Date: April 13, 2010
The Contractor Assurance System for Cyber Security and the Cyber Security Program overall are performing at acceptable levels.
(as listed in Assurance Plan Sections 2.0 and 3.0)
The primary form of assessment for Cyber Security is the ongoing review of incidents and the identification of vulnerabilities.
1. Special Risk Assessment for Google Apps Conversion conducted. No action items or findings.
Announced or In Progress:
2. Internal Audit has announced a review of Backup and Recovery to begin Q3.
3. A Peer Review of IT Division (including cyber security) is scheduled for Q3.
4. Annual Self and Risk Assessment is scheduled for Q4.
5. Annual Disaster Recovery Testing is scheduled for Q4.
(as listed in Assurance Plan)
1. Incidents are reviewed under PEMP Notable Outcomes.
2. System Availability Data is tracked as an internal measure. There was limited, accepted downtime due to hardware failure associated with perimeter protection during the performance period.
- Security Intro/Refresher: 93% of target population.
- PII: 97% of target population.
- PII Validation: 96% of target population.
4. Training Feedback. Overall 3.9 positive on a 5-point scale.
Selected Quotes from this quarter:
PEMP Notable Outcomes
Outcome: Review Incidents Quarterly and Determine whether they are within our acceptable risk envelope.
Our review of Q2 incidents suggests nothing but exceedingly minor and recoverable disruption to scientific work, and nothing that is outside our acceptable risk envelope. Incident quantities and costs are well within expected numbers. No scientific data was lost in any of these efforts, and disruption was limited to the time needed to clean up compromised systems.
Outcome: Review program to ensure it does not unduly or inefficiently disrupt scientific work.
Conduct this review in Q3 or Q4. No indication that the program has unduly impacted scientific productivity or creativity.
Other Issues/Concerns
- Expected transition of S&S Cyber to Overhead and uncertainty regarding WFO tax may present challenges.
- Growth of the Laboratory brings new employees; we need to make sure we maintain a security-aware culture.
- Some proposed legislation would require OMB to monitor agencies at the level of minutiae. If applied to Laboratories, this will be highly costly and misleading.