Effective Date: October 1, 2015-September 30, 2016
Approval
Approved By: Rosio Alvarez, Chief Information Officer
Table of Contents
1.0 Introduction
The goal of the LBNL Cyber Security Assurance Plan is to ensure that LBNL cyber security systems are effective, meet contractual requirements, and support the LBNL mission. LBNL establishes, with the Department of Energy (DOE), an understanding of acceptable risk and develops and tailors controls in an ongoing way to meet this standard. LBNL develops and implements the appropriate controls and provides, for itself, assurance that the system is functioning as intended.
This Plan describes the Cyber Security assurance mechanisms that inform management if controls are working as designed and if the set of controls is appropriately protecting the institution. Implementing this Plan drives performance improvement by self-identifying, preventing, and correcting issues. These assurance mechanisms will be used to demonstrate to DOE, the University of California (UC), and LBNL management that the cyber security mechanisms themselves are adequate to reduce risk to the agreed upon level, and that controls are functioning as intended.
2.0 Independent Assessments
2.1 Overview
A variety of groups can provide independent assessments of the Cyber Security Program. The nature and frequency of independent assessments usually depends on planning processes that are independent from LBNL.
2.2 External Assessments Contracted As Part of Authorizing Systems
The Cyber Security Program analyzes risk and documents its controls and compliance through a process called the Risk Management Framework (formerly, the Certification and Accreditation Process or the System Authorization Process). This process describes a series of steps necessary to manage and analyze technical, operational, and management controls, evaluate risks and residual risks, and assess system function and risk management. While the process for managing controls is continuous, we usually conduct a full evaluation of the system program every three years.
During this process, we engage external assessors, either through Peer Review or through contracted external auditors, to evaluate system operation. These are the most in-depth and risk-informed evaluations we undertake. In the past, these reviews have taken multiple weeks and included both technical testing and document review. The results of these reviews become part of the authorization package and are available to DOE for review.
2.3 Internal Audit
UC operates an independent Internal Audit system for LBNL, Internal Audit Services (IAS). IAS's mission is to assess and monitor the Laboratory community in the performance of their oversight, management and operating responsibilities in relation to governance processes, systems of internal controls, and compliance with laws, regulations, contracts and Laboratory, UC, and DOE policies.
IAS has been granted authority through its charter and the UC Internal Audit Management Charter approved by the Regents of UC. IAS functions under the policies established by the Regents and Laboratory management under delegated authority. IAS is authorized full, free and unrestricted access to information including records, computer files, property, and personnel of the Laboratory required in the performance of audits. The work of IAS is unrestricted except where limited by law. IAS is free to review and evaluate all policies, procedures and practices of any Laboratory activity, program or function.
In practice, IA conducts at least one IT focused audit each year. Results are shared with UC and LBNL management.
2.4 Inspector General Operations Audits and Reviews
The DOE IG performs audits of contractor cyber security operations. Results from these reviews must be carefully calibrated due to the IG's focus on cost-savings opportunities regardless of impact on mission achievement. The DOE IG conducts a variety of annual cyber security audits, including FISMA, and selects site based on an internal selection formula. DOE IG may conduct additional, cyber-related audits.
2.5 DOE Financial Statement Audit
Per 31 U.S.C. § 3515, Financial Statements of Agencies, the head of the agency is required to prepare and submit to the Congress and the Director of the Office of Management and Budget (OMB) an audited financial statement for the preceding fiscal year, covering all accounts and associated activities of each office and the agency not later than March 1. This audit is in support of the Federal Managers' Financial Integrity Act (FMFIA).
2.6 Other DOE Reviews
The DOE Berkeley Site Office (BSO) conducts graded oversight reviews of the Laboratory's Cyber Security Program. These reviews include ongoing operational awareness activities and scheduled assessments and reviews into particular risks or control families. Assessment topics are generally planned and calendared at the start of the performance year. LBNL's safeguards and security program is often subject to an extensive DOE BSO review.
Historically, DOE Office of Health, Safety and Security (HSS) has conducted both assistance visits and red team/full evaluations of Laboratory cyber security programs. Additionally, LBNL can engage HSS upon request to review our systems and practices.
The DOE Office of Science has also initiated Integrated Safeguards and Security (S&S) Surveys that include cyber security in scope. The Office of Science works to coordinate any reviews with HSS reviews.
2.7 Peer Reviews
LBNL makes targeted use of peer reviews on an as needed basis and where internal expertise or external oversight is judged to be insufficient, or where the only reasonable form of oversight is peer review (for instance, where expertise about a specific issue is limited to the peer group).
2.8 Advisory Board
An external advisory board, consisting of three to four IT leaders, convenes typically every year to review all parts of IT, including the Cyber Security Program.
3.0 Self Assessments
3.1 Ongoing Review of Operations and Incidents
The core of the LBNL's Contractor Assurance System for Cyber Security revolves around the continuous monitoring system and the management of the Cyber Security Program. This program is dynamic; and the Chief Information Officer and Cyber Security Manager are involved in a continuous process of evaluating existing controls, the changing threat environment, and demonstrated risks/damages to optimize the controls in place (including reducing such controls when they are not cost-benefit positive). Monitoring systems also verify the technical functioning of the controls and support root cause reviews for incidents. At ongoing meetings and through day-tp-day email communication, the cyber security team evaluates these factors to determine if new controls (policy, management, and technical) are required to address the changing environment. These priorities are reflected in changes to the focus of the team and in funding reallocations as appropriate.
Quarterly, the cyber security team discusses incidents of concern with division representatives on the Computer Protection Implementation Committee (CPIC). CPIC spreads awareness of the trends and seeks feedback on controls.
Annually, the entire incident and control framework is formalized and judged against the Berkeley Lab-Carnegie Mellon cost model for damages with comprehensive evaluation of mission damage in qualitative form, informed by expert opinion, to further evaluate and refine the program.
3.2 Annual Risk and Self-Assessment
The Office of the CIO and the Cyber Security Program undertake annual risk and self assessments of its information technology posture. The risk-assessment process is designed to provide transparency to DOE and the Laboratory Community on current and emerging threats as well as residual risks from our security posture. The self-assessment process seeks to verify the effectiveness of technical, administrative, and operational controls.
Both processes are consistent with National Institute of Standards and Technology guidance. However, LBNL's approach is unique in that it utilizes a cost-damage model collaboratively developed with Carnegie Mellon University, and uses extensive narrative description to ensure that LBNL community members and oversight organizations can understand the risks clearly and in lay, comprehensible terms. Results are transmitted to DOE and are used as input for strategic planning and service management in the coming year.
Based on the annual risk assessment, cyber security plan owners will review and update plans as necessary to reflect any changes in technical, administrative, and operational controls.
3.3 University of California Self Assessment
UC conducts assessments of various aspects of the cyber security program in parallel with its assessment of the campuses. A scorecard process helps to ensure similarity with other UC campuses and cross campus comparisons. The scorecard is normalized across the campuses and LBNL and presented to the Regents for review. This typically happens annually, though is at the direction of UC.
3.4 Management Controls and Compliance Program
The Management Controls and Compliance Program (MCC) is a comprehensive program for analyzing internal controls to meet financial and related compliance objectives. The MCC Program supports legislative requirements such as the Chief Financial Officers Act, the Inspector General Act of 1978, as amended, FMFIA, FISMA, and the Improper Payments Information Act of 2002 (IPIA).
Analysis of internal controls typically involves key cyber security and IT assurance mechanisms such as change management, alternate checking routines, and access and audit management.
The Office of the Chief Financial Officer implements the Management Controls and Compliance Program for LBNL. IT provides input on controls compliance as required.
3.5 IAS Advisory Service
IAS may be requested to perform advisory services for various areas of cyber security. Advisory services are activities designed to mitigate risk, improve operations, and/or assist management in achieving its business objectives, in which the nature and scope of the engagements are agreed upon with the management of the subject matter being evaluated. Examples include informational resources, counsel, advice, facilitation, process design, and training.
4.0 Performance Measures
4.1 Management Level Dashboard Measures
The Cyber Security Program reports to the Laboratory on the trends associated with incidents. The data is provided at the Laboratory Performance level and is updated monthly.
4.2 Cyber Security Performance Measures
The Cyber Security Program's key objective is to deliver efficient, effective and responsive cyber security and resources to enable the successful achievement of laboratory missions. Cyber Security Performance Measures are a strategic planning and management tool to monitor organization performance against operational/functional goals. LBNL management routinely monitors the following performance measures:
Cyber Security Incident Analysis
Number of incidents and extent/ severity of incidents experienced at LBNL. Measured and reported in an ongoing manner to cyber security staff and direct management. Reported at least semi-annually to the cyber security representatives of divisions (CPIC), monthly to CIO, and quarterly to Berkeley Site Office.
Customer Service and Response
Satisfaction surveys from community members on interaction with help-desk and cyber security contacts. Surveys are sent immediately following ticket resolution with ongoing feedback provided to managers of operations and quarterly reports shared with management.
System Availability and Function Data
Functioning and availability of infrastructure and cyber critical systems measured by automated systems (percent of time available). Continuous reporting elevates problems to system administrators. Reported monthly for network systems and quarterly for business systems to IT management.
System Configuration Data
Patch levels for systems during periods of high risk (number or percent of systems that are vulnerable). For example, if a new MS patch is released for an "in the wild" vulnerability, LBNL will track the patch numbers until the numbers dwindle to baseline vulnerability expectations. This data is gathered on an ad hoc basis. When gathered, it is typically reported every few days to cyber security management.
Training Completion
Percent of LBNL staff that have completed required cyber security training. Reported in real-time as part of overall training reports to division representatives and as needed to cyber security management.
Cyber Security Training Feedback
Average rating on a scale of 1-5. Reported on demand with real time information to cyber security management and reported quarterly to cyber security management.
5.0 External Reporting
5.1 PEMP
IT prepares a Mid-year and Annual Assurance Report for BSO, UCOP, and LBNL Management. Each Assurance Report provides an overview of LBNL performance and recent assurance activities, including activities detailed in the IT Assurance Plan; performance against the PEMP’s Goals, Objectives, and Notable Outcomes; and related activities. This report provides the basis for a biannual tri-party Assurance meeting with counterparts from BSO and UCOP. Following meetings of each Operations' function; senior BSO, UCOP, and LBNL Management meet to discuss significant risks and concerns and corresponding mitigations.
5.2 Federal Manager's Financial Integrity Act (FMFIA)
FMFIA requires agencies to establish and maintain internal controls. The agency head must annually evaluate and report on the control and financial systems that protect the integrity of Federal programs. The requirements of FMFIA serve as an umbrella under which other reviews, evaluations and audits should be coordinated and considered to support management's assertion about the effectiveness of internal control over operations, financial reporting, and compliance with laws and regulations.
The University of California Office of the President's (UCOP) Laboratory Management Office will issue an opinion regarding the Laboratory's system of internal accounting and management controls in effect during the fiscal period. Included with its internal control assertion is information about the internal accounting and management controls, reportable issues, and corrective action plans provided by the Laboratory Director based on input from CFO management and staff. The Cyber Security Program provides input to this opinion.
5.3 Annual Risk Letter
The Cyber Security Program provides an annual risk evaluation to the Berkeley Site Office. See also section 3.2. The Risk Letter summarizes the annual risk assessment and provides assurance that the Laboratory is managing within the agreed upon acceptable risk envelope.
5.4 Authority to Operate
The Cyber Security Program provides extensive program evaluation to DOE as part of its authority to operate process, typically on a three year cycle. The Program evaluation information includes information related to all aspects of external and internal testing of cyber security program controls.
5.5 Cyber Security Incident Tracking and Reporting
Cyber security incident reports follow defined reporting channels, with primary reporting to the Department of Energy's Computer Incident Response Center (CIRC) or equivalent, with copies to Counterintelligence, the Office of the Inspector General, and the Berkeley Site Office. Incident reports are shared internally with key stakeholders to assure broad knowledge of current risks. Likewise, the Laboratory's cyber security staff remains abreast of new trends in attacks and threats primarily from public sector sources, but also from DOE sources such as CIAC alerts. As appropriate, briefing and discussions of cyber security incidents are entered into the LBNL Lessons Learned and Best Practices database and disseminated to target staff. These inputs, along with broad based incident review, allow the Laboratory to adjust its protection mechanisms continuously to ensure optimal protection. Incident trends and actions are communicated to the Computer Protection Implementation Committee, with membership from across the divisions.
5.6 FISMA Reporting
LBNL reports the status of its systems and authority to operate quarterly as part of DOE's overall approach to FISMA compliance.
6.0 Issues Management
The Cyber Security Program follows the LBNL Issues Management Program (LBNL PUB-5519) for managing issues. This program encompasses the continuous monitoring of work programs, performance to promptly identify issues to determine their risk and significance, their causes, and to identify and effectively implement corrective actions to ensure successful resolution and prevent the same or similar problems from occurring.
Cyber security issues are identified through self-assessments, incident assessments, and audits and reviews. At a graded approach, proper issues management includes causal analysis, development and implementation of corrective actions, and verification and validation of corrective action implementation and effectiveness.
6.1 Corrective Actions
As part of the Laboratory's Issues Management Program (IMP), all cyber security issues and associated corrective actions (except for those that are immediately corrected or rectified) are entered into the LBNL Corrective Action Tracking System (CATS) database. This database enables LBNL employees to identify, track, manage, resolve, and search for issues and associated corrective actions. Corrective Actions are tracked to completion and validated.
Major corrective actions are also reported to DOE (through the Office of Science) through the Plan of Actions and Milestones Process or POAMs. POAMs are an integral part of quarterly Federal Information Security Management Act reporting.
6.2 Event Tracking
All cyber security events are tracked and identified with the goal of identifying proximate and root causes. See earlier discussion.
6.3 General Tracking
Issues related to the functioning of systems or from users are tracked either through the help desk ticketing system or through internal trouble reports. All issues are worked to completion. Automated systems ensure attention to unresolved issues. Weekly meetings discuss any open incident issues.
6.4 Trending
All incident and damage statistics are tracked for trends based on more than a decade of data. Both ongoing and the annual risk assessments provide an opportunity to review trends and make adjustments to controls as appropriate. In addition, the Laboratory keeps summary connection information indefinitely so that long term studies of trends in attacks and connections can be conducted. These are often used to answer questions such as "what are the trends in password guessing attacks," and "how our our connections from other countries changing?"
7.0 Lessons Learned and Best Practices
The Program shares information gleaned from incidents as well as best practices from other labs and within the Laboratory widely. Generally, such information is shared via the CPP website as recommendations. Where appropriate, the program uses the Laboratory's Lessons Learned system.
8.0 Assurance Systems and Assessment Schedule
8.1 Outcomes and Related Assurance Systems
Outcome | Assurance System | System artifacts |
|---|---|---|
Systems are securely configured and meet requirements. | Vulnerability scanning, continuous and on demand, to identify insecurely configured or vulnerable systems with actions in response to a finding of vulnerability | On request access to blocked host history lists, web site information with current scans |
Systems are not infected or attacking other systems. | Monitoring systems provide indications of vulnerable systems | On request access to Bro logs and incident investigation reports |
Attackers cannot search indiscriminately for targets. | Monitoring systems (Bro, Syslog, Netflow) provide defenses against indiscriminate attacker | On request access to Bro logs |
Users are trained. | LBL Training Database | Report outputs on training rates as part of PEMP |
Security systems are operational. | System monitoring and alerts to detect failures in critical cyber defense systems | On request access to Nagios and related logging reports |
DOE and LBNL jointly understand residual risk. | Annual risk assessment and ongoing briefings as necessary. Cost-benefit analysis of cyber program. | Dialogue with site office. |
8.2 FY16 Assessment Schedule
| # | Assessment Type | Schedule (and Title) | Performed By |
|---|---|---|---|
| 2.2 | Authorizing System Assessments | Was triennial, moving to continuous authorization | Office of the CIO/Cyber Security Program with External Assessors |
| 2.3 | Internal Audit | Per IAS Audit Plan. The FY16 audit plan does not include any IT focused audits, although some of the audits will likely touch IT. | Berkeley Lab Internal Audit Services |
| 2.4 | IG Audits and Reviews | Assessment of LBNL occurs at the discretion of oversight entity, audits include:
| DOE Inspector General (often using KPMG) |
| 2.5 | DOE FMFIA | Typically no later than March | DOE |
| 2.6 | Berkeley Site Office Oversight Activities | Assessment occurs at the discretion of oversight entity. | BSO |
| 2.6 | DOE-HSS Oversight Activities | Assessment occurs at the discretion of oversight entity. | DOE-HSS |
| 2.6 | SC Surveys | Assessment occurs at the discretion of oversight entity; Last occurred May 2014. | DOE Office of Science |
2.7 | Peer Review | Every 3-5 years, last assessed in June 2010; None planned for FY16 | Similar institutions |
| 2.8 | Advisory Board | Typically annually | Board members |
| 3.2 | Self-Assessment Risk Assessment | Annually by 10/1 | Office of the CIO/Cyber Security Program |
| 3.3 | UC Self-Assessment | Assessment occurs at the discretion of UC. | Office of the CIO/Cyber Security Program |
| 3.4 | Management Controls and Compliance Program | Completed by 7/1 (At discretion of OCFO, subset of controls related to IT operations) | LBNL CFO |
| 3.5 | IAS Advisory Service | No advisory services planned for FY16. | LBNL Internal Audit Services |
