(M10) Information Technology
The Information Technology (IT) Management system’s purpose is to provide policies, procedures, best practices, governance, monitoring and oversight functions, and a cyber security program that together ensure that Fermilab IT assets are procured, managed, operated and disposed of in accordance with the contract, and that IT services support lab operations, the scientific program, and the other management systems of the lab effectively, efficiently and safely.
| Role | Responsibilities |
|---|---|
| Associate Laboratory Director for Computing/CIO | Sets up and oversees operations of the IT Management System; chairs the IT Executive Council, the highest-level IT governance body of the laboratory. |
| Computer Security Executive | As described in the Computer Security Program Plan. |
| Computer Security Manager | Oversees the Computer Security Program; chairs the Computer Security Board. |
| Fermilab Computer Security Coordinator | As described in the Computer Security Program Plan; serves as point of contact for law enforcement; handles DOE incident response; assures core IT services are operated in accordance with IT Infrastructure Library (ITIL) processes and achieve ISO 20000 certification; extends ITIL processes to Scientific IT operations; oversees adherence to processes and standards; supports and oversees ITIL process owners and the Continuous Service Improvement Program. |
| Chief Operating Officer | Chairs the Information System Portfolio Management Team. |
| Associate Lab Director for Particle Physics | Chairs the Scientific Computing Portfolio Management Team. |
| Chief Information Officer | Chairs the IT Infrastructure Portfolio Management Team. |
| Head of Office of Enterprise Architecture and Configuration Management (Computing Sector) | Chairs the Enterprise Architecture Board. |
| Head, Project Management Office (Computing Sector) | Provides project management support and oversight for all IT Management System Portfolio Projects. |
| Deputy Chief Information Officer | Chairs the IT Policy Board. |
The objectives of the IT Management System (ITMS) are to deliver IT services, information system products, and IT management processes to Laboratory staff, collaborators, and clients to enable scientific and operational excellence. ITMS functions assure the efficient and effective use of information resources in compliance with standards and best practices to protect the confidentiality, integrity, and reliability of the Laboratory's information assets. The ITMS consists of five major functions:
- IT Governance and Enterprise Architecture – planning, oversight, standards, methods, Service Management, performance assessment, configuration management, and reporting for ITMS services and projects.
- Cyber Security – establishing Laboratory policies and processes for the protection of computer-based information and assets, and implementing continuous monitoring to assess performance.
- Information Technology Infrastructure – deploying and operating the fundamental information technologies, applications, and services to support essential capabilities and functionality.
- Information Systems – analyzing, developing, and deploying information systems and automated business processes.
- Scientific Computing – deploying and operating the computing technologies, applications, and services to support the scientific program.
The IT Governance and Enterprise Architecture functions and the Cyber Security functions apply to the other three service delivery functions of the ITMS.
The IT Management System applies across all sectors of the laboratory’s line organizations and to all laboratory visitors, contractors and collaborators that operate computing assets and services on the laboratory network.
Continuous evaluation of threats and vulnerabilities and assessment of and mitigation of risks are an integral part of the Cyber Security program, Project Management and Service Continuity processes.
The IT Management System is integrated with other management systems in several ways.
- IT Governance functions and processes ensure that developing and modernizing the underlying IT Infrastructure and Information Systems needed for effective operation of the other management systems, as well as for laboratory operations, are prioritized by portfolio management teams with broad representation across the scientific and operations sectors of the lab.
- Information Technology Infrastructure, Information Systems and Scientific Computing functions are integrated with processes of the Quality Assurance Management System, the ES&H Management System, the Financial Management System and the Operations Management System (Business Services).
- The Scientific Computing function is also integrated with the Science Management System, which provides strategic direction and priority guidance, and the Engineering Management System in areas of Scientific Computing where engineering is performed.
Each function of the IT Management System involves communication processes; these are governed by the Communications Management System as well as communication processes of the IT Management System.
FRA Contract Requirements (may change as orders, manuals and guidance change):
- FRA Contract DE-AC02-07CH11359 Section J, Appendix B PEMP
- FRA Contract DE-AC02-07CH11359 Section C4.3 and Section H40, H41 and parts of H23 and H7
- DOE Manual 205.1-5 - Cyber Security Process Requirements Manual
- DOE Manual 205.1-8 - Cyber Security Incident Management Manual (ditto)
- DOE Notice N 205.2 - Foreign National Access to DOE Cyber Systems
- DOE Notice N 205.3 - Password Generation, Protection, and Use
- DOE Guide G 205.2 1 - Password Guide, dated 11/23/99
- DOE Notice N 205.8 - Cyber Security Requirement for Wireless Devices and Information Systems
- DOE Notice N 205.9 - Certification & Accreditation Process for Information Systems Including National Security Systems
- DOE Notice N 205.10 - Cyber Security Requirements for Risk Management
- DOE Notice N 205.11 - Security Requirements for Remote Access to DOE & Applicable Contractor Information Technology Systems
- DOE Manual 470.4-4 - Information Security Manual
- DOE Order O 200.1A - Information Technology Management
- DOE Order O 205.1B - Department of Energy Cyber Security Program (May 16, 2011) (check)
- DOE Order O 206.1 - Department of Energy Privacy Program (Jan 16, 2009)
- DOE Policy P 413.1, Program and Project Management Policy for the Planning, Programming, Budgeting, and Acquisition of Capital Assets, dated 6/10/00.
- DOE Policy P 470.1, Integrated Safeguards and Security Management (ISSM) Policy, dated 5/8/01.
- DOE O 471.2A, Information Security Program, dated 3/27/97.
- DOE O 471.A, Identification and Protection of Unclassified Controlled Nuclear Information, dated 10/23/01, extended to 07/07/06
- DOE O 471.4, Incidents of Security Concern, dated 03/17/04
- DOE O 471.3, Identifying and Protecting Official Use Only Information, dated 04/09/03
- NIST SP 800-14, Principles and Practices for Securing IT Systems, dated 09/96
- NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems, dated 12/98
- NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems, dated 11/01
- NIST SP 800-30, Risk Management Guide for Information Technology Systems, dated 10/01
- NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, dated 06/02
- NIST SP 800-40, Procedures for Handling Security Patches, dated 08/02
- NIST SP 800-46, Security for Telecommuting and Broadband Communication, dated 08/02
- NIST SP 800-48, Wireless Network Security: 802.11, Bluetooth and Handheld Devices, dated 11/02
- NIST SP 800-44, Guidelines for Securing Public Web Servers, dated 09/02
- NIST SP 800-53, Recommended Security Controls for Federal Information Systems, dated 02/05
- NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, dated 06/04
- NIST SP 800-61, Computer Security Incident Handling Guide, dated 01/04
- NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
- NIST SP 800-53 sets out the baseline management, operational, and technical controls that must be incorporated into a system to minimally assure the security of low, moderate, and high risk systems.
- NIST SP 800-53A contains testing criteria for the security controls.
- Federal Information Processing Standards (FIPS) 199 offers a standardized methodology to assess the risks to the confidentiality, integrity, and availability (CIA) of unclassified systems.
- FIPS 200, Minimum Security Requirements for Federal Information and Information Systems.
- Public Law 107-347, Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA).
- Public Law 104-106, Information Technology Management Reform Act (Clinger/Cohen Act) of 1996.
- Public Law 107-30, Sarbanes-Oxley Act of 2002
- E.O. 13231, Critical Infrastructure Protection in the Information Age, October 16, 2001
- Office of Management and Budget (OMB) Circular No. A-130, "Management of Federal Information Resources", Attachment III, Security of Federal Automated Information Resources, dated 02/08/96
- OMB Circular A-11, Preparation, Submission and Execution of the Budget, Exhibits 53 and 300
- OMB Circular A-123
- Fermilab Continuity of Operations Plan
- Fermilab Business Impact Assessment (COOP) – see Operations Management System
- MOU with ANL for Disaster Recovery Site
Bodies and policies which support the IT management system and provide aspects of assurance:
- Corporate Process: FRA Board and sub-committees review the progress of this system several times a year.
- Processes by which the ITMS Boards and Councils listed above operate – described in their Charter.
- Computing Sector PMO processes by which IT projects are managed and metrics related to project management are tracked.
- Fermilab Computer Security Program (including all security plans, risk assessments, roles & responsibilities and operations of the Fermilab Computer Incident Response Team (FCIRT)) (available on request).
  - Contains many mandatory processes for IT operations, user behavior and training.
- Annual Computer Security Awareness Day and periodic hands-on training sessions.
- System Administrators’ Roundtable.
- IT Service Management processes based on ITIL best practices and the ISO 20000 standard:
  - ITSM implementation program, leading to gaining and maintaining ISO 20000 certification for core IT services. This includes documentation of all policies, procedures, services, service level agreements and operational agreements.
  - IT Service Level Agreements: creation, update, review of KPIs, monitoring of underpinning agreements and Operational Level Agreements.
- Process and Service reviews against established metrics and KPIs as part of the established Continuous Service Improvement Program (CSIP).
- Problem identification and root cause analysis as part of ITIL Problem management
- Service Continuity related to Business Continuity of Operations plan (for lab Operations) and to science objectives and MOUs for the scientific program.
- Self assessments.
- NLCIO processes to interact with the DOE CIO and to assist in developing and interpreting DOE IT related policy and guidance.
- Quarterly Self-Assessments of aspects of operations of IT assets – reported to DOE
- Internal self assessments within Computing Sector organizations
- Annual DOE review of performance (PEMP)
- Internal Audits
  - Targeted audit areas vary each year and are selected based on a formal risk assessment. The CIO participates in the risk assessment process with the Manager of Internal Audit. IT service management processes are being reviewed one by one.
- Inspector General Audits
- IT Controls component of KPMG annual audit of financial systems.
- Fermilab Site Office Safeguards and Security Periodic Survey of Fermi National Accelerator Laboratory
- Authority to Operate granted by Fermilab Site Office Designated Approving Authority, based on external Security Testing and Evaluation.
- OMB 53 reporting to DOE
- DOE data calls on information security
- Assessment to achieve and maintain ISO/IEC 20000 certification for core IT services.
- Periodic DOE OHEP review of Scientific Computing (latest February 2011 review)
- FISMA audits
- Bi-weekly meeting with the Fermilab Site Office
- Reports to the weekly Scheduling and All Experimenters’ meetings.