...

As always, the primary ongoing assurance activity is the review of incidents conducted by the security program to determine whether the program is efficiently and effectively protecting the scientific mission of the Laboratory. This ongoing review suggests that the program is functioning well, and we continue to adjust controls and policies as the environment requires.

The Laboratory continued its new System Authorization Process (formerly Authority to Operate / Certification and Accreditation). During this period we began conducting full reviews of our systems, and we are updating and revisiting the contractor assurance system for cyber security at LBL. The review will be complete in Q4 and includes an external review of both security controls and actual performance.

Most Significant Risks

1. Continued Threats from APT

For discussion in person at our tri-party: coordinated attack on two national labs (PNNL and JLab)

2. Emergent Security Risks and Evolving Threats

As always, we continue to see new and evolving issues in the cyber security space. The malicious code environment continues to become more devious, with a marked shift away from targeted phishing toward browser drive-by attacks against unpatched vulnerabilities in both browsers and browser plug-ins (Flash, PDF). New detection measures and countermeasures appear to be appropriately mitigating this risk at this time.

Assessments

Ongoing review of Incidents and Threats / Ongoing / Internal Assessment

...

IS-3 (Cyber) Audit / Complete / Internal Audit / LBL Actions Defined
Internal Audit concluded its review of IS-3 compliance (overall information/cyber security) during Q3. The review focused on systems and applications determined to be critical to LBNL operations, and on systems storing, processing, or transmitting Personally Identifiable Information (PII). The review found us to be generally in compliance, with the following opportunities for improvement:

  • Update the BSE cyber security plan. We will proceed with updating this plan as scheduled for October 2011.

...

  • User Account Administration. We will support HR functional owners in putting in place a new annual privileged account review process. We will update account management procedures for the System Support group as part of the BSE cyber security plan update.

...

  • Update the inventory of business systems containing PII.

...

  • Enhance the detection of PII by requiring the groups with high access to PII to run Identity Finder every six months instead of annually.

...

  • Enhance the protection of PII by adding encryption to backup tapes of PII (in addition to existing controls of chain of custody for tapes, insured backup transportation providers, and locked transportation containers).

...

  • Update incident handling procedures to include procedures specific to PII.

Performance Measures

PEMP Goals, Objectives, Notable Outcomes

...

Two areas for improvement were noted in the FY10 Laboratory Performance Evaluation.

1. Information Types and Ownership

The Laboratory began a dialogue with BSO in FY10 regarding proposed changes to the Prime Contract to clarify ownership of certain kinds of personally identifiable information. This effort needs to be completed during FY11 and has been incorporated into the wider C31 Reform efforts.

2. Physical Security of Lost/Stolen Devices

BSO has indicated that there is opportunity for improvement in ensuring that possible risks associated with lost/stolen devices are mitigated. The Laboratory believes this risk is appropriately mitigated. During Q2, the Laboratory and BSO stakeholders met to discuss this risk area and reaffirmed the existing path forward agreed with BSO in 2009. No further action is contemplated during this performance period.

...