The issue with this, the report explained, was multifaceted. "Department policy requires employees to report cybersecurity incidents to IRM security officials when any improper cyber-security practice comes to their attention... Notification is required when a user suspects compromise of, among other things, a personally owned device containing personally identifiable information... However, OIG found no evidence that the Secretary or her staff reported these incidents to computer security personnel or anyone else within the Department."
Sign up for CIO Asia eNewsletters.