Effective Date: October 1, 2011-September 30, 2012
Approval
Approved By: Rosio Alvarez, Chief Information Officer
1.0 Introduction
The LBNL IT Assurance Plan is designed to ensure that LBNL IT efforts meet contractual requirements and support the LBNL mission. This plan is primarily concerned with functions provided by the IT Division for the Laboratory. DOE requires a separate Cyber Security Assurance Plan, which is concerned with the institution's overall cyber security performance (as opposed to the performance of the IT Division specifically).
1.1 Approach to Assurance
Our approach to assurance is coupled to the oversight of programs and projects that is a normal, ongoing part of IT management. As such, our primary assurance is the annual development of strategic objectives, accompanied by quarterly reports and/or meetings on those objectives between IT Senior Management and heads of Service Areas. The IT Strategic Plan details these objectives, strategies, and metrics by service area.
Independent assessments, including peer reviews, provide additional assurance along with our ongoing key metrics such as network availability and customer satisfaction.
2.0 Independent Assurance
2.1 Overview
IT systems are subject to a number of external assessments.
2.2 Peer Reviews
The IT Division conducts a peer review every three to five years, based on guidance provided by Operations. The last Peer Review was conducted in June 2010. Peer reviewers are typically chosen from among similar institutions in the research, national laboratory, university, and nonprofit space. Peer Reviews typically produce recommendations and/or findings, which are considered as part of the Division's strategic and tactical planning.
2.3 Internal Audit
In practice, Internal Audit (IA) conducts at least one IT-focused audit each year. Results are shared with UC and LBNL management. Fiscal Year 2012 planned audits and advisories that may include IT are Data Security of Outsourced Applications (audit) and Export Controls (advisory).
2.4 Inspector General Operations Audits and Reviews
The DOE IG performs audits of M&O IT operations. Results from these reviews must be carefully calibrated due to the IG's focus on cost-savings opportunities regardless of impact on mission achievement.
2.5 Other DOE Reviews
The DOE Berkeley Site Office (BSO) conducts graded oversight reviews of the Laboratory's IT Operations. These reviews include ongoing operational awareness activities as well as scheduled assessments and reviews of particular risks or control families. Assessment topics are generally planned and calendared at the start of the performance year.
Other IT-related assessments and informal evaluations, such as visits from the DOE Records Management Program or SC Privacy Officers, supplement these reviews.
3.0 Internal Assurance
At the beginning of the fiscal year, the IT director and service area leads agree on a portfolio of objectives in the IT Strategic Plan. Each objective includes a set of related strategies, metrics, and key performance indicators that service area leads use to manage progress toward the objective. This plan forms the basis of self-assessments.
3.1 Project Monitoring and Quarterly Reporting
Under the line management approach, service area leads are responsible for monitoring and reporting on projects in the strategic plan. Service area leads submit brief quarterly reports on the status of strategic objectives, including a summary of how the objective and related strategies were met, any changes in direction/approach, and/or significant problems or risks.
3.2 Project Assessments
Every year, the CIO will select one or more strategic projects for an in-depth assessment. For FY12, the CIO will assess the new Service Desk Project and the Identity Management Program.
3.3 Self-Assessment Risk Assessment
Excerpt from Cyber Security Assurance Plan:
"The Office of the CIO and the Cyber Security Program undertake annual risk and self-assessments of the Laboratory's information technology posture. The risk-assessment process is designed to provide transparency to DOE and the Laboratory Community on current and emerging threats as well as residual risks from our security posture. The self-assessment process seeks to verify the effectiveness of technical, administrative, and operational controls.
Both processes are consistent with National Institute of Standards and Technology guidance. However, LBNL's approach is unique in that it utilizes a cost-damage model collaboratively developed with Carnegie Mellon University, and uses extensive narrative description to ensure that LBNL community members and oversight organizations can understand the risks clearly and in lay, comprehensible terms. Results are transmitted to DOE and are used as input for strategic planning and service management in the coming year.
Based on the annual risk assessment, cyber security plan owners will review and update plans as necessary to reflect any changes in technical, administrative, and operational controls."
3.4 Federal Managers' Financial Integrity Act (FMFIA)/Entity Assessment Annual Self-Assessment
The Financial Management Assurance (FMA) program is DOE's internal control assessment program to meet the requirements of the Federal Managers' Financial Integrity Act (FMFIA) of 1982 and Office of Management and Budget (OMB) Circular A-123, Management's Responsibility for Internal Control, including Appendix A, Internal Control Over Financial Reporting. The FMA program requires an evaluation of programmatic and non-financial reporting administrative controls, an assessment of entity controls, and evaluation and testing of financial management reporting controls.
LBNL's FMFIA assessment is scheduled for Q4 FY12.
3.5 UC Self-Assessment
The University of California Office of the President, at the direction of the Regents, requires a self-assessment of each UC location's compliance with IS-3. In FY11, this was performed via an Internal Audit. A self-assessment for FY12 may occur.
4.0 Performance Measures
4.1 Performance Evaluation and Measurement Plan (PEMP)
FY12 PEMP Objective 6.5 states "Provide Efficient, Effective, and Responsive Management Systems for … Information Management…". There is no Notable Outcome for IT in FY12.
5.0 Assurance Systems and Assessment Schedule
5.1 DOE Requirements and Related Assurance Systems
DOE Requirements are listed on the CIO website with corresponding implementation measures and assurance systems. See DOE Crosswalks.
5.2 FY12 Assessment Schedule
| Assessment Title | Schedule | Performed By |
|---|---|---|
| Independent Assessments | | |
| Peer Review | Every 3-5 years, last assessed in June 2010 | Similar institutions |
| Data Security of Outsourced Applications | Per IAS Audit Plan | LBNL Internal Audit Services |
| DOE Financial Statement Audit* | LBNL was selected for FY12. Audit conducted in June 2012. | DOE Inspector General using KPMG |
| DOE Federal Information Security Act (FISMA) Audit | LBNL was selected for FY12. Audit conducted in June 2012. | DOE Inspector General using KPMG |
| DOE IT General & Application Controls | LBNL was selected for FY12. Audit conducted in June 2012. | DOE Inspector General using KPMG |
| DOE IT Vulnerability Assessment | LBNL was selected for FY12. Audit conducted in June 2012. | DOE Inspector General using KPMG |
| DOE Cyber Security Incident Management Program | LBNL was selected for FY12. Audit conducted in April 2012. | DOE Inspector General |
| Berkeley Site Office Oversight Activities* | Varies | BSO |
| DOE-HSS Oversight Activities* | Varies | DOE-HSS |
| Internal Assessments | | |
| Project Assessments | Within 1 month of end of FY | Office of the CIO |
| Self-Assessment Risk Assessment | Annually by 10/1 | Office of the CIO/Cyber Security Program |
| FMFIA/Entity Assessment | 4th Quarter FY12 (subset of controls related to IT operations) | LBNL Line Management |
| UC Self-Assessment* | Annually by 10/1 (if required by UC) | Office of the CIO/Cyber Security Program |
*Assessment occurs at the discretion of the oversight entity.