By Daniel Pulliam
June 18, 2007
Officials at the Justice Department have failed to report certain
computer security incidents within the time frame required by the Office
of Management and Budget, according to an audit report released Monday.
The 142-page report from Justice's inspector general office found
that the department had not consistently implemented a July 2006 OMB
requirement that agencies report data breaches involving the loss of
personally identifiable information within one hour of discovery. Recent
computer security incidents, including the Veterans Affairs Department's
May 2006 loss of 26.5 million records containing sensitive information
on veterans, prompted the requirement.
Two of nine agencies within the department had not updated their
policies and procedures to include the new OMB requirement, the IG
found. And an analysis of nearly 200 computer security incidents from
July to November 2006 found that officials failed to consistently report
the loss of personally identifiable information within one hour to the
department's Computer Emergency Readiness Team. The audit found that
none of the incidents were reported within one hour to the Homeland
Security Department's Computer Emergency Readiness Team, or US-CERT, as
required by OMB.
Auditors also found that none of the department's component agencies
have established procedures for notifying people who could be affected
by the loss of personal information. "We believe that the lack of
procedures could cause delays in notifying individuals whose information
has been compromised, increasing the individuals' risk of falling victim
to fraud or identity theft," the report stated.
In addition, the IG found that officials at the nine Justice agencies
believed their employees followed the proper internal reporting
procedures when issuing notifications of security incidents. But the
information technology staff of the FBI was not always doing so in
practice, the auditors found.
Incident reports are sent to two separate offices at the FBI, yet only
one is required to relay them to the Justice team, the IG noted. The
result is that some incidents do not get reported, the report stated.
On a more positive note, the IG found that several Justice agencies have
taken extra steps to minimize unauthorized access to sensitive
information and to educate employees on reporting requirements. These
include posting security information on their intranet sites or on
employee computer monitors upon login. The IG urged officials to
consider adopting these procedures across the department.
Justice officials told the IG that reporting within an hour is not
practical. They also said the guidance on reporting to US-CERT -- the
organization responsible for coordinating the response to computer
security incidents governmentwide -- is not clear on whether reports
must arrive within the same hour as those to the Justice readiness team.
But officials concurred with the IG's eight recommendations to help
improve the department's procedures, including one to clarify the
deadlines for reporting incidents. The department also agreed to
instruct agencies on proper reporting of incidents with classified
information, and is developing reporting measures for ensuring that all
agencies meet established time frames. Additionally, officials are
developing procedures for notifying people affected by a loss of