Viewable by the world

Effective Date: October 1, 2011-September 30, 2012


Approved By: Rosio Alvarez, Chief Information Officer

Table of Contents

1.0 Introduction

The LBNL IT Assurance Plan is designed to ensure that LBNL IT efforts meet contractual requirements and support the LBNL mission. This plan is primarily concerned with functions provided by IT division for the laboratory. DOE requires a separate Cyber Security Assurance Plan, which is concerned with the institution's overall cyber security performance (as opposed to the performance of IT division specifically).

1.1 Approach to Assurance

Our approach to assurance is coupled to the ongoing oversight of programs and projects that is a normal and ongoing part of IT management. As such, our primary assurance is the annual development of strategic objectives accompanied by quarterly reports and/or meetings on those objectives between IT Senior Management and heads of Service Areas. The IT Strategic Plan details these objectives, strategies, and metrics by service area.

Independent assessments, including peer reviews, provide additional assurance along with our ongoing key metrics such as network availability and customer satisfaction.

2.0 Independent Assurance

2.1 Overview

IT systems are subject to a number of external assessments.

2.2 Peer Reviews

The IT Division conducts a peer review every three to five years, based on guidance provided by Operations. The last Peer Review was conducted in June of 2010. Peer reviewers are typically chosen from among similar institutions in the research, national laboratory, University, and nonprofit space. Peer Review typically produce recommendations and/or findings which are considered as part of the Division's strategic and tactical planning.

2.3 Internal Audit

In practice, IA conducts at least one IT focused audit each year. Results are shared with UC and LBNL management. Fiscal Year 2012 planned audits and advisories that may include IT are Data Security of Outsourced Applications (audit) and Export Controls (advisory).

2.4 Inspector General Operations Audits and Reviews

The DOE IG performs audits of M&O IT operations. Results from these reviews must be carefully calibrated due to the IG's focus on cost-savings opportunities regardless of impact on mission achievement.

2.5 Other DOE Reviews

The DOE Berkeley Site Office (BSO) conducts graded oversight reviews of the Laboratory's IT Operations. These reviews include ongoing operational awareness activities, and scheduled assessments and reviews into particular risks or control families. Assessment topics are generally planned and calendared at the start of the performance year.

Other IT-related assessments and informal evaluations, such as visits from the DOE Records Management Program or SC Privacy Officers, supplement these reviews.

3.0 Internal Assurance

At the beginning of the fiscal year, the IT director and service area leads agree on a portfolio of objectives in the IT Strategic Plan. Each objective includes a set of related strategies and metrics and key performance indicators that service area leads use to manage progress toward objectives. This plan forms the basis of self assessments.

3.1 Project Monitoring and Quarterly Reporting

Under the line management approach, service area leads are responsible for monitoring and reporting on projects in the strategic plan. Service area leads submit brief quarterly reports on the status of strategic objectives, including a summary of how the objective and related strategies were met, any changes in direction/approach, and/or significant problems or risks.

3.2 Project Assessments

Every year, the CIO will select one or more strategic projects for an in-depth assessment. For FY12, the CIO will assess the new Service Desk Project and the Identity Management Program.

3.3 Self-Assessment Risk Assessment

Excerpt from Cyber Security Assurance Plan:

"The Office of the CIO and the Cyber Security Program undertake annual risk and self assessments of its information technology posture. The risk-assessment process is designed to provide transparency to DOE and the Laboratory Community on current and emerging threats as well as residual risks from our security posture. The self-assessment process seeks to verify the effectiveness of technical, administrative, and operational controls.

Both processes are consistent with National Institute of Standards and Technology guidance. However, LBNL's approach is unique in that it utilizes a cost-damage model collaboratively developed with Carnegie Mellon University, and uses extensive narrative description to ensure that LBNL community members and oversight organizations can understand the risks clearly and in lay, comprehensible terms. Results are transmitted to DOE and are used as input for strategic planning and service management in the coming year.

Based on the annual risk assessment, cyber security plan owners will review and update plans as necessary to reflect any changes in technical, administrative, and operational controls."

3.4 Federal Manager’s Financial Integrity Act (FMFIA)/Entity Assessment Annual Self-Assessment

The Financial Management Assurance (FMA) program is DOE’s internal control assessment program to meet the requirements of the Financial Integrity Act (FMFIA) of 1982 and Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Internal Control, including Appendix A, Internal Control Over Financial Reporting. The FMA program requires an evaluation of programmatic and non-financial reporting administrative controls, an assessment of entity controls, and evaluation and testing of financial management reporting controls.

LBNL's FMFIA assessment is scheduled for Q4 FY12.

3.5 UC Self-Assessment

The University of California Office of the President, at the direction of the Regents, requires a self-assessment of each UC's compliance with IS-3.  In FY11, this was performed via an Internal Audit. A self-assessment for FY12 may occur.

4.0 Performance Measures

4.1 Performance Evaluation and Measurement Plan (PEMP)

FY12 PEMP Objective 6.5 states “Provide Efficient, Effective, and Responsive Management Systems for … Information Management…". No Notable Outcome for IT in FY12.

5.0 Assurance Systems and Assessment Schedule

5.1 DOE Requirements and Related Assurance Systems

DOE Requirements are listed on the CIO website with corresponding implementation measures and assurance systems. See DOE Crosswalks.

5.2 FY12 Assessment Schedule

Assessment Title


Performed By

Independent Assessments



Peer Review

Every 3-5 years, last assessed in June 2010

Similar institutions

Data Security of Outsourced Applications

Per IAS Audit Plan

LBNL Internal Audit Services

DOE Financial Statement Audit*

LBNL was selected for FY12. Audit conducted in June 2012.

DOE Inspector General using KPMG

DOE Federal Information Security Act (FISMA) Audit

LBNL was selected for FY12. Audit conducted in June 2012.

DOE Inspector General using KPMG

DOE IT General & Application Controls

LBNL was selected for FY12. Audit conducted in June 2012.

DOE Inspector General using KPMG

DOE IT Vulnerability Assessment

LBNL was selected for FY12. Audit conducted in June 2012.

DOE Inspector General using KPMG

DOE Cyber Security Incident Management Program

LBNL was selected for FY12. Audit conducted in April 2012.

DOE Inspector General

Berkeley Site Office Oversight Activities*



DOE-HSS Oversight Activities*



Internal Assessments



Project Assessments

Within 1 month of end of FY

Office of the CIO

Self-Assessment Risk Assessment

Annually by 10/1

Office of the CIO/Cyber Security Program

FMFIA/Entity Assessment

4th Quarter FY12 (Subset of controls related to IT operations)

LBNL Line Management

UC Self-Assessment*

Annually by 10/1 (if required by UC)

Office of the CIO/Cyber Security Program

*Assessment occurs at the discretion of oversight entity.

  • No labels