

Outcome | Assurance System | System artifacts
--- | --- | ---
Systems are securely configured and meet requirements. | Vulnerability scanning, continuous and on demand, to identify insecurely configured or vulnerable systems, with actions in response to a finding of vulnerability | On request access to blocked host history lists, web site information with current scans
Systems are not infected or attacking other systems. | Monitoring systems provide indications of vulnerable systems | On request access to Bro logs and incident investigation reports
Attackers cannot search indiscriminately for targets. | Monitoring systems (Bro, Syslog, Netflow) provide defenses against indiscriminate attackers | On request access to Bro logs
Users are trained. | LBL Training Database | Report outputs on training rates as part of PEMP
Security systems are operational. | System monitoring and alerts to detect failures in critical cyber defense systems | On request access to Nagios and related logging reports
DOE and LBNL jointly understand residual risk. | Annual risk assessment and ongoing briefings as necessary. Cost-benefit analysis of cyber program. | Dialogue with site office.

8.2 FY14 Assessment Schedule

# | Assessment Type | Schedule (and Title) | Performed By
--- | --- | --- | ---
2.2 | Authorizing System Assessments | Was triennial, moving to continuous authorization | Office of the CIO/Cyber Security Program with External Assessors
2.3 | Internal Audit | Per IAS Audit Plan. The FY14 audit plan does not include any IT focused audits, although some of the audits will likely touch IT (e.g. Payroll Processing, F$M Pre-Implementation Review). | LBNL Internal Audit Services
2.4 | IG Audits and Reviews | Assessment of LBNL occurs at the discretion of oversight entity; audits include: Financial Reporting; IT General and Application Controls; Federal Information Security Act (FISMA) Audit; IT Vulnerability Assessment; Others per audit plan | DOE Inspector General (often using KPMG)
2.5 | DOE FMFIA | Typically no later than March | DOE
2.6 | Berkeley Site Office Oversight Activities | Assessment occurs at the discretion of oversight entity. | BSO
2.6 | DOE-HSS Oversight Activities | Assessment occurs at the discretion of oversight entity. | DOE-HSS
2.6 | SC Surveys | Assessment occurs at the discretion of oversight entity; scheduled for May 2014 | DOE Office of Science
2.7 | Peer Review | Every 3-5 years, last assessed in June 2010; none planned for FY14 | Similar institutions
2.8 | Advisory Board | Typically annually | Board members
3.2 | Self-Assessment Risk Assessment | Annually by 10/1 | Office of the CIO/Cyber Security Program
3.3 | UC Self-Assessment | Assessment occurs at the discretion of UC. | Office of the CIO/Cyber Security Program
3.4 | Management Controls and Compliance Program | Completed by 7/1 (at discretion of OCFO, subset of controls related to IT operations) | LBNL CFO
3.5 | IAS Advisory Service | No advisory services planned for FY14. | LBNL Internal Audit Services