Employees to be tested
Cyber security systems at the Laboratory are being audited by the Department of Energy’s Office of Security and Safety Performance Assurance starting next month.
DOE auditors will be onsite at all Laboratory technical areas from October through November to inspect all of the Lab’s safeguards and security functions and to evaluate its implementation of federal laws and DOE/NNSA requirements.
The survey will be performance-based, meaning that auditors will be reviewing documents and records to ensure adequate policies and procedures are in place, interviewing security personnel and Lab employees on general knowledge of security issues and responsibilities, and conducting performance testing. Auditors will look at both our classified and unclassified programs, so Lab employees should review cyber security regulations, ensure the appropriate computer safeguards are in place, and update required security training (if necessary).
Here are examples of questions and answers employees may find helpful in preparing for the audit.
Q: A visitor has just asked me to connect a flash drive to my computer. Should I do as requested?
A: No. You do not know what is on that media or what effect it might have on the LANL network.
Q: An individual has just asked me to tell him my computer password so that he can check to see if it complies with the LANL Password Policy. Can I share my password?
A: No. Your password should never be shared with anyone, even your manager.
Q: We just received a CD containing computer software from DOE with instructions to load it on the computers in our offices.
A: No. Do not load anything on your computer without having it first checked out by your CTN desktop support staff or by the LANL Cyber Security office.
Q: Someone just called me, identified himself as a security auditor, and asked to interview me on the phone. Should I do this?
A: No. There is no way for you to confirm the identity of the person on the phone.
Q: An inspection team member just asked that I run a report that I know contains sensitive unclassified information about LANL personnel or budgets and give him a hard copy for his file. Can I do this?
A: No. The fact that someone is an inspection team member does not qualify them for special access to information for which they might not have a need to know. Instead, take note of the information request and pass it on to your manager for action.
For additional questions and answers as well as other interview tips, go to http://int.lanl.gov/features/cybersecurity_tips.shtml online.
