Effective Date: October 1, 2012 - September 30, 2013
Approval
Approved By: Rosio Alvarez, Chief Information Officer
Table of Contents
1.0 Introduction
The LBNL IT Assurance Plan is designed to ensure that LBNL IT efforts meet contractual requirements and support the LBNL mission. This plan is primarily concerned with functions provided by IT division for the laboratory. DOE requires a separate Cyber Security Assurance Plan, which is concerned with the institution's overall cyber security performance (as opposed to the performance of IT division specifically).
1.1 Approach to Assurance
Our approach to assurance is coupled to the ongoing oversight of programs and projects that is a normal and ongoing part of IT management. As such, our primary assurance is the annual development of strategic objectives accompanied by quarterly reports and/or meetings on those objectives between IT Senior Management and heads of Service Areas. The IT Strategic Plan details these objectives, strategies, and metrics by service area.
Independent assessments, including peer reviews, provide additional assurance along with our ongoing key metrics such as network availability and customer satisfaction.
2.0 Independent Assurance
2.1 Overview
IT systems are subject to a number of external assessments.
2.2 Peer Reviews
The IT Division conducts a peer review every three to five years, based on guidance provided by Operations. The last Peer Review was conducted in June of 2010. Peer reviewers are typically chosen from among similar institutions in the research, national laboratory, University, and nonprofit space. Peer Review typically produce recommendations and/or findings which are considered as part of the Division's strategic and tactical planning.
2.3 Internal Audit
In practice, IA conducts at least one IT focused audit each year. Results are shared with UC and LBNL management. Fiscal Year 2013 planned audits include IT Governace.
2.4 Inspector General Operations Audits and Reviews
The DOE IG performs audits of M&O IT operations. Results from these reviews must be carefully calibrated due to the IG's focus on cost-savings opportunities regardless of impact on mission achievement.
2.5 Other DOE Reviews
The DOE Berkeley Site Office (BSO) conducts graded oversight reviews of the Laboratory's IT Operations. These reviews include ongoing operational awareness activities, and scheduled assessments and reviews into particular risks or control families. Assessment topics are generally planned and calendared at the start of the performance year.
Other IT-related assessments and informal evaluations, such as visits from the DOE Records Management Program or SC Privacy Officers, supplement these reviews.
2.6 Advisory Board
An external advisory board, consisting of three to four IT leaders, convenes typically every year to review all parts of IT, and provide an assessment to Senior Management.
3.0 Internal Assurance
At the beginning of the fiscal year, the IT director and service area leads agree on a portfolio of objectives in the IT Strategic Plan. Each objective includes a set of related strategies and metrics and key performance indicators that service area leads use to manage progress toward objectives. This plan forms the basis of self assessments.
3.1 Project Monitoring and Quarterly Reporting
Under the line management approach, service area leads are responsible for monitoring and reporting on projects in the strategic plan. Service area leads submit brief quarterly reports on the status of strategic objectives, including a summary of how the objective and related strategies were met, any changes in direction/approach, and/or significant problems or risks.
3.2 Project Assessments
Every year, the CIO will select one or more strategic projects for an in-depth assessment.
3.3 Self-Assessment Risk Assessment
Excerpt from Cyber Security Assurance Plan:
"The Office of the CIO and the Cyber Security Program undertake annual risk and self assessments of its information technology posture. The risk-assessment process is designed to provide transparency to DOE and the Laboratory Community on current and emerging threats as well as residual risks from our security posture. The self-assessment process seeks to verify the effectiveness of technical, administrative, and operational controls.
Both processes are consistent with National Institute of Standards and Technology guidance. However, LBNL's approach is unique in that it utilizes a cost-damage model collaboratively developed with Carnegie Mellon University, and uses extensive narrative description to ensure that LBNL community members and oversight organizations can understand the risks clearly and in lay, comprehensible terms. Results are transmitted to DOE and are used as input for strategic planning and service management in the coming year.
Based on the annual risk assessment, cyber security plan owners will review and update plans as necessary to reflect any changes in technical, administrative, and operational controls."
3.4 Federal Manager’s Financial Integrity Act (FMFIA)/Entity Assessment Annual Self-Assessment
The Financial Management Assurance (FMA) program is DOE’s internal control assessment program to meet the requirements of the Financial Integrity Act (FMFIA) of 1982 and Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Internal Control, including Appendix A, Internal Control Over Financial Reporting. The FMA program requires an evaluation of programmatic and non-financial reporting administrative controls, an assessment of entity controls, and evaluation and testing of financial management reporting controls.
LBNL's FMFIA assessment is scheduled for Q4 FY13.
3.5 UC Self-Assessment
The University of California Office of the President, at the direction of the Regents, requires a self-assessment of each UC's compliance with IS-3. In FY11, this was performed via an Internal Audit. A self-assessment for FY13 may occur.
4.0 Performance Measures
4.1 Performance Evaluation and Measurement Plan (PEMP)
FY12 PEMP Objective 6.5 states “Provide Efficient, Effective, and Responsive Management Systems for … Information Management…". No Notable Outcome for IT in FY13.
5.0 Assurance Systems and Assessment Schedule
5.1 DOE Requirements and Related Assurance Systems
DOE Requirements are listed on the CIO website with corresponding implementation measures and assurance systems. See DOE Crosswalks.
5.2 FY13 Assessment Schedule
| # | Assessment Type | Schedule (and Title) | Performed By |
|---|---|---|---|
| 2.2 | Peer Reviews | No review in FY13 | Similar institutions |
| 2.3 | Internal Audit | IT Governance audit in last quarter of FY13 | LBNL Internal Audit Services |
| 2.4 | IG Audits and Reviews | LBNL was selected in FY13 for the following audits:
| DOE Inspector General (often using KPMG) |
| 2.5 | Berkeley Site Office Oversight Activities | Ongoing oversight, including tri-party reviews throughout the year | BSO |
| 2.5 | Other Oversight Activities | No assessments in FY13 | DOE-HSS |
| 2.6 | Advisory Board | Conducted in July/July 2013 | Board members |
| 3.2 | Project Assessments | Within 1 month of end of FY | Office of the CIO |
| 3.3 | Self-Assessment Risk Assessment | Conducted in March 2013 | Office of the CIO/Cyber Security Program |
| 3.4 | FMFIA/Entity Assessment | Conducted in May 2013 | LBNL Line Management |
| 3.5 | UC Self-Assessment | Not required by UC in FY13 | Office of the CIO/Cyber Security Program |
| 3.6 | IAS Advisory Service | No advisory services conducted in FY13 | LBNL Internal Audit Services |
