Lawrence Berkeley National Laboratory
Office of the Chief Information Officer: Rosio Alvarez
Information Technology Assurance
First Quarter 2008 Performance Report.


Berkeley Lab Cyber Security Scorecard, FY 08

This is a 100 point Cyber Security Scorecard covering reviews, corrective actions, improvements, risk assessments, and multiple training measures.

 

1. Reviews

2. Corrective Action Management

3. Risk Assessments

4. New or Substantially Improved Controls

5. Training of Employees

6. Training Guests

7. PII Training

8. Completion of Certification

 

1. Reviews

Objective: The Laboratory conducts internal and external reviews of its security program.

Maximum Score: 20
Scoring: Internal Audits: 5, Self Assessments Per Enclave: 3, Peer Reviews: 8, External Audits: 3, External Contracted Audits: 10

Protocol: A review counts if it starts or ends during the Performance Period. Reviews cannot be double counted across performance periods.

Performance Updates:

Q1

Current Status: Satisfactory

UC Internal Audit of Datacenters has begun and will complete during Q2. Given the large volume of reviews associated with ATO, expect the score on this measure to accrue towards the end of the year. The Self-Assessment schedule will likely be late spring to early summer. With Internal Audit (5 points) and the scheduled self assessments (5 enclaves at 3 points each, 15 points), the Laboratory is currently on track for 20 points.

2. Corrective Action Management

Objective: The laboratory closes findings in a timely manner.

Maximum Score: 10
Scoring: 0 Overdue to Target: 10, 1 Overdue to Target: 5, 2+ Overdue to Target: 0

Protocol: Measured, via the quarterly report, by closure of reported main action POAMs against their scheduled target dates.

Performance Updates:

Q1

Current Status: Satisfactory

Currently tracking three POAMs, none are overdue to target.

3. Risk Assessments

Objective: The Laboratory codifies its understanding of risk.

Maximum Score: 10
Scoring: All Enclaves: 10, All But One: 5, Any Fewer: 0

Protocol: Annual risk assessment conducted by enclave turned in to site office during performance period.

Performance Updates:

Q1

Current Status: Scheduled

The risk assessment schedule typically places it in mid-summer.

 

4. New or Substantially Improved Controls

Objective: The Laboratory continuously improves the effectiveness of its management, operational, and technical control environment by creating new controls or improving existing ones.

Maximum Score: 10
Scoring: 1-5 per improvement as jointly agreed during development with BSO.

Protocol: Will jointly agree with BSO on value as we propose and develop new controls.

 

Performance Updates:

Q1

Current Status: In Progress

CPP is investigating new controls for malicious code detection and PII detection.  Will report more substantively in Q2.

5. Training of Employees

Objective: The Laboratory ensures the awareness of its staff through training.

Maximum Score: 20
Scoring: 92+: 20, 85+: 18, 80+: 15, 75+: 12, 70+: 10, below 70: 0

Protocol: As measured by the defined employee group within JHQ.

Performance Updates:

Q1

Current Status: Satisfactory

The training cycle is based on each employee's annual expiration date. 208 employees took the training during Q1. The Lab is currently at 92% compliance.

6. Training Guests

Objective: The Laboratory will ensure that risk-based categories of guests receive appropriate cyber training.

Maximum Score: 10
Scoring: 90: 10, 80: 8, 70: 6, 60: 4, below 60: 0

Protocol: LBNL will select at least two organizations to prototype mandatory cyber training for guests (not annual). Total population size will be >30 people.

Discussion: The guest issue is different for cyber security than for EHS training. Because many of our guests are either very short-term or receive training from other organizations (such as LLNL), and because our training is quite high level, we have identified that only certain categories of individuals should receive guest training. We are still attempting to understand the best way of capturing this, and who needs the LBL cyber security training. This project is the first step in that regard, identifying targeted guest types and organizations for the prototype.

 

Performance Updates:

Q1

Current Status: In Progress

Computer Protection Program is evaluating the target populations.  Targets will be selected in Q2.

7. PII Training

Objective: LBNL will train individuals who manage PII on their responsibilities.

Maximum Score: 10
Scoring: 90: 10, 80: 8, 70: 6, 60: 4, below 60: 0

Protocol: LBNL will identify the position/organization categories for PII training, develop the training, and train as required within the Performance Period.

Discussion: This is a major initiative involving the identification of PII responsible individuals and the development of a new and intensive course on PII management.

Performance Updates:

Q1

Current Status: In Progress

Cooperative planning with HR has begun.  Should be able to report identified groups by Q2.

 

8. Completion of Certification

Objective: The Laboratory will complete the necessary paperwork to certify its systems.

Maximum Score: 10
Scoring: Yes: 10, No: 0

Protocol: Certification is a Laboratory responsibility. This does not address accreditation.

Performance Updates:

Q1

Current Status: Scheduled

This was completed ahead of schedule, so a new measure needs to be negotiated with BSO; that negotiation has begun.
