Friday, September 28, 2012

Desperate Phishermen


Wow, these phishermen are really setting the bait waiting to lure us into the frying pan. But whatever you do, don’t succumb to the persuasion, cause you’ll find yourself in a nasty trap. One minute you’re enjoying the safety of a warm swimming experience through cyberspace, the next you’re hauled in, and prepped for dinner.

There’s a reason the subject line and message are so compelling. They play on your hopes or your fears. Sometimes they play on your fears and give you hope, but almost always, they lead to destruction. At the most innocent level, these scams do nothing more than collect personal information or lead you to a website the sender wants you to visit.

One of the most obvious ways to tell a scam is that the hyperlinks don’t lead where the wording says. In these examples, they claim to take you to the IRS. But just as a trophy bass strikes a lure hoping for a yummy meal, we are fooled the same.

Check out the example from the "IRS":

It's real cheeky. You can bet these hyperlinks don't go to the IRS.


Here's one from my "bank":

Your Transaction Report(s) have been uploaded to the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please note that your bank account will be debited within one banking
business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any
questions or comments, please Contact your ADP Benefits Specialist.

Thank You,
ADP Benefit Services




Remember, be smarter than the trap. Just delete these messages and other suspicious emails that supposedly come from your bank, government agencies, PayPal, etc. Make phone calls and check the facts. You can even google the subject line and find out whether or not they are legitimate.

Be safe

Red Bike Publishing 



These folks write really compelling

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.


Monday, September 24, 2012

Here's the latest Scam

Here's the latest scam from some misguided individuals pretending to be Amazon.com. I've received two so far. Be on the lookout for these emails. Do yourself a favor, don't open them, just delete and forget it.





Here's how you can tell it's a fake:

1.  Sent from a private email address, not an Amazon.com address
2.  The product delivery address is not mine.
3.  The hyperlinks don't go to amazon.com.



Returns are easy. Visit our Online Return Center.
If you need any assistance with your order, please visit Merchant Contact Form.
We hope to see you again soon! Amazon.com



For your protection, I've disabled the hyperlink. However, if you receive a similar email and hover your mouse over the hyperlink, you'll see something totally different: http://earl2.jamesbeard.org/fhd42i3d.html

I didn't bother clicking, because I may get a nasty surprise.

So, scams are alive and well. Protect yourself and your employees by understanding what you click.
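The two tells called out in this post and the previous one (a sender address outside the brand's domain, and links whose visible text says one thing while the target is somewhere else) can be checked mechanically. The script below is an added example, not the author's code: it parses an email, compares the sender's domain with the brand the message claims to be, and lists every link whose target host is not that brand's site. The sender address and HTML body are constructed; the first link's target is the URL the post reports seeing on hover.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):  # lowercased hostname; http:// assumed when the scheme is missing
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def same_site(host, claimed):  # claimed domain itself or one of its subdomains
    return host == claimed or host.endswith("." + claimed)

def phishing_indicators(raw_message, claimed_domain):
    """Findings for a message that claims to come from claimed_domain."""
    msg = message_from_string(raw_message)
    findings = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not same_site(sender_host, claimed_domain):  # tell 1: private sender address
        findings.append(f"sender domain {sender_host!r} is not {claimed_domain!r}")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = AnchorCollector()
    collector.feed(body)
    for href, text in collector.anchors:
        target = host_of(href)
        if not same_site(target, claimed_domain):  # tell 3: the "hover and look" check
            findings.append(f"link {text!r} points to {target!r}, not {claimed_domain!r}")
    return findings

# Constructed sample modelled on the fake Amazon notice (made-up sender; hover URL from the post).
SAMPLE = """From: Amazon.com <orders@example-free-mail.invalid>
Content-Type: text/html; charset=utf-8

<p>Returns are easy. Visit our <a href="http://earl2.jamesbeard.org/fhd42i3d.html">Online Return Center</a>.</p>
<p>Need help? Use the <a href="https://www.amazon.com/contact">Merchant Contact Form</a>.</p>
"""
```

Running `phishing_indicators(SAMPLE, "amazon.com")` reports the sender domain and the first link; the second link, which really does point at amazon.com, is not flagged.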



Tuesday, September 18, 2012


As I struggled through a neighborhood jog, my thoughts wandered to adding more distance. My jogging route includes a core distance of 2 miles. However to increase stamina and speed I have to add distance. So, I began adding more cul-de-sacs and side routes.

At first my body responded to the request with “not another requirement, this run is perfectly fine as is.”

However, my mind rationalized in reply, “If you ever want to get better, stronger and faster, you’ll have to accept more challenges.”

Soon, I began to incorporate the added distance to my daily run and now my body expects three miles. Gone is the expectation of a two mile distance. The three miles is now the standard and “not just another added requirement.”

Suddenly, I realized this conversation sounded very familiar. In fact, it reminded me of some recent conversations I’ve had as an FSO. You’ve heard it before, so let’s shout it out loud:

“NOT ANOTHER SECURITY REQUIREMENT!”

The annual security awareness training should be considered part of doing business; a core competency. After all, the enterprise is performing on a classified contract and training is the expectation and not the exception.

There are ways to incorporate it as the standard that make it transparent to the enterprise. This makes the FSO’s job easier as they will hear fewer sighs of exasperation. The following suggestion incorporates training with the contract review requirement. All you need to do is document the training with signatures.
1. Gather all the documentation and references necessary. For this task you’ll need:
   a. The contract documentation
      i. DD Form 254
      ii. Contract
      iii. Security Classification Guide
   b. Government documentation
      i. National Industrial Security Program Operating Manual (NISPOM)
      ii. Latest Industrial Security Letters
   c. Enterprise documentation
      i. Security policies and procedures
      ii. Policies and procedures from supporting and operational business units

2. Form an interim protection team. This is a team led by you, the FSO, and consists of cleared employees on a given contract. The team members are chartered and therefore documented as such. Guess what? Those signatures and dates on the charter are also training documentation. The members are subject matter experts that you lead through the technical details. They provide the situation and you provide the protection measures.

With the resources and subject matter experts available, use them to lead the security training. This is a highly desirable technique, as all contribute to understanding the requirements. Everyone (including the FSO) receives training, but you also document results such as protection measures realized during the IPT. Use this to develop a winning training session that is fresh every year.

1. Review the DD Form 254 with the cleared employees supporting the classified contract. The 254 provides classification level, work to be performed, where it is to be performed and special instructions. Ask questions and expect answers from the participants. Seek to clarify requirements and offer security solutions.

2. Review the contract with cleared employees. This provides how work will be performed and to what standard. The employees get to discuss their plan of action in support of the contract and you provide protection measures to apply to classified and sensitive unclassified information.

3. Go over the Security Classification Guide and discuss impact to the program and enterprise.

4. Measures 1-3 will be applied with input from government and enterprise oversight requirements.

Just as you might increase distance to improve stamina, an FSO can improve the quality of training to increase effectiveness. Instead of seeing NISPOM training as “another requirement”, it will be part of the contract expectations. The end result is the ability to remain in compliance while documenting training requirements, improved security posture and value to cost, performance and schedule. Such in-depth classified contract review clarifies roles and is viewed by cleared employees as value added.




Monday, September 3, 2012

4 Outstanding and Beyond NISPOM Ways to Add Value to the Cleared Defense Contractor Enterprise

One way to be a world class Facility Security Officer at a cleared defense contractor facility is to provide value to the enterprise. The National Industrial Security Program Operating Manual (NISPOM) describes the FSO as responsible for developing and implementing a security program to protect classified information. But is that all FSOs are supposed to do? How about providing more value to the enterprise by assisting other business units based on skills FSOs develop and demonstrate beyond NISPOM.
FSOs are highly trained through FSO and NISPOM training. FSOs can better their bona fides with the Industrial Security Professional (ISP) Certification.

For example, in Fortune 500 companies, the Chief Security Officer or a similar title is responsible for IT security, physical security, loss prevention, etc. So, are these roles covered adequately in your enterprise? It’s not so clear cut at defense contractor facilities. There is so much more that can be done, and the enterprise will be grateful for the assistance.

So, how do FSOs get to the point where the enterprise respects their critical skills and desires their service, advice and assistance?

First of all, FSO responsibilities should be part of enterprise DNA. In other words, the FSO is part of the winning team that is the enterprise and not just another stove piped department. For example, what skills do FSOs possess that can assist HR in protecting personal identifiable information? How can FSOs advise business development in getting foreign business or partnering with uncleared defense contractors?

To function effectively in the corporate culture the FSO should implement policies that are championed or accepted by other departments. Human resources may include in their policy the progressing levels of discipline that NISPOM requires. Safety may put into policy the care and maintenance of egress and entry doors that are also used to protect classified information. Likewise, security policy could include areas that impact other business units.

NISPOM and security clearances? They’ve got it. Cleared employees know how to protect classified information. What about the other stuff?

Other areas that concern the enterprise are the protection of unclassified efforts: high value items, trade secrets, proprietary information, and research and development efforts. Where the FSO understands NISPOM, ITAR and other regulations, there is little guidance on protecting raw data and other proprietary information.

Here are four ways FSOs can provide more value outside of NISPOM:
  1. Help HR develop a program to protect PII and be compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
  2. Put controls in place to enforce need to know of company trade secrets, intellectual property and proprietary information.
  3. Develop a public release process to prevent accidental spillage of technical information.
  4. Assist business development with protecting company information while presenting capabilities briefings.

FSOs are highly trained through FSO certification and NISPOM training to protect classified information. As such, they should use those transferable skills and their initiative to look for ways to contribute to the enterprise that go outside of NISPOM. Doing so adds value and protects the enterprise.

For more information on adding value to your organization, read DoD Security Clearance and Contracts Guidebook.


Saturday, September 1, 2012

Three Items that Provide Facility Clearance Justification



Some defense contractors mistakenly assume that they can request a Facility Security Clearance (FCL) for business development purposes or to better position themselves for future classified contract opportunities. Though that is not how FCLs are awarded, there is a process and methodology to justify the FCL.

The FCL justification is the trigger point for a Cognizant Security Agency like DSS to investigate a defense contractor for a security clearance. A well documented justification indicates that the contractor is or will be required to work on classified contracts. The justification should include information regarding the nature of the classified work performance that requires the company to access classified information. Some examples are:

1. A DD Form 254 – This lists exactly what a cleared company is expected to do and how they are to perform on the contract. It provides name of company, DSS covering organization, clearance level, storage level, place of performance, etc. The sponsored company should review the 254 with the sponsor for accuracy and completeness.

2. A contract or statement of work – This provides great justification as it states how the contractor is to perform. The administrative details may not be as great as the 254; however, the SOW does list technical and security related tasks.

3. A request for proposal – When a government agency or prime contractor has a need, they send a request for proposal listing the need and the performance standards. The intent is to find competent contractors or vendors to compete and win the contract. If the work requires access to classified information, this can be used to strengthen justification.

There are a few things to consider that could cause DSS to reject an FCL request. This includes a lack of justification and incomplete or inaccurate information. The requestor and sponsor should review packets for accuracy and make corrections as needed.


