Page History

...

The goal of the LBNL Cyber Security Assurance Plan is to ensure that LBNL cyber security systems are effective, meet contractual requirements, and support the LBNL mission. LBNL establishes, with the Department of Energy (DOE), an understanding of acceptable risk and develops and tailors controls in an ongoing way to meet this standard. LBNL develops and implements the appropriate controls and provides, for itself, assurance that the system is functioning as intended.

This Plan describes the Cyber Security assurance mechanisms that inform management if controls are working as designed and if the set of controls is appropriately protecting the institution. Implementing this Plan drives performance improvement by self-identifying, preventing, and correcting issues. These assurance mechanisms will be used to demonstrate to DOE, the University of California (UC), and LBNL management that the cyber security mechanisms themselves are adequate to reduce risk to the agreed upon level, and that controls are functioning as intended.

2.0 Independent Assessments

2.1 Overview

The LBNL Cyber Security Program is designed to A variety of groups can provide independent assessment assessments of the security controls of those who operate and manage IT hardware. Roles and responsibilities are split in such a way as to allow Cyber Security Program staff autonomy in terms of reviewing configurations and practices, both from automated tools such as configuration/vulnerability scanning systems as well from from more in-depth deep dives. These operations are covered under Self Assessments and Reporting since they are not completely independent, but they are core to understanding how the Cyber Security Program approach to independent assessments works. The nature and frequency of independent assessments usually depends on planning processes that are independent from LBNL.

2.2 External Assessments Contracted As Part of Authorizing Systems

The Cyber Security Program analyzes risk and documents its controls and compliance through a process called the Risk Management Framework (formerly, the Certification and Accreditation Process or the System Authorization Process). This process describes a series of steps necessary to manage and analyze technical, operational, and management controls, evaluate risks and residual risks, and assess system function and risk management. While the process for managing controls is continuous, on a cycle that usually lasts three years, a full we usually conduct a full evaluation of the systems are undertakensystem program every three years.

During this process, LBNL engages we engage external assessors, either through Peer Review or through contracted external auditors, to evaluate system operation. These are the most in-depth and risk-informed evaluations we undertake. In the past, these reviews have taken multiple weeks and included both technical testing and document review. The results of these reviews become part of the authorization package and are available to DOE for review.

...

2.5 DOE Financial Statement Audit

Pursuant to Per 31 U.S.C. § 3515, Financial Statements of Agencies, the head of the agency is required to prepare and submit to the Congress and the Director of the Office of Management and Budget (OMB) an audited financial statement for the preceding fiscal year, covering all accounts and associated activities of each office and the agency not later than March 1. This audit is in support of the Federal Managers' Financial Integrity Act (FMFIA).

2.6 DOE Annual FISMA

...

Audits

The DOE also annually conducts intensive audits in support of the Federal Information Security Management Act (FISMA). These audits are sometimes, but not always, coordinated with the FMFIA audits. Both the annual Financial Statement audit and the annual FISMA audit typically contain IT related testing and evaluation.

...

Historically, DOE Office of Health, Safety and Security (HSS) has conducted both assistance visits and red team/full evaluations of Laboratory cyber security programs. Additionally, LBNL can engage HSS upon request to review our systems and practices.

2.8 Peer Reviews

The DOE Office of Science has also initiated Integrated Safeguards and Security (S&S) Surveys that include cyber security in scope. The Office of Science works to coordinate any reviews with HSS reviews.

2.8 Peer Reviews

LBNL makes targeted use of peer LBNL makes targeted use of peer reviews on an as needed basis . In the past three years, separate peer reviews of ESnet security and the 800-53 Certification and Accreditation process were conducted. LBNL utilizes peer reviews where internal expertise or external oversight is judged to be insufficient, or where the only reasonable form of oversight is peer review (for instance, where expertise about a specific issue is limited to the peer group)is limited to the peer group).

2.9 Advisory Board

An external advisory board, consisting of three to four IT leaders, convenes typically every year to review all parts of IT, including the Cyber Security Program.

3.0 Self Assessments

3.1 Ongoing Review of Operations and Incidents

The core of the LBNL's Contractor Assurance System for Cyber Security revolves around the continuous monitoring system and the management of the Cyber Security Program. This program is dynamic; and the Chief Information Officer and Computer Protection Program Cyber Security Manager are involved in a continuous process of evaluating existing controls, the changing threat environment, and demonstrated risks/damages to optimize the controls in place (including reducing such controls when they are not cost-benefit positive). Monitoring systems also verify the technical functioning of the controls and support root cause reviews for incidents. At ongoing meetings and through day-tp-day email communication, the cyber security team evaluates these factors to determine if new controls (policy, management, and technical) are required to address the changing environment. These priorities are reflected in changes to the focus of the team and in funding reallocations as appropriate.

...

Training Completion
Percent of LBNL staff that have completed required cyber security training. Reported in real-time as part of overall training reports to division representatives and quarterly as needed to cyber security management.

...

IT prepares a Tri-Annual Assurance Report for BSO, UCOP, and LBNL Management. Each Assurance Report provides an overview of LBNL performance and recent assurance activities, including activities detailed in the IT Assurance Plan; performance against the PEMP’s Goals, Objectives, and Notable Outcomes; and related activities. This report provides the basis for a tri-annual tri-party Assurance meeting with counterparts from BSO and UCOP. Following meetings of each Operations' function; senior BSO, UCOP, and LBNL Management meet to discuss significant risks and concerns and corresponding mitigations.

For FY 13, cyber has the following Notable Outcome:

...

function; senior BSO, UCOP, and LBNL Management meet to discuss significant risks and concerns and corresponding mitigations.

5.2 Federal Manager's Financial Integrity Act (FMFIA)

...

Cyber security incident reports follow defined reporting channels, with primary reporting to the Department of Energy's Computer Incident Response Center (CIRC) or equivalent, with copies to Counterintelligence, the Office of the Inspector General, and the Berkeley Site Office. Incident reports are shared internally with key stakeholders to assure broad knowledge of current risks. Likewise, the Laboratory's cyber security staff remains abreast of new trends in attacks and threats primarily from public sector sources, but also from DOE sources such as CIAC alerts. As appropriate, briefing and discussions of cyber security incidents are entered into the LBNL Lessons Learned and Best Practices database and disseminated to target staff. These inputs, along with broad based incident review, allow the Laboratory to adjust its protection mechanisms continuously to ensure optimal protection.  Incident Incident trends and actions are communicated to the Computer Protection Implementation Committee, with membership from across the divisions.

...

Major corrective actions are also reported to DOE (through the Office of Science) through the Plan of Actions and Milestones Process or POAMs. POAMs are an integral part of quarterly Federal Information Security Management Act reporting.

6.2

...

Event Tracking

All cyber security incidents events are tracked and identified with the goal of identifying proximate and root causes. See earlier discussion.

...

All incident and damage statistics are tracked for trends based on nine years more than a decade of data and growing. The quarterly Both ongoing and the annual risk assessments provide an opportunity to review trends and make adjustments to controls as appropriate. In addition, the Laboratory keeps summary connection information indefinitely so that long term studies of trends in attacks and connections can be conducted. These are often used to answer questions such as "what are the trends in password guessing attacks," and "how our our connections from other countries changing?"

...

The Program shares information gleaned from incidents as well as best practices from other labs and within the Laboratory widely. Generally, such information is shared via the CPP website as recommendations. In certain cases, Where appropriate, the program uses the Laboratory's Lessons Learned system is utilized.

8.0 Assurance Systems and Assessment Schedule

...

8.2 FY

...

14 Assessment Schedule

...