"This Plan identifies key Department officials who will serve on the Identity Theft Task Force (ID Theft Task Force) to develop strategies for handling data security breaches, including those incidents posing a potential risk of identity theft. In addition, the Plan specifies the responsibilities of the ID Theft Task Force, whose mission is to provide advance planning, guidance, in-depth analysis, and a recommended course of action in response to a data breach/loss. In the event of a data breach/loss declared by a Department Bureau/Office to be of moderate or high risk, the ID Theft Task Force will be convened promptly, conduct a risk analysis to validate the level of risk associated with the loss, review all relevant compensating controls in place to protect the data after the loss, determine whether the breach poses risks related to identity theft or other harms,3 and timely implement a risk-based, tailored response to each breach. As part of this process, the ID Theft Task Force will consider all existing compensating controls available to protect PII data after loss. This Plan establishes a procedure that supplements current requirements for reporting and handling incidents pursuant to Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST) Special Publication 800-61, Computer Security Incident Handling Guide, and the concept of operations for Department of Homeland Security (DHS), United States - Computer Emergency Readiness Team (US-CERT). All Department Bureaus, Offices, organizations, and contractors are responsible for compliance with policies and procedures as set forth in this Plan."
U.S. Dept. of Commerce, Office of the Chief Information Officer: http://ocio.os.doc.gov/index.htm