Wednesday, September 28, 2011

5 Steps to Hiring the Perfect Security Employee

Your company is growing and you find yourself reassessing your security team needs. Or, you find yourself severely lacking the personnel required to effectively perform security functions. In either case, it is up to you to hire the perfect employee.


Find the perfect employee? Though a daunting task, it is important that you hire and build a team of excellent security managers. Never, ever settle for a warm body just to get the job done. Many of you know from experience the issues that hiring the wrong candidate brings about.

There are a few good observations about potential candidates that can move them forward in the hiring process. These are 5 considerations you should employ before hiring a security team member.
1.  All qualified applicants must reflect the company culture. What kind of employee does the company value? You must know this before you begin the search process. If your company values initiative, make sure your prescreen selects thinkers who can execute security functions with limited supervision.

2.  Know yourself and what you value. Obviously your values support the company culture, but here is where you use your “gut” to identify successful people. The successful person must also be mindful of the Government regulations required for the job. For example, if your desire is to hire a document custodian, potential candidates should have an excellent knowledge of the National Industrial Security Program Operating Manual (NISPOM). Your job is to filter technically proficient applicants with the initiative to learn and execute security procedures. Then, recommend them for the interview.

3.  Where do you find these successful people? Network with your industry peers; don't forget your professional networks and organizations. Review your job announcement and make sure it specifically identifies the need and requirements. Do they need a security certification? What security clearance level is necessary? Do they need one now or can you initiate one later? How much experience is necessary? Is there a requirement for college?

If qualifications aren't spelled out, spend some time editing the announcement. This will prevent wasted time reviewing unqualified resumes.


Word of mouth and networking are another great resource. You never know who might be looking for a career-boosting job or different work experiences. Also, consider temporary agencies. They are a resource full of qualified potential applicants.

4. Conduct the interview. All right, here is where you need to be the most prepared. Rehearse, rehearse, rehearse! This is your first impression of the applicant and vice versa. It is important to find out everything about this applicant and see whether they will be a good fit with the existing company culture and whether or not they have the minimum qualifications.

During the interview, tell the applicant about the job description and the company. Use this time to evaluate their posture, bearing and interest. Then use open-ended questions to assess their capabilities. For company culture consider questions like:
     a. Describe a time you made a decision.
     b. What security initiatives have you implemented and how were they received by management?
     c. Describe how to wrap classified material.
     d. Describe how you open a safe.
     e. What steps do you follow to send a visit request?
Be as specific as possible. Remember, you want to identify someone who supports company culture and is capable of either learning or performing the job.

5. Finally, once you have made a decision to hire, assimilate this person onto the team. On the first day, invest a few hours with your new hire to review company values, introduce them to the team, and further outline the job requirements. Be quick to welcome this person and involve the rest of the team. Later, help foster relationships between coworkers. The best way is to have them train and cross-train. This builds cohesion and breaks down pre-existing barriers. Your team will communicate better and appreciate your decision to hire this applicant.

With practice and the right skills your journey to hiring the perfect candidate and building a great team will be rewarding. Know your company, your requirements, identify qualifications, rehearse and conduct the interview, then build your team.


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, The NISPOM.

Wednesday, September 21, 2011

3 Ways FSOs can Have a More Effective Security Program

The Facility Security Officer’s (FSO) successful program depends on developing relationships with employees, managers and executives to facilitate execution of company policies, necessary security awareness training, willful employee self-admittance of security infractions or change of status, and proactive action toward expired, existing and future classified contracts. Any of the above mentioned success measures is difficult to obtain in a changing employee and contract environment, but is simplified through employee and executive buy-in.

How to do this:

The following 3 points pave the way for a successful security program.

1. Gain executive, manager and work force buy-in. This can be accomplished by first demonstrating a sound understanding of company mission, classified contract requirements and providing sound security policy. Cross cultural buy-in is critical for integrating the security plan into all business units and company operations.

2. Become the “go to” person for all new security challenges. The FSO doesn’t need to be involved in every decision made by cleared employees. However, if it involves a procedural change or the degradation of security, contacting the FSO should be an automatic response. Become recognized as not only an expert at NISPOM compliance, but a part of the team. This will help ensure that all units within an enterprise notify the FSO of any change in the disposition of classified material storage. This integrated system will trigger the contracts, program manager, business development and other units to coordinate with the FSO and keep the FSO informed of expired, current, and future contract opportunities and responsibilities.

3.  Create a budget based on mission and NISPOM compliance. An obviously important task is to direct the security program to protect classified information. But this is not to be pursued at all costs. Even NISPOM identifies the need to apply economically feasible solutions. The FSO’s task should be to have an award-winning program while supporting the company’s primary mission: to make money. The FSO owes allegiance to protecting the nation’s secrets, but will not be able to do so if the company profits go straight into the security budget. Do this by becoming a good steward of company resources and developing policy that corresponds with the mission.

More tips can be found in the book “DoD Security Clearance and Contracts Guidebook-What Defense Contractors Need to Know About Their Need to Know”


5 Effective Ways to Study For the ISP Certification Exam

Out of the approximately 3500 NCMS members nearly 325 hold the ISP certification.  The test is challenging and candidates are expected to score at least 75% for a passing grade.

Why Certify?
The ISP holder demonstrates a high level of knowledge. The certification is based on the NISPOM but also covers electives such as COMSEC, OPSEC, and other topics.

This certified professional communicates to upper management that they are committed to the business, the industry and the protection of national interests. It puts the company in a stronger position while bidding on contracts and lends credibility to relationships with the oversight agency, the Defense Security Service (DSS). Most of all, it gives the bearer confidence in their ability to apply their knowledge. As this certification program evolves, more and more employers will require the certification.

Preparing
Only those working in the National Industrial Security Program for at least 5 years are eligible for the ISP Certification. Five years' experience should make the professional more than capable of passing the exam. However, understanding how to study will make a difference in their success.

Targeted focus for thirty minutes to an hour a day for six months can make a huge difference. However, study methods for open-book tests are a lot different than for closed-book tests. For example, the ISP Certification allows you to use the NISPOM and other reference material during the exam. This requires a broader understanding of where to find information by topic. The DoD’s Security Professional Education Development certification does not allow candidates to bring reference material. This requires more memorization and more depth of study. However, in both cases, the tests are tough and candidates need to study. Those few minutes a day make a big difference.

Test topics include Security Administration and Management, Document Security, Information Systems Security, Physical Security, Personnel Security, International Security, Classification, Security Education, and Audits and Self-Assessments. The broad scope of study provides a challenge, as not every cleared contractor is experienced in all aspects of the NISPOM. But there are ways to prepare that will help pass the exam regardless of how much actual experience a candidate has in any of the topic areas. For example, you can pass all sections, including NISPOM Chapter 8 topics, without ever having worked in that environment. An FSO or security manager at a company that only provides security-cleared employees can pass the ISP Certification exam without ever having marked a classified document. How? By following these five study methods to gain a better understanding of the NISPOM.

1. Determine which type of test you will take, study using those resources, and REGISTER. This will cause the clock to start ticking and seal your commitment. I recommend taking the computer exam and using the electronic NISPOM with ISLs. The “Ctrl-F” function is a life saver, as it will allow you to search the NISPOM by keyword and topic. For instance, if a question covers proper marking procedures, you can search the NISPOM using keywords such as “classification marking”, “marking”, or actual keywords from the question.

2. Become familiar with the NISPOM. It’s not necessary to memorize the NISPOM. Just become familiar with chapter titles and paragraph topics and understand their applicability. This will help if you cannot find the answer using the keyword search. Sometimes questions won’t contain keywords and you’ll have to rely on intuition, experience and book knowledge. It’s important to know that information systems security is in Chapter 8, security education is in Chapter 3, document security is in Chapter 5, etc. Knowing the topics will save a tremendous amount of time searching the NISPOM.

3. Form a study group. Contact your local chapter of NCMS and join an existing or form a new study group. Also, join the NCMS’ Exam Preparation Program. This is led by a team of ISP Mentors and includes conference calls, downloads and purchasing their study guide.

4. Work outside of your area of expertise. Security specialists working in a large organization might work in one small discipline such as document control, classified contracts, information system security, or a program area. It may be possible to cross-train in other security disciplines to become more familiar with the wider-ranging NISPOM requirements. If the opportunity does not exist, consider asking FSOs in another company to train you on their procedures. This can form the basis of a working study group.

5. Take DSS courses. Concentrate on the nine core areas of the ISP Certification Exam. This will help you reinforce NISPOM requirements and where to find answers in the NISPOM concerning the subject matter.

There are many excuses not to take the exam: the cost, the time involved, or fear of failure. Take the online test! If you can perform a search in a PDF file, you can pass the test. The exam gives 110 multiple-choice questions and takes up to 120 minutes. There is a clock that keeps track of the time and the test times out automatically. How convenient.

If you take the online exam, I recommend using two monitors. Open the test in one monitor and the PDF version of the NISPOM in the other. Open the search function in the NISPOM and type key words from the test question to find the reference. It’s that simple, but takes some practice.

The following websites offer references for ISP test study. The first website offers 20 free practice questions, study tips and PDF files of the NISPOM.
http://www.redbikepublishing.com
ISP Certification Exam Manual
NISPOM

NCMS website:

I studied for six months before I had the courage to take the test. I studied, documented my study methodology and began writing a book. I have a database of 440 questions (four practice tests and recommendations) that will definitely help guarantee your success.

Whether you’re employed in the security field as a government employee, contractor, loss prevention or IT, you need the competitive edge.



Monday, September 19, 2011

A Little Humor-Not in the FSO's Job Description

A Little Humor

Dear FSO,
I noticed that there is a strange glass container in the parking lot. It looked like someone was trying to make sun tea. Can you make a policy about this? It is really making our "facilities" look bad.
Signed
Tea me
***

Dear Tea,

According to the NISPOM, mail or shipments containing classified material shall be addressed to the Commander or approved classified mailing address of a Federal activity or to a cleared contractor using the name and classified mailing address of the facility. An individual's name shall not appear on the outer cover. This does not prevent the use of office code letters, numbers, or phrases in an attention line to aid in internal routing.


Comix-Getting Ready for the DSS Inspection



Sunday, September 11, 2011

4 Measures to Prevent Unauthorized Export of Technical Data

ITAR
Though not as sinister and espionage-riddled as most savvy spy novels, export compliance is an issue that will get defense contractors in trouble. Violating State Department regulations will bring the weight of the US Government down on the offending company. According to the International Traffic in Arms Regulations (ITAR), “Any person who engages in the United States in the business of either manufacturing or exporting defense articles or furnishing defense services is required to register”. Cleared contractors must have a plan not only to protect classified information, but also to prevent the unauthorized transfer of technical information and data.

Unauthorized transfer of technical data can occur in a variety of ways. Keep in mind that exports can and do occur not only during shipments but also when hosting foreign visitors, during meetings, trade shows, plant tours, chat-room discussions, published articles and many other means. You can even export technical items left exposed on your desk or otherwise revealed when a foreign visitor tours the facilities.

Though the term is not used in ITAR, think of a “Deemed Export”, where a transfer occurs through simple acts such as briefings or presentations of technical data to non-US persons.

This includes sending or removing technical data out of the U.S. or transferring it to a non US person in the U.S. by such acts as:

• Disclosing (oral, email, written, video, or other visual disclosure) or transferring technical data to a foreign person whether in the U.S. or abroad
• Providing a service to, or for the benefit of a foreign person, whether in the U.S. or abroad

You can help prevent unauthorized disclosure by taking the following actions:

1. Help your company understand the requirement to register with the State Department (see requirements).

2. Remind decision makers of their responsibility to protect technical data. You can do this by helping create a technology control plan (TCP). If your company is authorized to export or reveal technical data, understand the license or technical assistance agreement (TAA). Follow it to the letter. The TCP will ensure that only authorized persons have access to technical data.

3. Provide a briefing to employees that, whether in the U.S. or visiting overseas, they should only discuss what is authorized by licenses and/or TAAs.

4. Prior to travel with a laptop, have the information technology (IT) department either scrub it or provide a clean computer free of all technical data not authorized by licenses.

Do everything within your power to help others in your enterprise understand that no technical data or service should be given without proper approval. This means performing due diligence prior to receiving a foreign visitor, sending business development to trade shows, and working on teaming agreements with non-US persons.



Thursday, September 8, 2011

2 Steps to Determining Need to Know

Take a look at the following dramatization. A Facility Security Officer (FSO) is engaged in an inquiry to determine whether or not a security violation led to the loss, compromise or suspected compromise of classified information. A cleared employee had left classified information out on a desk. She had asked another cleared employee to “keep an eye” on the classified document while she left for lunch.

A short time later, the second employee was summoned to his boss's office to answer some questions. He left in a hurry, forgetting about the classified information on the desk. At first glance, the unattended classified information is the most obvious violation. However, once the inquiry concluded, another issue became evident. The co-workers did not work on the same contract or share in any kind of project relationship. The first co-worker entrusted the safeguarding of classified information to an employee who held the proper security clearance, but who did not have need to know.

Holders of classified information should verify two things prior to releasing it to another party. They should determine the recipient’s active security clearance level and whether or not the recipient has a valid need to possess the classified information. Determining clearance level can be easily accomplished by the FSO, Personnel Security Officer or equivalent. They can access the Department of Defense’s Joint Personnel Adjudication System (JPAS) for that information. However, that’s just half of the requirement. To complete the process, the holder has to identify whether or not the recipient has need to know.

So, how does one determine need to know? Is it the FSO’s job? Is it the program manager’s job? Whose job is it? “Need to know” can be established using these 2 principles:

1. Who determines need to know-Need to know is a determination made exclusively by the holder. Those in possession of classified information are responsible for its proper release or disclosure.
2.  How to determine need to know-Verifying the contract number, performance on a project or program, validation by a project manager, an access roster and other methods can be used to determine need to know.

Security clearances should be kept to the minimum number necessary to perform the classified work, and access to that classified information must be kept to only those with a valid need to perform on the government work. JPAS or even security clearance verification cannot provide need to know. Just because one has a clearance doesn’t mean they should be authorized access. Need to know is based on a contractual or work-performance basis.
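The two-check release decision described above, written out as a small Python model. This is an added example, not code from the original post or from any DoD or NCMS system: the names, contract numbers and roster are constructed sample data, and the roster stands in for whatever source (contract roster, program manager validation) the holder actually uses to establish need to know. It replays the post's scenario: the recipient holds a sufficient clearance, but a roster check shows he does not perform on the contract, so the "keep an eye on it" handoff is not a valid release.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Ordered classification levels; a higher index is more sensitive.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Person:
    name: str
    clearance: Optional[str]   # None means no clearance on record
    active: bool = True        # clearance status as recorded in the personnel system


@dataclass(frozen=True)
class Document:
    title: str
    classification: str
    contract: str              # contract or program the material supports


# Constructed sample roster (not real data): contract number -> names of
# people validated as performing on that contract. This is the need-to-know
# source the holder consults; JPAS-style clearance data cannot supply it.
ROSTER: Dict[str, Set[str]] = {
    "CONTRACT-A": {"alice"},
    "CONTRACT-B": {"bob", "carol"},
}


def clearance_sufficient(person: Person, classification: str) -> bool:
    """Check 1: an active clearance at or above the document's classification."""
    if classification not in LEVELS:
        raise ValueError(f"unknown classification level: {classification}")
    if classification == "UNCLASSIFIED":
        return True
    if person.clearance is None or not person.active:
        return False
    return LEVELS.index(person.clearance) >= LEVELS.index(classification)


def has_need_to_know(person: Person, doc: Document,
                     roster: Dict[str, Set[str]]) -> bool:
    """Check 2: the recipient is validated on the contract the material supports."""
    return person.name in roster.get(doc.contract, set())


def may_release(doc: Document, recipient: Person,
                roster: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """The holder's decision: both checks must pass; the first failure is reported."""
    if not clearance_sufficient(recipient, doc.classification):
        return False, f"{recipient.name}: no active clearance at {doc.classification}"
    if not has_need_to_know(recipient, doc, roster):
        return False, f"{recipient.name}: cleared, but no need to know for {doc.contract}"
    return True, f"{recipient.name}: clearance and need to know verified for {doc.contract}"


if __name__ == "__main__":
    # Constructed replay of the post's scenario: bob holds SECRET but is not
    # on CONTRACT-A, so alice may not hand him her SECRET document.
    doc = Document("Test plan", "SECRET", "CONTRACT-A")
    print(may_release(doc, Person("bob", "SECRET"), ROSTER))
    print(may_release(doc, Person("alice", "SECRET"), ROSTER))
```

The order of the checks matters for the reason string only; both must pass before any release, and neither the clearance lookup nor the roster can substitute for the other.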


Friday, September 2, 2011

Five Ways For an FSO to Increase High Power Team Effectiveness

Maybe you think you are alone, fighting the one-person fight that many leaders face. However, you would be wrong to assume that the head of security is the only one responsible for the security program. For cleared defense contractors, the Facility Security Officer is in charge of the security program, but not the only one with a vested interest in protecting classified contracts. So how does the FSO create a teaming environment, a program where everyone works together?
 
Through High Power Teams
High power teams (HPT) are the most effective types of entities. Where groups form, storm and norm, HPTs go further to create a body more capable than any individual. They do this by agreeing to rules and primarily keeping in mind that throughout any process or problem, it’s not about the individual, it’s about the group. This allows the organization to benefit as a whole as each member sacrifices their individual desires. The members do not lose or give up the individuality that makes them unique. It does not stifle individual creativity. What each individual sacrifices are selfish desires and the need for self importance.
 
High power teams consist of a small number of people with complementary skills. Individual members of HPTs are committed to a common goal and hold themselves mutually accountable. This structure and assembly of individual core competencies, skills and capabilities create a superpower stronger than any one person could ever be.

The charter defines the standards the HPT will perform under. It provides the purpose, vision, norms, goals, expectations and procedures. The charter is the rudder that keeps the group focused and forms the basis for group discipline and accountability. For example, if someone arrives late or makes fun of another member’s contribution, corrections can be made by referring to the charter. Additionally, if the group loses focus, the members can refer to the vision and goals.

While the charter provides the fundamentals, other dynamics provide the group's personality and incredible effectiveness. Typically, all groups go through forming, storming, norming, and performing stages, but that’s where a group’s effectiveness ends. There is a distinct difference between groups and teams.

Teams build on the four stages by engaging in collective performance, maintaining a positive environment, holding individuals and the entire group accountable to charter guidelines and taking advantage of complementary skills. This again increases effectiveness and provides the results associated with the capabilities of the HPT.

Anyone can form an HPT, and especially so a highly effective formal or informal leader. For the sake of relevance, let’s consider a Facility Security Officer, command security manager or other security specialist. In other words, how can an HPT help?

Start with the charter. A leader can form an HPT from all business units. Since the FSO is responsible for creating a security program to protect classified information, they may either suggest or take the lead and form the group. Once in the group, the individuals begin to discuss the vision, norms, etc. Topics to tackle might include policy, security violations, refresher training, emergency operations planning, and communication, for starters. A multi-organizational HPT can bring depth and breadth to a stagnant security program.

The difficulty for some leaders will be to sacrifice their will and turn over problems for a group to solve. That’s natural, but one of the benefits is that security is now part of the organization’s DNA and not just “overhead” or a “necessary evil”. The effective group will have capabilities beyond just the one leader. The tradeoff is perfect and the results impressive.
 
Here are recommendations for forming an HPT:
  1. Engage-Invite interested parties. Canvass your corporation and determine who might be interested in joining this group. You may need to build security allies who can help you recruit effective individuals.
  2. Focus-Develop a game plan and respect other members' time. You can increase effectiveness with a charter as described above.
  3.  Accountability-Keep meeting minutes and document your work and products. Be sure to capture all important decisions and who will act on them. When the group assigns responsibilities to individuals, they tend to come through.
  4.  Follow-up-Let the group know you appreciate their efforts. Better yet, assign credit to your group members and ensure the executives and department heads (if they aren’t part of the group) understand who the members are and buy in on decisions.
  5.  Have fun-This is a time to allow creativity. Work within the confines of governing regulations and corporate policy, but allow out-of-the-box thinking.