|
|
||||||||||||||||||
Use layout NORIGHTSIDEBAR NORIGHTSIDEBAR Effective Date: October 1, 2014-September 30, 2015
...
8.1 Outcomes and Related Assurance Systems
Outcome | Assurance System | System artifacts |
|---|---|---|
Systems are securely configured and meet requirements. | Vulnerability scanning, continuous and on demand, to identify insecurely configured or vulnerable systems with actions in response to a finding of vulnerability | On request access to blocked host history lists, web site information with current scans |
Systems are not infected or attacking other systems. | Monitoring systems provide indications of vulnerable systems | On request access to Bro logs and incident investigation reports |
Attackers cannot search indiscriminately for targets. | Monitoring systems (Bro, Syslog, Netflow) provide defenses against indiscriminate attacker | On request access to Bro logs |
Users are trained. | LBL Training Database | Report outputs on training rates as part of PEMP |
Security systems are operational. | System monitoring and alerts to detect failures in critical cyber defense systems | On request access to Nagios and related logging reports |
DOE and LBNL jointly understand residual risk. | Annual risk assessment and ongoing briefings as necessary. Cost-benefit analysis of cyber program. | Dialogue with site office. |
8.2 FY15 Assessment Schedule
| # | Assessment Type | Schedule (and Title) | Performed By |
|---|---|---|---|
| 2.2 | Authorizing System Assessments | Was triennial, moving to continuous authorization | Office of the CIO/Cyber Security Program with External Assessors |
| 2.3 | Internal Audit | Per IAS Audit Plan. The FY15 audit plan does not include any IT focused audits, although some of the audits will likely touch IT (e.g. Continuity Planning). | LBNL Internal Audit Services |
| 2.4 | IG Audits and Reviews | Assessment of LBNL occurs at the discretion of oversight entity, audits include:
| DOE Inspector General (often using KPMG) |
| 2.5 | DOE FMFIA | Typically no later than March | DOE |
| 2.6 | Berkeley Site Office Oversight Activities | Assessment occurs at the discretion of oversight entity. | BSO |
| 2.6 | DOE-HSS Oversight Activities | Assessment occurs at the discretion of oversight entity. | DOE-HSS |
| 2.6 | SC Surveys | Assessment occurs at the discretion of oversight entity; Last occurred May 2014. | DOE Office of Science |
2.7 | Peer Review | Every 3-5 years, last assessed in June 2010; None planned for FY15 | Similar institutions |
| 2.8 | Advisory Board | Typically annually | Board members |
| 3.2 | Self-Assessment Risk Assessment | Annually by 10/1 | Office of the CIO/Cyber Security Program |
| 3.3 | UC Self-Assessment | Assessment occurs at the discretion of UC. | Office of the CIO/Cyber Security Program |
| 3.4 | Management Controls and Compliance Program | Completed by 7/1 (At discretion of OCFO, subset of controls related to IT operations) | LBNL CFO |
| 3.5 | IAS Advisory Service | No advisory services planned for FY15. | LBNL Internal Audit Services |
