Management System Owner: Chief Information Officer (CIO)
Revision and Date: Revision 3.0 - December 20, 2018
The purpose of the Information Systems & Cybersecurity management
system is to provide policies, procedures, best practices, governance,
monitoring, strategy and oversight functions, and a cybersecurity program that
together ensure that Fermilab IT assets are procured, managed, operated and
disposed of in accordance with the contract. In addition, it will ensure
that information services support laboratory operations, the scientific program
and the other management systems of the laboratory effectively, efficiently,
securely, and safely.
○ C.4(b)(3) – Office of Science High-Energy Physics Program
○ C.4(c)(9) – Information Resources Management
○ DOE O 200.1A – Information Technology Management
○ DOE O 205.1B – Department of Energy Cyber Security Program
○ DOE O 206.1 – Department of Energy Privacy Program
○ DOE O 243.1B Admin Chg 1 – Records Management Program
The objectives of the Information Systems & Cybersecurity Management System are to deliver IT services, information system products and information management processes to laboratory staff, collaborators and clients to enable scientific and operational excellence. Its functions assure the efficient and effective use of information resources in compliance with standards and best practices to protect the confidentiality, integrity and reliability of the laboratory's information assets.
4.1 IT Policy.
All activities associated with computing and information are governed by Fermilab Information Policies and the Fermilab Computing Policy. An additional set of Fermilab Computing Policies provides governance and direction on specific functional areas and topics. Together, this collection of documents helps ensure effective management system implementation and operation.
The IT Policy Board manages the process of formulating IT policies (including computer security policies) and making recommendations to the laboratory CIO. The process also gives representatives from different organizations a forum to raise and communicate the potential impacts of proposed policies (and policy changes) on their organizations. Topics for potential new or revised policies can arise from the Computer Security Board, service owners, laboratory organizations or groups of users.
4.2 IT Investment Oversight and Governance.
The following IT investment oversight and governance processes have been established to optimize the IT portfolio and maximize the value proposition in each investment while properly managing risk. The portfolio of IT services is determined and managed through the Service Lifecycle and Continuous Service Improvement Service Management frameworks. Two Portfolio Management Teams (PMTs) execute investment decision processes. The goal of the PMTs is to maximize strategic impact and value delivered to Fermilab. To achieve this goal, each PMT reviews, evaluates and prioritizes projects and needs within its portfolio and ensures continued relevance and strategic alignment.
The Information Systems Portfolio Management Team (IS-PMT) provides a forum for reviewing and prioritizing the Fermilab IT information systems portfolio, which is a selected set of planned initiatives and projects that affect the information systems infrastructure at Fermilab. The IS-PMT also recommends to the chairperson which projects should be implemented. The IS-PMT is chaired by the Chief Operating Officer.
The Scientific Computing Portfolio Management Team (SC-PMT) provides a forum for the various scientific projects and programs at Fermilab to present their scientific computing needs and requirements and for the SC-PMT to evaluate and prioritize these needs. The SC-PMT's goal is to ensure that computing resources are allocated in a manner that maximizes benefit to the Fermilab scientific community. As the portfolio of scientific programs evolves, the SC-PMT will guide decisions that need to be made regarding the allocation of human resources and the investment of funds to purchase computing materials and services in a manner that most effectively meets the needs of the scientific program. The SC-PMT plays an important role in reviewing scientific computing investment plans and making appropriate recommendations. The SC-PMT is chaired by the Deputy Chief Research Officer.
4.3 Cyber Security.
Cyber security processes ensure that information systems at Fermilab are
operated at an appropriate level of risk. One set of processes reviews
risk assessments, security plans and impact statements to determine whether
risks associated with new or modified systems or applications are consistent
with the existing accepted risk envelope and makes recommendations about
acceptance of any new residual risks. Additional risk management
processes include approval of variances from baselines. Policies and procedures dealing with computer
security are continuously reviewed and evaluated, particularly in response to
reports on significant computer security incidents at Fermilab and elsewhere in
the DOE complex. Analysis of significant computer security events includes
discussions of their implications and required countermeasures. These
processes are managed at regular meetings of the Computer Security Board (CS-Board).
In addition, a series of dashboards provide continuous monitoring of security
4.4 Service Management.
Service Management defines and governs the processes by which the
laboratory maintains and delivers computing services. These processes are
modeled on the Information Technology Infrastructure Library (ITIL) framework
and the ISO/IEC 20000 standard. The processes are grouped into service lifecycle
stages: Service Strategy, Service Design, Solution Delivery, and Service
Transition. Service Strategy incorporates the needs of the users and
interacts with the PMTs and enterprise architecture. Service Design
interacts with Solution Delivery and ensures that Information Security,
Continuity, Capacity, and Availability are considered and included in IT
solutions. Service Transition interacts with Solution Delivery to ensure
that changes to Services and IT operational processes are carried out in a
4.5 Service Operations.
Service Operations ensures that IT Services are operated and delivered effectively and efficiently in accordance with user needs. This includes both providing core IT services (networking, email, server and desktop support, enterprise application support) and scientific computing services (compute servers, storage servers, grid and cloud computing, scientific application support).
4.6 IT Solution Delivery.
The IT Project Management Office (IT PMO) process manages many computing projects, ranging from short-term, low-cost projects to multimillion-dollar projects involving many stakeholders. The mission of the IT PMO is to oversee and continuously improve IT solution-delivery methodology that helps computing project managers more effectively plan and manage computing projects and measure results. The goal is to complete projects that deliver the planned value, on time and within budget, by applying project management practices and principles at a level that facilitates solid execution without excessive burden and overhead.
4.7 Enterprise Architecture.
The Enterprise Architecture (EA) process defines, maintains and governs the lifecycle and roadmap for Fermilab's computing environment. The process also aligns and maps the roadmap with the required IT investments. The goal of the Enterprise Architecture process is to enhance planning by establishing a comprehensive master plan that incorporates the underpinning computing environment roadmaps. As part of the lifecycle plan, the EA process also defines standards for the computing environment and identifies emerging technologies.
4.8 Software Quality Assurance.
Software Quality Assurance (SQA) defines necessary quality-assurance requirements for all software applications used by Fermilab. Software quality assurance is implemented using a graded approach based on the analysis of potential risks should the software not perform as intended. Evaluating each software application against potential consequences allows for the application of appropriate quality-assurance measures and controls. Through this approach, Fermilab's SQA Program ensures development, management and delivery of reliable software applications through adequate planning, testing and control.
4.9 Publications & Records Management.
The goal of the Publications and Records Management process is to efficiently and effectively identify, maintain, catalog and preserve publications, records and other content that document Fermilab's history, organization, functions, policies, procedures, decisions, essential transactions and results of projects and research. Publications & Records Management provides an overall framework regarding how recorded information should be appraised, saved, discarded or preserved.
The information management system applies across all sectors of the laboratory's line organizations and to all laboratory visitors, contractors and collaborators that operate computing assets and services on the laboratory network.
4.10 Integration with Other Management Systems
The Information Systems & Cybersecurity management system is integrated with other management systems in several ways:
Each function of the information management system involves communication processes. These are governed by the Stakeholder Relations & Communications management system as well as Computing organization communication processes.
4.11 Other Processes Supporting the Management System
All Fermilab activities associated with computing and information in South Dakota are governed by the computing policies described in Section 4.1 above. The goal is to extend computing to the Sanford Underground Research Facility (SURF) such that Fermilab team members stationed at SURF interact with all lab processes just as if they were located at Fermilab in Batavia.
In addition to Section 4.1, the following elements of this management system apply to Fermilab activities in South Dakota:
The South Dakota Services Division (SDSD) is supported by a liaison appointed by the Core Computing Division (CCD) to ensure that SDSD IT computing requirements are sufficiently understood and met, and that computing activities in South Dakota are conducted in accordance with Fermilab policies and procedures. The Core Computing South Dakota IT Operations Liaison (CCD Liaison) will periodically visit the site and is available by phone or email to provide support as necessary. Other support for specific issues or technical needs will be provided by CCD or subject matter experts and coordinated through the CCD liaison.
Additionally, CCD will coordinate with the Deep Underground Neutrino Experiment (DUNE) online coordinator to ensure that the computing needs of the DUNE experiment are met at SURF.
Due to the nature of the work in South Dakota and an integrated workforce comprising Fermilab and non-Fermilab staff, additional policies and cyber security measures may be required. Periodic assessments of South Dakota computing needs and the computing environment will be made by CCD subject matter experts in coordination with the CCD liaison and appropriate actions taken as required.