Tune IT Up Campaign Overview
Mark Kaletka, Computing Division, 9/29/2009
A “Few” of the Lab’s IT Directives & Regulations
One of the items specified in that contract is the list of regulations that Fermilab must comply with, and a process for updating that list managed through our DOE site office.
– Applicable Standards and Guidance
  – Legislation
    – Office of Management and Budget (OMB) Memorandum, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26,
    – Office of Management and Budget (OMB) Memorandum, Instructions For Complying With The President's Memorandum Of May 14, 1998, "Privacy and Personal Information in Federal Records", January 7,
    – Public Law (44 U.S.C. Ch 36), E-Government Act of 2002, Title III — Information Security, also known as the Federal Information Security Management Act (FISMA) of
    – Office of Management and Budget (OMB) Circular No. A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, February 8,
    – Public Law, Information Technology Management Reform Act of 1996 (Clinger-Cohen Act)
  – NIST Guidance
    – Federal Information Processing Standards (FIPS)
      – FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, July
      – FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, February
    – Special Publications
      – SP , The NIST Security Configuration Checklists Program, May
      – SP , Integrating Security into the Capital Planning and Investment Control Process, January
      – SP , Security Considerations in the Information System Development Life Cycle, October 2003 (publication original release date) (revision 1 released June 2004)
      – SP , Guide for Mapping Types of Information and Information Systems to Security Categories, June
      – SP , Recommended Security Controls for Federal Information Systems, February
      – SP , Wireless Network Security: , Bluetooth, and Handheld Devices, November
      – SP , Guide for the Security Certification and Accreditation of Federal Information Systems, May
      – SP , Contingency Planning Guide for Information Technology Systems, June
      – SP , Risk Management Guide for Information Technology Systems, July
      – SP , Rev. 1, NIST DRAFT Special Publication , Revision 1: Guide for Information Security Program Assessments and System Reporting Form
      – SP , Rev. 1, Guide for Developing Security Plans for Federal Information Systems, February
  – DOE Policy and Guidance
    – Revitalization of the Department of Energy Cyber Security Program (1/2006)
    – Department of Energy Cyber Security Management Program, Order 205.1 (Draft)
    – Department of Energy Cyber Security Management Program (3/21/2003)
    – Notice: Incident Prevention Warning and Response Manual
    – Notice: Foreign National Access to DOE Cyber Systems (extended to 9/30/06)
    – Notice: Password Generation, Protection and Use (extended to 9/30/06)
    – Notice: Handling Cyber Alerts and Advisories, and Reporting Cyber Security Incidents (extended to 07/06/05)
    – Notice: Cyber Security Requirements for Wireless Devices and Information Systems (3/18/06)
    – Notice: Certification and Accreditation Process for Information Systems, including National Security Systems (3/18/06)
    – Notice: Cyber Security Requirements for Risk Management (3/18/06)
    – Notice: Security Requirements for Remote Access to DOE and Applicable Contractor Information Technology Systems (3/1/8/06)
    – Notice: Clearing, Sanitizing, and Destroying Information System Storage Media, Memory Devices, and Other Related Hardware (2/19/2004)
    – Notice: Extension of DOE Directive on Cyber Security (7/6/2004)
Audit not Quite “Fail”
– Safeguards and Security Audit of Computer Security Program in May 2009 resulted in 6 findings;
  – For us this is like going from A+ to C-.
Audit Findings = Consequences…
– Findings have serious consequences for the Lab;
– There is a contract between FRA and DOE to manage Fermilab;
– Consequences of failing to meet terms of contract can be both tangible (financial, resources, rebid our contract) and intangible (credibility of lab to conduct scientific program);
  – Just like safety, quality assurance;
– Auditors will keep coming back, we need to work together Lab-wide to improve;
– We want to fix the underlying causes that led to audit findings;
  – Not just address isolated consequences;
Launch!
– Lab Director (Pier) instructed CIO (Vicky White) to lead a lab-wide response;
– CIO placed me (Mark Kaletka) in charge of leading the lab-wide response;
– Progress is being monitored by DOE Site office;
– The response is the Tune IT Up Campaign;
Message from the Director
I have directed Vicky White, Fermilab’s chief information officer, to take whatever steps are necessary to address the findings in this audit and to bring Fermilab cybersecurity up to the same standard of excellence we require for every other area of laboratory operations. With my full support, she will lead a campaign, “Tune IT Up,” that will involve every Fermilab employee and user in making changes to the way we manage computers. We will need to move quickly. Just like safety, cybersecurity is the responsibility of every person at the laboratory. Line managers are responsible for understanding and enforcing policies on computer security. System administrators must follow the requirements for configuration of the machines under their control. Each user is responsible for understanding and following the Fermilab Policy on Computing. Employees with higher levels of responsibility, for example those handling privacy information, must exercise a higher level of care handling the information under their control.
Message from the CIO
It’s time for a tune-up! Today we launch a campaign to tune up our Information Technology (IT) to fully comply with our published security baselines and policies. We do this not only to comply with the audit requirements but to strengthen computing at Fermilab to support our physics mission. In the coming months every desktop and laptop owned by Fermilab will receive either a physical or virtual visit from a trained system administrator who will check it for full compliance with required baseline configurations. Those who do not need administrative privileges to carry out their job functions will no longer have such privileges. Those who do will maintain administrative privileges and will be retrained in how to ensure that their systems meet requirements. We will incorporate every machine into the automated inventory and patching systems provided for Windows, Linux and Mac systems. We will remove from the network desktops and laptops that are not running an approved OS with a published security baseline. We will take out of service desktops and laptops that are too old to be updated or are running systems that cannot be brought up to standards; or we will fully document the need to run them and put in place compensatory controls (such as isolating them in their own network segment).
Campaign Goals
– Review and update all security baselines and policies (including password and authentication policies).
– Ensure that all computers at Fermilab conform to security baselines and security plans and that all applications are patched.
– Improve efficiency and consistency of management of desktops and laptops and move towards standards and central management of all systems with least user privilege granted.
– Ensure all systems deviating from baselines are assessed and approved (or have corrective action plans) – or are detected and responded to.
Campaign Goals
– Ensure that all sensitive data and PII are in systems protected with moderate level controls detailed in “major application” security plans, that those people who have access to such data are approved, and that all lab contracts related to such data are reviewed.
– Tune up and increase training and education on cyber secure behaviors and how to recognize and protect sensitive data and PII.
– Tune up and make more rigorous our internal assessments and ST&E of our cyber security program.
Strategies to Achieve the Goals
– Consolidate the management of IT under a CIO in order to procure, operate, dispose of and protect IT assets in a more standard, cost effective and secure manner.
– Enhance the computer security program (which provides the guidelines for operating IT in a secure manner, based on program requirements and assessment/acceptance of a certain level of risk) to increase audit, oversight and training capabilities.
– Create additional IT policies and begin to lay out an enterprise architecture – in order to set requirements and guidance for selecting, procuring and operating IT assets (including software assets).
Timeline
– The campaign is expected to last approximately six months, with an intense period of activity from mid July to mid October, 2009, followed by an ongoing program of work for the remainder of 2009 to ensure that the goals of the campaign are met and that the IT management practices put into place are sustainable.
– At that time attention will turn to beginning execution of Information Systems projects that are not part of this campaign but are part of the corrective action plan for the audit findings.
Deliverables
– Services Management
– Password Policy
– Baseline Security
– Information Security
– Antivirus Alerts
Color Key: Completed / In Progress / Yet to Start
Services Management
– Form a policy committee to write and maintain configuration requirements for Mac and Linux desktops.
– Enforce configuration requirements for all desktop machines.
– Require supervisors to approve employee requests to run non-standard services, such as Web services.
Password Policy
– Enforce DOE password complexity requirements in the Windows domain.
– Stop adding new IMAP accounts and begin setting up all new accounts on the Exchange server.
– Enforce a 10-character minimum for passwords on the IMAP server.
– Enforce password complexity guidelines for local Windows accounts.
– Migrate laboratory employees’ accounts from IMAP to Exchange server.
Baseline Security
– Disable remote access to local accounts with administrative privileges.
– Require supervisors to approve employee requests for local administrative privileges.
Information Security
– Review roles and responsibilities associated with the system identified in the review as needing improvement.
– Review architecture and configuration of the system identified in the review as needing improvement.
– Implement architectural review recommendations.
– Reduce usage of personally identifiable information.
– Hold basic and advanced trainings for handling personally identifiable information.
Antivirus Alerts
– Automate response procedure for antivirus alerts.
– Create new policy for response procedure for antivirus alerts.
– Centralize management of system administrators.
Baseline Assessment
– As part of the lab-wide Tune IT Up campaign, every employee and visitor at the lab who uses a laptop, desktop or smart phone to connect to the Fermilab network for daily work must fill out an assessment form.
– The laboratory is taking this inventory to gather up-to-date information about the laptops, desktops and smart phones used to connect to the Fermilab network. Using this information will allow the laboratory to better support and protect computers and to ensure that systems are appropriately configured. The vulnerability of even one computer can cause a disruption across the entire laboratory.
– To date, 1276 users (58% of the Lab’s employees) have completed surveys for 2043 computers;