Effective Date: October 1, 2016 to September 30, 2017
...
8.1 Outcomes and Related Assurance Systems
Outcome | Assurance System | System artifacts |
---|---|---|
Systems are securely configured and meet requirements. | Vulnerability scanning, continuous and on demand, to identify insecurely configured or vulnerable systems with actions in response to a finding of vulnerability. | On request access to blocked host history lists, web site information with current scans. |
Systems are not infected or attacking other systems. | Monitoring systems provide indications of vulnerable systems. | On request access to Bro logs and incident investigation reports. |
Attackers cannot search indiscriminately for targets. | Monitoring systems (Bro, Syslog, Netflow) provide defenses against indiscriminate attackers. | On request access to Bro logs. |
Users are trained. | Berkeley Lab Training Database. | Report outputs on training rates as part of PEMP. |
Security systems are operational. | System monitoring and alerts to detect failures in critical cyber defense systems. | On request access to Nagios and related logging reports. |
DOE and Berkeley Lab jointly understand residual risk. | Annual risk assessment and ongoing briefings as necessary. Cost-benefit analysis of cyber program. | Dialogue with site office. |
8.2 FY17 Assessment Schedule
# | Assessment Type | Schedule (and Title) | Performed By |
---|---|---|---|
2.2 | Authorizing System Assessments | Continuous authorization. | Office of the CIO/Cyber Security Program with External Assessors |
2.3 | Internal Audit | Per IAS Audit Plan. The FY17 audit plan does not include any IT focused audits, although some of the audits will likely touch IT. | Berkeley Lab Internal Audit Services |
2.4 | IG Audits and Reviews | Assessment of Berkeley Lab occurs at the discretion of the oversight entity. Audits occurred in Q2 of FY17, with a roll-forward audit in Q4 of FY17. | DOE Inspector General (often using KPMG) |
2.5 | DOE FMFIA | Typically no later than March. Occurred Q2 of FY17. | DOE |
2.6 | Berkeley Site Office Oversight Activities | Assessment occurs at the discretion of oversight entity. | BSO |
2.6 | DOE-HSS Oversight Activities | Assessment occurs at the discretion of oversight entity. | DOE-HSS |
2.6 | SC Surveys | Assessment occurs at the discretion of oversight entity; Last occurred May 2014. | DOE Office of Science |
2.6 | Safeguard & Security Review | Every 3 years. Safeguard & Security review occurred Q1 FY17. | DOE Office of Science |
2.7 | Peer Review | Every 3-5 years, last assessed in June 2010; None planned for FY17. | Similar institutions |
2.8 | Advisory Board | Typically annually. | Board members |
3.2 | Self-Assessment Risk Assessment | Annually by end of Q1 FY. | Office of the CIO/Cyber Security Program |
3.3 | UC Self-Assessment | Assessment occurs at the discretion of UC. UC Cyber Security Framework assessment occurred Q2 FY17. | Office of the CIO/Cyber Security Program |
3.4 | Management Controls and Compliance Program | Completed by Q3 FY (At discretion of OCFO, subset of controls related to IT operations). | Berkeley Lab CFO |
3.5 | IAS Advisory Service | Follow-up to Q4 FY16 Multifactor Authentication Implementation Management Advisory by request of IT. End of Q1 FY17. | Berkeley Lab Internal Audit Services |