Thursday, June 28, 2012

3 Simple Reminders That Reduce the Risk of Security Violations



Markings should not be the stand-alone security measure. FSOs might be tempted to add more markings to already cluttered media in the hope of preventing a lapse in user judgment. Once again the effectiveness wears off, and man-hours are spent on efforts that may not increase awareness. To counter this, the holder of classified material must remain vigilant and aware of their surroundings and situation at all times. This is a proactive posture and requires a bit of imagination. Such security is accomplished with solid training and regular reminders of the responsibilities that come with possessing classified information.

Simple Solutions
1.  A clean desk policy has helped reduce security violations. Under this policy, an employee removes everything from the tops of their desks or working surfaces except the classified material in use. That simple practice makes a busy employee more aware that anything left on the desk requires extra diligence and must never be left unattended. When no longer needed, classified information should be locked up in a security container or closed area.

2.  A desk tent and door hanger carry an important reminder that classified items are out. As the employee leaves their work area, they encounter the warning on their desk or door handle.

3.  End-of-day checks using a checklist help ensure classified items are stored properly. Before leaving an area approved for classified work, the cleared employee should check classified copy machines, printers, work areas and so on for classified information.

Multiple layers of security should be implemented to reduce the risk of a violation. With a system in place, desks empty, work areas cleared, security containers locked and the end-of-day checklist documented, the cleared employee can proceed with confidence that no classified items are out. This discipline creates an environment that reduces the chance that a classified item is left vulnerable to compromise because an employee forgot to secure it before taking a break or leaving for the day.



Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM

Thursday, June 21, 2012

Four Ways FSOs in Small Defense Contractors Can Improve Security Measures


The term Cleared Defense Contractor might conjure images of large complexes with a healthy security staff and plenty of closed areas, labs and conference rooms. However, there are many, many more contractors that are just a few employees with great ambition, drive and ideas. In some cases, smaller and less experienced defense contractors may not be as proficient at executing security responsibilities. Full-time FSOs understand at least a little about the requirements of a DD Form 254 and how to protect ITAR-controlled technical data. But knowing how to interpret and apply the National Industrial Security Program Operating Manual (NISPOM), let alone the Federal Acquisition Regulation, is something that takes time.

I travel to many defense contractors working on cutting-edge research and development efforts. These defense contractors have been as large as thousands of employees and as small as three scientists in a converted schoolhouse. Think of Apple in its garage years: state-of-the-art development in primitive settings.
                                          
1.  Address Challenges
At one contractor that had just received a facility clearance, the FSO was also the chief operating officer; another had just a few employees, one of whom was the designated FSO. In spite of their cutting-edge research, neither could afford the luxury or overhead of a full-time dedicated facility security officer. They relied on each other to learn the ropes.

They did, however, understand how to protect their intellectual property. They also had to learn to protect classified information according to the DD Form 254, the statement of work and the National Industrial Security Program Operating Manual.

2.  Make Priorities
No different from large defense contractors, the priorities that drive small organizations are cost, performance and schedule. They want to turn a product over to their customers and make a profit. The difference is the amount of effort they can afford to spend on protection.

3.  Understand Risk Management/NISPOM Requirements
That is why it is critical for a leader to make decisions that spend resources on protecting exactly what is necessary. These decisions should be made with a combination of a risk assessment model and NISPOM requirements. For example, the risk model may identify a low local crime rate, so classified information can be properly stored in a GSA-approved security container locked in a central office. On the other hand, intellectual property may require stepped-up security resources. The NISPOM sets the minimum protection measures for classified information, while the risk assessment identifies where more aggressive security measures should exist.

4.  Delegate Responsibilities
The appointed FSO who also serves as a senior officer should consider delegating the administrative duties to someone more available. Security clearance requests, visit requests, classified storage and other NISPOM matters can be administered by junior employees while the FSO sets policy and makes final decisions regarding the security program.

Not all defense contractors are the same, and classified contract requirements vary just as much. It is up to the organization to implement security procedures that make sense and meet the budget. Focusing efforts on regulatory guidance AND risk management helps do so in an effective and affordable way.



For more FSO, risk management and NISPOM training tips, sign up for our newsletter and read DoD Security Clearances and Contracts Guidebook.




Saturday, June 16, 2012

Beyond Gates and Guards: Protecting Company Secrets


Gates and guards seem to be the backstop of most security efforts. However, without a real risk or security assessment, these efforts only go so far. Many Facility Security Officers (FSOs) and cleared employees work within the walls of impenetrable, fortress-like structures. These reinforced security bunkers are built to withstand repeated break-in attempts and maintain state-of-the-art alarms, closed-circuit television cameras and card readers that can resist and detect most types of intrusion, but…

…when was the last time you read of an intruder breaking into a cleared facility and cracking a security container to run off with secrets? What do DSS, security educators and security practitioners preach as the biggest threat? Sensitive information that ends up publicly available, and trusted employees transferring technical data to adversaries through seminars, emails, or simply walking out of secure facilities with it.

Without addressing the real threat, the security community continuously pumps resources into protecting sensitive information primarily with physical security. Cleared employees are trained how to properly mark, store and disseminate classified information, but not how to communicate effectively without inadvertently disclosing sensitive information; for example, a scientist disclosing intellectual property, proprietary information or export-controlled data at a conference or symposium. In other words, how do sensitive program employees work with, discuss or demonstrate their technology without transferring technical information?

There is another threat. According to this Reuters article, http://www.reuters.com/article/2012/06/13/us-media-tech-summit-symantec-idUSBRE85B1E220120613, attacks on corporate and government networks are on the rise while the United States lacks enough trained security professionals to defend them. Even though the threat is recognized, many organizations remain unprepared to protect the information on their servers and computers.

Recognizing that there are more likely threats than cat burglars, here are five ways you can develop real countermeasures and strengthen security in your facility.

1. Perform a risk analysis. Make sure you know what you have and what it is worth. Research local crime statistics by zip code and weather hazards, form working groups, and determine what needs to be protected. List the threats, vulnerabilities and impact. Then form your security plan.

2. Determine government requirements. If you fall under the NISPOM, HIPAA or another regulation, these trump your risk analysis and must be considered. Make sure your security plan equals or exceeds the government requirements.

3. Understand contractual requirements. FSOs can get valuable information from the DD Form 254, statements of work and security classification guides.

4. Develop a security program based on items 1 through 3. For each identified threat, determine the risk it poses, document the impact and the cost of countermeasures, and then implement those countermeasures alongside the NISPOM and other regulated requirements.

5. Train employees to meet the security program requirements.

Gates and guards are the most visible and popular method of security. Considering the real threat, they may be the least useful. It is almost impossible for an adversary to break in, but very easy for an authorized employee to walk out with the secret sauce.

For more information on conducting risk analysis and creating countermeasures, see "DoD Security Clearance and Contracts Guidebook".

See the article about cyber threats below.
Leading cyber experts warned of a shortage of talented computer security experts in the United States, making it difficult to protect corporate and government networks at a time when attacks are on the rise. Symantec Corp Chief Executive Enrique Salem told the Reuters Media and Technology Summit in New York that his company was working with the U.S. military, other government agencies and universities to help develop new programs to train security professionals.


"We don't have enough security professionals and that's a big issue. What I would tell you is it's going to be a bigger issue from a national security perspective than people realize," he said on Tuesday. The warnings come at a time when the security industry is under fire for failing to detect increasingly sophisticated pieces of malicious software designed for financial fraud and espionage and failing to prevent the theft of valuable data. More: http://www.reuters.com/article/2012/06/13/us-media-tech-summit-symantec-idUSBRE85B1E220120613






Thursday, June 14, 2012

A few ISP Certification Study Questions for FSOs

Want a few ISP Certification study guide questions? Grab your NISPOM and try these to see how you do.

44. A receipt must be provided for which level of classified material?

a. SECRET

b. CONFIDENTIAL

c. UNCLASSIFIED

d. A and b

e. All of the above

45. Working papers must be marked the same as finished documents at the same classification level EXCEPT when:

a. Transmitted outside the facility

b. Retained for more than 30 days from creation for TOP SECRET

c. Retained for more than 120 days from creation for SECRET

d. Retained for more than 180 days from creation for CONFIDENTIAL

e. Retained for more than 180 days from creation for SECRET

46. Classified material may be destroyed by which of the following methods?

a. Mutilation

b. Chemical decomposition

c. Pulverization

d. Melting

e. All of the above

47. What methods are approved to protect miscellaneous openings greater than 96 square inches in area and over 6 inches in smallest dimension?

a. 1/2-inch diameter steel bars with a maximum of 6 inches between bars

b. Grills consisting of 18-gauge expanded metal

c. Grills consisting of 18-gauge wire mesh

d. B and c

e. All of the above

Answers

44. a. SECRET (NISPOM 5-401; receipts are required for TOP SECRET and SECRET material, and for CONFIDENTIAL only when the sender deems it necessary)

45. c. Retained for more than 120 days from creation for SECRET (NISPOM 5-203b; the other four options all trigger the finished-document marking requirement)

46. e. All of the above (NISPOM 5-705)

47. e. All of the above (NISPOM 5-801h)

How did you do?

For 440 questions (4 complete practice tests) see ISP Certification-The Industrial Security Professional Exam Manual



Periodic Reinvestigations


A granted security clearance is part of a continuing evaluation process. Once a security clearance is granted, the cleared employee is periodically reevaluated and reinvestigated if the clearance is to remain in effect. When a cleared employee requires continued access to classified material beyond the scope of the initial investigation, the facility security officer submits a request for a Periodic Reinvestigation (PR). The adjudicator then decides whether the subject's allegiance is still to the United States, whether they can still be trusted to protect classified information, and whether they will still be able to carry out their duties at all times.

The PR for a TOP SECRET clearance is the same level of investigation as was initially conducted: the SSBI-PR, conducted every 5 years. For SECRET, the NACLC is conducted every 10 years, and for CONFIDENTIAL the NACLC is conducted every 15 years. Part of the security education process emphasizes the importance of continuous evaluation of the cleared employee. Cleared employees are required to report any information about themselves or other cleared employees that may demonstrate an inability to protect classified information.
 
However, the PR should not be the first time the investigator, adjudicator or FSO becomes aware of adverse information. The FSO's security training should include the requirement for cleared employees to report instances where either they or other cleared employees demonstrate behavior that may call into question their ability to protect classified information. Such examples include:

  • Excessive and/or unpaid debt
  • Undue affluence
  • Alcohol- or drug-related incidents
  • Inability or refusal to comply with security policies

The continuous evaluation process is in place to protect our nation's secrets. Security clearances are not "one and done" but a process of determining whether an employee or organization can continue to be trusted to protect classified information. Failure to report adverse information violates many directives, agreements and regulations, including the DD Form 441 DoD Security Agreement, the NISPOM, the Classified Information Nondisclosure Agreement, and EO 12968. Violations could cause your cleared employees or organization to lose their security clearance.
 
For more information, read Insider's Guide to Security Clearances or DoD Security Clearances and Contracts Guidebook.

Thursday, June 7, 2012

Legacy of the Facility Security Officer (FSO)

You might already know how to write policy that reflects the NISPOM and export compliance or ITAR regulations. That might very well be an easy task for you. Just like the ISP certification mentioned in an earlier post, the policy itself should not be the catch-all solution. Just as the certification complements the bearer's capabilities, the policy should complement the processes and procedures you have in place.

Policy tells what should happen, and it is easier to write and have approved than the how-to found in processes and procedures. Even if you do not know how to write policy, you can always download boilerplate standard practice procedures, a technology control plan, or sample security policies from the Defense Security Service (DSS), or borrow them from contacts in professional security organizations. What will not be so easy to find is policy tailored to your specific needs and a way to incorporate it into company business. That requires teamwork with other business unit managers.

Some of the reading audience might understand better than others that most policies exist as "gotchas". In other words, policies can be used as a basis for discipline. However, unless the policy is part of the company DNA, most employees may not even know it exists.

For example, suppose you are trying to implement procedures to support your customer's requirement, identified in the DD Form 254 for cleared contractors, that information be approved for public release. You know it is a requirement, but your company continues to publish contract-related information in news releases and on the website without customer approval. To solve this problem, you could:

1. Write a policy and wait for employees to read and comply. If they do not, you can nab them later, pointing out their short falls.

2. Create policy, coordinate with others to create supporting trigger points and courses of action, shop it to all the managers, work together to develop a workflow, and check the progress.

Option two works best because it becomes part of an organizational solution and not "just another thing to do." Option one will cause all kinds of trouble and leave the situation unresolved.

An FSO is designated to develop security policy to protect classified information. However, this is not a solution that should be undertaken alone. The entire organization should take part. Just as human resources, facilities, finance and other business units seek the cooperation of the enterprise, the FSO should get similar buy in. With approved and accepted procedures in place, the policy will be easily supported.

For more information on establishing security procedures, see DoD Security Clearances and Contracts Guidebook


Friday, June 1, 2012

World Class FSO Installation 1: Bona Fides


World class security programs under the National Industrial Security Program (NISP) are run by world class Facility Security Officers (FSOs) who continually demonstrate their qualifications. An FSO should be capable of more than just running a security clearance pipeline. It is one thing to be good at your job, know the NISPOM well, be technically proficient and be capable of personally validating security plans. It is quite another to become recognized as a leader, recruit assistance company-wide and be recognized for the good work.

In the second case, your efforts perpetuate themselves as others become force multipliers and quickly engage with and support your mission. One way to ensure such success is to document your qualifications through professional certification. Certification by itself is not the answer, but it does complete the picture. For example, there are many leaders in the industrial security community who are very influential and well respected; their work stands alone. A certification for them would further demonstrate their dedication to the profession, technical competence and leadership.

When you achieve a professional certification, such as the Industrial Security Professional (ISP) certification, the next step is to validate both the accomplishment and the certification. In other words, the stellar FSO can take the opportunity to demonstrate the importance of the certification and why they chose to pursue the challenge of becoming certified. Some certifications, such as the CISSP, are required by contract or government regulation, while many others like the ISP are added endorsements that help the recipient stand out. Whether or not the certification is a requirement, the bearer can capitalize on many opportunities to elevate their own status as well as that of the organization they work for.

If you have earned a certification or plan to earn a professional certification, here are four ways you and your organization can capitalize on the accomplishment:

1. Send out a press release. News organizations are always looking for good articles, and newspapers have a mini-section where local industry can announce accomplishments. Write-ups should include your name, the organization you work for and the importance of the certification you just earned. This gives credibility to your hard work and demonstrates that your organization supports the certification.

2. Put the accomplishment under the “News” section of the corporate website. This lends credibility to the certification, and demonstrates that your organization values the certification. Be sure to talk up the certification purpose and how accomplishing the certification is important to the organization. When you succeed the entire organization wins.

3. Create a plaque or certificate announcing your accomplishment: "_____ employs Board Certified Industrial Security Professionals". Visitors will take away the value of the certification and may recommend it to their own employees. It also may help sway a potential business partner's or customer's decision and shows another level of FSO training.

4. Insert language into every proposal that demonstrates the value of your certification. For example, I always ensured our proposals included "The FSO is board certified to protect classified information", or similar wording. This adds to the appeal, qualification and professionalism of your organization and its ability to perform on classified contracts. Winning contracts depends on a defense contractor being capable of protecting classified information according to the Contract Security Classification Specification (DD Form 254), and the cleared contractor benefits when its security personnel earn the certification. Again, be sure to explain the certification and why it would enhance a decision to award the contract.

A certification is just another feather in the cap of the recipient. Without demonstrated work ethic, capability or effectiveness it is just a piece of paper. A certification paired with a capable FSO, however, is a winning combination. The bearer and the organization can benefit equally from the achievement. Think of some ways you can demonstrate your competency and bona fides.

