Title: Cyber Security Risk Management Approach
Publication date: 8/9/2024
Effective date: 3/20/2007
BRIEF
Policy Summary
This policy describes roles and responsibilities for Berkeley Lab's cyber security risk management approach.
Who Should Read This Policy
Employees and affiliates with Cyber Security Program responsibilities, including enclave owners and enclave security coordinators
To Read the Full Policy, Go To:
The POLICY tab on this wiki page
Information Technology Policy Manager
Information Technology Division
itpolicy@lbl.gov
POLICY
A. Purpose
The purpose of this policy is to establish and maintain a risk management approach that appropriately and cost-effectively mitigates cyber security risks at Lawrence Berkeley National Laboratory (Berkeley Lab).
B. Persons Affected
This policy applies to employees and affiliates with cyber security program responsibilities and related compliance activities.
C. Exceptions
None.
D. Policy Statement
- Berkeley Lab manages risk to systems consistent with Department of Energy and Office of Science requirements using a cost-effective approach that balances mission and risk.
- Description of Systems
  - Berkeley Lab groups information technology into enclaves that serve as systems for the purpose of cyber security policy and management.
  - Any organized unit of Berkeley Lab may request that it be treated as an enclave for the purpose of cyber security management.
- The Deputy CIO for Technology and Policy must approve minimum security controls and policies for all enclaves. Enclaves must implement minimum security controls and policies.
- The Policy and Risk Manager must develop procedures and requirements for the risk management approach, system authorization, disaster recovery testing, plan of action and milestones, assurance, and other related processes. Enclaves must follow the procedures and requirements where applicable.
E. Roles and Responsibilities
Chief Information Officer
- Oversees the site risk management approach, including system authorization responsibilities

Chief Information Security Officer
- Develops the site risk management approach
- Approves security controls and policies to mitigate cyber risk
- Designates enclave boundaries and maintains the authoritative list of enclaves
- Ensures that the Cyber Security Program is continuously monitoring and responding to cyber risks
- Conducts high-quality risk analysis and planning for cyber decision-making

Cyber Security Policy Managers
- Manage implementation of the Cyber Security Program for Berkeley Lab
- Communicate the risk management approach to the Berkeley Lab community
- Assist in the development of the site risk management approach and the selection of minimum security controls and policies
- Manage implementation of security controls to mitigate cyber risk
- Develop procedures and requirements to support the site risk management approach

Enclave Owners
- Understand the risks identified and the controls in place to mitigate those risks within their enclave
- Monitor the risks and notify the Chief Information Officer or their designee of changes in the cyber security profile of their enclave

Enclave Cyber Security Coordinators
- Coordinate the implementation of site risk management procedures and requirements in their enclave
- Provide input into the site risk management approach and related procedures and requirements
F. Definitions/Acronyms
Enclave: Groups of information technology that share a similar level of risk, use similar controls, and are under the same management. Enclave serves as a synonym for system as defined in the National Institute of Standards and Technology Special Publication 800-37, Revision 1.
G. Recordkeeping Requirements
None.
H. Implementing Documents
None.
J. Revision History
Date | Revision | By Whom | Revision Description | Section(s) Affected | Change Type
1/2/2012 | 0 | J. Bonaguro | Re-write for wiki (brief) | All | Minor
8/21/2012 | 1 | J. Bonaguro | Re-write for wiki (policy) | All | Minor
2/7/2014 | 1.1 | J. Bonaguro | Edited to clarify roles | D and E | Minor
3/30/2017 | 1.2 | S. Lau | Minor typographical edits | All | Minor
6/15/2021 | 1.2 | A. Sultan | Periodic review. No changes. | All | Editorial
8/9/2024 | 1.3 | A. Sultan | Periodic review: R&R updates, no policy changes | E | Editorial