Title: Security for Information Technology
Publication date: 2/5/2014
Effective date: 3/20/2007

BRIEF

Policy Summary

This policy describes security responsibilities and requirements for Laboratory Information Technology (IT). This includes responsibilities and requirements for:

  • Individuals and supervisors
  • Certain roles such as system administrator, web server owner, and application developer
  • Divisions, including division security liaisons
  • The Cyber Security Program (CSP)

Who Should Read This Policy

  • Employees and affiliates who use or manage Laboratory IT or Laboratory Information
  • Employees with additional security responsibilities for Laboratory IT, such as computer security liaisons or members of the CSP

To Read the Full Policy, Go To:

The POLICY tab on this wiki page

Contact Information

Information Technology Policy Manager
Information Technology Division
[email protected]

POLICY

A. Purpose

The purpose of this policy is to enable a computing environment for Lawrence Berkeley National Laboratory (Berkeley Lab) that is both open and appropriately secure.

B. Persons Affected

This policy applies to employees and affiliates as well as individuals with additional security responsibilities for Laboratory Information Technology (IT).

C. Exceptions

The Berkeley Lab Chief Information Officer, the Cyber Security Manager (CSM), and the Cyber Security Program (CSP) may approve exceptions to this policy.

D. Policy Statement

D.1 Employees and Affiliates

  1. Everyone Is Responsible for Security. Laboratory IT Security is a line-management function at Berkeley Lab. Employees and affiliates are responsible for the security of computers and devices that they use or manage. They must take appropriate steps to secure Laboratory IT and Information that they create, possess, manage, or have access to in connection with their Laboratory employment or research.
    1. Authorizing Access to IT Resources. Employees and affiliates may authorize the use of Laboratory IT that they manage. When authorizing use, employees and affiliates assume security responsibility for the use and/or user and must ensure that Berkeley Lab IT policies are communicated to the user and followed in the course of granting access.
    2. Reviewing Authorization. After authorization, employees and affiliates must review access on a schedule appropriate to the risks presented by the service or system.
  2. Security Requirements. Employees and affiliates must ensure that computers and devices they use or manage meet the Minimum Security Requirements (https://commons.lbl.gov/display/cpp/Minimum+Security+Requirements). Employees with specific roles must meet the Role-Based Security Requirements (https://commons.lbl.gov/display/cpp/Role-Based+Security+Requirements). Employees and affiliates must meet any additional requirements and procedures that CSP determines are necessary to secure the Laboratory.
    1. Minimum Security Requirements. Minimum security requirements protect both the integrity of Laboratory Information and our network by providing a baseline level of protection for devices. Requirements may include training, security patches, passwords, media protection, anti-virus protection, physical protections, and network access.
    2. Role-based Security Requirements. Certain roles require additional security requirements to protect Laboratory IT and Information. Roles include system administrators, web server owners, and application developers.
    3. Other Requirements. Employees and affiliates must adhere to additional requirements, standards, and procedures that the Cyber Security Program (CSP) determines are necessary to protect Laboratory IT and Information. Additional requirements are available on the CSP's Security Requirements page (https://commons.lbl.gov/display/cpp/Cyber+Security+Requirements).
  3. Reporting Security Incidents. Employees and affiliates must follow the appropriate procedures to report cyber security incidents, including the loss or theft of Laboratory IT or Information.

D.2 Laboratory Management

  1. Supervisors and managers must provide adequate oversight to ensure that employees and affiliates under their management are taking appropriate steps to secure Laboratory IT and Information throughout its lifecycle.
  2. The division or department director must ensure that the division adheres to policies, requirements, and procedures related to securing Laboratory IT and Information.
  3. The division or department director must designate a Computer Security Liaison who has authority and responsibility for coordination of computer security activities.

D.3 Exceptions and Enforcement

  1. Exceptions to Security Requirements
    1. Some systems, most commonly scientific ones, are unable to meet the security requirements. Possible reasons include:
      1. Technical. For example, a legacy operating system that does not have patches for some vulnerability.
      2. Operational. For example, a device that performs experiments, such as genome sequencing or systems used in the Advanced Light Source (ALS) control, may have uptime requirements such that they cannot be patched or rebooted.
      3. Cost-efficiency. For example, the cost, either monetarily or for mission reasons, of upgrading a device to meet requirements exceeds the security benefit.
    2. Exceptions. Employees and affiliates should take a risk-based approach to using exceptions and seek guidance from CSP as appropriate. CSP may refuse exceptions based on institutional risk or require compensating controls.
  2. Enforcement. Employees and affiliates who do not comply with this policy may temporarily be denied access to Laboratory IT and may be subject to other penalties and disciplinary action up to and including termination. Non-compliant devices may be disconnected from the Laboratory network until the device is compliant.

D.4 Cyber Security Program

The CSP has the authority and responsibility to support the security of Laboratory IT and Information. The program must:

  1. Provide general protection for Laboratory IT and Information that is risk-based, cost-effective, and supports the mission of the Laboratory
  2. Establish requirements, standards, procedures, and guidelines to help secure Laboratory IT and Information and comply with applicable regulations and requirements
  3. Provide information and resources to help Laboratory divisions and employees meet their security responsibilities
  4. Elicit input from divisions and programs on security policies and procedures

Although CSP supports the security of Laboratory IT and Information, ultimate responsibility for security and its implementation rests with each employee and affiliate.

E. Roles and Responsibilities

Employees and affiliates must adhere to this policy. The table below describes specific responsibilities, authorities, and accountabilities by role:

Director
  Responsibility: Oversees site management and operations
  Authority: Delegates cyber protection responsibilities (to CIO)
  Accountability: Accountable to DOE and UCOP for site operations

Chief Information Officer (CIO)
  Responsibility: Oversees institutional Cyber Security Program; oversees cyber security policy and related oversight activities
  Authority: Designates the CSM; directs resources to prioritize cyber security efforts
  Accountability: Accountable to Director for cyber security performance and policy

Deputy CIO for Technology and Policy
  Responsibility: Approves and directs the institutional Cyber Security Program; ensures that the Cyber Security Program is effectively managing risk
  Authority: Establishes cyber security policy; establishes risk management approach
  Accountability: Accountable to CIO for cyber security performance

Cyber Security Manager (CSM)
  Responsibility: Manages the institutional Cyber Security Program; evaluates overall cyber security posture and direction for Berkeley Lab; recommends security controls to CIO and Deputy CIO
  Authority: Directs resources to cyber protection efforts; establishes cyber security requirements
  Accountability: Accountable to CIO and Deputy CIO for cyber security performance

Cyber Security Program (CSP)
  Responsibility: Develops and operates the institutional Cyber Security Program
  Authority: Recommends and enforces cyber security requirements
  Accountability: Accountable to CSM for cyber security performance

Computer Security Liaisons
  Responsibility: Advise in the development of the Cyber Security Program by representing their division; communicate cyber security policies and requirements to their divisions
  Authority: Recommend changes to cyber security policy and requirements
  Accountability: Accountable to division line management for contributions to cyber security posture

Supervisors and Managers
  Responsibility: Ensure safety and security of employees and systems within span of control
  Authority: Direct work and resources to operate in a safe and secure manner
  Accountability: Accountable to defined line manager for cyber security performance within span of control

F. Definitions/Acronyms

Laboratory IT: Berkeley Lab-managed IT, including computing devices, networks, services, and accounts

Laboratory Information: Information used to accomplish job-related tasks; information may be owned by the Regents of the University of California or the Department of Energy.

G. Recordkeeping Requirements

None

H. Implementing Documents

Document number | Title | Type
10.01.002.001 | Minimum Security Requirements (https://commons.lbl.gov/display/cpp/Minimum+Security+Requirements) | Standard
10.01.002.002 | Role-based Security Requirements (https://commons.lbl.gov/display/cpp/Role-Based+Security+Requirements) | Standard
10.01.002.003 | Security Requirements (https://commons.lbl.gov/display/cpp/Security+Requirements) | Standard
11.04.003.000 | Financial Management System (FMS) User Access Control (https://commons.lbl.gov/display/rpm2/Financial+Management+System+%28FMS%29+User+Access+Control) | Policy

I. Contact Information

Information Technology Policy Manager
Information Technology Division
[email protected]

J. Revision History

Date | Revision | By whom | Revision Description | Section(s) affected | Change Type
1/2/2012 | 0 | J. Bonaguro | Rewrite for wiki (brief) | All | Minor
7/30/2012 | 1 | J. Bonaguro | Rewrite for wiki (policy) | All | Minor
2/5/2014 | 1.1 | J. Bonaguro | Periodic review | All | Minor


DOCUMENT INFORMATION

Title: Security for Information Technology
Document number: 10.01.002.000
Revision number: 1.1
Publication dates: 2/5/2014
Effective date: 3/20/2007
Next review date: 3/1/2015
Policy Area: Information Technology
RPM Section (home): Information Management
RPM Section (cross-reference): Sections 9.01 and 9.02
Functional Division: Information Technology
Prior reference information (optional): RPM Sections 9.01 and 9.02

Source Requirements Documents

  • DOE O 205.1B, Department of Energy Cyber Security Management, CRD
  • DOE P 205.1, Departmental Cyber Security Management Policy
  • UCOP IS-3 Electronic Information Security

Implementing Documents

Document number | Title | Type
10.01.002.001 | Minimum Security Requirements | Requirements
10.01.002.002 | Role-Based Security Requirements | Requirements
10.01.002.003 | Security Requirements | Requirements
11.04.003.000 | Financial Management System (FMS) User Access Control (https://commons.lbl.gov/display/rpm2/Financial+Management+System+%28FMS%29+User+Access+Control) | Policy

ADDITIONAL INFORMATION (visible only to the rpm2-admins group)

Title: Security for Information Technology
Document number: 10.01.002.000
Revision number: 1.1
Publication dates: 2/5/2014
Effective date: 3/20/2007
Next review date: 3/1/2015
Policy Area: Information Technology
RPM Section (home): Information Management
RPM Section (cross-reference): Sections 9.01 and 9.02
Functional Division: Information Technology
Author name/contact info: J. Bonaguro
Revision 0 publication date: 3/20/2007
Retirement date: n/a
Prior reference information (optional): RPM Sections 9.01 and 9.02
Inputs from more than one Functional Area?: No
List additional Functional Areas & contacts:
Inputs from more than one Policy Area?: No
List additional Policy Areas & contacts:
30-day notification needed?: No
30-day start date: n/a
30-day end date: n/a
LDAP protected?: No
Need TABL reminders?: No
Frequency: n/a
Brief reminder text: n/a

 

 
