Fermilab Computing Division
Search

FNAL Systems Risk Management Program

sidemenu
Security Home Page
ALERTS
Policy Guidelines
Technical Info
Support and Services
Certificates
Meetings and Events
Contacts
Restricted Access

To better understand individual computing risks and to keep system administrators informed of unintentional changes to their operating environments, Fermilab is developing a Systems Risk Management program to ensure systems meet a minimum baseline configuration. The FNAL Systems Risk Management project goals are to accurately perform Lab computing risk assessments, raise awareness of computing risks, ensure system information data accuracy and provide accountability of computing resources. Completion of a FSRM assessment grants usage of the FNAL IP network for the next year.

 

Life Cycle:

-          Identify risks (electronic questionnaire is updated to reflect the current baseline configuration and new threats)

-          System administrator performs an assessment for either an individual system or a cluster of similar systems. The assessment consists of an electronic question and answer process containing questions pertaining to conformance and deviations from baseline configuration, adherence to Lab computing policies, patching, privacy and backup/recovery processes. This assessment process also includes a listing of network accessible services offered by the machine or cluster of machines along with technical controls to mitigate threats.

-          After submission of a FSRM assessment, the local General Computer Security Coordinator (GCSC) acknowledges the FSRM assessment. This is to ensure the GCSC is kept informed of resources within their local administrative domain.

-          The FSRM assessment is then accepted by the Division/Section Head or Experiment Spokesperson. This ensures line management is aware of the computing risks they assume within their division, section or experiment.

-          Access to the FNAL GCE or OSE is granted for one year.

-          Continuous scanning by the Computer Security Team ensures any new network accessible services detected are documented by the approved FSRM assessment. Deviations generate an alert to the system administrator to either disable the service or to update the appropriate FSRM assessment to document the new service and associated technical controls.

-          The full lifecycle is executed every year.

 

Enforcement:

-          Scanning by the Computer Security Team, including inventory scanning and critical vulnerability scanning, verifies new network accessible services are defined in the appropriate FSRM assessment.

-          In the event of a FCIRT incident, the appropriate FSRM assessment is consulted to ensure the vulnerability was properly addressed. Inadequate and missing mitigation techniques are evaluated and the FSRM assessment is updated as required.

-          New nodes belonging to the GCE or OSE are required to have an accepted FSRM assessment before being granted network usage within these enclaves.

 

While this process is being developed, CST has provided a Computing Checklist of items to be considered before connecting a computer to the FNAL network. Most of the items listed in this checklist will be included in the FSRM program.

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team ; last modified by TR on July 13, 2006.
(Address comments about page to the Computer Security Team.)