Incident Management and Response
How to Report an Incident
Report Privacy Incidents as soon as possible
VA is required to report Privacy Incidents to US-CERT within 1 hour of discovering the incident.
Always report suspected or confirmed privacy and security incidents to your Privacy Officer, Information Security Officer, and (for VA employees) your supervisor immediately upon suspicion. To find your Privacy Officer, contact VA Privacy Service at 202-273-5070 or email firstname.lastname@example.org.
After normal business hours, weekend or holidays, contact the National Service Desk (NSD) by calling 1-855-673-4357 (Option 6, Option 1) or sending an email to NSD.VPNSecurity@va.gov. The NSD will open a ticket and route it to the NSOC Network Defense Center (NDC), who will then open a PSETS ticket for the Privacy Officer.
Information that the caller needs to submit
The caller should be prepared to answer questions about the incident such as:
- Caller’s name
- Phone number
- Office (location)
- Date of incident
- What was lost, compromised, or disclosed?
- What happened?
- Was data encrypted if it was an electronic device?
- Was the electronic device turned on, and if so, was it password protected?
The Incident Management and Response operation was implemented in response to the VA Information Security Enhancement Act of 2006 and other related laws. The Act, which established Information Technology (IT) requirements for VA Sensitive Personal Information (SPI), mandates that VA develop the following:
- Procedures for detecting, immediately reporting, and responding to security incidents
- Method of notification to Congress of any significant data breaches involving SPI
- Provision of credit protection services, if necessary to those individuals whose SPI may have been compromised
- Procedures for Incident Management and Response to detect, report and analyze all complaints, incidents and breaches
The details of the provisions Incident Management and Response adapted consist of the following:
- Section 13402 of the HITECH Act and the Breach Notification Rule at 45 C.F.R. § 164.400-414 required covered entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates to notify individuals of breaches involving their unsecured protected health information (PHI)
- The Office of Management and Budget (OMB) M-07-16, Safeguarding Against and Responding to Breach of Personally Identifiable Information, required agencies to develop and implement a breach notification policy while maintaining proper safeguards to protect such information
Based on these provisions, an incident is any event that has resulted in, or has the potential to result in, unauthorized access to or disclosure of VA SPI in a manner not permitted under the applicable confidentiality provisions which poses a risk of financial, reputation or other harm to the individual.
Privacy Incident: The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, and for any other than an authorized purpose, have access or potential access to SPI in any usable form, whether physical or electronic. This term encompasses both suspected and confirmed incidents involving SPI.
Personally Identifiable Information (PII): PII is any information about an individual that can be used to distinguish or trace an individual’s identity, alone, or when combined with other information which is linked or linkable to a specific individual, such as: name, social security number, date and place of birth, mother’s maiden name, telephone number, driver’s license number, credit card number, photograph, finger prints, biometric records, education, financial transactions, medical history, and criminal or employment history, etc.
Sensitive Personal Information (SPI): SPI, as defined in VA Handbook 6500, is any information about the individual maintained by an agency, including the following: (i) education, financial transactions, medical history, and criminal or employment history; and (ii) information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records.
Examples of Privacy Incidents: Hacker obtains information from laptops; unauthorized access to personnel files; papers left on community printer with names, addresses and account numbers; employee roster posted on portal disclosing name, personal cell phone number, and home address; key logger gains access to a computer and its accounts.
Incident Prevention. Security and privacy policies and system security controls are the primary mechanisms for preventing and reducing the number of data breach incidents. VA personnel ensures that appropriate policies and controls exist to protect SPI and VA information systems using, storing and transmitting SPI.
Incident Detection, Reporting, and Analysis. Incident detection and reporting occurs either through technical detection or reporting of the incident. VA employees must immediately report to their supervisor, Privacy Officer (PO), and Information Security Officer (ISO) any data incident involving the compromise of any VA sensitive information. The PO and/or ISO will promptly report the incident (within one hour of notification) to the VA-Network Security Operations Center (VA-NSOC) in accordance with the OIT Incident Management procedures.
Corrective/Mitigation Action. After an incident has been detected and reported, the steps necessary to contain the incident are taken. Depending on the results of the analysis, recovery activities may include training employees on applicable policy and proper procedures and providing notice or credit protection services to individuals who’s SPI was compromised in a data breach. While engaging in these activities, VA officials will also collect evidence to support potential legal proceedings.
Post-Incident Activity. Post incident activity involves:
- asking questions about the incident, such as what happened; when; and how well staff and management responded;
- confirming that the incident is closed by addressing the incident in writing and providing closure;
- using collected incident information to improve processes, and retain evidence.