Lawrence Berkeley National Laboratory masthead LBNL Home A-Z Index U.S. Department of Energy logo Phone Book Jobs Search

RPM

REQUIREMENTS AND POLICIES MANUAL

Search the RPM
 
Home

Cyber Security Risk Management Approach

    Title:

    Cyber Security Risk Management Approach

    Publication date:

    3/30/2017

    Effective date:

    3/20/2007

    BRIEF

    Policy Summary

    This policy describes roles and responsibilities for Berkeley Lab's cyber security risk management approach.

    Who Should Read This Policy

    Employees and affiliates with Cyber Security Program responsibilities, including enclave owners and enclave security coordinators

    To Read the Full Policy, Go To:

    The POLICY tab on this wiki page

    Contact Information

    Information Technology Policy Manager
    Information Technology Division
    itpolicy@lbl.gov

    Title:

    Cyber Security Risk Management Approach

    Publication date:

    3/30/2017

    Effective date:

    3/20/2007

    POLICY

    A. Purpose

    The purpose of this policy is to establish and maintain a risk management approach that appropriately and cost-effectively mitigates cyber security risks at Lawrence Berkeley National Laboratory (Berkeley Lab).

    B. Persons Affected

    This policy applies to employees and affiliates with cyber security program responsibilities and related compliance activities.

    C. Exceptions

    None.

    D. Policy Statement

    1. Berkeley Lab manages risk to systems consistent with Department of Energy and Office of Science requirements using a cost-effective approach that balances mission and risk.
    2. Description of Systems
      1. Berkeley Lab groups information technology into enclaves that serve as systems for the purpose of cyber security policy and management.
      2. Any organized unit of Berkeley Lab may request that it be treated as an enclave for the purpose of cyber security management.
    3. The Deputy CIO for Technology and Policy must approve minimum security controls and policies for all enclaves. Enclaves must implement the minimum security controls and policies.
    4. The Policy and Risk Manager must develop procedures and requirements for the risk management approach, system authorization, disaster recovery testing, plan of action and milestones, assurance, and other related processes. Enclaves must follow the procedures and requirements where applicable.

    E. Roles and Responsibilities

    Role

    Responsibility

    Chief Information Officer

    Oversees site risk management approach, including system authorization responsibilities

    Deputy CIO for Technology and Policy

    • Develops the site risk management approach
    • Communicates the risk-management approach to the Berkeley Lab community
    • Approves minimum security controls and policies
    • Designates enclave boundaries and maintains the authoritative list of enclaves

    Cyber Security Manager

    • Manages implementation of the Cyber Security Program for Berkeley Lab
    • Assists in the development of the site risk management approach and the selection of minimum security controls and policies
    • Manages implementation of security controls to mitigate cyber risk
    • Ensures that the Cyber Security Program is continuously monitoring and responding to cyber risks
    • Conducts high-quality risk analysis and planning for cyber decision-making

    Policy and Risk Manager

    • Develops procedures and requirements to support the site risk management approach
    • Assists in the development of the site risk management approach and the selection of minimum security controls and policies
    • Ensures Cyber Security Program appropriately meets regulatory requirements and manages risk
    • Conducts high-quality risk analysis and planning for cyber decision-making

    Enclave Owners

    • Understand the risks identified and the controls in place to mitigate against those risks within their enclave
    • Monitor the risks and notify the Chief Information Officer or their designee of changes in the cyber security profile of their enclave

    Enclave Cyber Security Coordinators

    • Coordinate the implementation of site risk management procedures and requirements in their enclave
    • Provide input into the site risk management approach and related procedures and requirements

    F. Definitions/Acronyms

    Term

    Definition

    Enclave

    Groups of information technology that share a similar level of risk, use similar controls, and are under the same management. Enclave serves as a synonym for system as defined in the National Institute of Standards and Technology Special Publication 800-37, Revision 1.

    G. Recordkeeping Requirements

    None.

    H. Implementing Documents

    None.

    I. Contact Information

    Information Technology Policy Manager
    Information Technology Division
    itpolicy@lbl.gov

    J. Revision History

    Date

    Revision

    By Whom

    Revision Description

    Section(s) Affected

    Change Type

    1/2/2012

    0

    J. Bonaguro

    Re-write for wiki (brief)

    All

    Minor

    8/21/2012

    1

    J. Bonaguro

    Re-write for wiki (policy)

    All

    Minor

    2/7/2014

    1.1

    J. Bonaguro

    Edited to clarify roles

    D and E

    Minor

    3/30/2017 1.2 S. Lau Minor typographical edits All Minor

    DOCUMENT INFORMATION

    Title:

    Cyber Security Risk Management Approach

    Document number

    10.01.006.000

    Revision number

    1.2

    Publication date:

    3/30/2017

    Effective date:

    3/20/2007

    Next review date:

    3/30/2019

    Policy Area:

    Information Technology

    RPM Section (home)

    Information Management

    RPM Section (cross-reference)

    none

    Functional Division

    Information Technology

    Prior reference information (optional)

     

    Source Requirements Documents

    • DOE O 205.1B, Department of Energy Cyber Security Management Program, CRD
    • DOE P 205.1, Departmental Cyber Security Management Policy
    • DOE Office of Science Program Cyber Security Plan, June 2010

    Implementing Documents

    None

    • No labels

    Adaptavist ThemeBuilder EngineAtlassian Confluence