Cyber Security Risk Management Approach

Title:	Cyber Security Risk Management Approach
Publication date:	6/15/2021
Effective date:	3/20/2007

BRIEF

Policy Summary

This policy describes roles and responsibilities for Berkeley Lab's cyber security risk management approach.

Who Should Read This Policy

Employees and affiliates with Cyber Security Program responsibilities, including enclave owners and enclave security coordinators

To Read the Full Policy, Go To:

The POLICY tab on this wiki page

Contact Information

Information Technology Policy Manager
Information Technology Division
[email protected]

Title:	Cyber Security Risk Management Approach
Publication date:	6/15/2021
Effective date:	3/20/2007

POLICY

A. Purpose

The purpose of this policy is to establish and maintain a risk management approach that appropriately and cost-effectively mitigates cyber security risks at Lawrence Berkeley National Laboratory (Berkeley Lab).

B. Persons Affected

This policy applies to employees and affiliates with cyber security program responsibilities and related compliance activities.

C. Exceptions

None.

D. Policy Statement

Berkeley Lab manages risk to systems consistent with Department of Energy and Office of Science requirements using a cost-effective approach that balances mission and risk.
Description of Systems
1. Berkeley Lab groups information technology into enclaves that serve as systems for the purpose of cyber security policy and management.
2. Any organized unit of Berkeley Lab may request that it be treated as an enclave for the purpose of cyber security management.
The Deputy CIO for Technology and Policy must approve minimum security controls and policies for all enclaves. Enclaves must implement minimum security controls and policies.
The Policy and Risk Manager must develop procedures and requirements for the risk management approach, system authorization, disaster recovery testing, plan of action and milestones, assurance, and other related processes. Enclaves must follow the procedures and requirements where applicable.

E. Roles and Responsibilities

Role	Responsibility
Chief Information Officer	Oversees site risk management approach, including system authorization responsibilities
Deputy CIO for Technology and Policy	Develops the site risk management approach Communicates the risk-management approach to the Berkeley Lab community Approves minimum security controls and policies Designates enclave boundaries and maintains the authoritative list of enclaves
Cyber Security Manager	Manages implementation of the Cyber Security Program for Berkeley Lab Assists in the development of the site risk management approach and the selection of minimum security controls and policies Manages implementation of security controls to mitigate cyber risk Ensures that the Cyber Security Program is continuously monitoring and responding to cyber risks Conducts high-quality risk analysis and planning for cyber decision-making
Policy and Risk Manager	Develops procedures and requirements to support the site risk management approach Assists in the development of the site risk management approach and the selection of minimum security controls and policies Ensures Cyber Security Program appropriately meets regulatory requirements and manages risk Conducts high-quality risk analysis and planning for cyber decision-making
Enclave Owners	Understand the risks identified and the controls in place to mitigate against those risks within their enclave Monitor the risks and notify the Chief Information Officer or their designee of changes in the cyber security profile of their enclave
Enclave Cyber Security Coordinators	Coordinate the implementation of site risk management procedures and requirements in their enclave Provide input into the site risk management approach and related procedures and requirements

F. Definitions/Acronyms

Term	Definition
Enclave	Groups of information technology that share a similar level of risk, use similar controls, and are under the same management. Enclave serves as a synonym for system as defined in the National Institute of Standards and Technology Special Publication 800-37, Revision 1.

G. Recordkeeping Requirements

None.

H. Implementing Documents

None.

I. Contact Information

Information Technology Policy Manager
Information Technology Division
[email protected]

J. Revision History

Date	Revision	By Whom	Revision Description	Section(s) Affected	Change Type
1/2/2012	0	J. Bonaguro	Re-write for wiki (brief)	All	Minor
8/21/2012	1	J. Bonaguro	Re-write for wiki (policy)	All	Minor
2/7/2014	1.1	J. Bonaguro	Edited to clarify roles	D and E	Minor
3/30/2017	1.2	S. Lau	Minor typographical edits	All	Minor
6/15/2021	1.2	A. Sultan	Periodic review. No changes.	All	Editorial

DOCUMENT INFORMATION

Title:	Cyber Security Risk Management Approach
Document number	10.01.006.000
Revision number	1.2
Publication date:	6/15/2021
Effective date:	3/20/2007
Next review date:	6/15/2024
Policy Area:	Information Technology
RPM Section (home)	Information Management
RPM Section (cross-reference)	none
Functional Division	Information Technology
Prior reference information (optional)

Source Requirements Documents

DOE O 205.1C, Department of Energy Cybersecurity Management Program, CRD
DOE P 205.1, Departmental Cyber Security Management Policy
DOE Office of Science Program Cybersecurity Plan, June 2010

Implementing Documents

None

Space shortcuts

Page tree

RPM | REQUIREMENTS AND POLICIES MANUAL

BRIEF

Policy Summary

Who Should Read This Policy

To Read the Full Policy, Go To:

Contact Information

POLICY

A. Purpose

B. Persons Affected

C. Exceptions

D. Policy Statement

E. Roles and Responsibilities

F. Definitions/Acronyms

G. Recordkeeping Requirements

H. Implementing Documents

I. Contact Information

J. Revision History

DOCUMENT INFORMATION

Source Requirements Documents

Implementing Documents