Friday, September 18, 2009

How Facility Security Officers and other Security Professionals Contribute to their Communities

One thing that I like about security professional organizations like ASIS International (formerly the American Society for Industrial Security) is their emphasis on giving to the community. The group sponsors scholarships and provides security services and training opportunities designed to help non-profit and not-for-profit organizations. Churches, charities, and students benefit from the generosity of local and national security professionals. In my own community I began to look at examples of how security professionals could contribute in a meaningful way.
The best examples I can give are what we have done in my neighborhood. For one organization in particular, I arranged for an FBI agent to give a short presentation on cyber security. The audience consisted of interested parties representing the community and various demographics. We had teachers, children, baseball teams and senior citizens all together for breakfast and training on a fine Saturday morning. The presenter gave valuable information derived from real data. The audience was appreciative and provided positive comments. This, of course, was a few years ago. We are thinking of presenting it again since social networks like Facebook, LinkedIn, and MySpace are so prevalent.
Just recently I invited a fellow security professional to present “Active Shooter” training for my church. I’ve known the presenter for the past few years as a result of NCMS (Society of Industrial Security Professionals) and ASIS. We’ve both spoken in the professional organizations’ seminars and luncheons. We’ve set up booths next to each other during conventions. One day while he thumbed through my latest book I had on display, he told me of his side business. I asked him his expertise and he said that he consults churches and non-profit organizations on security.
Coincidentally, in a church meeting the next month our leadership raised concerns about recent violence in religious institutions during the past year. I thought of my friend and offered a solution. After a few months of planning, we hired him as a consultant. One Monday night, with over 50 people present, we learned how to prevent or reduce the impact of an active shooter incident. Interestingly, we have police officers and federal agents at our church, and many were in attendance. However, just because one is in law enforcement does not necessarily mean they are an expert in a particular discipline. What we learned was how to plug law enforcement into the scenario and rehearse responses. The best part was that even though my buddy presented the training, my church leadership began to view my skills and training as a security professional in a new light.
So, how can you contribute to your community? The first step is to look at needs and trends. Look at the crime rate, high-risk neighbors, gang affiliations, unique local issues and national trends. You might consider identity protection, family security, loss prevention, anti-terrorism or cyber security training. Your security, operations security and risk management training offers a very valuable opportunity to train volunteer-based organizations with tiny budgets. Each community's needs are different; however, you may have just the skills or connections needed to fill vital gaps.

Thursday, September 17, 2009

Why FSOs and Defense Contractors Protect Classified Information

FSOs implement and direct security programs to protect classified information. As an FSO or a supporting security professional in this role, have you ever wondered how the classified information you protect gets its designation? We can find the answer in Executive Order 13292, which amended E.O. 12958. You may have heard and read reports of how over-classification results in unnecessary costs. You might also understand from similar reports how under-classification can lead to compromise of sensitive information. To better prevent unauthorized disclosure and ensure that classification is assigned only to information that needs protection, the President has issued these standards. Before information may be originally classified, all four of the following conditions must be met:
According to E.O. 13292, Sec. 1.1. Classification Standards. (a) Information may be originally classified if all of the following conditions are met:
(1) an original classification authority is classifying the information; Specifically, only the President (and, in the performance of executive duties, the Vice President), agency heads and officials designated by the President in the Federal Register, and U.S. Government officials delegated the authority under the order can serve as OCAs. Agency heads are responsible for ensuring that only the minimum number of subordinate officials are delegated original classification authority and that those officials have a demonstrable and continuing need for it. It is these Government checks and balances that ensure responsibility and accountability.
The President, the Vice President, and agency heads and officials designated by the President can delegate TOP SECRET original classification authority. SECRET and CONFIDENTIAL original classification authority may also be delegated by senior agency officials who have been designated by their agency heads. Each delegation must be in writing, and the authority may not be redelegated except as the order provides.
Original classification authorities receive training in original classification as required by the executive order and its implementing directives. The education is similar to the annual security awareness training that FSOs are required to give employees with security clearances. For example, they learn how to protect classified information, how to mark it, and how to handle dissemination, in addition to learning how to determine the classification level.
(2) the information is owned by, produced by or for, or is under the control of the United States Government; An original classification authority may not classify anything that is not owned, produced or controlled by the U.S. Government. For example, the Government contracts a company to make a product important to national security. As part of the contract, the Government requires that the company construct and assemble items that must be safeguarded at the SECRET level. The Government works with the contractor and provides direction on production and protection measures in addition to the stipulations of the contract. The company is thus contracted to make defense articles or provide services that the Government owns, so the information meets this condition.
(3) the information falls within one or more of the categories of information listed in section 1.4 of this order; and Classification levels are assigned to information only if it falls into at least one of the eight categories designated in the EO:
a. Military plans, weapons systems or operations
b. Foreign government information
c. Intelligence activities, sources or methods or cryptology
d. Foreign relations or activities of the United States including confidential sources
e. Scientific, technological, or economic matters relating to national security, including defense against transnational terrorism
f. U.S. programs for safeguarding nuclear materials or facilities
g. Vulnerabilities of systems, installations, infrastructures, projects, plans or protection services related to national security including terrorism
h. Weapons of mass destruction
(4) the original classification authority determines that the unauthorized disclosure of the information reasonably could be expected to result in damage to the national security, which includes defense against transnational terrorism, and the original classification authority is able to identify or describe the damage. This is the fourth and final requirement that must be met before an original classification authority can assign a classification level. Classification levels are designed to apply the proper level of protection. It is part of the risk management component of security: the consequence of loss of the information drives the categorization.
The impact of disclosure is categorized as reasonably expected to cause "damage" for CONFIDENTIAL information, "serious damage" for SECRET information, and "exceptionally grave damage" for TOP SECRET information. E.O. 13292 states that the impact of loss or compromise must be at one of these three defined levels for the information to be assigned a classification at all. The other part is that the classifier must be able to identify or describe the damage. This requirement both tells the user the level at which the information must be safeguarded and prevents the original classification authority from assigning a classification level needlessly.

Thursday, July 23, 2009

Defense Contractors, Consultants and NISPOM

Consultants are hired by a company to fill a need the organization is not prepared to meet. They share office furniture and the water cooler and are hopefully made to feel part of the team. In spite of being well-respected contributors to the cause, consultants do not always enjoy the same benefits as regular employees. However, no such difference should exist when it comes to the security requirements of the classified contracts the consultant has been hired to perform on.
According to NISPOM 2-212 “A consultant is an individual under contract to provide professional or technical assistance to a contractor in a capacity requiring access to classified information. The consultant shall not possess classified material off the premises of the using (hiring) contractor except in connection with authorized visits. The consultant and the using contractor shall jointly execute a consultant certificate setting forth respective security responsibilities. The using contractor shall be the consumer of the services offered by the consultant it sponsors for a PCL. For security administration purposes, the consultant shall be considered an employee of the using contractor."
Simply stated, though a consultant is not a regular employee, the NISPOM treats them as an employee of the using contractor for security administration purposes. The contractor is expected to sponsor and maintain the consultant's clearance and assign classified work as specified in the contract. As with other employees, the consultant attends annual security awareness training and follows the established procedures for working with classified information. For example, suppose a consultant is required to attend a classified meeting at a government location. They may hand-carry classified information in connection with that authorized visit, as long as the visit request and courier authorization are in place. That could be as simple as submitting a visit request to the government facility through JPAS. However, consult with the Government organization's security office for its specific requirements.

Career Advice for Defense Contractor Security Specialists

I receive a lot of emails from people wondering how to get into the security field. Many are looking for a career change and are curious about what kind of education and experience is needed to work as a security specialist in the defense contractor industry. Others are just starting out in life and looking for a job with the challenges and opportunities the security field offers. There are plenty of great opportunities with large and small contractor companies. Here is what I have discovered about our industry; some of you may have other experiences and advice you can pass on to those who ask about a career in security.
Industrial security is an outstanding field for someone at any level of experience to enter. Some have been hired at an entry-level job and have received promotions and additional responsibilities. Others have transferred full time to security after serving in it as an additional duty. Career growth occurs as the contract and company expand, or as the employee takes on more responsibility after hiring on with another company. Security managers can also move to higher-level positions such as chief security officer or corporate security officer as experience meets opportunity.
Employees just entering the work force can benefit from entry-level jobs. These opportunities are great for building skills while filling a critical need: filing receipts, wrapping packages, checking access rosters, applying information system security, or bringing classified information into an accountability system. Those skills, combined with learning to implement programs designed to safeguard classified information, provide a great foundation on which to build a career. Additionally, many employees attend university and other adult education programs while serving full time in the security field. The experience, education, certification and security clearance gained on the job prove very valuable.
Looking at want ads and job announcements, one can see that education and certification are becoming more of a requirement. Past listings for entry-level and some FSO jobs required only a high school diploma or GED and the ability to get a security clearance. However, more and more job announcements require formal education, including college, and state a preference for security certification. The defense security industry still provides a good career field in which to gain entry-level experience and move up quickly. Being well established in a good career provides the perfect environment and opportunity for simultaneous education and certification, leaving the prepared ready for future positions and raises.
Those starting their careers in smaller enterprises have a keen opportunity to perform in various security disciplines. Some actually assume appointed FSO responsibilities as an extra duty and learn as they go. Many defense contractor organizations are small and may have only one person in the security role. That sole security manager may work in only one discipline, such as personnel security, or may have a larger scope, working with a guard force, information security, and compliance issues such as exports.
Large defense contractors and Government agencies also provide entry-level security jobs. The job title is often security specialist, and the job descriptions allow for many experiences. Some descriptions use words to the effect of the following: “The candidate must be eligible for a security clearance. Job responsibilities include receiving, cataloging, storing, and mailing classified information. Maintain access control to closed areas. Provide security support for classified information processing and destruction. Initiate security clearance requests and process requests for government and contract employees conducting classified visits. Implement security measures as outlined in NISPOM.” Administrative, military, guard, and other past job experience may provide transferable skills that allow a person to apply for the job. Once hired, the new employee learns the technical skills and can quickly advance by applying their other experience and education.
Our industry is still a great place to learn and grow. Career advancement and promotions are continually available for the prepared. Opportunities continue to exist in companies large enough to provide increasing challenges and rewards. Some may have to apply for jobs with other enterprises to reach their potential. Others may be satisfied performing their valuable functions in an organization where their skills are valued and rewarded. Consider reading ISP Certification-The Industrial Security Professional Exam Manual. Our book provides excellent career advice and just the right review of NISPOM to prepare you for that important job interview. Regardless of your professional goals, what are you doing to remain competitive?

Hiding In Plain Sight-OPSEC Procedures in a Defense Contractor Organization

While on vacation this summer I had the opportunity to bump into a famous actress. Actually, I didn’t even notice her until my wife pointed her out. But there she was, walking right past us in Dollywood, USA. At first I did not recognize her because I really was not looking for her. Also, she was not dressed in the fashion of her TV career. A moment later I asked my wife to continue with the children while I backtracked to get a better look.
I turned back and finally caught up with the actress and her group. Since I only wanted to verify my sighting and not bother her, I continued to walk past her, took a right and pretended to be lost. I looked around as if searching for something. After taking a discreet look I was able to finally recognize her as the TV personality. I then made my way back to my family smiling and nodding to the actress as I walked by.
“I’m not sure, but I think that was her,” I later told my wife. “Good sighting”.
Later that night, after returning to our vacation cabin my wife came running up to me.
“See, I knew that was her.” My wife held open a gossip magazine with the actress and her famous boyfriend in a photo walking along a resort beach.
In the picture, the actress had worn the same pink trucker hat and brown sunglasses we had seen her in earlier that day. I couldn’t believe it, it had been a good sighting.
“So, why didn’t you talk to her?” asked my wife.
“Well, I really didn’t know what I would say. Plus, I really think she just wanted to enjoy her holiday,” I replied.
I’ve been thinking of the event on and off since returning from our vacation. This actress had made an attempt at assuming a normal life on a normal vacation taken by normal people. However, instead of really blending in she stood out enough to be recognized by my wife (who has also been able to spot other celebrities at airports during our travels).
Our actress had attempted to blend in by dressing somewhat incognito. However, the hat and sunglasses really made her stand out. Here in the South, many like to wear baseball caps. That day, few people wore hats. Those who did wore regular baseball caps and not the mesh type of trucker hat, and especially not hot pink ones. The sunglasses were oversized and clashed with the hat (and outfit), giving the appearance of someone doing everything wrong in an attempt to look like everyone else.
Not that I am a fan of fashion, but I am looking at this from an OPSEC or security point of view. Our actress attempted to have fun at a theme park without drawing attention to herself or her celebrity status. However, her attempt to blend in may have failed because of her unusual dress.
Cleared professionals can learn a lesson from this story. Defense contractor and Government work should be performed in a way that does not bring attention to the operation. This applies to both classified and unclassified efforts. Practicing good OPSEC includes looking at your operations through the eyes of someone who wants to exploit your vulnerabilities. A good question to ask is, “How would an adversary recognize our effort, and how would they attempt to learn more about it?” Security managers should study the surroundings, situation, and environment to ensure that performance on contracts, proprietary data and other privileged information remain low key. Teach employees to work in a way that does not draw unwanted attention.

Friday, June 5, 2009

Studying for the Industrial Security Professional (ISP) Certification

Reading the National Industrial Security Program Operating Manual (NISPOM) will certainly have one learning the jargon and acronyms necessary to become fluent in the Industrial Security Professional language. Throughout the exam there are questions referring to the roles of government agencies: which organization has oversight, which organization a security manager would report a particular incident to, or which organization inspects a certain security program. The answer could be any of the government contracting activity (GCA), the General Services Administration (GSA), the Cognizant Security Agency (CSA), or any other acronym of a federal organization listed in the NISPOM.

Consider the letters CSA, which stand for Cognizant Security Agency. This acronym appears 250 times throughout the NISPOM between chapters one and eleven. The frequency alone suggests that the CSA plays an important role in managing the National Industrial Security Program. This is also one of those acronyms that a potential Industrial Security Professional must know to pass the ISP certification exam.

The primary questions a security manager should be able to answer are: What is a Cognizant Security Agency (CSA)? How does the Cognizant Security Office (CSO) fit in? To answer those questions we can go to the source, but I will answer them here. The CSAs are four federal agencies that have cognizance, or oversight authority, over the industrial security programs of their own organizations: the Department of Defense, the Department of Energy, the Nuclear Regulatory Commission and the Central Intelligence Agency. Each can delegate oversight to an office within its own organization or to another CSA. The CSAs have Cognizant Security Offices (CSOs) that carry out the administrative functions. The CSAs and their CSOs are as follows:

CSA: Department of Defense
CSO: Defense Security Service (DSS)

CSA: Department of Energy
CSO: Department of Energy Field Offices Safeguards and Security Divisions

CSA: Central Intelligence Agency
CSO: Contract Officer's Security Representative (COSR)

CSA: Nuclear Regulatory Commission
CSO: Offices within the Nuclear Regulatory Commission

For example, the Facility Security Officer in a contractor organization under the Department of Defense (DoD) follows the guidance of their CSA, the DoD. Oversight and administrative functions are assigned to DSS. DSS provides support to the contractor and conducts reviews to determine whether the organization is capable of continuously protecting classified information in accordance with DoD guidance. Each federal agency works in a similar way. The CSA is primarily concerned with administering clearances and providing oversight; it supports the stipulations set by the GCA.
The GCA is an element of a federal agency, designated by the agency head and delegated acquisition functions. It provides the contractual link between the government agency and the contractor. In our DoD example, the GCA provides contractual support to the defense contractor on behalf of the DoD. The GCA also provides the stipulations of the contract, which include the statement of work, the DD Form 254, and other guidance on how to perform the classified work. The GCA is also the approval authority for classified performance taking place between agencies and governments. The GCA is concerned with supporting and administering the specifics of a contract; it provides the guidance that the CSA will monitor.
The GSA approves equipment and services used in support of the security mission. Locks, security containers, overnight delivery services and so on are approved for use by the General Services Administration.
Let’s check your knowledge:

1. Which organization would provide direction as to how classified information is disseminated (USPS, Overnight delivery, courier):
a. GCA
b. NSA
c. GSA
d. CSA

The answer is GCA. Remember that all classified work is stipulated by the contract. The GCA is the organization responsible for providing the specifics of how to perform on the contract. The answers can be found in the statement of work, the DD Form 254, or the security classification guide. Questions concerning performance and the specifics of a contract will point to the GCA.

2. Which organization would an FSO report loss, compromise or suspected compromise?
a. CSA
b. GSA
c. CIA
d. GCA
The answer is CSA. The Cognizant Security Agency provides oversight of the contractor protecting the federal agency’s classified information. All questions concerning oversight point to the CSA.

3. Which organization provides a list of authorized overnight delivery services?
a. CSA
b. GCA
c. NSA
d. GSA

The answer is GSA. Many questions concerning approved products or services point to the GSA.
Acronyms and jargon are part of any profession. The FSO, security manager, security specialist and ISP-certified individual understand not only the jargon but how it applies to protecting classified information and implementing classified programs. The ISP candidate would do well to understand the broad and general roles of the GCA, CSA, GSA and other agencies identified in the NISPOM.

Tuesday, May 19, 2009

Books that should be in a security manager's library

There are several books that a security manager or facility security officer should have in their possession. No professional library is complete without these valuable resources. The books provide wonderful instruction on security systems, performing risk management, structuring a security department for success and managing classified information. I’ve read each of the books and provide reviews as follows.

Managing the Security of Classified Information and Contracts, By: Jeffrey W. Bennett ISP I’m pleased to announce the upcoming release of Managing the Security of Classified Information and Contracts from CRC Press. This book is the only one of its kind written with defense contractors in mind. The facility security officer, contracts manager, senior officers, and cleared employee roles are defined. The reader will understand how to operate in a cleared contractor environment. This is a great overview of the National Industrial Security Program Operating Manual (NISPOM) and the acquisitions process. It is also a great resource for preparing for the Industrial Security Professional (ISP) certification exam and a great companion for ISP Certification-The Industrial Security Professional Exam Manual.

Security and Loss Prevention, By Philip Purpura Excellent resource! As a Facility Security Officer for a DoD contractor company, I find it to provide multiple layers of security or "security in-depth". This book offers insight from a retail environment that is very applicable to government and contractor security. Add this to your library.

The Security Clearance Manual: How to Reduce the Time it Takes to get your Government Clearance, By: William H. Henderson This book is timely and a gem. As an FSO, I find the information very helpful for answering security clearance related questions. Mr. Henderson's experience and know-how give great insight into how the investigations work and what the subjects should expect. Persons undergoing background checks now have a clearer picture of what they can do to help get faster results. I highly recommend this book both to security specialists and to those obtaining security clearances.

Physical Security Systems Handbook: The Design and Implementation of Electronic Security Systems, by Michael Khairallah This book goes into great detail about security systems without oversimplifying. My security background until recently had been in safeguarding information on a team of 22 security professionals. Recently I took a new job as the head of corporate security and had to develop new security systems. Of course I hired professionals to bid on the job, but I lacked the experience to really understand what I needed. I consulted some colleagues and of course went to ASIS International for recommendations.
In the process, I was pleased to have discovered Physical Security Systems Handbook. It really helped me to work with the vendors to help them understand what I needed and better understand what they recommended. This book does an excellent job of breaking down the components of the security system (ie. strike plates, crash bars, cameras, alarms and etc). It also goes into great detail to show you how to survey existing systems and improve them. In my case, we had to start from scratch and this book helped me through the process.
If you have had similar experiences or are looking for study material for the CPP, ISP or other certifications, get this book.

Effective Security Management, Fourth Edition, by Charles A. Sennewald CPP Frankly, this is an excellent book that teaches the tremendous role security plays. Contrary to some corporate environments, this book teaches that security should not be run from the background. Mr. Sennewald does an excellent job of demonstrating how security should be conducted in a corporate environment. For most, the lessons taught here will involve a change in culture that is desperately needed to give the security function an executive-level position and allow the security executive to function at all levels.
The first chapters consider the security professional and the roles, structure and environment of the security organization at all levels of a corporate structure. The rest of the book shows how to conduct security surveys and perform risk analysis. It also spends considerable time teaching security as a profession and is heavy into how leaders should lead and conduct themselves professionally. Quality work!
After many years of working in the government, I had been looking for the ultimate "how to" book of how security should be structured. This book gets it and teaches it well.

The New School of Information Security, By: Adam Shostack and Andrew Stewart This book commands attention! The authors bring to light current security practices, methods and decision analysis and their many shortcomings. The authors' thesis is to provide a sound argument for a more modern and effective way of implementing security practices. The ideas are easy to apply but contrary to what is taught by security seminars and vendors selling security products.
While security seminars and education efforts teach cataclysmic results of security breaches, "New School" demonstrates the need for collecting data to assess the threat in a scientific manner. Shostack and Stewart champion going back to raw data to identify the threats and then develop programs to address those threats.
Without evidence related to loss, espionage or other threats, risk managers cannot effectively apply security measures. The authors indicate that breach data exists, but the holders are reluctant to share it. However, the authors do a good job of showing that companies who publicly admitted failure recovered quickly from any scandal or fallout from information or data breaches.
The authors knock down the traditional walls of security training institutions. They preach solid evidence behind decision making; otherwise security managers cannot effectively determine whether the absence of a realized threat is a result of new security measures or just plain luck.
The book is easy to read and its ideas can be implemented in all areas of security. Physical security, loss prevention, DoD contractor, and many other professionals in and out of the security field can adapt the principles to their business units.

Body of Secrets, By: James Bamford This book is well written and an easy read of one of the most fascinating agencies of all time. Mr. Bamford has performed exhaustive research into the workings of the super-secret NSA. Personally, I have a long history as an intelligence analyst during the Cold War and reading this book brings back a lot of memories of the history and working of the world at the time.

ISP Certification-The Industrial Security Professional Exam Manual, By: Jeffrey W. Bennett ISP If you are serious about advancing in your field, get this book. Learn the secrets to becoming influential, earning credibility and studying for the ISP Certification. Secret number one: you are a technical expert who knows the business of protecting classified information. Let us help you prepare for the test. Our book helps you prepare for both your career and the ISP Certification Exam.

Jeffrey W. Bennett
Author of ISP Certification-The Industrial Security Professional Exam Manual
www.redbikepublishing.com
Join our newsletter
http://www.redbikepublishing.com/index_files/Page412.htm
Follow me on twitter
http://twitter.com/jwbenne
Linkedin Profile
http://www.linkedin.com/in/redbike
Join the Linkedin Industrial Security Professional Group
http://www.linkedin.com/groups?gid=1816119