Comment: Editorial revision as per policy change request on 7/24/24


BRIEF

Title: Security for Information Technology
Publication date: 8/9/2024
Effective date: 3/20/2007

Policy Summary

This policy describes cyber security responsibilities and requirements for Berkeley Lab Information Technology (IT). This includes responsibilities and requirements for:

  • Individuals and supervisors
  • Certain roles such as system administrator, web server owner, and application developer
  • Divisions, including division security liaisons and
  • Cyber Security

Who Should Read This Policy

  • Employees and affiliates who use or manage Berkeley Lab IT or Berkeley Lab information
  • Employees with additional security responsibilities for Berkeley Lab IT, such as cyber security liaisons or members of Cyber Security

To Read the Full Policy, Go To:

The POLICY tab on this wiki page

Contact Information

Information Technology Policy Manager
Information Technology Division
[email protected]

POLICY

A. Purpose

The purpose of this policy is to enable a computing environment for Lawrence Berkeley National Laboratory (Berkeley Lab) that is both open and appropriately secure.

B. Persons Affected

This policy applies to employees and affiliates as well as individuals with additional cyber security responsibilities for Berkeley Lab Information Technology (IT).

C. Exceptions

The Berkeley Lab Chief Information Officer, the Chief Information Security Officer, and the Cyber Security Program (CSP) may approve exceptions to this policy.

D. Policy Statement

D.1 Employees and Affiliates

  1. Everyone Is Responsible for Security. Cyber security is a line-management function at Berkeley Lab. Employees and affiliates are responsible for the security of computers and devices that they use or manage. They must take appropriate steps to secure Berkeley Lab IT and information that they create, possess, manage, or have access to in connection with their Laboratory employment or research.
    1. Authorizing Access to IT Resources. Employees and affiliates may authorize the use of Berkeley Lab IT that they manage. When authorizing use, employees and affiliates assume cyber security responsibility for the use and/or user and must ensure that Berkeley Lab IT policies are communicated to the user and followed in the course of granting access.
    2. Reviewing Authorization. After authorization, employees and affiliates must review access on a schedule appropriate to the risks presented by the service or system.
  2. Cyber Security Requirements. Employees and affiliates must ensure that computers and devices they use or manage meet the Berkeley Lab Minimum Security Requirements. Employees with specific roles must meet the Role-Based Security Requirements. Employees and affiliates must meet any additional requirements and procedures that Cyber Security determines are necessary to secure the Laboratory.
    1. Minimum Security Requirements. Minimum security requirements protect both the integrity of information and our network by providing a baseline level of protection for devices. Requirements may include training, security patches, passwords, media protection, anti-virus protection, physical protections, and network access.
    2. Role-based Security Requirements. Certain roles require additional security requirements to protect Berkeley Lab IT and information. Roles include system administrators, web server owners, and application developers.
    3. Other Requirements. Employees and affiliates must adhere to additional requirements, standards, and procedures that the Cyber Security Program (CSP) determines are necessary to protect Berkeley Lab IT and information. Additional requirements are available on the CSP's Cyber Security Requirements page.
  3. Reporting Cyber Security Incidents. Employees and affiliates must follow the appropriate procedures to report cyber security incidents, including the loss or theft of Berkeley Lab IT or information.

D.2 Laboratory Management

  1. Supervisors and managers must provide adequate oversight to ensure that employees and affiliates under their management are taking appropriate steps to secure Berkeley Lab IT and information throughout its lifecycle.
  2. The division or department director must ensure that the division adheres to policies, requirements, and procedures related to securing Berkeley Lab IT and information.
  3. The division or department director must designate a Cyber Security Liaison who has authority and responsibility for coordination of cyber security activities.

D.3 Exceptions and Enforcement

  1. Exceptions to Cyber Security Requirements
    1. Some systems, most commonly scientific ones, are unable to meet the cyber security requirements. Possible reasons include:
      1. Technical. For example, a legacy operating system that does not have patches for a vulnerability.
      2. Operational. For example, a device that performs experiments, such as genome sequencing or systems used in the Advanced Light Source (ALS) control, may have uptime requirements such that they cannot be patched or rebooted.
      3. Cost-efficiency. For example, the cost, either monetarily or for mission reasons, of upgrading a device to meet requirements exceeds the cyber security benefit.
    2. Exceptions. Employees and affiliates should take a risk-based approach to using exceptions and seek guidance from Cyber Security as appropriate. Cyber Security may refuse exceptions based on institutional risk or require compensating controls.
  2. Enforcement. Employees and affiliates who do not comply with this policy may temporarily be denied access to Berkeley Lab IT or information and may be subject to other penalties and disciplinary action up to and including termination. Non-compliant devices may be disconnected from the Berkeley Lab network at any time and until the device is compliant.

D.4 Cyber Security Program

Cyber Security has the authority and responsibility to support the cyber security of Berkeley Lab IT and information. The program must:

  1. Provide general protection for Berkeley Lab IT and information that is risk-based, cost-effective, and supports the mission of the Laboratory;
  2. Establish requirements, standards, procedures, and guidelines to help secure Berkeley Lab IT and information and comply with all applicable regulations and requirements;
  3. Provide information and resources to help Laboratory divisions and employees meet their cyber security responsibilities; and
  4. Elicit input from divisions and programs on cyber security policies and procedures.

Although Cyber Security supports the cyber security of Berkeley Lab IT and information, ultimate responsibility for cyber security and its implementation rests with each Berkeley Lab employee and affiliate.

E. Roles and Responsibilities

Employees and affiliates must adhere to this policy. The table below describes specific responsibilities, authorities, and accountabilities by role:

Role: Director
  Responsibility: Oversees site management and operations
  Authority: Delegates cyber security responsibilities (to CIO)
  Accountability: Accountable to DOE and UCOP for site operations

Role: Chief Information Officer (CIO)
  Responsibility:
    • Oversees institutional cyber security program
    • Oversees cyber security policy and related oversight activities
  Authority:
    • Designates the Chief Information Security Officer
    • Directs resources to prioritize cyber security efforts
  Accountability: Accountable to Director for cyber security performance and policy

Role: Chief Information Security Officer (CISO)
  Responsibility:
    • Manages and directs the institutional cyber security program
    • Ensures that the cyber security program is effectively managing risk
    • Evaluates overall cyber security posture and direction for Berkeley Lab
  Authority:
    • Recommends cyber security controls to CIO
    • Directs resources to cyber security efforts
    • Establishes risk management approach
    • Establishes cyber security requirements
    • Establishes cyber security policy
  Accountability: Accountable to CIO for cyber security performance

Role: Cyber Security Program (CSP)
  Responsibility: Develops and operates the institutional cyber security program
  Authority: Recommends and enforces cyber security requirements
  Accountability: Accountable to CISO for cyber security performance

Role: Cyber Security Liaisons / Policy Managers
  Responsibility:
    • Advise in the development of the cyber security program by representing their division
    • Communicate cyber security policies and requirements to their divisions
  Authority: Recommend changes to cyber security policy and requirements
  Accountability: Accountable to division line management for contributions to cyber security posture

Role: Supervisors and Managers
  Responsibility: Ensure safety and security of employees and systems within span of control
  Authority: Direct work and resources to operate in a safe and secure manner
  Accountability: Accountable to defined line manager for cyber security performance within span of control

F. Definitions/Acronyms

Term: Berkeley Lab IT
Definition: Berkeley Lab-managed information technology, including computing devices, networks, services, and accounts.

Term: Berkeley Lab information
Definition: Information used to accomplish job-related tasks. Information may be owned by the Regents of University of California or the Department of Energy.

G. Recordkeeping Requirements

None

H. Implementing Documents

Document number | Title | Type
10.01.002.001 | Minimum Security Requirements | Standard
10.01.002.002 | Role-based Security Requirements | Standard
10.01.002.003 | Cyber Security Requirements | Standard
11.04.003.000 | Financial Management System (FMS) User Access Control | Policy

I. Contact Information

Information Technology Policy Manager
Information Technology Division
[email protected]

J. Revision History

Date | Revision | By whom | Revision Description | Section(s) affected | Change Type
1/2/2012 | 0 | J. Bonaguro | Rewrite for wiki (brief) | All | Minor
7/30/2012 | 1 | J. Bonaguro | Rewrite for wiki (policy) | All | Minor
2/5/2014 | 1.1 | J. Bonaguro | Periodic review | All | Minor
3/30/2017 | 1.2 | S. Lau | Editorial updates | All | Minor
6/15/2021 | 1.2 | A. Sultan | Periodic review. No changes. | All | Editorial
8/9/2024 | 1.3 | A. Sultan | Periodic review: R&Rs update. No policy changes. | E | Editorial
DOCUMENT INFORMATION

Title: Security for Information Technology
Document number: 10.01.002.000
Revision number: 1.3
Publication date: 8/9/2024
Effective date: 3/20/2007
Next review date: 8/8/2027
Policy Area: Information Technology
RPM Section (home): Information Management
RPM Section (cross-reference): Sections 9.01 and 9.02
Functional Division: Information Technology
Prior reference information (optional): RPM Sections 9.01 and 9.02

Source Requirements Documents

  • DOE O 205.1C, Department of Energy Cybersecurity Program, CRD
  • DOE P 205.1, Departmental Cybersecurity Management Policy (cancelled on 9/23/21)
  • UCOP IS-3, Electronic Information Security

Implementing Documents

Document number | Title | Type
10.01.002.001 | Minimum Security Requirements | Requirements
10.01.002.002 | Role-Based Security Requirements | Requirements
10.01.002.003 | Security Requirements | Requirements
11.04.003.000 | Financial Management System (FMS) User Access Control | Policy

ADDITIONAL INFORMATION

Author name/contact info: S. Lau
Revision 0 publication date: 3/20/2007
Retirement date: n/a
Inputs from more than one Functional Area? No
Inputs from more than one Policy Area? No
30-day notification needed? No (30-day start date: n/a; 30-day end date: n/a)
LDAP protected? No
Need TABL reminders? No (Frequency: n/a; Brief reminder text: n/a)
Approval Sheet for this revision received (date): (Note: author is responsible)