Goal 8.0 SUSTAIN AND ENHANCE THE EFFECTIVENESS OF INTEGRATED SAFEGUARD AND SECURITY MANAGEMENT (ISSM) AND EMERGENCY MANAGEMENT SYSTEMS.
Appendix B VOLUME 2, Self-Evaluation FY2006


SLAC contact is Robin Wendt, Interim Director, Office of Assurance
650-926-4295, rawendt@slac.stanford.edu

Summary evaluation

| Element | Letter Grade | Numerical Score | Objective Weight | Total Points | Total Points |
|---|---|---|---|---|---|
| 8.0 Sustain and Enhance the Effectiveness of Integrated Safeguards and Security Management (ISSM) and Emergency Management System | | | | | |
| 8.1 Provide an Efficient and Effective Emergency Management System | B- | 2.5 | 50% | 1.25 | |
| 8.2 Provide an Efficient and Effective System for Cyber Security | A- | 3.5 | 40% | 1.60 | |
| 8.3 Provide Efficient and Effective System for the Protection of Special Nuclear Materials and Property | B+ | 3.2 | 10% | 0.32 | |
| Objective 8.4 – Provide an Efficient and Effective System for the Protection of Classified and Sensitive Information | N/A | | 0% | 0.00 | |
| Performance Goal 5.0 Total | | | | | 3.17 |

Objective 8.1 – Provide an Efficient and Effective Emergency Management System

  • PM 8.1.a, “Lessons Learned” document to be submitted in a timely manner, in general, as a best effort, within 45 days of an occurrence: One occurrence report was related to the fire in IR 4 (ORPS Occurrence Number SC-SSO-SU-20060010). A lessons-learned document is in process but was not published within the 45-day timeframe. However, the investigation conducted on the fire was presented to the Accelerator Systems Division, the Conventional and Experimental Facilities Department, and the external Machine Advisory Committee. Additionally, the associated Occurrence Report was posted on the Occurrence Reporting web page https://www-internal.slac.stanford.edu/operations/orps/. The report, including a paragraph on final evaluation/lessons learned, was called to the attention of all site ES&H coordinators and site supervisors.
  • PM 8.1.b, An external review, survey, or inspection will be conducted at least once per year. Additional reviews may result if there is a significant event requiring follow-up action: An internal independent assessment of the SLAC Emergency Management System was conducted July 2006.
  • PM 8.1.c, Employee and Management awareness of their Emergency Management responsibilities to include emergency response plans, training, established points of contact, providing SSO training records, and an emergency response plan submitted to SSO for approval: All items were met except that training records and an updated emergency response plan were not provided to SSO. Training was, however, partially completed.
  • PM 8.1.d, Complete corrective actions in accordance with an approved Corrective action plan documented in ORPS: Corrective actions are on track for the occurrence report (described above) and the assessment report.

Objective 8.2 – Provide an Efficient and Effective System for Cyber Security

Stanford Linear Accelerator Center

Performance Based Management Process
Self Assessment Report

October 2006

Functional Area: Unclassified Computer Security

(1) Introduction/Background

(i) Contractor

Contract No.: DE-AC02-76SF00515
Point of Contact: Robert D. Cowles
Telephone No.: (650) 926-4965
FAX No.: (650) 926-3329
E-mail: bob.cowles@slac.stanford.edu

DOE Office

IMD: Name: Nancy Adair
Telephone No.: (510) 637-1741
CO Name: Melna Jones
Telephone No.: (510) 637-1741 (OAK)

(b) Date of last assessment: October 2005

(a) Departmental Overview

(c) Laboratory Mission

The Stanford Linear Accelerator Center is the lead Department of Energy (DOE) laboratory for electron-based high energy physics. It is dedicated to research in elementary particle physics, accelerator physics and in allied fields that can make use of its synchrotron radiation facilities—including biology, chemistry, geology, materials science and environmental engineering. Operated on behalf of the DOE by Stanford University, SLAC is a national user facility serving universities, industry and other research institutions throughout the world. Its mission can be summarized as follows:

  • Perform world-class research in high energy physics, particle astrophysics and cosmology, and in the use of synchrotron radiation
  • Provide accelerators, detectors, instrumentation and support for national and international research programs in elementary particle physics and allied fields that use synchrotron radiation
  • Advance the art of accelerators and related devices through development of sources of high energy particles and synchrotron radiation, plus new techniques for their scientific utilization
  • Advance the critical technologies necessary to maintain its leadership and excellence in particle physics, accelerator physics, particle astrophysics and cosmology, and synchrotron radiation
  • Transfer practical knowledge and innovative technology to the private sector
  • Contribute to the education of the next generation of scientists and engineers, and to the scientific awareness of the public
  • Achieve and maintain excellence in matters of environmental concern and provide for the safety and health of its staff and the general public.

Organizational Mission

The Unclassified Computer Security function is responsible for coordinating and promoting programs within the Laboratory to assure that information resources provide protection commensurate with the risk and magnitude of harm that could result from loss, misuse, or unauthorized access or from modification of such information resources and to assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability protection.

The Unclassified Computer Security functional area self-assessment is based on, and measured against, performance objectives and standards as reflected in the SLAC contract.

(d) Identification of Self-Assessment Report Staff

Names, titles, affiliations of participants

Bob Cowles, Computer Security Officer (CSO), SLAC
Heather M. Larrieu, Computer Security Team, SLAC
Richard Mount, Director, Scientific Computing and Computing Services (SCCS)

(e) Scope of Self-Assessment

(i) General Security Issues

A computer security awareness briefing was included in the September 2006 ISEMS training given to all SLAC staff. An email is sent to all Windows when Microsoft releases critical patches. Users are encouraged to test patches before the lab-wide deployment and are reminded to update other systems (e.g., home systems) that are not centrally maintained. Email and newsletters are used to communicate security issues site-wide. We continue to perform SANS Top-20 vulnerability scans against all machines on the network.

(ii) Web and Anti-Virus Activities

Almost all incoming mail enters SLAC through a single gateway that runs flexible algorithms for scanning and stripping potentially harmful attachment files. Further scanning is performed at the MS Exchange server, and real-time anti-virus scanning is performed at the users’ workstations and home directory file servers. There were no reportable incidents of serious virus infection at SLAC in FY2006.

Secure BSD-Network

Work is continuing on the business system network to accommodate the PeopleSoft HR and Financials applications move to PeopleSoft version 8. Substantial changes in the security structure have been implemented and are undergoing refinement to accommodate broader access to PeopleSoft information through a web and application server (3-tier) architecture. A new management network and firewall design is in the process of being deployed.

SPAM

The “quarantine” option of the PureMessage spam-tagging software has proven effective in reducing the amount of scam email delivered to mail system users.

Management of Windows systems

We have steadily improved the effectiveness of our patching program. This year we have moved from the SUS to the WSUS service, which allows better patching support for applications. This system also has improved auditing capabilities. This improved system, in conjunction with the configuration management enforcement, has significantly improved the security posture of our Microsoft Windows-based platforms. We are also discouraging users from using VPN in favor of Citrix-based remote access.

Management of Linux and Solaris systems

The SCCS Unix Systems Group uses software to standardize the management of Red Hat Linux, Scientific Linux and Sun Solaris systems. This software is used on all central Linux and Solaris servers and is strongly encouraged for desktop systems. There were two root compromises of managed systems during the year. The exact vector for the privilege escalation is still being investigated by CIAC as local investigators found no indication of an exploit of any known vulnerability.

There were also some SLAC user accounts compromised in security incidents at other sites. Intruders attempting to use those accounts were unable to get privileged access on SLAC systems. We have required password changes and SSH RSA key changes, and suggested grid certificate revocations, as applicable.

We continue to monitor for indications of user password compromise and brute-force password attacks on systems supporting interactive login.

Certification and Accreditation Activities

A C&A package, which grew out of the SC-sponsored SAV program, was approved by the DAA. The policies and documentation contained therein are in a form that satisfies the latest DOE and NIST requirements, is consistent across the SC Labs, and has the approval of OA.

Risk Assessment and Mitigations

Complete Threat and Risk Assessments have been conducted with internal and external subject matter experts. They and their associated mitigations are documented and included in the Certification and Accreditation package approved September 2006.

(ii) Discussion of Individual Performance Objectives

In measuring the performance of this Objective the DOE evaluator shall consider the following:

  • The Contractor’s success in meeting Cyber-Security goals and expectations.
  • The commitment of leadership to a strong Cyber-Security performance is appropriately demonstrated through security plans, audits, and reporting/follow-up on all Cyber-Security incidents.
  • The maintenance and appropriate utilization of Cyber-Security risk identification, prevention, and control processes/activities. One aspect of this area would involve network firewall implementation and audit reviews.

The overall performance (outcomes/results) of the following set of performance measures (tasks, activities, requirements, accomplishments, and/or milestones) shall be utilized by evaluators as the primary measure of the Contractor’s success in meeting this Objective and for determining the numerical score awarded. The evaluation of this Objective may also consider other tasks, activities, requirements, accomplishments, and/or milestones not otherwise identified below but that provide evidence of the effectiveness/performance of the Contractor in meeting this Objective. The weight of this objective is 40%.

8.2.a Cyber-Security Events are reported and mitigated immediately. Performance of network vulnerability scans on the SLAC network systems on a periodic basis (e.g. quarterly), or after significant system upgrades/changes. Reports from network system scans shall be submitted on a quarterly basis to the DOE/SSO.

8.2.b An external review, survey, or inspection will be conducted at least once per year. Additional review may result if there is a significant event requiring follow-up and corrective action.

8.2.c Ability to complete corrective actions for cyber-security events in a timely manner by the responsible line organizations. Cyber-security events are documented, and a “Lessons-learned” document for the year is compiled. Timeliness will be dependent on the level of the cyber-security event.

8.2.d Employee and Management awareness of their Cyber-security responsibilities, as evidenced by plans and employee training. Documented evidence of employee training on cyber-security shall be submitted to the DOE/SSO for review.

Discussion

Our Vulnerability Management, Incident Handling, and Security training program and policies are all documented in the Certification and Accreditation package approved by the site office. Cyber-security events are addressed upon discovery and, as indicated, are reported to appropriate agencies on a timeline consistent with published guidance. The Vulnerability Management program includes graduated periodic scanning including daily scans, quarterly scans, and “on access” scans for VPN connections. An activity report on quarterly scanning is provided to the SSO.

In July, Oak Ridge Operations Office conducted a Security Survey, which included unclassified Cyber Security. Cyber Security achieved a positive observation and no findings from the survey team.

In addition to specific event management processes that are a component of the Vulnerability Management program, cyber-security events are managed via our trouble ticketing system which facilitates logging and archiving, activity tracking, and workflow assignment. The analysis of each event is chronicled, including its remediation and any “lessons learned,” in the trouble ticketing system.

The CSPP and Cyber Security Program Policies outline the line management roles and responsibilities for cyber security. Senior lab management has signed the C&A package accepting those responsibilities. Additionally, enclave owners developed the security plans for their systems. Those plans supplement the lab’s core Cyber Security Program Plan (CSPP), detailing the enclave-specific implementations of the required controls, which include user awareness and training. Users and employees sign an acceptable usage agreement referencing computer security policies prior to being assigned a computer user account. Lab personnel have also been made aware of, and have acknowledged, their role in the appropriate handling of PII data. In addition to the annual ISEMS briefing, a lab-wide electronic newsletter and several mailing lists are used for communicating computer security issues to the lab community.

Status of FY2006 Goals:

  1. Implement a “Scan-Me” facility so desktop administrators can test the efficacy of their patching
    Completed
  2. Implement a registration system on the visitor network.
    Completed
  3. Complete updates to CSPP and C&A packages in conformance with latest NIST guidelines and DOE directives.
    Completed. A Certification and Accreditation package was signed by the DAA

(f) Improvement Action Plans/Goals

Goals for FY2007:

  1. Institute enforcement of password aging for Unix systems
  2. Wireless network improvements for better detection of rogue access points
  3. Develop enhanced security training program

Objective 8.3 – Provide an Efficient and Effective System for Protection of Special Nuclear Materials

  • PM 8.3.a, Safeguard events are reported and mitigated as necessary: There were no safeguard events during the year.
  • PM 8.3.b, External reviews, surveys, or inspections will be conducted once per year: The ISC/OR conducted an NMC&A inspection as part of the Focused Audit on Security in July 2006.
  • PM 8.3.c, Ability to complete corrective actions: There were no corrective actions requiring completion in FY06.
  • PM 8.3.d, Employee and Management awareness of their Safeguards responsibilities: No problems were identified during the ISC/OR NMC&A inspection in July 2006 (see PM 8.3.b above).

Objective 8.4 – Provide an Efficient and Effective System for the Protection of Classified and Sensitive Information

N/A


Last update: 11/03/2008