Justice breaks 1-hour rule

It’s been a year since the Office of Management and Budget directed agencies to report security incidents within an hour after technicians discover them. But the Justice Department’s inspector general discovered that security officials in some Justice agencies, including the FBI, have a patchy record of compliance with the new rule.OMB imposed the rule after several incidents last year in which personal data collected by the government was stolen or compromised. A quick response to data breaches gives federal agencies a better chance to recover the data and reduce the risk of identity theft.After reviewing department procedures, Justice’s IG found security officials lax in reporting data incidents within an hour to department’s internal computer emergency team and to the Homeland Security Department’s U.S. Computer Emergency Readiness Team (US-CERT). “Officials from three components remarked that the one-hour time frame was impractical and unrealistic,” said Glenn Fine, Justice’s IG, in a report released earlier this month.  Justice will implement the IG recommendations to clarify the one-hour rule and take other steps to improve information security procedures, said Vance Hitch, Justice’s chief information officer, in a letter to Fine last month. Dennis Heretick, Justice’s chief information security officer, said he wants faster and better incident reporting. “I want [incidents] reported so we can take corrective action,” he said at a recent industry event.  The IG’s report reveals that even departments that perform well on most measures of compliance with the Federal Information Security Management Act can falter in some aspects. Justice earned an A-minus on its fiscal 2006 FISMA score card after receiving a D the previous year.In July 2006, OMB directed agencies to report to US-CERT any security incidents involving personal data breaches. However, Justice apparently directed its agencies to report incidents within one hour only to its internal computer emergency team. Paul Proctor, research vice president at Gartner’s security and risk practice, said the one-hour reporting requirement appears designed to get agencies to act rather than consider options. “Clearly agencies need to do better reporting of suspected breaches, but this overly simplified reporting requirement will likely remain a challenge for organizations,” he said.The IG examined 1,501 computer security incidents that nine Justice agencies reported last year. Those agencies reported only 15 percent of incidents involving personally identifiable information to Justice’s internal computer emergency team within an hour of their discovery, and none of those incidents were subsequently reported to US-CERT within an hour, the IG said.Justice agencies develop their own incident response plans, internal policies and practices to conform to departmentwide policy. But some components have contradictory reporting procedures, or they have procedures for incidents reported after business hours that don’t comply with department policy, the IG found. The IG also uncovered a discrepancy between the number of lost electronic devices reported within the FBI and the number recorded in Justice’s Incident Response and Vulnerability Patch Database, commonly called the Archer Database.