HSS Logo Department of Energy Seal
Left Tab SEARCH Right Tab TOOLS Right Tab Left Tab HOME Right Tab Left Tab ABOUT US Right Tab Left Tab FUNCTIONS Right Tab Left Tab RESOURCES Right Tab Left Tab NEWSFEEDS Right Tab Left Tab VIDEOS Right Tab Left Tab EVENTS
Headquarters Security Operations
Home
Sub Offices
HQ Security Officers (HSO) Program
Office of Information Security
Office of Headquarters Personnel
Office of Physical Protection
Office of Executive Protection
Classified Matter Protection and Control
Equivalencies and Exemptions Programs
Facility Approval
Foreign Ownership Control or Influence Program
HSO Program
- 2012 Spotlights
- 2011 Spotlights
- Spotlights Archives (2009 - 2007)
Operations Security
Security Awareness Program
Security Survey Program
Headquarters Facilities Master Security Plan
Security Reference Book
Health, Safety and Security
HSS Logo

Headquarters Information Security Program

Office of Headquarters Security Operations

HSO SPOTLIGHT No. 002-2010 Classified Data Spills-E-mail Contaminations

What is the issue?  How to Request Computer Sanitization Services
Why do we need this?  Informational
Who is impacted? HSOs
What does the HSO need to do?:  Understand How to Request Computer Sanitization Support
 
   

Over the past 12 months, there have been 14 security incidents at DOE Headquarters wherein classified information was included in an unclassified e-mail. This is the second most frequent type of security incident that occurs at DOE Headquarters (leaving safes or vaults unsecured is the most frequent type of security incident). Most of these "classified data spills" (also known as "e-mail contaminations") must be reported to the Emergency Operations Center through the submission of a DOE Form 471.1, Security Incident Notification Report.

The purpose of this HSO Spotlight is to provide guidance on how to report data spills/e-mail contaminations to the Office of Chief Information Officer (IM) and describe what follow-up actions will be taken by that office. When it becomes known that classified information has been transmitted via an unclassified e-mail, the HSO should first coordinate with Jeffrey A. Zarkin, the Headquarters Security Incident and Infractions Program Manager, by calling him at x6-9934. During your conversation with Mr. Zarkin, do not identify the date or time the e-mail was transmitted because that information is itself classified. He will advise you if a DOE Form 471.1 needs to be submitted. He will also advise you to report the matter to IM in order to initiate computer sanitization efforts. The HSO makes the report to the IM by:

  • Telephoning the Enterprise Service Center Help Desk at x3-2500. Immediately press "0" to talk with a Help Desk representative.
  • Telling the Help Desk representative that you want to report a "classified data spill." Answer whatever questions the Help Desk representative might have. These questions should relate to verifying the HSO's identity and contact information. The questions should not include the property number(s) of the computer(s) involved, the date or time of transmission, or any other specific details of the event. If a DOE F 471.1 is required, the HSO can now state on that form that sanitization efforts have been initiated.

The Help Desk representative will create a "ticket" reflecting that a "classified data spill" has occurred. The ticket is passed to the IM Cyber Incident Response Team (IM-CIRT) for action. The IM-CIRT will contact the HSO who reported the security incident for the additional information needed to locate and sanitize the contaminated computers and Blackberry devices, if any.

The IM-CIRT will sanitize the servers used to transmit the e-mail and the desktop or laptop computers of each recipient of the contaminated e-mail. The IM-CIRT may ask the HSO to assist in contacting all those with contaminated computers. Please be aware that it often takes a minimum of 8 hours to fully sanitize a contaminated computer.

If the e-mail was transmitted to a Blackberry device, that device will have to be recovered and stored as classified information. Currently, all Blackberry devices involved in a contamination must be destroyed; however, alternatives to destruction are under consideration.

The IM-CIRT will provide training on this topic at the next HSO Quarterly Meetings to be held on May 12 and 13, 2010. If you have any questions regarding this HSO Spotlight, please contact Christopher Crowley, the IM-CIRT leader, at (301) 903-8222, (301) 525-6782, or by encrypted e-mail.

  
This page was last updated on May 09, 2012