One thing that I like about security professional organizations like American Society of Industrial Security Professionals International (ASIS) is their emphasis on giving to the community. The group sponsors scholarships, provides security services and training opportunities designed to help non-profit or not for profit organizations. Churches, charities, and students benefit from the generosity of local and national security professionals. In my own community I began to look at examples of how security professionals could contribute in a meaningful way.
The best examples I can give are what we have done in my neighborhood. For one organization in particular, I arranged for an FBI agent to present a small presentation on cyber security. The audience consisted of interested parties representing the community and various demographics. We had teachers, children, baseball teams and senior citizens all together for breakfast and training on a fine Saturday morning. The presenter gave valuable information derived from real data. The audience was appreciative and provided positive comments. This, of course was a few years ago. We are thinking of presenting it again since social networks like Face book, LinkedIn, and MySpace are so prevalent.
Just recently I invited a fellow security professional to present “Active Shooter” training for my church. I’ve known the presenter for the past few years as a result of NCMS (Society of Industrial Security Professionals) and ASIS. We’ve both spoken in the professional organizations’ seminars and luncheons. We’ve set up booths next to each other during conventions. One day while he thumbed through my latest book I had on display, he told me of his side business. I asked him his expertise and he said that he consults churches and non-profit organizations on security.
Coincidently, in a church meeting the next month our leadership raised concerns of recent violence in religious institutions during the past year. I thought of my friend and offered a solution. After a few months of planning, we hired him as a consultant. One Monday night, with over 50 people present, we learned how to possibly prevent or reduce the impact of an active shooter incident. Interestingly, we have police officers and federal agents at our church and many were in attendance. However, just because one is in law enforcement, does not necessarily mean they are an expert in a certain discipline. What we learned was how to plug law enforcement into the scenario and rehearse responses. The best part was that even though my buddy presented the training, my church leadership began to view my skills and training as a security professional in a new light.
So, how can you contribute to your community? The first step is to look at needs and trends. Look at the crime rate, high risk neighbors, gang affiliations, unique issues and national trends. You might consider identity protection, family security, loss prevention, anti-terrorism or cyber security training. Your security, operations security and risk management training offer very valuable opportunities to train volunteer based organizations with tiny budgets. Each community’s needs are different; however you may just have the necessary skills or connection to fill in vital gaps.
Information for the CIO, CSO, FSO, ISSO and other security professionals. Understanding NISPOM and ITAR compliance is tough. With over 12,000 cleared defense contractors, a majority of those don't have a security staff. We'll hope to help fill the gap. From security clearances to performing on classified contracts, you can find help here.
Friday, September 18, 2009
Thursday, September 17, 2009
Why FSOs and Defense Contractors Protect Classified Information
FSOs implement and direct security programs to protect classified information. As an FSO or a supporting security professional in this role, have you ever wondered how the classified information you protect gets its designation? We can find the answer in Presidential Executive Order 13292 . You may have heard and read reports of how over-classification results in unnecessary costs. You might also understand from similar reports of how under-classification can lead to compromise of sensitive information. To better prevent unauthorized disclosure and ensure that classification is assigned to only that information needing protection, the President has issued special guidelines. In cases where items may be assigned an original classification, four conditions must be met:
According to E.O. 13292, Sec. 1.1. Classification Standards. (a) Information may be originally classified if all of the following conditions are met:
(1) an original classification authority is classifying the information; Specifically, only the President and in certain circumstances the Vice President, agency heads designated by the President in the Federal Register, and appointed U.S. Government Officials can serve as OCA’s. Agency heads are responsible for ensuring that only the minimum amount of subordinate officials are delegated original classification authority. It is these Government checks and balances that ensure responsibility and accountability.
The President, Vice President, agency heads, and officials designated by the President can delegate TOP SECRET original classification authority. SECRET and CONFIDENTIAL original classification authority also may be given to senior agency officials who are designated by agency heads in writing. The authority may not be automatically re-delegated.
The original classification authorities attend training as identified in the executive order and other directives. The education is similar to annual security awareness training the FSOs are required to offer employees with security clearances. For example, they learn how to protect classified information, how to mark it, and how to handle dissemination in addition to learning how to determine the classification level.
(2) the information is owned by, produced by or for, or is under the control of the United States Government; An original classification authority may not determine a classification on anything that is not owned, produced or controlled by the U.S. Government. For example, the Government contracts a company to make a product important to national security. As part of the contract, the government will require that the company construct and assemble items that must be safeguarded at the SECRET level of classification. They will work with the contractor and provide direction and means for production, protection measures in addition to the stipulations of the contract. The company is then contracted to make defense articles or provide services that the Government owns.
(3) the information falls within one or more of the categories of information listed in section 1.4 of this order; and Classification levels are assigned to classified materials and information only if they fall into one of eight categories designated in the EO.
a. Military plans, weapons systems or operations
b. Foreign government information
c. Intelligence activities, sources or methods or cryptology
d. Foreign relations or activities of the United States including confidential sources
e. Scientific, technological, or economic matters relating to national security, including defense against transnational terrorism
f. U.S. programs for safeguarding nuclear materials or facilities
g. Vulnerabilities of systems, installations, infrastructures, projects, plans or protection services related to national security including terrorism
h. Weapons of mass destruction
(4) the original classification authority determines that the unauthorized disclosure of the information reasonably could be expected to result in damage national security, which includes defense against transnational terrorism, and the original classification authority is able to identify or describe the damage. This is the fourth and final requirement that must be met before an original classification authority can assign a classification level. Classification levels are designed to implement the proper level of protection. It is part of the risk management component of security. The consequence of loss of the information is part of the categorization process.
The impact of disclosure is categorized from reasonably causing “damage” for CONFIDENTIAL information through “serious damage” for SECRET information to “seriously grave damage” for TOP SECRET information. The EO 13292 states that the impact of loss or compromise of the information must be at one of the three defined levels in order to be assigned a classification. The other part is that the classifier should be able to describe or identify the damage. This measure again informs the user that the information is to be safeguarded at a necessary level and also to prevent the original classification authority from assigning a classification level needlessly.
According to E.O. 13292, Sec. 1.1. Classification Standards. (a) Information may be originally classified if all of the following conditions are met:
(1) an original classification authority is classifying the information; Specifically, only the President and in certain circumstances the Vice President, agency heads designated by the President in the Federal Register, and appointed U.S. Government Officials can serve as OCA’s. Agency heads are responsible for ensuring that only the minimum amount of subordinate officials are delegated original classification authority. It is these Government checks and balances that ensure responsibility and accountability.
The President, Vice President, agency heads, and officials designated by the President can delegate TOP SECRET original classification authority. SECRET and CONFIDENTIAL original classification authority also may be given to senior agency officials who are designated by agency heads in writing. The authority may not be automatically re-delegated.
The original classification authorities attend training as identified in the executive order and other directives. The education is similar to annual security awareness training the FSOs are required to offer employees with security clearances. For example, they learn how to protect classified information, how to mark it, and how to handle dissemination in addition to learning how to determine the classification level.
(2) the information is owned by, produced by or for, or is under the control of the United States Government; An original classification authority may not determine a classification on anything that is not owned, produced or controlled by the U.S. Government. For example, the Government contracts a company to make a product important to national security. As part of the contract, the government will require that the company construct and assemble items that must be safeguarded at the SECRET level of classification. They will work with the contractor and provide direction and means for production, protection measures in addition to the stipulations of the contract. The company is then contracted to make defense articles or provide services that the Government owns.
(3) the information falls within one or more of the categories of information listed in section 1.4 of this order; and Classification levels are assigned to classified materials and information only if they fall into one of eight categories designated in the EO.
a. Military plans, weapons systems or operations
b. Foreign government information
c. Intelligence activities, sources or methods or cryptology
d. Foreign relations or activities of the United States including confidential sources
e. Scientific, technological, or economic matters relating to national security, including defense against transnational terrorism
f. U.S. programs for safeguarding nuclear materials or facilities
g. Vulnerabilities of systems, installations, infrastructures, projects, plans or protection services related to national security including terrorism
h. Weapons of mass destruction
(4) the original classification authority determines that the unauthorized disclosure of the information reasonably could be expected to result in damage national security, which includes defense against transnational terrorism, and the original classification authority is able to identify or describe the damage. This is the fourth and final requirement that must be met before an original classification authority can assign a classification level. Classification levels are designed to implement the proper level of protection. It is part of the risk management component of security. The consequence of loss of the information is part of the categorization process.
The impact of disclosure is categorized from reasonably causing “damage” for CONFIDENTIAL information through “serious damage” for SECRET information to “seriously grave damage” for TOP SECRET information. The EO 13292 states that the impact of loss or compromise of the information must be at one of the three defined levels in order to be assigned a classification. The other part is that the classifier should be able to describe or identify the damage. This measure again informs the user that the information is to be safeguarded at a necessary level and also to prevent the original classification authority from assigning a classification level needlessly.
Subscribe to:
Posts (Atom)