|
|
||||||||||||||||||
...
The DOE IG performs audits of contractor cyber security operations. Results from these reviews must be carefully calibrated due to the IG's focus on cost-savings opportunities regardless of impact on mission achievement. The DOE IG conducts a variety of annual cyber security audits, including FISMA, and selects site based on an internal selection formula. DOE IG may conduct additional, cyber-related audits.
2.5 DOE Financial Statement Audit
Per 31 U.S.C. § 3515, Financial Statements of Agencies, the head of the agency is required to prepare and submit to the Congress and the Director of the Office of Management and Budget (OMB) an audited financial statement for the preceding fiscal year, covering all accounts and associated activities of each office and the agency not later than March 1. This audit is in support of the Federal Managers' Financial Integrity Act (FMFIA).
2.6 Other DOE
...
Reviews
The DOE also annually conducts intensive audits in support of the Federal Information Security Management Act (FISMA). These audits are sometimes, but not always, coordinated with the FMFIA audits. Both the annual Financial Statement audit and the annual FISMA audit typically contain IT related testing and evaluation.
2.7 Other DOE Reviews
The DOE Berkeley Site Office (BSO) conducts graded oversight reviews of the Laboratory's Cyber Security Berkeley Site Office (BSO) conducts graded oversight reviews of the Laboratory's Cyber Security Program. These reviews include ongoing operational awareness activities and scheduled assessments and reviews into particular risks or control families. Assessment topics are generally planned and calendared at the start of the performance year. LBNL's safeguards and security program is often subject to an extensive DOE BSO review.
...
The DOE Office of Science has also initiated Integrated Safeguards and Security (S&S) Surveys that include cyber security in scope. The Office of Science works to coordinate any reviews with HSS reviews.
2.
...
7 Peer Reviews
LBNL makes targeted use of peer reviews on an as needed basis and where internal expertise or external oversight is judged to be insufficient, or where the only reasonable form of oversight is peer review (for instance, where expertise about a specific issue is limited to the peer group).
2.
...
8 Advisory Board
An external advisory board, consisting of three to four IT leaders, convenes typically every year to review all parts of IT, including the Cyber Security Program.
...
8.2 FY 14 Assessment Schedule
| # | Assessment TitleType | Schedule (and Title) | Performed By | ||
|---|---|---|---|---|---|
| 2.2 | Authorizing System Assessments | Was triennial, moving to continuous authorization | Office of the CIO/Cyber Security Program/External Assessors | ||
Peer Review | Every 3-5 years, last assessed in June 2010 | Similar institutions | |||
| 2.3 | Internal Audit | Per IAS Audit Plan. The FY14 audit plan does not include any IT focused audits, although some of the audits will likely touch IT (e.g. Payroll Processing, F$M Pre-Implementation Review). | LBNL Internal Audit Services | ||
DOE Financial Statement Audit* | Varies | DOE Inspector General using KPMG | |||
| 2.4 | IG Audits and Reviews* |
|
|
| DOE Inspector General using KPMG |
| 2.5 | DOE | Varies | FMFIA | Typically no later than March | DOE |
Peer Review | Every 3-5 years, last assessed in June 2010 | Similar institutions | |||
Berkeley Site Office Oversight Activities* | Varies | BSO | |||
DOE-HSS Oversight Activities* | Varies | DOE-HSS | |||
| SC Surveys* | Scheduled for May 2014 | DOE Office of Science | |||
Management Controls and Compliance Program | Completed by 7/1 (At discretion of OCFO, subset of controls related to IT operations) | LBNL CFO | |||
Self-Assessment Risk Assessment | Annually by 10/1 | Office of the CIO/Cyber Security Program | |||
UC Self-Assessment | Annually by 10/1 (if required by UC) | Office of the CIO/Cyber Security Program |
...
