As always, the primary ongoing assurance activity is the review of incidents conducted by the security program to determine if the program is efficiently and effectively protecting the scientific mission of the Laboratory. This ongoing review suggests that the program is functioning well and we continue to make adjustments to controls and policies as required by the environment.
The OIG concluded its investigation of cloud computing with a letter report. The report made recommendations regarding additional guidance from DOE on cloud computing. The Laboratory believes it is effectively managing risk associated with cloud computing adoption, while moving aggressively to take advantage of its benefits to reduce costs and improve flexibility where appropriate. Against the backdrop of guidance from numerous expert groups such as NIST, NACUA, UC, etc., we do not agree with the IG that additional guidance from DOE would assist us in better managing cloud-related risks.
Most major assurance activities this year will take place during Q3 and Q4 when the Laboratory completes its new System Authorization Process (formerly Authority to Operate / Certification and Accreditation). During this period we will conduct full reviews of our systems and update and revisit the contractor assurance system for cyber security at LBL.
Finally, Internal Audit anticipates a major review of IS-3 compliance (overall information/cyber security) during this FY. We expect to incorporate the results of this review as part of our overall System Authorization Process Cycle.
Most Significant Risks
1. Emergent Security Risks and Evolving Threats
As always, we continue to see new and evolving issues in the cyber security space. The malicious code environment continues to become more devious, with a marked shift away from targeted phishing towards browser drive-by attacks against unpatched vulnerabilities in both browsers and browser plugins (Flash, PDF). New detection measures and countermeasures appear to be appropriately mitigating this risk at this time.
2. Continued Threats from APT
For discussion in person at our tri-party.
Ongoing review of Incidents and Threats / Ongoing / Internal Assessment
Cloud Computing OIG Audit / Complete / Inspector General / No LBL Actions
System Authorization Cycle with Assessments / Scheduled / Internal and External
IS-3 (Cyber) Audit / Scheduled / Internal Audit
PEMP Goals, Objectives, Notable Outcomes
"In measuring the performance of the above Objectives, the DOE evaluator(s) shall consider performance trends, outcomes and continuous improvement in the safeguards and security, cyber security and emergency management program systems. This may include, but is not limited to, the commitment of leadership to strong safeguards and security, cyber security and emergency management systems; the integration of these systems into the culture of the Laboratory; the degree of knowledge and appropriate utilization of established system processes/procedures by Contractor management and staff; maintenance and the appropriate utilization of Safeguards, Security, and Cyber risk identification, prevention, and control processes/activities; and the prevention and management controls and prompt reporting and mitigation of events as necessary."
The Laboratory remains strongly dedicated to appropriate cyber security management, as evidenced through its continuous assessment and improvement program for incidents and threats, as well as its strong technical cyber security program. See further discussion regarding Q2 incident performance.
No notable outcome is defined for cyber security.
Laboratory Management Performance Measures
Describe performance against each Laboratory Management Performance Measure, as detailed in each function’s Assurance Plan.
Cyber Security Incident Analysis
Berkeley Lab experienced a "normal" incident profile in Q2. Instances of malicious code were within current trends and there were no instances of malicious code escalation or compromise of other hosts at the Laboratory. Newer detection measures implemented over the past 18 months continue to pay dividends in terms of speedy detection of these issues. Two classic stolen credential incidents occurred during the quarter, both of which were well contained. In one, the attackers paid particularly good attention to covering their tracks, though the forensics were still completed normally. That same incident also showed that the SSH credential attackers continue to expand their portfolio of tricks in ways that attempt to subvert our newer controls.
Also in the realm of incident analysis, the Laboratory has begun to report to Laboratory management, as part of the Ops Dashboard, the same incident trend data that is shared with BSO on an annual basis in our Self Assessment and Risk Assessment.
System Availability and Function Data
Cyber security systems experienced normal uptime profiles during this quarter. Additional resiliency is expected from the Bro Cluster when it reaches full production status.
Percent of LBNL staff that have completed required cyber security training
Reported in real time on demand as part of overall training reports to division representatives, and quarterly to cyber security management. Reported as a percentage of individuals completing training per requirements. Currently at XXXX% up to date (within target of 90%).
Cyber Security Training received a feedback score of 3.84 on a scale of 1-5. Selected comment:
"This is refreshingly candid and useful in comparison to the drab equivalents found at other national labs and government installations. Kudos! "
No other measures to report.
Other Issues/Concerns
Two areas for improvement were noted in the FY10 Laboratory Performance Evaluation.
1. Information Types and Ownership
The Laboratory began a dialog with BSO in FY10 regarding proposed changes to the Prime Contract to clarify ownership over certain kinds of personally identifiable information. This effort needs to be completed during FY11. This effort has been incorporated into the wider C31 Reform efforts.
2. Physical Security of Lost/Stolen Devices
BSO has indicated that there is opportunity for improvement in ensuring that possible risks associated with lost/stolen devices are mitigated. The Laboratory believes this risk is appropriately mitigated. During Q2, the Laboratory and BSO stakeholders met to discuss this risk area and agreed to the existing path forward agreed to with BSO in 2009.
The Laboratory expects that its approach to the system authorization cycle and updated contractor assurance system will be noteworthy activities this year.