As always, the primary ongoing assurance activity is the review of incidents conducted by the security program to determine whether the program is efficiently and effectively protecting the scientific mission of the Laboratory. This ongoing review suggests that the program is functioning well, and we continue to adjust controls and policies as the environment requires.

The Laboratory continued its new System Authorization Process (formerly Authority to Operate / Certification and Accreditation). During this period we began full reviews of our systems and are updating and revisiting the contractor assurance system for cyber security at LBL. The review will be complete in Q4 and includes an external review of both security controls and actual performance.
Most Significant Risks
1. Continued Threats from APT
For discussion in person at our tri-party: coordinated attack on two national labs (PNNL and JLab)
2. Emergent Security Risks and Evolving Threats
As always, we continue to see new and evolving issues in the cyber security space. The malicious code environment continues to become more devious, with a marked shift away from targeted phishing towards browser drive-by attacks that exploit unpatched vulnerabilities in both browsers and browser plug-ins (Flash, PDF). New detection measures and countermeasures appear to be appropriately mitigating this risk at this time.
Assurance Activity / Status / Assessment Type / Outcome
Ongoing review of Incidents and Threats / Ongoing / Internal Assessment / -
System Authorization Cycle with Assessments / Ongoing / Internal and External / -
IS-3 (Cyber) Audit / Complete / Internal Audit / LBL Actions Defined
Internal Audit concluded its review of IS-3 compliance (overall information/cyber security) during Q3. The review focused on systems and applications determined to be critical to LBNL operations, and on systems storing, processing, or transmitting Personally Identifiable Information (PII). It found us to be generally in compliance, with the following opportunities for improvement:
- Update the BSE cyber security plan. We will proceed with updating this plan as scheduled for October 2011.
- User Account Administration. We will support HR functional owners in putting in place a new annual privileged account review process. We will update account management procedures for the System Support group as part of the BSE cyber security plan update.
- Update the inventory of business systems containing PII.
- Enhance the detection of PII by requiring the groups with high access to PII to run Identity Finder every six months rather than annually.
- Enhance the protection of PII by adding encryption to backup tapes of PII (in addition to existing controls of chain of custody for tapes, insured backup transportation providers, and locked transportation containers).
- Update incident handling procedures to include procedures specific to PII.
PEMP Goals, Objectives, Notable Outcomes
"In measuring the performance of the above Objectives, the DOE evaluator(s) shall consider performance trends, outcomes and continuous improvement in the safeguards and security, cyber security and emergency management program systems. This may include, but is not limited to, the commitment of leadership to strong safeguards and security, cyber security and emergency management systems; the integration of these systems into the culture of the Laboratory; the degree of knowledge and appropriate utilization of established system processes/procedures by Contractor management and staff; maintenance and the appropriate utilization of Safeguards, Security, and Cyber risk identification, prevention, and control processes/activities; and the prevention and management controls and prompt reporting and mitigation of events as necessary."
The Laboratory remains strongly dedicated to appropriate cyber security management, as evidenced through its continuous assessment and improvement program for incidents and threats, as well as its strong technical cyber security program. See further discussion regarding Q3 incident performance.
No notable outcome is defined for cyber security.
Laboratory Management Performance Measures
Performance against each Laboratory Management Performance Measure, as detailed in the Cyber Security Assurance Plan follows.
Cyber Security Incident Analysis
Berkeley Lab experienced a "normal" incident profile in Q3. Instances of malicious code were within current trends, and there were no instances of malicious code escalation or compromise of other hosts at the Laboratory. Newer detection measures implemented over the past 18 months continue to pay dividends in terms of speedy detection of these issues. Details are provided on the Operations Dashboard.
System Availability and Function Data
Cyber security systems experienced normal uptime profiles during this quarter.
Percent of LBNL staff that have completed required cyber security training. Reported in real time on demand as part of overall training reports to division representatives, and quarterly to cyber security management. Reported as the percentage of individuals who have completed training per requirements. Currently 92% up to date, meeting the 90% target.
Cyber Security Training received a feedback score of 3.82 on a scale of 1-5. Selected comment: "This is an excellent, concise refresher. I will do some things today and over the next week as a result."
Two areas for improvement were noted in the FY10 Laboratory Performance Evaluation.
1. Information Types and Ownership
The Laboratory began a dialog with BSO in FY10 regarding proposed changes to the Prime Contract to clarify ownership over certain kinds of personally identifiable information. This effort needs to be completed during FY11. This effort has been incorporated into the wider C31 Reform efforts.
2. Physical Security of Lost/Stolen Devices
BSO has indicated that there is opportunity for improvement in ensuring that possible risks associated with lost/stolen devices are mitigated. The Laboratory believes this risk is appropriately mitigated. During Q2, the Laboratory and BSO stakeholders met to discuss this risk area and reaffirmed the existing path forward agreed with BSO in 2009. No further action is contemplated during this performance period.
- The Laboratory expects that its approach to the system authorization cycle and updated contractor assurance system will be noteworthy activities this year.
- The Laboratory began a “major incident planning” process to develop new procedures and plans in case a major cyber incident similar to those that other national laboratories have recently experienced were to occur here.