Title: | Cyber Security Risk Management Approach |
Publication date: | 8/9/2024 |
Effective date: | 3/20/2007 |
BRIEF
Policy Summary
This policy describes roles and responsibilities for Berkeley Lab's cyber security risk management approach.
Who Should Read This Policy
Employees and affiliates with Cyber Security Program responsibilities, including enclave owners and enclave security coordinators
To Read the Full Policy, Go To:
The POLICY tab on this wiki page
Contact Information
Information Technology Policy Manager
Information Technology Division
[email protected]
POLICY
A. Purpose
The purpose of this policy is to establish and maintain a risk management approach that appropriately and cost-effectively mitigates cyber security risks at Lawrence Berkeley National Laboratory (Berkeley Lab).
B. Persons Affected
This policy applies to employees and affiliates with cyber security program responsibilities and related compliance activities.
C. Exceptions
None.
D. Policy Statement
- Berkeley Lab manages risk to systems consistent with Department of Energy and Office of Science requirements using a cost-effective approach that balances mission and risk.
- Description of Systems
- Berkeley Lab groups information technology into enclaves that serve as systems for the purpose of cyber security policy and management.
- Any organized unit of Berkeley Lab may request that it be treated as an enclave for the purpose of cyber security management.
- The Deputy CIO for Technology and Policy must approve minimum security controls and policies for all enclaves. Enclaves must implement minimum security controls and policies.
- The Policy and Risk Manager must develop procedures and requirements for the risk management approach, system authorization, disaster recovery testing, plan of action and milestones, assurance, and other related processes. Enclaves must follow the procedures and requirements where applicable.
E. Roles and Responsibilities
Role | Responsibility |
Chief Information Officer | |
Chief Information Security Officer | |
Cyber Security Policy Managers | |
Enclave Owners | |
Enclave Cyber Security Coordinators | |
F. Definitions/Acronyms
Term | Definition |
Enclave | Groups of information technology that share a similar level of risk, use similar controls, and are under the same management. Enclave serves as a synonym for system as defined in National Institute of Standards and Technology Special Publication 800-37, Revision 1. |
G. Recordkeeping Requirements
None.
H. Implementing Documents
None.
I. Contact Information
Information Technology Policy Manager
Information Technology Division
[email protected]
J. Revision History
Date | Revision | By Whom | Revision Description | Section(s) Affected | Change Type |
1/2/2012 | 0 | J. Bonaguro | Re-write for wiki (brief) | All | Minor |
8/21/2012 | 1 | J. Bonaguro | Re-write for wiki (policy) | All | Minor |
2/7/2014 | 1.1 | J. Bonaguro | Edited to clarify roles | D and E | Minor |
3/30/2017 | 1.2 | S. Lau | Minor typographical edits | All | Minor |
6/15/2021 | 1.2 | A. Sultan | Periodic review. No changes. | All | Editorial |
8/9/2024 | 1.3 | A. Sultan | Periodic review: R&R updates, no policy changes | E | Editorial |
DOCUMENT INFORMATION
Title: | Cyber Security Risk Management Approach |
Document number | 10.01.006.000 |
Revision number | 1.3 |
Publication date: | 8/9/2024 |
Effective date: | 3/20/2007 |
Next review date: | 8/8/2027 |
Policy Area: | Information Technology |
RPM Section (home) | Information Management |
RPM Section (cross-reference) | none |
Functional Division | Information Technology |
Prior reference information (optional) | |
Source Requirements Documents
- DOE O 205.1C, Department of Energy Cybersecurity Management Program, CRD
- DOE P 205.1, Departmental Cyber Security Management Policy
- DOE Office of Science Program Cybersecurity Plan, June 2010
Implementing Documents
None