Effective Date: October 1, 2016 - September 30, 2017
Approval
Approved By: Rosio Alvarez, Chief Information Officer
Table of Contents
1.0 Introduction
The Berkeley Lab IT Assurance Plan is designed to ensure that Berkeley Lab IT efforts meet contractual requirements and support Berkeley Lab's mission. This plan is primarily concerned with functions provided by IT division for the Laboratory. DOE requires a separate Cyber Security Assurance Plan, which is concerned with the institution's overall cyber security performance.
1.1 Approach to Assurance
Our approach to assurance is coupled to the ongoing oversight of programs and projects that is a normal and ongoing part of IT management. As such, our primary assurance is the annual development of strategic objectives accompanied by quarterly reports and/or meetings on those objectives between IT Senior Management and heads of Service Areas.
Independent assessments, including peer reviews, provide additional assurance along with our ongoing key metrics such as network availability and customer satisfaction.
2.0 Independent Assurance
2.1 Overview
IT systems are subject to a number of external assessments.
2.2 Peer Reviews
The IT Division conducts a peer review every three to five years, based on guidance provided by Operations. The last Peer Review was conducted in June of 2010. Peer reviewers are typically chosen from among similar institutions in the research, national laboratory, University, and nonprofit space. Peer Review typically produce recommendations and/or findings which are considered as part of the Division's strategic and tactical planning.
2.3 Internal Audit
UC operates an independent Internal Audit system for Berkeley Lab, Internal Audit Services (IAS). IAS's mission is to assess and monitor the Laboratory community in the performance of their oversight, management and operating responsibilities in relation to governance processes, systems of internal controls, and compliance with laws, regulations, contracts and Berkeley Lab, UC, and DOE policies.
IAS has been granted authority through its charter and the UC Internal Audit Management Charter approved by the Regents of UC. IAS functions under the policies established by the Regents and Laboratory management under delegated authority. IAS is authorized full, free and unrestricted access to information including records, computer files, property, and personnel of the Laboratory required in the performance of audits. The work of IAS is unrestricted except where limited by law. IAS is free to review and evaluate all policies, procedures and practices of any Laboratory activity, program or function.
In practice, Internal Audit conducts at least one IT focused audit each year. Results are shared with UC and Berkeley Lab management.
2.4 Inspector General Operations Audits and Reviews
The DOE IG performs audits of M&O IT operations. Results from these reviews must be carefully calibrated due to the IG's focus on cost-savings opportunities regardless of impact on mission achievement.
2.5 Other DOE Reviews
The DOE Berkeley Site Office (BSO) conducts graded oversight reviews of the Laboratory's IT Operations. These reviews include ongoing operational awareness activities, and scheduled assessments and reviews into particular risks or control families. Assessment topics are generally planned and calendared at the start of the performance year.
Other IT-related assessments and informal evaluations, such as visits from the DOE Records Management Program or SC Privacy Officers, supplement these reviews.
2.6 Advisory Board
An external advisory board, consisting of three to four IT leaders, convenes typically every year to review all parts of IT, and provide an assessment to Senior Management.
3.0 Internal Assurance
On an ongoing basis, the IT Director and service area leads agree on a portfolio of objectives. Each objective includes a set of related strategies and metrics and key performance indicators that service area leads use to manage progress toward objectives. This plan forms the basis of self assessments.
3.1 Project Monitoring
Under the line management approach, service area leads are responsible for monitoring and reporting on projects. Service area leads report and IT senior management discusses the status of strategic objectives, including a summary of how the objective and related strategies were met, any changes in direction/approach, and/or significant problems or risks.
3.2 Project Assessments
Every year, the CIO will select one or more strategic projects for an in-depth assessment.
3.3 Self-Assessment Risk Assessment
Excerpt from Cyber Security Assurance Plan:
"The Office of the CIO and the Cyber Security Program undertake annual risk and self assessments of its information technology posture. The risk-assessment process is designed to provide transparency to DOE and the Laboratory Community on current and emerging threats as well as residual risks from our security posture. The self-assessment process seeks to verify the effectiveness of technical, administrative, and operational controls.
Both processes are consistent with National Institute of Standards and Technology guidance. However, Berkeley Lab's approach is unique in that it utilizes a cost-damage model collaboratively developed with Carnegie Mellon University, and uses extensive narrative description to ensure that Berkeley Lab community members and oversight organizations can understand the risks clearly and in lay, comprehensible terms. Results are transmitted to DOE and are used as input for strategic planning and service management in the coming year.
Based on the annual risk assessment, cyber security plan owners will review and update plans as necessary to reflect any changes in technical, administrative, and operational controls."
3.4 Federal Manager’s Financial Integrity Act (FMFIA)/Entity Assessment Annual Self-Assessment
The Financial Management Assurance (FMA) program is DOE’s internal control assessment program to meet the requirements of the Financial Integrity Act (FMFIA) of 1982 and Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Internal Control, including Appendix A, Internal Control Over Financial Reporting. The FMA program requires an evaluation of programmatic and non-financial reporting administrative controls, an assessment of entity controls, and evaluation and testing of financial management reporting controls.
3.5 UC Self-Assessment
The University of California Office of the President, at the direction of the Regents, may require a self-assessment or review.
3.6 IAS Advisory Service
IAS may be requested to perform advisory services for various areas of information technology. Advisory services are activities designed to mitigate risk, improve operations, and/or assist management in achieving its business objectives, in which the nature and scope of the engagements are agreed upon with the management of the subject matter being evaluated. Examples include informational resources, counsel, advice, facilitation, process design, and training.
4.0 Performance Measures
4.1 Performance Evaluation and Measurement Plan (PEMP)
The IT Division prepares a Midyear and Annual Assurance Report for BSO, UCOP, and Berkeley Lab Management. Each Assurance Report provides an overview of Berkeley Lab performance and recent assurance activities, including activities detailed in the IT Assurance Plan; performance against the PEMP’s Goals, Objectives, and Notable Outcomes; and related activities. This report provides the basis for a biannual tri-party Assurance meeting with counterparts from BSO and UCOP. Following meetings of each Operations' function; senior BSO, UCOP, and Berkeley Lab Management meet to discuss significant risks and concerns and corresponding mitigations.
4.2 Management Reporting
As part of monthly senior management meetings, IT reports a variety of metrics, including status of high priority objectives.
5.0 Assurance Systems and Assessment Schedule
5.1 DOE Requirements and Related Assurance Systems
DOE Requirements related to Information Technology are listed on the CIO website with corresponding implementation measures and assurance systems. See DOE Crosswalks.
5.2 FY17 Assessment Schedule
| # | Assessment Type | Schedule (and Title) | Performed By |
|---|---|---|---|
2.2 | Peer Reviews | Every 3-5 years, last assessed in June 2010. | Similar institutions |
2.3 | Internal Audit | Per IAS Audit Plan. The FY17 audit plan does not include any IT focused audits, although some of the audits will likely touch IT. | Berkeley Lab Internal Audit Services |
2.4 | IG Audits and Reviews | Assessment of Berkeley Lab occurs at the discretion of oversight entity, audits include:
| DOE Inspector General (often using KPMG) |
2.5 | Berkeley Site Office Oversight Activities | Assessment occurs at the discretion of oversight entity. | BSO |
2.5 | DOE-HSS Oversight Activities | Assessment occurs at the discretion of oversight entity. | DOE-HSS |
| 2.5 | Safeguard and Security Review | Every 3 years. Scheduled for Q1 FY 17 | DOE Office of Science |
2.6 | Advisory Board | Typically annually. | Board members |
3.2 | Project Assessments | Within 1 month of end of FY. | Office of the CIO |
3.3 | Self-Assessment Risk Assessment | Annually by Q1 FY. | Office of the CIO/Cyber Security Program |
3.4 | FMFIA/Entity Assessment | Last assessed Q4 FY13 (Subset of controls related to IT operations). | Berkeley Lab Line Management |
3.5 | UC Self-Assessment | Assessment occurs at the discretion of UC. Scheduled for Q2 FY 17. | Office of the CIO/Cyber Security Program |
3.6 | IAS Advisory Service | Follow-up to Q4 FY16 Multifactor Authentication Implementation Management Advisory by request of IT. End of Q1 FY17. | Berkeley Lab Internal Audit Services |
