RPM

REQUIREMENTS AND POLICIES MANUAL

Security for Information Technology

    Title:

    Security for Information Technology

    Publication date:

    2/5/2014

    Effective date:

    3/20/2007

    BRIEF

    Policy Summary

    This policy describes security responsibilities and requirements for Laboratory Information Technology (IT). This includes responsibilities and requirements for:

    • Individuals and supervisors
    • Certain roles such as system administrator, web server owner, and application developer
    • Divisions, including division security liaisons
    • The Cyber Security Program (CSP)

    Who Should Read This Policy

    • Employees and affiliates who use or manage Laboratory IT or Laboratory Information
    • Employees with additional security responsibilities for Laboratory IT, such as computer security liaisons or members of the CSP

    To Read the Full Policy, Go To:

    The POLICY tab on this wiki page

    Contact Information

    Information Technology Policy Manager
    Information Technology Division
    itpolicy@lbl.gov

    POLICY

    A. Purpose

    The purpose of this policy is to enable a computing environment for Lawrence Berkeley National Laboratory (Berkeley Lab) that is both open and appropriately secure.

    B. Persons Affected

    This policy applies to employees and affiliates as well as individuals with additional security responsibilities for Laboratory Information Technology (IT).

    C. Exceptions

    The Berkeley Lab Chief Information Officer, the Cyber Security Manager (CSM), and the Cyber Security Program (CSP) may approve exceptions to this policy.

    D. Policy Statement

    D.1 Employees and Affiliates

    1. Everyone Is Responsible for Security. Laboratory IT Security is a line-management function at Berkeley Lab. Employees and affiliates are responsible for the security of computers and devices that they use or manage. They must take appropriate steps to secure Laboratory IT and Information that they create, possess, manage, or have access to in connection with their Laboratory employment or research.
      1. Authorizing Access to IT Resources. Employees and affiliates may authorize the use of Laboratory IT that they manage. When authorizing use, employees and affiliates assume security responsibility for the use and/or user and must ensure that Berkeley Lab IT policies are communicated to the user and followed in the course of granting access.
      2. Reviewing Authorization. After authorization, employees and affiliates must review access on a schedule appropriate to the risks presented by the service or system.
    2. Security Requirements. Employees and affiliates must ensure that computers and devices they use or manage meet the Minimum Security Requirements. Employees with specific roles must meet the Role-Based Security Requirements. Employees and affiliates must meet any additional requirements and procedures that CSP determines are necessary to secure the Laboratory.
      1. Minimum Security Requirements. Minimum security requirements protect both the integrity of Laboratory Information and our network by providing a baseline level of protection for devices. Requirements may include training, security patches, passwords, media protection, anti-virus protection, physical protections, and network access.
      2. Role-based Security Requirements. Certain roles require additional security requirements to protect Laboratory IT and Information. Roles include system administrators, web server owners, and application developers.
      3. Other Requirements. Employees and affiliates must adhere to additional requirements, standards, and procedures that the Cyber Security Program (CSP) determines are necessary to protect Laboratory IT and Information. Additional requirements are available on the CSP's Security Requirements page.
    3. Reporting Security Incidents. Employees and affiliates must follow the appropriate procedures to report cyber security incidents, including the loss or theft of Laboratory IT or Information.

    D.2 Laboratory Management

    1. Supervisors and managers must provide adequate oversight to ensure that employees and affiliates under their management are taking appropriate steps to secure Laboratory IT and Information throughout its lifecycle.
    2. The division or department director must ensure that the division adheres to policies, requirements, and procedures related to securing Laboratory IT and Information.
    3. The division or department director must designate a Computer Security Liaison who has authority and responsibility for coordination of computer security activities.

    D.3 Exceptions and Enforcement

    1. Exceptions to Security Requirements
      1. Some systems, most commonly scientific ones, are unable to meet the security requirements. Possible reasons include:
        1. Technical. For example, a legacy operating system that does not have patches for some vulnerability.
        2. Operational. For example, a device that performs experiments, such as genome sequencing or systems used in the Advanced Light Source (ALS) control, may have uptime requirements such that they cannot be patched or rebooted.
        3. Cost-efficiency. For example, the cost, either monetarily or for mission reasons, of upgrading a device to meet requirements exceeds the security benefit.
      2. Exceptions. Employees and affiliates should take a risk-based approach to using exceptions and seek guidance from CSP as appropriate. CSP may refuse exceptions based on institutional risk or require compensating controls.
    2. Enforcement. Employees and affiliates who do not comply with this policy may temporarily be denied access to Laboratory IT and may be subject to other penalties and disciplinary action up to and including termination. Non-compliant devices may be disconnected from the Laboratory network until the device is compliant.

    D.4 Cyber Security Program

    The CSP has the authority and responsibility to support the security of Laboratory IT and Information. The program must:

    1. Provide general protection for Laboratory IT and Information that is risk-based, cost-effective, and supports the mission of the Laboratory
    2. Establish requirements, standards, procedures, and guidelines to help secure Laboratory IT and Information and comply with applicable regulations and requirements
    3. Provide information and resources to help Laboratory divisions and employees meet their security responsibilities
    4. Elicit input from divisions and programs on security policies and procedures

    Although CSP supports the security of Laboratory IT and Information, ultimate responsibility for security and its implementation rests with each employee and affiliate.

    E. Roles and Responsibilities

    Employees and affiliates must adhere to this policy. The table below describes specific responsibilities, authorities, and accountabilities by role:

    Role: Director
      Responsibility: Oversees site management and operations
      Authority: Delegates cyber protection responsibilities (to CIO)
      Accountability: Accountable to DOE and UCOP for site operations

    Role: Chief Information Officer (CIO)
      Responsibility/Authority:
        • Oversees institutional Cyber Security Program
        • Oversees cyber security policy and related oversight activities
        • Designates the CSM
        • Directs resources to prioritize cyber security efforts
      Accountability: Accountable to Director for cyber security performance and policy

    Role: Deputy CIO for Technology and Policy
      Responsibility/Authority:
        • Approves and directs the institutional Cyber Security Program
        • Ensures that the Cyber Security Program is effectively managing risk
        • Establishes cyber security policy
        • Establishes risk management approach
      Accountability: Accountable to CIO for cyber security performance
    Role: Cyber Security Manager (CSM)
      Responsibility/Authority:
        • Manages the institutional Cyber Security Program
        • Evaluates overall cyber security posture and direction for Berkeley Lab
        • Recommends security controls to CIO and Deputy CIO
        • Directs resources to cyber protection efforts
        • Establishes cyber security requirements
      Accountability: Accountable to CIO and Deputy CIO for cyber security performance

    Role: Cyber Security Program (CSP)
      Responsibility: Develops and operates the institutional Cyber Security Program
      Authority: Recommends and enforces cyber security requirements
      Accountability: Accountable to CSM for cyber security performance

    Role: Computer Security Liaisons
      Responsibility:
        • Advise in the development of the Cyber Security Program by representing their division
        • Communicate cyber security policies and requirements to their divisions
      Authority: Recommend changes to cyber security policy and requirements
      Accountability: Accountable to division line management for contributions to cyber security posture

    Role: Supervisors and Managers
      Responsibility: Ensure safety and security of employees and systems within span of control
      Authority: Direct work and resources to operate in a safe and secure manner
      Accountability: Accountable to defined line manager for cyber security performance within span of control

    F. Definitions/Acronyms

    Laboratory IT: Berkeley Lab-managed IT, including computing devices, networks, services, and accounts

    Laboratory Information: Information used to accomplish job-related tasks; information may be owned by the Regents of the University of California or the Department of Energy.

    G. Recordkeeping Requirements

    None

    H. Implementing Documents

    Document number  Title                                                  Type
    10.01.002.001    Minimum Security Requirements                          Standard
    10.01.002.002    Role-based Security Requirements                       Standard
    10.01.002.003    Security Requirements                                  Standard
    11.04.003.000    Financial Management System (FMS) User Access control  Policy

    I. Contact Information

    Information Technology Policy Manager
    Information Technology Division
    itpolicy@lbl.gov

    J. Revision History

    Date: 1/2/2012
      Revision: 0
      By whom: J. Bonaguro
      Revision Description: Rewrite for wiki (brief)
      Section(s) affected: All
      Change Type: Minor

    Date: 7/30/2012
      Revision: 1
      By whom: J. Bonaguro
      Revision Description: Rewrite for wiki (policy)
      Section(s) affected: All
      Change Type: Minor

    Date: 2/5/2014
      Revision: 1.1
      By whom: J. Bonaguro
      Revision Description: Periodic review
      Section(s) affected: All
      Change Type: Minor

    DOCUMENT INFORMATION

    Title:

    Security for Information Technology

    Document number:

    10.01.002.000

    Revision number:

    1.1

    Publication date:

    2/5/2014

    Effective date:

    3/20/2007

    Next review date:

    3/1/2015

    Policy Area:

    Information Technology

    RPM Section (home):

    Information Management

    RPM Section (cross-reference):

    Sections 9.01 and 9.02

    Functional Division:

    Information Technology

    Prior reference information (optional):

    RPM Sections 9.01 and 9.02

    Source Requirements Documents

    • DOE O 205.1B, Department of Energy Cyber Security Management, CRD
    • DOE P 205.1, Departmental Cyber Security Management Policy
    • UCOP IS-3 Electronic Information Security

    Implementing Documents

    Document number  Title                                                  Type
    10.01.002.001    Minimum Security Requirements                          Requirements
    10.01.002.002    Role-Based Security Requirements                       Requirements
    10.01.002.003    Security Requirements                                  Requirements
    11.04.003.000    Financial Management System (FMS) User Access control  Policy
