Wednesday, December 23, 2015

Keeping the knowledge of security container combinations to a minimum.

In this week's article continuing the coverage of the Defense Security Service (DSS) Self Inspection Handbook for NISP Contractors, we'll review the National Industrial Security Program Operating Manual (NISPOM), Paragraph 5-308.

5-308 Is the number of people possessing knowledge of the combinations to security containers kept to a minimum?

Not every employee needs the combination to the security container.

The combinations should be provided only to those with the proper clearance and need to know. That is the largest pool of individuals who could have it, but it is only the minimum standard for combination accountability. After all, the security container combination is classified at the same level as the highest level of information stored in the container.

Clearance and need to know of the contents aside, maintaining control of combinations should include keeping access to the security container to the minimum necessary for good information security. For example, 10 cleared employees may need access to a document. However, these 10 cleared employees may not need access to the security container.

There are many ways to monitor and approve combination distribution.

One consideration might be shared container space. In the example of the 10 cleared employees above, the 10 may have classified documents collocated in the same security container with the classified documents of another group. All are classified at the same level, but not everyone has a need to know of each group's information. Need to know would be approved for those who are granted the combination. These few would be granted need to know and then given the combination. They could then distribute the contents as required.

Another consideration is classification of the combination. Not only is the classified information protected based on access and need to know, but the combination is also classified to the level of the information stored in the container. Therefore, it must also be protected by verifying employee clearance level and need to know controls. If the combination is written, the written combination should be marked properly and also stored in a security container. Protecting, documenting and accounting for the classified security container combination provides the controls necessary for proper information security. Combinations should be memorized. A good memory jogger is a word that matches the combination numbers. A combination reminder magnet helps.

Another consideration is availability. Of the 10 cleared employees in the above example, those granted access should be available throughout the working day to open and close the container.

Though not an exhaustive list of examples, each of the above cases requires thought. Of the cleared employees, which have need to know of the information in the security container? Then provide and maintain access to the combination at that minimum.

Where the classified combination is provided, it must be properly documented. The FSO should record the names of those to whom the combination is provided.

In cases where a cleared contractor is a one-person operation, that person serves as the FSO for that entity. The single-employee FSO is as critical as any other FSO. The main difference is that the single-employee FSO is the only one who has access to safe or vault combinations and to access control and alarm codes. If the employee dies or is incapacitated, a backup plan is necessary to better protect the classified material. In cases of sole employees, the FSO will give the combinations to DSS or to the home office if part of a larger organization.

VALIDATION:
  • Determine who has access to the security container combination.
  • Document the process to limit access to the combination to the minimum necessary.
  • Interview those who have access to the container and document how they enforce need to know of the contents before distributing classified information.
  • Demonstrate that the combination is treated as classified information. Verify that, if written or recorded, it is marked correctly and stored in a GSA approved container.
  • Demonstrate written policy that limits the number of those with access to the security container combination to the minimum necessary.
  • Security awareness training is provided that enforces the protection of combinations as classified and with limited distribution.
