Date: July 26, 2010
The Contractor Assurance System for Cyber Security and the Cyber Security Program overall are performing at acceptable levels.
(as listed in Assurance Plan Sections 2.0 and 3.0)
The primary form of assessment for Cyber Security is the ongoing review of incidents and the identification of vulnerabilities. This is an ongoing process which forms the basis of the Laboratory's Risk Management Approach.
Completed This Quarter:
1. Internal Audit of Backup and Recovery at LBL
Internal audit conducted a review of backup and recovery practices and operations at LBL. A full report was provided to BSO. IA made seven observations about current practices and LBL management committed to ten corrective actions with due dates across the next year. Observations concerned currency of recovery procedures and testing, as well as broader observations about the state of LBL Business Continuity Planning with downstream impacts on expectations for IT systems.
2. Peer Review of IT Division (including cyber security).
Full results are limited to LBL management at this time; however, the review team praised verbally and in the final report the efforts of the Laboratory to find the right cyber security balance. Laboratory Management committed to actions in eight areas in response to observations of the committee around communication, primarily around the development and management of enterprise systems projects, as well as issues regarding communication and scientific computing.
3. Special Risk Assessment for Google Apps Conversion conducted. No action items or findings.
Announced or In Progress:
1. Annual Self and Risk Assessment is scheduled for Q4
2. Annual Disaster Recovery Testing is scheduled for Q4
(as listed in Assurance Plan)
1. Cyber Security Incident Analysis:
Incidents are reviewed under PEMP Notable Outcomes.
2. Customer Service and Response, System Availability and Function Data, System Configuration Data.
These are separately tracked as internal measures. No major issues, outages, or concerns.
- Security Intro/Refresher: 92% of target population.
- PII: 98% of target population.
- PII Validation: 98% of target population.
4. Training Feedback. Overall 3.74 for the quarter on a 5 scale.
PEMP Notable Outcomes
Outcome: Review Incidents Quarterly and Determine whether they are within our acceptable risk envelope.
Our review of Q3 incidents suggests nothing but exceedingly minor and recoverable disruption to scientific work, and nothing that is outside our acceptable risk envelope. Incident quantities and costs are well within expected numbers. No scientific data was lost in any of these efforts, and disruption was limited to the time needed to clean up compromised systems.
We continue to observe an increase in successful malicious code infections, which are being caught quickly by a new perimeter detection device we have procured for this purpose. The impact of these infections has continued to be very limited, and many of the infections are on guest/transient systems. Some of this increase is related to how these infections are being caught and recorded; specifically, more of these infections are now being caught by that cyber security perimeter detection device, whereas before they may have been caught and cleaned by antivirus (which might or might not have shown up as an event, depending on how quickly A/V caught the infection).
Overall, LBL is managing to the risk profile we have agreed to, and we continue to observe the risks and demonstrated vulnerabilities
Outcome: Review program to ensure it does not unduly or inefficiently disrupt scientific work.
The Q3 IT Division Peer Review commended Berkeley Lab for how it has achieved an appropriate balance between cyber security and scientific freedom. Continued evaluation of this will take place in Q4.
Other Issues/ Concerns
- Expected transition to Risk Management Approach and CAS will require close coordination with BSO to meet everyone's needs.
- Expected transition of S&S Cyber to Overhead and uncertainty regarding WFO tax may present challenges.
- Growth of Laboratory leads to new employees - need to make sure we maintain a security aware culture.
- Some proposed legislation would require OMB to monitor agencies at the level of minutiae. If applied to Laboratories, this will be highly costly and misleading. Transition of the cyber security locus of responsibility in .gov to DHS presents unknown challenges/complexities.