DOE lab rates risk to dodge cyber disasters

download-pdf
Chicago lab preaches "know thy data"

The Argonne National Laboratory, a multipurpose Energy Department national laboratory based in the Chicago area, is working to maintain a holistic cybersecurity strategy, building in deeper levels of integration and situational awareness to adapt to ongoing threats and risks.

When the team at Argonne first investigated cybersecurity in 1999, everything was driven by network port numbers. The lab leveraged network data flow to figure out where servers were located, which served the Internet, and which were used to service the lab’s internal community.

Now the mantra at Argonne has shifted from a focus on networks to one that centers on “know thy data.” The lab’s current cybersecurity architecture review group includes members from all the different business units in the organization. This committee was charged with developing the initial architecture, and meets on a regular basis to review and update the architecture.

Argonne has found it important to manage network security from the inside out, while coordinating involvement among all departments and business units. Argonne’s security architecture now provides an example of a more holistic security policy that uses the cohesiveness of all internal business units to deal with every aspect of keeping a network from being vulnerable to attack.

The focus now is on risk avoidance and getting more involved in the daily operational decisions involved in running the organization. Unlike a decade ago, most applications no longer reside solely on local networks. More applications reside on the Internet, which causes difficulties for IT organizations because it’s impossible to control everything users touch. Many organizations are also dealing with network perimeter erosion due to ever increasing numbers of mobile workers.

Elements of strong security

A strong security policy must encompass three primary components:

  • Confidentiality or role-based policies that state whom should see what data.
  • Integrity or ensuring that the data for a particular system is in a known good state.
  • Availability or access to systems or processes when a user needs it to perform a specific task.

In general, public-sector organizations should assume that malicious users are in the network and they must find ways to protect access to critical systems and data. Maintaining secure networks is challenging when there’s unknown traffic on the network and it can be difficult to control what this traffic is doing both internally between networks and outside of the organization to the Internet.

To achieve greater security, organizations such as Argonne have learned it's important to make sure security policy supports the organization’s primary mission goals. To accomplish this goal, public-sector organizations assign risk and the probability of certain risks occurring to all important operational systems and applications. This can help managers determine how much it would cost to lose a critical system and whether that’s a risk they want to assume.

All about risk

Federal agencies as well as organizations in the financial sector face strong requirements to protect critical information and avoid risks associated with data loss or exposure or misuse. This has led to a greater focus across most government organizations on consolidation – especially when it comes to the number of Web gateways used, which can lower costs and help reduce possible exposure to risks.

The lack of proper security controls would leave any organization vulnerable to compliance problems based on federal regulations designed to protect the security and privacy of agency information. Argonne deals with compliance problem with education. The lab has worked hard to make sure its personnel are aware of Energy's definition of personally identifiable information, which has helped the organization to better protect data with strict standards that define when problems need to be reported to Energy.


About this Report

This report was commissioned by the Content Solutions unit, an independent editorial arm of 1105 Government Information Group. Specific topics are chosen in response to interest from the vendor community; however, sponsors arenot guaranteed content contribution or review of content before publication. For more information about 1105 Government Information Group Content Solutions, please email us at GIGCustomMedia@1105govinfo.com