Justice breaks 1-hour rule

Agency’s security officials will comply, but some say reporting rule is impractical

IT security plans getting personal

It’s been a year since the Office of Management and Budget directed agencies to report security incidents within an hour after technicians discover them. But the Justice Department’s inspector general discovered that security officials in some Justice agencies, including the FBI, have a patchy record of compliance with the new rule.

OMB imposed the rule after several incidents last year in which personal data collected by the government was stolen or compromised. A quick response to data breaches gives federal agencies a better chance to recover the data and reduce the risk of identity theft.

After reviewing department procedures, Justice’s IG found security officials lax in reporting data incidents within an hour to department’s internal computer emergency team and to the Homeland Security Department’s U.S. Computer Emergency Readiness Team (US-CERT). “Officials from three components remarked that the one-hour time frame was impractical and unrealistic,” said Glenn Fine, Justice’s IG, in a report released earlier this month. 

Justice will implement the IG recommendations to clarify the one-hour rule and take other steps to improve information security procedures, said Vance Hitch, Justice’s chief information officer, in a letter to Fine last month.

Dennis Heretick, Justice’s chief information security officer, said he wants faster and better incident reporting. “I want [incidents] reported so we can take corrective action,” he said at a recent industry event. 

The IG’s report reveals that even departments that perform well on most measures of compliance with the Federal Information Security Management Act can falter in some aspects. Justice earned an A-minus on its fiscal 2006 FISMA score card after receiving a D the previous year.

In July 2006, OMB directed agencies to report to US-CERT any security incidents involving personal data breaches. However, Justice apparently directed its agencies to report incidents within one hour only to its internal computer emergency team.

Paul Proctor, research vice president at Gartner’s security and risk practice, said the one-hour reporting requirement appears designed to get agencies to act rather than consider options. “Clearly agencies need to do better reporting of suspected breaches, but this overly simplified reporting requirement will likely remain a challenge for organizations,” he said.

The IG examined 1,501 computer security incidents that nine Justice agencies reported last year. Those agencies reported only 15 percent of incidents involving personally identifiable information to Justice’s internal computer emergency team within an hour of their discovery, and none of those incidents were subsequently reported to US-CERT within an hour, the IG said.

Justice agencies develop their own incident response plans, internal policies and practices to conform to departmentwide policy. But some components have contradictory reporting procedures, or they have procedures for incidents reported after business hours that don’t comply with department policy, the IG found.

The IG also uncovered a discrepancy between the number of lost electronic devices reported within the FBI and the number recorded in Justice’s Incident Response and Vulnerability Patch Database, commonly called the Archer Database.
Officials responsible for federal employees’ personal records should safeguard and limit their use of Social Security numbers while the Office of Personnel Management develops a governmentwide employee identifier, according to a new memo from Linda Springer, OPM’s director.

“Once this new employee identifier is established, it will be an important tool in combating the serious and growing problem of identity theft,” Springer wrote in the June 18 memo to agency chief human capital officers.

Meanwhile, agencies should eliminate unnecessary printing and displaying of Social Security numbers on forms, reports and computer screens and restrict access to only those whose official duty requires it, Springer said.
— Mary Mosquera

The 2014 Federal 100

Get to know the 100 women and men honored this year for going above and beyond in federal IT.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above