Office of Cyber Security Evaluations (Reports to the Office of Independent Oversight)
Mission and Functions
Mission
The Office of Cyber Security Evaluations is responsible for the independent
evaluation of the effectiveness of classified and unclassified computer security policies and programs
throughout the Department. It has established and maintains a continuous program for assessing
Internet security, including offsite scanning and controlled penetration attempts to detect
vulnerabilities that could be exploited by hackers or sophisticated attackers. The office analyzes
cyber security trends and studies complex-wide issues in order to provide feedback on essential
information assurance practices to DOE sites.
Functions
Assesses new vulnerabilities and the effectiveness of DOE policies governing classified and unclassified cyber security.
Conducts annual evaluations of classified information security programs for DOE as required by the Federal Information Security Management Act.
Conducts independent special studies of cyber security topics of interest to the DOE community.
Conducts routine announced inspections of classified and unclassified cyber security programs at DOE sites.
Conducts unannounced (Red Team) assessments of DOE information systems.
Develops recommendations and identifies opportunities for improving cyber security performance.
Evaluates effectiveness of cyber security tools.
Maintains a continuous program of announced and unannounced remote testing for DOE network vulnerabilities through scanning and penetration testing.
Performs complex-wide reviews of cyber security topical areas and institutes follow-up activities to ensure that identified issues are addressed in a timely and effective manner.
Performs ongoing analyses to identify trends and emerging issues in the cyber security arena.
Provides a "rapid response" capability to perform special reviews for the Secretary of Energy and senior DOE managers.
Provides input for the annual evaluation of DOE unclassified information security programs as required by the Federal Information Security Management Act.
Reviews other governmental and commercial cyber security programs to provide benchmarks for DOE performance.