RPM 9.01 requires that all individuals at LBNL take responsibility for responsible and secure stewardship of IT assets throughout their lifecycle:
The following implementing guidance describes key controls and policies that implement the stewardship policy and cross-walks them to the NIST 800-53 Control Families. This is not an exhaustive list of how LBNL implements (or chooses not to implement) the controls in NIST 800-53; the exhaustive list may be obtained from the CPPM.
| Control Area |
Description |
Links |
Discussion |
| Access Control |
LBNL access control policy is found in the RPM Section 9.01:
All use of LBNL systems must be authorized by a responsible employee who takes security responsibility for the use and/or user and ensures that LBNL IT policies are communicated to the user and followed in the course of granting access. Use must be reviewed by the granting employee on a schedule appropriate to the risks presented by the service or system.
Guidance:
It is LBNL policy to enforce access control by utilizing mechanisms for limiting access wherever possible. The default method is the use of individually identifiable credentials. Where individual credentials are impractical, shared and open access may be utilized provided it is limited to a defined subset of systems (for instance, a beamline) and the responsible line manager understands the risks associated with lack of user-level accountability.
Institutional accounts may not be shared, subject to RPM Policy at RPM 9.02.
Access should be limited to a reasonable set of services appropriate to the work. RPM 9.02:
The safeguards that are provided by the operating system in use should be invoked to the maximum extent that does not interfere with the work of the users. Such safeguards include the following:
- Control over system privileges
- Protection of the password file
- User notification of unsuccessful log-in attempts
- Temporary deactivation of user ID after several successive failures
- Less-than-universal defaults for file access
|
Strong Passwords and Use of Passwords.
Description of LBNL Access Control Methodology and Implementation |
|
| Awareness and Training |
It is LBNL policy that all individuals must possess the appropriate skills, knowledge, and abilities to do work in a secure manner. Training and awareness supplement these skills and form an integral part of our security program.
CPP is available to provide advice on additional training opportunities.
|
Cyber Security Training & Training Policy and Responsibilities
Training Database |
|
| Audit and Accountability |
It is LBNL policy that each enclave must maintain appropriate records to reasonably reconstruct security incidents. Systems keeping business records and/or moderate information must maintain logs which allow for accountability over individual transactions to facilitate investigation, subject to functional owner requirements.
Other audit requirements are driven by the Minimum Security Requirements which set minimum requirements for certain Linux/Unix systems (syslog) and Windows systems (via the Secure Baseline or the Windows Security Template).
|
Minimum Security Standards |
The CSPP Appendix 1 describes the minimum requirements for enclave-level logging. |
| Certification, Accreditation, and Assessments |
It is LBNL policy to conduct Certification and Accreditation per DOE Policy. Please see the policy on Certification and Accreditation.
|
Policy on C&A |
|
| Configuration Management |
LBNL's Configuration Management Approach is a function of detailed configuration management of key infrastructure, and general configuration management of distributed assets.
The acceptable configuration for all systems is specified by the Minimum Security Standards. CPP sets the Minimum Security Standards; end users and system administrators ensure they are implemented and maintained; and line management provides security oversight in the context of their line management oversight.
In addition, the LBNL ROE Enclave Configuration Management Plan addresses a number of infrastructure areas with further defined configuration management requirements.
|
Min. Security Standards |
|
| Contingency Planning |
It is LBNL policy to prepare for contingencies in a risk-based and graded manner. This includes the development of strategic recovery objectives by Senior Management and integration of IT resource planning into the overall LBNL Emergency Preparedness and Business Continuity Plans.
|
Disaster Recovery |
|
| Identification and Authentication |
See Access Control
|
|
|
| Incident Response |
It is LBNL policy that all computer security incidents be reported to the Computer Protection Program for investigation, and that the CPP report incidents of an unusual or enduring nature to the appropriate reporting authorities.
|
Incident Handling
RPM on Incident Reporting
|
|
| Maintenance |
It is LBNL policy that employees conduct appropriate, cost-effective software maintenance, including required patching and upgrading of unsupported systems.
RPM 9.01:
LBNL information technology assets will be treated in a responsible manner throughout their lifecycle. This includes appropriate planning, implementation, maintenance, and disposal of computing and information assets. All members of the LBNL community are accountable for providing appropriate stewardship of the computing and information assets they utilize and manage. This includes appropriate information and computer security, information management, continuity and lifecycle planning, and asset management.
|
Minimum Security Requirements
OS Patching |
|
| Media Protection |
It is LBNL policy that all employees apply appropriate, cost- and risk-based protection to media.
RPM 9.01:
LBNL information technology assets will be treated in a responsible manner throughout their lifecycle. This includes appropriate planning, implementation, maintenance, and disposal of computing and information assets.
|
Media Protection Implementing Guidance |
|
| Physical and Environmental Protection |
It is LBNL policy to ensure that appropriate physical security and disaster recovery planning are integrated into IT planning. The minimum security requirements define provision of physical security as a necessary security component.
Institutional datacenters are defined as rooms whose primary purpose is the support of shared-use systems with multiple users whose failure would result in wide-scale disruption to institutional or programmatic functions.
Institutional datacenters require strong environmental controls and physical security policies and training.
RPM 9.02:
Laboratory employees who possess such equipment are responsible for ensuring the physical safety of that equipment.
|
Physical Security
|
Review of datacenters was completed in Nov 2006. The list is available from itpolicy@lbl.gov |
| Planning |
It is LBNL policy to integrate cyber security planning into the development of new initiatives and practices per the RPM Stewardship Policy.
RPM 9.01:
LBNL information technology assets will be treated in a responsible manner throughout their lifecycle. This includes appropriate planning, implementation, maintenance, and disposal of computing and information assets.
|
Security planning at the enclave level.
|
|
| Personnel Security |
LBNL Personnel Security policies are a function of the RPM Background Check Policy, the LBNL Site Security Plan, and any internal requirements developed by system owners.
|
Background Checks
Background Checks RPM
|
Note: In 2007, HR and CIO conducted a review of the sensitivity of positions at LBNL and expanded background checks to a new class of administrators. |
| Risk Assessment |
It is LBNL policy to conduct risk assessment and manage risks in a cost-benefit manner.
|
Enclave Management Policy. |
|
| System and Service Acquisition |
It is LBNL policy to restrict the purchase of identified security-risk items by utilizing the restricted and prohibited item lists to ensure compliance.
It is LBNL policy to integrate information security requirements into services procurement contracts wherever appropriate.
|
Model Contract Language |
|
| System and Communications Protection |
It is LBNL policy to separate information systems into enclaves, and to monitor and manage security controls both within and between enclaves.
|
Enclaves
|
|
| System and Information Integrity |
It is LBNL policy to protect the integrity of both information and systems. RPM 9.01:
The Laboratory’s computer systems and all information contained in these systems must be appropriately protected from unauthorized use, alteration, manipulation, and disclosure. In keeping with the principles of Integrated Safeguards and Security Management (ISSM), security is the responsibility of the user and his or her line management. Users, data owners, and system owners must take appropriate precautions to secure the confidentiality, integrity, and availability of systems and data, and line management must provide adequate oversight to assure these precautions are appropriate and maintained.
Employees are responsible for protecting the Confidentiality, Integrity, and Availability of systems. CPP provides assurance and assists employees by utilizing vulnerability scanning, configuration management, and malicious code detection.
Malicious code detection (antivirus) is a Minimum Security Requirement and is also implemented at the email gateway.
Vulnerability scanning provides assurance that systems are appropriately configured.
Configuration management, as described above, helps to preserve integrity.
|
Vulnerability Scanning
|
|