide the OIG with a status report at that time.
