As always, the primary ongoing assurance activity is the review of incidents conducted by the security program to determine if the program is efficiently and effectively protecting the scientific mission of the Laboratory. This ongoing review suggests that the program is functioning well and we continue to make adjustments to controls and policies as required by the environment.
This quarter we were also visited by the OIG in an audit of "cloud computing." Results are not expected for quite some time. Substantial senior staff time in both the Research and Ops Divisions was spent on preparations for, discussions with, and follow-up by the OIG on this audit. OIG audits of this kind normally do not involve Laboratory-specific findings, though this is always a possibility. The Laboratory believes it is effectively managing the risk associated with cloud computing adoption, while moving aggressively to take advantage of its benefits to reduce costs and improve flexibility where appropriate.
Most major assurance activities this year will take place during Q3 and Q4 when the Laboratory completes its new System Authorization Process (formerly Authority to Operate / Certification and Accreditation). During this period we will conduct full reviews of our systems and update and revisit the contractor assurance system for cyber security at LBL.
Finally, Internal Audit anticipates a major review of IS-3 compliance (overall information/cyber security) during this FY. We expect to incorporate the results of this review as part of our overall System Authorization Process Cycle.
Most Significant Risks
1. Policy Environment Uncertainty
Major changes in national cyber security policy (FISMA 2.0), redistribution of responsibilities at the Federal level (OMB to DHS), and policy flux within the Department contribute to major uncertainties regarding future policy and assurance direction. The Laboratory remains committed to providing a comprehensive contractor assurance system which provides transparency and appropriate assurance to the Department that we are managing a responsive and cost-effective cyber security program. Some legislative changes currently under consideration have the potential to significantly increase the costs of managing the LBL cyber security program, as well as the potential to disrupt scientific work and collaboration. Other evolving requirements, such as the move to expand IPv6 use, present challenges for existing cyber security technical countermeasures, as well as new security risks of their own.
2. Emergent Security Risks and Evolving Threats
As always, we continue to see new and evolving issues in the cyber security space. The malicious code environment continues to become more devious, with a marked shift away from targeted phishing towards browser drive-by attacks against unpatched vulnerabilities in both browsers and browser plug-ins (Flash, PDF). New detection measures and countermeasures appear to be appropriately mitigating this risk at this time.
Assurance Activity / Status / Assessment Type
Ongoing review of Incidents and Threats / Ongoing / Internal Assessment
Cloud Computing OIG Audit / Ongoing / Inspector General
System Authorization Cycle with Assessments / Scheduled / Internal and External
IS-3 (Cyber) Audit / Scheduled / Internal Audit
PEMP Goals, Objectives, Notable Outcomes
"In measuring the performance of the above Objectives, the DOE evaluator(s) shall consider performance trends, outcomes and continuous improvement in the safeguards and security, cyber security and emergency management program systems. This may include, but is not limited to, the commitment of leadership to strong safeguards and security, cyber security and emergency management systems; the integration of these systems into the culture of the Laboratory; the degree of knowledge and appropriate utilization of established system processes/procedures by Contractor management and staff; maintenance and the appropriate utilization of Safeguards, Security, and Cyber risk identification, prevention, and control processes/activities; and the prevention and management controls and prompt reporting and mitigation of events as necessary."
The Laboratory remains strongly dedicated to appropriate cyber security management, as evidenced through its continuous assessment and improvement program for incidents and threats, as well as its strong technical cyber security program. See further discussion regarding Q1 incident performance.
No notable outcome is defined for cyber security.
Laboratory Management Performance Measures
Describe performance against each Laboratory Management Performance Measure, as detailed in each function’s Assurance Plan.
Cyber Security Incident Analysis
Berkeley Lab experienced a "normal" incident profile in Q1. Instances of malicious code were within current trends and there were no instances of malicious code escalation or compromise of other hosts at the Laboratory. Newer detection measures implemented over the past 18 months continue to pay dividends in terms of speedy detection of these issues. Two classic stolen-credential incidents occurred during the quarter, both of which were well contained. One in particular involved notification and coordination with other research and education sites around the country and within DOE, where we believe LBL cyber forensics expertise directly assisted in quickly containing the incident at multiple sites. Both stolen-credential incidents had full "opportunities for improvement" reviews after cleanup, and additional measures have been put in place to protect the impacted systems. The last incident of note was our first instance of a VOIP-related incident. The incident was detected by normal security means and was apparently the result of a misconfiguration by the vendor responsible for maintaining the system. Actions were taken to ensure speedier detection of these issues in the future as well as improved configuration management by the vendor.
System Availability and Function Data
Cyber security systems experienced normal uptime profiles during this quarter. Additional resiliency is expected from the Bro Cluster when it reaches full production status.
Percent of LBNL staff that have completed required cyber security training
Reported in real time on demand as part of overall training reports to division representatives, and quarterly to cyber security management. Reported as a percentage of individuals completing training per requirements. Currently at 93% up to date (within target of 90%).
Cyber Security Training received a feedback score of 3.76 on a scale of 1-5. Selected comment:
"I thought this was a model for training at LBNL. The information was important and presented clearly. I was particularly impressed that the material was aimed at LBNL, not a generic institution."
No other measures to report.
Other Issues/ Concerns
Two areas for improvement were noted in the FY10 Laboratory Performance Evaluation.
1. Information Types and Ownership
The Laboratory began a dialogue with BSO in FY10 regarding proposed changes to the Prime Contract to clarify ownership of certain kinds of personally identifiable information. This effort needs to be completed during FY11. IT will re-engage BSO on this matter during Q2.
2. Physical Security of Lost/Stolen Devices
BSO has indicated that there is opportunity for improvement in ensuring that possible risks associated with lost/stolen devices are mitigated. The Laboratory believes this risk is appropriately mitigated. Laboratory policy forbids the storage of "sensitive" information on endpoint devices of any kind, including laptops and smartphones. Technical controls at the application layer, and backup detection/assurance systems, give us high confidence that collections of personally identifiable information are never located on these devices. Finally, all lost and stolen devices require the custodian to complete an affidavit regarding the information which was stored on the device. The Director of Institutional Assurance will schedule a meeting with BSO during Q2 to discuss these processes and seek feedback regarding the concerns expressed by BSO. As always, the Laboratory seeks to improve its performance and assurance mechanisms in any area where risk justifies the expenditure of additional resources.
The Laboratory expects that its approach to the system authorization cycle and updated contractor assurance system will be noteworthy activities this year.