Sunday, April 19, 2009

Performing Security Checks in Defense Contractor Organizations

Try this question out and see if you know what to do. Better yet, if you are a security manager or facility security officer, run the following scenario by your cleared employees: Your colleagues leave for lunch. On their way out, they inform you that you are going to be the only one left. Your facility is authorized to store classified materials. What will you check for prior to leaving? Which form will you sign?

The end-of-day security checklist plays a critical role in protecting our classified items as well as personal, proprietary and company-sensitive material. The end-of-day checklist is a procedure required by the NISPOM and other federal agency regulations. However, it could be implemented in any situation where privileged or sensitive items are vulnerable to theft or espionage.

Though the checklist is signed daily, it should not be signed just for the sake of compliance or "checking the block". The signature should only be made after actually completing the checks. "Check the block?" you might ask. Let me share with you a real-life situation.

I had a discussion with a security employee who indicated that he signs the end-of-day checks because he is required to do so. I had observed him walking up to the SF 701 and checking the boxes indicating that the coffee pot had been turned off, the windows had been locked, the printer and desktops had been cleared of sensitive items and the security container had been locked. Keep in mind that he had performed no such checks.

I pressed him on the reasons he signed the checklist, and he stated it was because he was required to do so "by the regulations."

"But why do you perform the checks?" I asked a second time.

"Because when the inspection comes due, I want to show we are in compliance."

"But you never actually performed the checks; you just signed the sheet."

At the end of every shift, or before leaving an area where sensitive items would otherwise be left unattended, ensure it is properly secured. This means checking desks, printers and trash cans for sensitive items; locking windows and doors; and implementing physical security. Each activity must be performed with the same enthusiasm as on the first day on the job. Use the checklist as a guide and experience as a resource to protect sensitive information.

Our security roles can easily become routine if we lose focus. This lack of focus could lead us to forget why we perform them. We are appointed to "implement and direct security programs to..." The second part of our description is the most important: "...protect classified information." Unfortunately, too many people believe it is "...to pass inspections."

Read more about this article and follow Jeff's other articles, newsletters and updates at http://www.redbikepublishing.com/index_files/Page412.htm
Jeffrey W. Bennett is the owner of Red Bike Publishing (http://www.redbikepublishing.com). He is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "ISP Certification-The Industrial Security Professional Exam Manual"-Red Bike Publishing

Visit our site often for information on the upcoming book "Managing the Security of Classified Information and Contracts".

About Red Bike Publishing: Our company is registered as a government contractor with the CCR and VetBiz (DUNS 826859691). Specifically, we are a service-disabled veteran-owned small business.

Jeffrey W. Bennett
Author of ISP Certification-The Industrial Security Professional Exam Manual
www.redbikepublishing.com
Join our newsletter
http://www.redbikepublishing.com/index_files/Page412.htm
Follow me on twitter
http://twitter.com/jwbenne
Linkedin Profile
http://www.linkedin.com/in/redbike
Join the Linkedin Industrial Security Professional Group
http://www.linkedin.com/groups?gid=1816119

Sunday, April 12, 2009

Manage Defense Contractor Security Training

“What defines this room as approved for open storage?” I had asked while consulting on a project a few years ago.

I had been in the middle of an intense security discussion. The whole time, I realized that the security employees I consulted understood their responsibilities, but did not know why the security measures were in place or where to find the guidance.

“This area is approved for open storage. So, when we leave, we don’t have to set the alarm or spin the dial,” they said.

“So, does that mean your document control folks in the other area can leave their safe open as long as they shut the door?” I asked, picking up on their logic.

“No, they are not approved for open storage.” They have to lock the security containers in their office prior to leaving them unattended.

“Correct, classified items should be secured prior to leaving the area,” I replied. “However, an area approved for open storage should be secured before leaving. That means setting the alarms and ‘spinning the dial’ prior to leaving for any length of time, not just after hours. Again, what defines open storage?” I asked.

I could see they were having trouble with this one.

“Open storage is simply having the government’s permission to keep classified information on shelves or out in the open. But only as long as it is contained in an approved room that can be secured with a GSA approved lock and approved alarms. During working hours, supplanting access control devices such as badge readers with PIN numbers or bio readers are employed.”

“Exactly,” they replied.

“But you didn’t say that. You said that you could just shut the door and leave for lunch without locking it and setting the alarm,” I countered.

“We can, because it’s approved for open storage.”

And round and round it went, with me asking questions without getting the answer I was looking for. Clearly these folks had been taught to perform a certain task, but had not received “real” security training.

So, what’s the fix? Just what I recommended to the security manager. Industrial security is a complex profession. There are many moving parts that require in-depth thinking and proactive protection measures based on threat assessment and OPSEC. Develop training and certification for your security employees. If your company is a defense contractor or government agency, set aside time to train security employees on the NISPOM and the President’s Executive Orders or agency policies. Develop employee certification that can be validated, especially for new employees. Only after they have proven that they understand how to support a security program designed to protect classified information should they be turned loose to do so.