Viewable by the world

Effective Date: October 1, 2012 - September 30, 2013


Approved By: Rosio Alvarez, Chief Information Officer

Table of Contents

1.0 Introduction

The LBNL IT Assurance Plan is designed to ensure that LBNL IT efforts meet contractual requirements and support the LBNL mission. This plan is primarily concerned with functions provided by IT division for the laboratory. DOE requires a separate Cyber Security Assurance Plan, which is concerned with the institution's overall cyber security performance (as opposed to the performance of IT division specifically).

1.1 Approach to Assurance

Our approach to assurance is coupled to the ongoing oversight of programs and projects that is a normal and ongoing part of IT management. As such, our primary assurance is the annual development of strategic objectives accompanied by quarterly reports and/or meetings on those objectives between IT Senior Management and heads of Service Areas. The IT Strategic Plan details these objectives, strategies, and metrics by service area.

Independent assessments, including peer reviews, provide additional assurance along with our ongoing key metrics such as network availability and customer satisfaction.

2.0 Independent Assurance

2.1 Overview

IT systems are subject to a number of external assessments.

2.2 Peer Reviews

The IT Division conducts a peer review every three to five years, based on guidance provided by Operations. The last Peer Review was conducted in June of 2010. Peer reviewers are typically chosen from among similar institutions in the research, national laboratory, University, and nonprofit space. Peer Review typically produce recommendations and/or findings which are considered as part of the Division's strategic and tactical planning.

2.3 Internal Audit

In practice, IA conducts at least one IT focused audit each year. Results are shared with UC and LBNL management. Fiscal Year 2013 planned audits include IT Governace.

2.4 Inspector General Operations Audits and Reviews

The DOE IG performs audits of M&O IT operations. Results from these reviews must be carefully calibrated due to the IG's focus on cost-savings opportunities regardless of impact on mission achievement.

2.5 Other DOE Reviews

The DOE Berkeley Site Office (BSO) conducts graded oversight reviews of the Laboratory's IT Operations. These reviews include ongoing operational awareness activities, and scheduled assessments and reviews into particular risks or control families. Assessment topics are generally planned and calendared at the start of the performance year.

Other IT-related assessments and informal evaluations, such as visits from the DOE Records Management Program or SC Privacy Officers, supplement these reviews.

2.6 Advisory Board

An external advisory board, consisting of three to four IT leaders, convenes typically every year to review all parts of IT, and provide an assessment to Senior Management.

3.0 Internal Assurance

At the beginning of the fiscal year, the IT director and service area leads agree on a portfolio of objectives in the IT Strategic Plan. Each objective includes a set of related strategies and metrics and key performance indicators that service area leads use to manage progress toward objectives. This plan forms the basis of self assessments.

3.1 Project Monitoring and Quarterly Reporting

Under the line management approach, service area leads are responsible for monitoring and reporting on projects in the strategic plan. Service area leads submit brief quarterly reports on the status of strategic objectives, including a summary of how the objective and related strategies were met, any changes in direction/approach, and/or significant problems or risks.

3.2 Project Assessments

Every year, the CIO will select one or more strategic projects for an in-depth assessment.

3.3 Self-Assessment Risk Assessment

Excerpt from Cyber Security Assurance Plan:

"The Office of the CIO and the Cyber Security Program undertake annual risk and self assessments of its information technology posture. The risk-assessment process is designed to provide transparency to DOE and the Laboratory Community on current and emerging threats as well as residual risks from our security posture. The self-assessment process seeks to verify the effectiveness of technical, administrative, and operational controls.

Both processes are consistent with National Institute of Standards and Technology guidance. However, LBNL's approach is unique in that it utilizes a cost-damage model collaboratively developed with Carnegie Mellon University, and uses extensive narrative description to ensure that LBNL community members and oversight organizations can understand the risks clearly and in lay, comprehensible terms. Results are transmitted to DOE and are used as input for strategic planning and service management in the coming year.

Based on the annual risk assessment, cyber security plan owners will review and update plans as necessary to reflect any changes in technical, administrative, and operational controls."

3.4 Federal Manager’s Financial Integrity Act (FMFIA)/Entity Assessment Annual Self-Assessment

The Financial Management Assurance (FMA) program is DOE’s internal control assessment program to meet the requirements of the Financial Integrity Act (FMFIA) of 1982 and Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Internal Control, including Appendix A, Internal Control Over Financial Reporting. The FMA program requires an evaluation of programmatic and non-financial reporting administrative controls, an assessment of entity controls, and evaluation and testing of financial management reporting controls.

LBNL's FMFIA assessment is scheduled for Q4 FY13.

3.5 UC Self-Assessment

The University of California Office of the President, at the direction of the Regents, requires a self-assessment of each UC's compliance with IS-3.  In FY11, this was performed via an Internal Audit. A self-assessment for FY13 may occur.

4.0 Performance Measures

4.1 Performance Evaluation and Measurement Plan (PEMP)

FY12 PEMP Objective 6.5 states “Provide Efficient, Effective, and Responsive Management Systems for … Information Management…". No Notable Outcome for IT in FY13.

5.0 Assurance Systems and Assessment Schedule

5.1 DOE Requirements and Related Assurance Systems

DOE Requirements are listed on the CIO website with corresponding implementation measures and assurance systems. See DOE Crosswalks.

5.2 FY13 Assessment Schedule


Assessment Type

Schedule (and Title)

Performed By


Peer Reviews

No review in FY13

Similar institutions


Internal Audit

IT Governance audit in last quarter of FY13

LBNL Internal Audit Services


IG Audits and Reviews

LBNL was selected in FY13 for the following audits:

  • Annual audits (April and roll forward in September)
    • Financial Reporting
    • IT General and Application Controls
    • IT Vulnerability Assessment
  • Additional audits
    • Software Audit
    • Hardware Audit

DOE Inspector General (often using KPMG)


Berkeley Site Office Oversight Activities

Ongoing oversight, including tri-party reviews throughout the year



Other Oversight Activities

No assessments in FY13


2.6Advisory BoardConducted in July/July 2013Board members

Project Assessments

Within 1 month of end of FY

Office of the CIO


Self-Assessment Risk Assessment

Conducted in March 2013

Office of the CIO/Cyber Security Program


FMFIA/Entity Assessment

Conducted in May 2013

LBNL Line Management


UC Self-Assessment

Not required by UC in FY13

Office of the CIO/Cyber Security Program

3.6IAS Advisory ServiceNo advisory services conducted in FY13LBNL Internal Audit Services
  • No labels