BRIEF
Title: | Security for Information Technology |
Publication date: | 3/30/2017 |
Effective date: | 3/20/2007 |
This policy describes cyber security responsibilities and requirements for Berkeley Lab Information Technology (IT). This includes responsibilities and requirements for:
- Individuals and supervisors
- Certain roles such as system administrator, web server owner, and application developer
- Divisions, including division security liaisons
- The Cyber Security Program (Cyber Security)
- Employees and affiliates who use or manage Berkeley Lab IT or Berkeley Lab information
- Employees with additional security responsibilities for Berkeley Lab IT, such as cyber security liaisons or members of Cyber Security
The POLICY tab on this wiki page
Information Technology Policy Manager, Information Technology Division
POLICY
Title: | Security for Information Technology |
Publication date: | 3/30/2017 |
Effective date: | 3/20/2007 |
The purpose of this policy is to enable a computing environment for Lawrence Berkeley National Laboratory (Berkeley Lab) that is both open and appropriately secure.
This policy applies to employees and affiliates as well as individuals with additional cyber security responsibilities for Berkeley Lab Information Technology (IT).
The Berkeley Lab Chief Information Officer, the Chief Information Security Officer, and the Cyber Security Program may approve exceptions to this policy.
- Everyone Is Responsible for Security. Berkeley Lab IT cyber security is a line-management function at Berkeley Lab. Employees and affiliates are responsible for the security of computers and devices that they use or manage. They must take appropriate steps to secure Berkeley Lab IT and information that they create, possess, manage, or have access to in connection with their employment or research.
- Authorizing Access to IT Resources. Employees and affiliates may authorize the use of Berkeley Lab IT that they manage. When authorizing use, employees and affiliates assume cyber security responsibility for the use and/or user and must ensure that Berkeley Lab IT policies are communicated to the user and followed in the course of granting access.
- Reviewing Authorization. After authorization, employees and affiliates must review access on a schedule appropriate to the risks presented by the service or system.
- Cyber Security Requirements. Employees and affiliates must ensure that computers and devices they use or manage meet the Berkeley Lab Minimum Security Requirements. Employees with specific roles must meet the Role-Based Security Requirements. Employees and affiliates must meet any additional requirements and procedures that Cyber Security determines are necessary to secure the Laboratory.
- Minimum Security Requirements. Minimum security requirements protect both the integrity of Laboratory information and our network by providing a baseline level of protection for devices. Requirements may include training, security patches, passwords, media protection, anti-virus protection, physical protections, and network access.
- Role-based Security Requirements. Certain roles require additional security requirements to protect Berkeley Lab IT and information. Roles include system administrators, web server owners, and application developers.
- Other Requirements. Employees and affiliates must adhere to additional requirements, standards, and procedures that Cyber Security determines are necessary to protect Berkeley Lab IT and information. Additional requirements are available on the
- Reporting Cyber Security Incidents. Employees and affiliates must follow the appropriate procedures to report cyber security incidents, including the loss or theft of Berkeley Lab IT or information.
- Supervisors and managers must provide adequate oversight to ensure that employees and affiliates under their management are taking appropriate steps to secure Berkeley Lab IT and information throughout its lifecycle.
- The division or department director must ensure that the division adheres to policies, requirements, and procedures related to securing Berkeley Lab IT and information.
- The division or department director must designate a Cyber Security Liaison who has authority and responsibility for coordination of cyber security activities.
- Exceptions to Cyber Security Requirements
- Some systems, most commonly scientific ones, are unable to meet the cyber security requirements. Possible reasons include:
  - Technical. For example, a legacy operating system that does not have patches for a vulnerability.
  - Operational. For example, a device that performs experiments, such as genome sequencing, or systems used in the Advanced Light Source (ALS) control, may have uptime requirements such that they cannot be patched or rebooted.
  - Cost-efficiency. For example, the cost, either monetarily or for mission reasons, of upgrading a device to meet requirements exceeds the cyber security benefit.
- Exceptions. Employees and affiliates should take a risk-based approach to using exceptions and seek guidance from Cyber Security as appropriate. Cyber Security may refuse exceptions based on institutional risk or require compensating controls.
- Enforcement. Employees and affiliates who do not comply with this policy may temporarily be denied access to Berkeley Lab IT or information and may be subject to other penalties and disciplinary action up to and including termination. Non-compliant devices may be disconnected from the Berkeley Lab network at any time and until the device is compliant.
Cyber Security has the authority and responsibility to support the cyber security of Berkeley Lab IT and information. The program must:
- Provide general protection for Berkeley Lab IT and information that is risk-based, cost-effective, and supports the mission of the Laboratory;
- Establish requirements, standards, procedures, and guidelines to help secure Berkeley Lab IT and information and comply with all applicable regulations and requirements;
- Provide information and resources to help Laboratory divisions and employees meet their cyber security responsibilities; and
- Elicit input from divisions and programs on cyber security policies and procedures.
Although Cyber Security supports the cyber security of Berkeley Lab IT and information, ultimate responsibility for cyber security and its implementation rests with each Berkeley Lab employee and affiliate.
Employees and affiliates must adhere to this policy. The table below describes specific responsibilities, authorities, and accountabilities by role:
Role | Responsibility | Authority | Accountability |
Director | Oversees site management and operations | Delegates cyber security responsibilities (to CIO) | Accountable to DOE and UCOP for site operations |
Chief Information Officer (CIO) | | | |
Deputy CIO for Technology and Policy | | | |
Chief Information Security Officer (CISO) | | | |
Cyber Security | | | |
Cyber Security Liaisons | | | |
Supervisors and Managers | | | |
Term | Definition |
Berkeley Lab IT | Berkeley Lab-managed information technology, including computing devices, networks, services, and accounts. |
Berkeley Lab information | Information used to accomplish job-related tasks. Information may be owned by the Regents of University of California or the Department of Energy. |
None
Document number | Title | Type |
10.01.002.001 | Minimum Security Requirements | Standard |
10.01.002.002 | Role-Based Security Requirements | Standard |
10.01.002.003 | Security Requirements | Standard |
11.04.003.000 | | Policy |
Information Technology Policy Manager, Information Technology Division
Date | Revision | By whom | Revision Description | Section(s) affected | Change Type |
1/2/2012 | 0 | J. Bonaguro | Rewrite for wiki (brief) | All | Minor |
7/30/2012 | 1 | J. Bonaguro | Rewrite for wiki (policy) | All | Minor |
2/5/2014 | 1.1 | J. Bonaguro | Periodic review | All | Minor |
3/30/2017 | 1.2 | S. Lau | Editorial updates | All | Minor |
Title: | Security for Information Technology |
Document number | 10.01.002.000 |
Revision number | 1.2 |
Publication dates: | 3/30/2017 |
Effective date: | 3/20/2007 |
Next review date: | 3/30/2019 |
Policy Area: | Information Technology |
RPM Section (home) | Information Management |
RPM Section (cross-reference) | |
Functional Division | Information Technology |
Prior reference information (optional) | |
- DOE O 205.1B, Department of Energy Cyber Security Management, CRD
- DOE P 205.1, Departmental Cyber Security Management Policy
- UCOP IS-3, Electronic Information Security
Implementing Documents
Document number | Title | Type |
10.01.002.001 | Minimum Security Requirements | Requirements |
10.01.002.002 | Role-Based Security Requirements | Requirements |
10.01.002.003 | Security Requirements | Requirements |
11.04.003.000 | | Policy |
ADDITIONAL INFORMATION
Title: | Security for Information Technology |
Document number | 10.01.002.000 |
Revision number | 1.2 |
Publication dates: | 3/30/2017 |
Effective date: | 3/20/2007 |
Next review date: | 3/30/2019 |
Policy Area: | Information Technology |
RPM Section (home) | Information Management |
RPM Section (cross-reference) | |
Functional Division | Information Technology |
Author name/contact info | S. Lau |
Revision 0 publication date | 3/20/2007 |
Retirement date | n/a |
Prior reference information (optional) | |
Inputs from more than one Functional Area? | No |
List additional Functional Areas & contacts | |
Inputs from more than one Policy Area? | No |
List additional Policy Areas & contacts | |
30-day notification needed? | No |
30-day start date | n/a |
30-day end date | n/a |
LDAP protected? | No |
Need TABL reminders? | No |
Frequency | n/a |
Brief reminder text: | n/a |
Approval Sheet for this revision received (date) | [Note: author is responsible] |
- (Policy Area 1), (Policy Area 2), (Section)
(optional – these will be used for tracing between requirements and associated documents)
Document number | Title |
Side bars:
Side bar 1 location (cite by Policy Section # - for example: Section D.2.a)
Sidebar 1 text:
Sidebar 2 location
Sidebar 2 text:
Sidebar 3 location
Sidebar 3 text: