Tuesday, March 31, 2009

Managing Classified Conversation

In the course of performing on defense contracts, exchange of classified information is inevitable. The movement of classified information outside of a secure environment is to be kept to a minimum and as a last resort. Prior to removing classified information, the holder should determine whether or not the classified information is necessary and whether or not the information may already be available. When classified information is necessary in the performance of the contract, the information should be sent via approved channels.
Once the classified information is on-site, it's time to get to work. When we talk about work, we are referring to conferences, classes, engineering, services or any other environment where classified information is used. Classified information is controlled at all times, and that includes conversations. As the senior industrial security manager in defense contracting companies, the FSO leads the security program designed to protect classified information and prevent unauthorized disclosure. While working in the secure environment, contractors protect classified information under their control and cleared employees protect classified information entrusted to them. Without this protection, national security could face varying degrees of damage depending on what information is disclosed and how it is used. Not only are information, objects, documents, etc. to be protected, but classified conversations as well. These conversations are only to be conducted in authorized areas and will be covered later in this chapter.
Classified verbal communications should only occur in controlled environments. For example, classified conversations are authorized in controlled areas where access and need to know have been verified. These classified communications should never take place in hallways, around the water cooler, in public places or car pools where eavesdropping cannot be prevented or access and need to know cannot be verified. Just as the holder of classified documents verifies a receiver’s need to know and security clearances before handing them over, the same is true for releasing classified information in verbal form.
Prior to the start of a classified meeting, either the government sponsor or the contractor representative should provide a security briefing notifying attendees of the classification of the information to be discussed, whether or not taking notes is permitted and, if so, how the notes will be controlled. For example, when classified notes are permitted, they will have to be properly marked, introduced into accountability and prepared for dissemination (hand carried by the attendee or mailed at a later date). The presentation is controlled to prevent inadvertent or unauthorized release. Each attendee should also be reminded to remove any cell phones or other electronic devices.
When working on classified material in approved locations, keep in mind that uncleared persons in the area may be within voice range. Some companies and security managers may allow cleared employees to take classified work back to their cubicles and desks. They are able to protect the information from prying eyes, but eavesdropping cannot be prevented outside of a closed area. Additionally, even though everyone in the area may be cleared, they could be on the phone with uncleared people, and any conversation can be picked up.

Please see our website for more on this topic www.redbikepublishing.com.

Friday, March 20, 2009

Who gets the combination and where does it go?


On my first day as an FSO at a defense contractor, I came across a situation that I did not like very well. It was after walking the floor and talking to employees that I became introduced to a security container. As part of my inspection, I wanted to verify all documents were properly marked and stored appropriately. Upon asking for the custodian to open the container, he pulled out his cell phone and began scrolling. I asked what he had been looking for and he stated: "I can't remember the combination, but I'm sure that it's in here somewhere."

Whoa! Hold the presses. I immediately changed the combination and took possession of the security container in my office. I also provided a clear policy and training agenda, and that problem disappeared. The story has been altered to change the exact situation, but it may sound familiar to you. But here's the question: Do your employees really understand how to protect classified information? Some younger and less mature defense contractors may require extra and unrelenting training and diligence to make sure such situations never happen. The above example is a good demonstration of what can happen when the security program is run only through the FSO. More successful programs include training conducted by managers and supervisors as it applies to the employees' specific duties.

So who has access to your security containers? Do you limit it to security personnel only, or do cleared program employees have it as well? This access depends on your program. Regardless of who has access, the number of authorized employees with access to combinations or keys should be kept to the bare minimum necessary.

Agencies and contractors maintain administrative records and tight control for a sound security system designed to protect classified information and to demonstrate effectiveness during security inspections. The security specialists also maintain a log of those with knowledge of combinations, change combinations, and fill out the Security Container Information Form, Standard Form 700. Combinations are meant to be memorized and not written down or stored in computers, phones or Personal Data Assistant devices. The combination is protected at the same level as the contents of the security container. If the contents are CONFIDENTIAL, then so is the combination. To ease memorization, many who assign combinations use a six-letter word or the first six letters of a longer word.

Instead of memorizing a long six-digit number, they create a word and use a telephone keypad for the corresponding numbers. Many have magnetic combination reminders similar to telephone touch pads. For example, the number 2 corresponds with ABC, 3 with DEF, etc. If the memorized word is CORKIE, then the combination is 26-75-43. When persons have access to multiple safes, they may commit security violations by writing the combinations down. Using combination word clues and providing an administrative security container helps reduce the risk of such violations. You can see my website as listed below for examples of these magnetic reminders.
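The keypad mapping above, written out as a small helper so a custodian can confirm that a chosen word dials correctly. This is an added example and not code from the original post or from Red Bike Publishing; the letter-to-digit table is the standard telephone keypad (2=ABC through 9=WXYZ, with Q on 7 and Z on 9, which the post's "etc." leaves implicit), and grouping the six digits into three two-digit dial settings is an assumption made here to match the CORKIE example.

```python
# Added example (not the post's own code): turn a memorized word into the
# dial settings of a mechanical combination lock via the telephone keypad.

# Standard telephone keypad: letters that share a key share a digit.
KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}
# Inverted for lookup: every letter A-Z maps to exactly one digit 2-9.
LETTER_TO_DIGIT = {
    letter: digit for digit, letters in KEYPAD.items() for letter in letters
}


def word_to_digits(word: str) -> str:
    """Return the keypad digit for each letter of word (case-insensitive).

    Raises ValueError on anything that is not a letter, since spaces,
    hyphens and digits have no single key on the pad.
    """
    digits = []
    for ch in word.upper():
        if ch not in LETTER_TO_DIGIT:
            raise ValueError(f"{ch!r} is not a keypad letter")
        digits.append(LETTER_TO_DIGIT[ch])
    return "".join(digits)


def word_to_combination(word: str) -> str:
    """Return the dial settings for a memorized word, e.g. CORKIE -> '26-75-43'.

    Follows the post's rule: use a six-letter word, or the first six letters
    of a longer word. Shorter words are rejected rather than padded.
    (Three two-digit groups is an assumed layout matching the post's example.)
    """
    letters = word.strip()
    if len(letters) < 6:
        raise ValueError("need a word of at least six letters")
    digits = word_to_digits(letters[:6])
    return f"{digits[0:2]}-{digits[2:4]}-{digits[4:6]}"


if __name__ == "__main__":
    # Constructed sample words; the first reproduces the post's example.
    for sample in ("CORKIE", "corkies", "quartz"):
        print(sample, "->", word_to_combination(sample))
```

A word that is too short, or one containing a hyphen or space, is rejected so the custodian finds out before the lock is set rather than when it fails to open.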

So, see if you can answer this question. How often should you change combinations according to the NISPOM?
The answer: Change combinations upon initial use, upon a change in status of authorized users, upon compromise or suspected compromise of the container or combination, when the safe is left open, or when required by the FSO or CSA. Did anyone say "annually"? If so, better check the NISPOM, 5-309, Changing Combinations.

Thursday, March 12, 2009

The delivery

Security specialists, document control professionals, facility security officers and others receive classified information, depending on the contract. Part of the receipt is the critical inspection of the package throughout the unwrapping process. The inspector is searching for evidence of tampering, or otherwise confirming that there has been no compromise of classified material since it left the sender's organization. Classified material is protected by a two-layer wrapping. Each layer consists of material that is impossible to see through, such as an envelope, paper, box or other strong wrapping material. To prevent opening, the seams of the layers are covered with anti-tampering, rip-proof tape to create a solid layer of covering. The initial inspection is more cosmetic, as the inspector looks for evidence of tearing, ripping, re-wrapping or some other means of unauthorized access to the material.
Next, review the address labels: the package should carry an approved classified mailing address and a return address, and neither should identify any recipient by name. The label is addressed to the "Commander" if a Government entity, or to the name and approved classified mailing address of the contractor facility. Additionally, check to see that there are no classification markings on the outer layer. The outer layer is designed not to draw attention to the fact that it contains classified contents. Classification markings and named individuals on the outer layer are security violations because they direct unwanted attention.
The inside wrapping contains the full address of the recipient as well as classification markings on the top, bottom, front and back. Classified information should have receipts included. Receipts are not necessary with the shipment of CONFIDENTIAL material. Sign all receipts and return them to the sender.
The receiver then checks the receipt against the titles to ensure the item has been identified correctly. The receipt lists all the pertinent information needed to identify the contents. A properly filled out receipt identifies the sender and the addressee, and correctly identifies the contents by the correct, preferably unclassified, title and the appropriate quantity. The title should be unclassified. If not, then the receipt is to be protected at the classification level of the title. When practical, contact the sender to see if the item can be issued an unclassified title, or prepare to store the receipt long term in a GSA-approved container.
The receiver then compares the classification identified on the receipt with that annotated on the inner wrapper. This ensures the package is handled correctly once the outer wrapping has been opened or removed. The receiver of the classified item then compares the classification marking on the contents with the wrapper and the receipt to once again verify the accuracy of the classified information and prevent unauthorized disclosure. Once all the checks and verifications are complete, the receiver signs a copy of the receipt and returns it to the sender, thus closing the loop on the sender's accounting responsibilities. The copies of receipts are filed away, the classified information is entered into a database, and the items are stored according to their classification.

Jeffrey W. Bennett
Author of ISP Certification-The Industrial Security Professional Exam Manual
www.redbikepublishing.com
Join our newsletter
http://www.redbikepublishing.com/index_files/Page412.htm
Follow me on twitter
http://twitter.com/jwbenne
Linkedin Profile
http://www.linkedin.com/in/redbike
Join the Linkedin Industrial Security Professional Group
http://www.linkedin.com/groups?gid=1816119

Monday, March 2, 2009

The Security Budget

A Facility Security Officer (FSO) should put careful consideration into the security budget. This is a primary opportunity in the continuing plan of building credibility. The manager who arbitrarily throws in a number with no basis is sending the wrong message. However, a well thought out line-item count based on risk management, the company mission and NISPOM requirements is more apt to impress and build instant respect. The budget contribution should enforce and support a message the FSO is constantly communicating. The budget request should not be the first time executives are introduced to the figures.
Management's support, or lack of support, of a security budget demonstrates either a well received or an unsupported security program. The intuitive FSO understands business, the company mission and how the role of protecting classified material fits in. In that environment, the FSO provides a risk assessment based on the threat appraisal and speaks intelligently of the procedures, equipment and costs associated with protecting classified information. For example, the FSO understands how to contract security vendors to install alarms, access control and other life safety and protective measures. The FSO is also able to demonstrate how the expense will benefit the company, either in cost reduction or in other tangible results.
The FSO presents the budget in a manner that all business units understand. For example, if part of the budget line is to provide access control, there is a significant associated cost. Incorporating management involvement and support builds credibility and puts the company in a better position to provide the funding. Not only is a projected return on investment required, but due diligence should also be conducted. Sample questions and answers the FSO should be prepared to address are:
• Why is access control necessary? Prevents unauthorized persons from entering the premises and gives an extra layer of protection for classified and sensitive information.
• What happens if we do not implement access controls? The organization would have to commit persons to controlling access to the company. At a manager's salary of between $20.00 and $30.00 per hour, this could become expensive over time. The FSO could demonstrate the cost of the access controls against the time a manager takes to ensure someone is watching the doors.
• What is the return on investment for access control? The intangible return on investment is the prevention of damage, injury, theft, and other risks inherent to unauthorized visitors. More tangible is the energy saved by keeping the doors closed. In one such study an FSO estimated a cost reduction of $12,000 per year on the electric bill.
Other questions abound and the FSO should not hesitate to forward such questions to vendors. These vendors have statistics that they use as selling points for their products.
Speaking the language of business will serve the FSO well and ensure that executives understand the significance of a well supported security program. Security managers who just quote regulations or cite "best practices" without putting much thought into the costs or talking points will quickly lose credibility.