Management System Owner: Chief Information Officer (CIO)
Revision and Date: Revision 2.1 - June 21, 2018
The information management system's purpose is to provide policies, procedures, best practices, governance, monitoring, strategy and oversight functions and a cybersecurity program that together ensure that Fermilab IT assets are procured, managed, operated and disposed of in accordance with the contract. In addition, it ensures that information services support laboratory operations, the scientific program and the other management systems of the laboratory effectively, efficiently, securely and safely.
· Oversees the Computer Security Program
· Chairs the Computer Security Board
· Serves as point of contact for law enforcement
· Handles DOE incident response
○ C.4(b)(3) – Office of Science High-Energy Physics Program
○ C.4(c)(9) – Information Resources Management
○ DOE O 200.1A – Information Technology Management
○ DOE O 205.1B – Department of Energy Cyber Security Program
○ DOE O 206.1 – Department of Energy Privacy Program
○ DOE O 243.1B Admin Chg 1 – Records Management Program
The objectives of the Information Management System are to deliver IT services, information system products and information management processes to laboratory staff, collaborators and clients to enable scientific and operational excellence. Its functions assure the efficient and effective use of information resources in compliance with standards and best practices to protect the confidentiality, integrity and reliability of the laboratory's information assets.
The IT Policy Board (ITBoard) manages the process of formulating IT policies (including computer security policies) and making recommendations to the laboratory CIO. The process also enables representatives from different organizations to raise and communicate the potential impacts of proposed policies (and policy changes) on their organizations. Topics for potential new or revised policies can arise from the Computer Security Board, service owners, laboratory organizations or groups of users.
The following IT investment oversight and governance processes have been established in order to optimize the IT portfolio and maximize the value proposition of a given investment while properly managing the overall risk. At the highest level, the IT Executive Council provides guidance to three Portfolio Management Teams (PMTs) that execute the investment decision processes. The portfolio of services is determined and managed through the Service Lifecycle and Continuous Service Improvement service management frameworks. The goal of the PMTs is to maximize the strategic impact and value delivered to Fermilab. To achieve this goal, each PMT reviews, evaluates and prioritizes the projects and needs within its portfolio and ensures continued relevance and strategic alignment. As appropriate, each PMT also recommends needed adjustments to ensure that Fermilab realizes maximum value from these investments.
Provides guidance and direction for the Computing Project Portfolio Management processes to ensure that IT investments are aligned with the laboratory's strategic agenda, goals and priorities. The IT Executive Council, as needed, also provides a forum for establishing priorities among different PMTs.
Manages the Fermilab IT information systems portfolio, which is a selected set of planned initiatives and projects that affect the information systems infrastructure at Fermilab. The IS-PMT is chaired by the COO.
Manages the Fermilab core information technology portfolio, which is a selected set of planned initiatives and projects that affect the information technology infrastructure at Fermilab. The IT-PMT is chaired by the CIO.
Provides a forum for the various scientific projects and programs at Fermilab to present their scientific computing needs and requirements and for the Scientific Computing Portfolio Management Team (SC-PMT) to evaluate and prioritize these needs. The SC-PMT's goal is to ensure that computing resources are allocated in a manner that maximizes benefit to the Fermilab scientific community. As the portfolio of scientific programs evolves, the SC-PMT will guide decisions that need to be made regarding the allocation of human resources and the investment of funds to purchase computing materials and services in a manner that most effectively meets the needs of the scientific program. The SC-PMT plays an important role in reviewing scientific computing investment plans and making appropriate recommendations. The SC-PMT is chaired by the Deputy Chief Research Officer.
Cyber security processes ensure that information systems at Fermilab are operated at an appropriate level of risk. One set of processes reviews risk assessments, security plans and impact statements to determine whether the risks associated with new or modified systems or applications are consistent with the existing accepted risk envelope, and makes recommendations about acceptance of any new residual risks. Further risk management processes include approval of variances from baselines. Policies and procedures dealing with computer security are continuously reviewed and evaluated, in particular in response to reports on significant computer security incidents at Fermilab and elsewhere in the DOE complex and discussions of their implications and required countermeasures. These processes are managed at regular meetings of the Computer Security Board (CSBoard). In addition, a series of dashboards provides continuous monitoring of security operations.
Service Management defines and governs the processes by which the laboratory maintains and delivers services. These processes are modeled on the Information Technology Infrastructure Library (ITIL) framework and the ISO 20000 standard. The processes are grouped into service lifecycle stages: Service Strategy, Service Design, Solution Delivery and Service Transition. Service Strategy incorporates the needs of the users and interacts with the PMTs and enterprise architecture. Service Design interacts with Solution Delivery and ensures that information security, continuity, capacity and availability are considered and included in IT solutions. Service Transition interacts with Solution Delivery to ensure that changes to services and IT operational processes are carried out in a coordinated way.
Service Operations ensures that IT Services are operated and delivered effectively and efficiently in accordance with user needs. This includes both providing core IT services (networking, email, server and desktop support, enterprise application support) and scientific computing services (compute servers, storage servers, grid and cloud computing, scientific application support).
The IT Project Management Office (IT PMO) process manages a large number of computing projects, ranging from short-term, low-cost projects to multi-million-dollar projects involving many stakeholders. The mission of the IT PMO is to oversee and continuously improve an IT solution-delivery methodology that helps computing sector project managers plan and manage their computing projects more effectively and measure their results. The goal is to complete projects that deliver the planned value, on time and within budget, by applying project management practices and principles at a level that facilitates successful completion without excessive burden and overhead.
The Enterprise Architecture (EA) process defines, maintains and governs the lifecycle and roadmap for Fermilab's computing environment. The process also aligns and maps the roadmap with the required IT investments. The goal of the Enterprise Architecture process is to enhance planning by establishing a comprehensive master plan that incorporates the underpinning computing environment roadmaps. As part of the lifecycle plan, the EA process also defines standards for the computing environment and identifies emerging technologies.
Software Quality Assurance (SQA) defines necessary quality-assurance requirements for all software applications used within Fermilab. Software quality assurance is implemented using a graded approach based on the analysis of potential risks should the software not perform as intended. Evaluating each software application against potential consequences allows for the application of appropriate quality-assurance measures and controls. Through this approach, Fermilab's SQA Program ensures development, management and delivery of reliable software applications through adequate planning, testing and control.
The goal of the Publications & Records Management process is to efficiently and effectively identify, maintain, catalog and preserve publications, records and other content that document Fermilab's history, organization, functions, policies, procedures, decisions, and the essential transactions and results of projects and research. Publications & Records Management provides an overall framework for how recorded information should be appraised, saved, discarded or preserved.
The information management system applies across all sectors of the laboratory's line organizations and to all laboratory visitors, contractors and collaborators that operate computing assets and services on the laboratory network.
The information management system is integrated with other management systems in several ways:
Each function of the information management system involves communication processes. These are governed by the communications management system as well as communication processes of the information management system.
Other Processes Supporting the Management System
This section formally captures the extension of this management system to Fermilab activities and roles at SURF.