Lawrence Berkeley National Laboratory
Office of the Chief Information Officer: Rosio Alvarez
CSPP: Policy on the Certification and Accreditation of LBNL Enclaves
Certification and Accreditation Policy

This policy relates to the high-level management of cyber security at LBNL. While applicable to all systems, its intended audience is the Enclave Security Managers.

This policy is specific to enclave security management and was promulgated by the CPPM 5/17/2007.

Review is required by 5/17/2010.
  1. It is the policy of LBNL to conduct Certification and Accreditation of systems, per DOE policy.
  2. LBNL groups similar systems into enclaves for the purpose of cyber security policy and management. The term enclave is in all ways a synonym for NIST system.
    1. Any organized unit of LBNL may request that it be treated as an enclave for purposes of cyber security accreditation.
    2. The CPPM is responsible for determining the boundaries of enclaves and defining enclaves.
    3. The authoritative list of enclaves is held by the CPPM; a version may be found here.
  3. Each enclave is responsible for following the procedures laid out by the Certification and Accreditation Coordinator, who is appointed by the CPPM.
    1. These procedures include annual requirements for risk assessment, self-assessment, disaster recovery testing, corrective action management, and assurance.
    2. These procedures include development of enclave-level policy and procedure to support the Certification and Accreditation process.
    3. These procedures include those described in the NIST Cycle (Information Categorization, Control Selection, Control Refinement, Control Documentation, Control Testing, Control Assurance).
  4. The CPPM is responsible for ensuring that LBNL's overall cyber security approach addresses the seventeen NIST control families laid out in NIST Special Publication 800-53. These requirements are integrated into the overall policy and control framework of cyber security operations. The CPPM maintains a crosswalk of the seventeen control families to LBNL controls throughout the enclaves.
  5. Roles and Responsibilities related to the Certification and Accreditation of Systems at LBNL:

Roles / Responsibilities
LBNL Director

Responsibility: Ultimate responsibility for site management and operations.

Authority: Delegate cyber protection responsibilities (to CIO). Endorse CSPP.

Accountability: Accountable to DOE and UCOP for site operations.

LBNL Chief Information Officer (CIO) (may be same as below)

Responsibility: Oversees Cyber Protection Operations and overall IT posture of LBNL.  Sets IT Policy.

Authority: Designate CPPM. Direct resources to prioritize IT efforts.  Approve Institutional CSPP.

Accountability: Accountable to Director for IT performance and policy.

IT Division Director (may be same as above)

Responsibility: Manage all IT operations.  Recommend IT policy to CIO.

Authority: Direct IT operations, designate resources for IT projects.

Accountability: Accountable to CIO for sitewide IT performance.

Computer Protection Program Manager (CPPM)

Responsibility: Manages institutional cyber protection programs, supervises and coordinates enclave protection programs, evaluates overall cyber security posture and direction for LBNL.  Ensures Enclave implementation of all LBNL CSPP requirements. Recommends security policy to CIO.  Provides assurance of Cyber performance to CIO.

Authority: Approve enclave procedures and policies.  Direct resources to cyber protection efforts. 

Accountability: Accountable to CIO for sitewide cyber performance.

Environment, Safety, and Health Division Director (ES&H)

Responsibility: Oversee management of site emergency response, oversee implementation of Integrated Safety Management (ISM) and Integrated Safeguards and Security Management (ISSM), manage contingency planning functions of LBNL.

Authority:  Direct emergency response, safety, and contingency planning resources.

Accountability:  Accountable to line management for sitewide performance.

Security and Emergency Operations Group Leader, Environment, Safety, and Health Division

Responsibility: Manages site security and safeguards posture which complements cyber protection program.  Manage physical security operations.

Authority: Manage site Safeguards and Security Program.

Accountability: Accountable through line management for sitewide implementation of ISSM.

Facilities Division Director

Responsibility: Oversee all facilities operations. Manage disposal and sanitization for cyber assets leaving LBNL.  Manage intake of new cyber assets entering LBNL.  Manage building support operations, including those supporting contingency operations. 

Authority: Direct operation of Facilities Division, create policy to enhance general and cyber security compliance and posture.

Accountability: Accountable to line management for sitewide performance.

Computer Protection Implementation Committee (CPIC)

Responsibility: Assist in the development of LBNL cyber security posture.  Bring organizational element perspective to cyber security process.

Authority: Recommend actions and policy changes to improve posture and effectiveness.

Accountability: Accountable to division vice line management for contributions to overall LBNL cyber security posture.

Information Technology Advisory Committee (ITAC)

Responsibility: Provide input on overall computing and communications infrastructure.  Use organizational element perspective to improve policy and procedure.

Authority: Recommend actions and policy changes to improve service offerings.

Accountability: Accountable to line management for contributions to process.

Systems and Network Security Group (SNS)

Responsibility: Coordinate institutional response to cyber security incidents and trends.  Coordinate cross-complex responses to new threats where appropriate.  Continually assess effectiveness of responses.  Recommend changes to CPPM.

Authority: Develop, with CPPM, institutional response and transmit to enclaves for implementation.

Accountability: Accountable to Line Management for incident and trend response.

Enclave Manager
(sometimes referenced as simply Enclave when used in the context of “The Enclave is Responsible for…”)

Responsibility: Develop enclave approach to cyber security.  Set FIPS 199 Risk Classification for Enclave.

Authority: Create enclave-level cyber protection plan.

Accountability: Accountable to CPPM for enclave plan content, Accountable to line manager for enclave performance.

Line Manager

Responsibility: Ensure safety and security of employees and systems within span of control.

Authority: Direct work and resources to operate in a safe and secure manner.

Accountability: Accountable to defined line manager for cyber performance within span of control.

System Administrator

Responsibility: Secure individual system or application.  Advise Enclave Owner on risk classification.

Authority: Manage system configuration to improve cyber security.

Accountability: Accountable to Line Manager for system operation.

Data Owner

Responsibility: Adopt and implement graded approach to defense and preservation of data.  Advise System Administrator on Risk Classification.

Authority: Access and manage data in a safe and secure manner.

Accountability:  Accountable to Line Manager for cyber performance.

Computer Security Liaison

Responsibility: Ensure policies, procedures, and practices developed by the CPP are implemented in their organizational element.

Authority: Communicate policies and procedures and practices developed by the CPP to their organizational element. Communicate organizational element policies, procedures and practices to the CPP.

Accountability: Accountable to Line Management for element implementation.

System User

Responsibility: Responsible for all computer use and activity as well as knowledge and application of appropriate policy.  Report security breaches and suspected security incidents.  Advise system administrator and Enclave Owner on security classification.

Authority: Operate authorized systems and access authorized data in a safe and secure manner.

Accountability: Accountable to Line Management for proper system operation and usage.
