Friday, May 25, 2012

5 Reasons FSOs Should Perform Self Inspections


Some would argue that self inspections are conducted ONLY at the midpoint between Defense Security Service (DSS) reviews. After all, that's the only requirement according to the National Industrial Security Program Operating Manual (NISPOM). For possessing cleared facilities, the midpoint is 6 months before the next annual review; for non-possessing facilities, it is 9 months into the 18 month review cycle. However, if you wait until the midpoint, you might be missing a great opportunity to proactively assess the state of security within your cleared contractor facility. Facility security officers (FSOs) can take the initiative to incorporate the security program into the organization's makeup.

The following are five valid reasons to conduct a self inspection:

1. When a new FSO takes over-When I was in the Army, we always held an inventory when someone on the hand receipt took over. For example, when I took command, we walked through all the property to account for it being both on hand and able to perform its stated purpose. Without such accountability, the incoming commander might inherit problems they may not otherwise be aware of.

2. The same logic applies to performing a self inspection. The incoming FSO should determine what kind of organization and security program they will inherit. The self inspection would indicate the state of classified documents on hand, whether or not certifications, accreditations and required clearance documentation are current and on hand, what classified contracts exist, the status of cleared personnel and records, and whether or not security policies are effective.

3. Classified contracts newly awarded-The FSO and supporting personnel should be intimately knowledgeable of classified contract requirements. The DD Form 254, statement of work, security classification guides and classified work requirements notify cleared employees of their performance measures. The FSO should understand these requirements and how they impact the company, the security program and training needs. Performing a self inspection will help the FSO understand whether or not the current policies, procedures and programs designed to protect classified information are effective.

4. Changes in the company, its ownership or its location-Anything affecting the facility security clearance or personnel security clearances should be reported to DSS. Changes in key management personnel, company relocation, re-designation of corporate structure, a company buyout, foreign influence and loss of classified contracts are just a few examples. The self inspection process can indicate the impact the changes will have on how the company protects classified information. This will also assist the FSO and DSS with any reporting criteria, changes in documentation, or necessary security program adjustments.

5. Problems in the security program-FSOs are responsible for maintaining a security program designed to protect classified information. If any protective measure is not effective, security violations increase, or training is ineffective, a self inspection should be conducted to determine the root problem.




FSOs should use the self inspection both to check the state of security and to understand how to better support classified contracts. Information derived from self inspections can be used as milestones to correct courses of action, improve training, and provide feedback to other managers. The FSO will better understand challenges, identify and fix them, and advise the enterprise on improving performance. The FSO is the key to maintaining the facility clearance; the self inspection is a tool to measure the effectiveness of programs.


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual" and "NISPOM/FSO Training". See Red Bike Publishing for print copies of Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.

Tuesday, May 22, 2012

Why Cleared Contractors and FSOs Should Perform Self Inspections

I could write the same old same old about government and National Industrial Security Program Operating Manual (NISPOM) requirements. However, such hammering would overshadow a great opportunity. Sure, the NISPOM requires that cleared contractors perform self inspections sometime between Cognizant Security Office (CSO) reviews, but that is not the compelling reason, nor does it capture the many rewards available to those who record the results of self inspections.

The Defense Security Service (DSS, the CSO for the Department of Defense) will look for self inspection results during regularly scheduled security reviews. If you have a possessing cleared facility, DSS will review annually. If non-possessing, the review will occur every 18 months. The NISPOM requires that a self review be performed midway between CSO reviews.

Now that we have the regulatory guidance out of the way, we can focus on the real reasons to perform the self reviews. An FSO who ties security into the DNA of the corporation has more valuable reasons for assessing the state of security than the regulation alone provides. The following are some very valuable lessons to share and reasons for getting corporate buy-in.

Here are 5 compelling reasons for cleared contractors to conduct self inspections:

1. Validate security procedures-An FSO can write a security procedure or policy, but unless it is validated, these policies aren’t worth the paper they are written on. A self review can identify what works and what doesn’t toward the ultimate goal of designing and documenting security programs that protect classified information. A self review can document, item by item and topic by topic, which procedures work. Results can be used to improve existing successful measures.

2. Educate employees-All employees can benefit from the self inspection. The event can be used to remind employees of procedures, to interview them to demonstrate whether or not procedures work, or to train them on the fundamentals. Engaging employees ensures the self inspection is a corporate event and not just something created by security. The results provide great security training as well.

3. ID problem areas and make corrections-Self-inspections not only reinforce successful programs, but also highlight areas for improvement. This includes inspecting personnel, information, contracts and other security disciplines. Whatever doesn’t work can be investigated and improved.

4. Prepare for government inspections-The CSO will review the self-inspection documentation. Be sure to not only download the self-inspection handbook from the DSS website, but identify topics that apply to your organization, inspect, and document the results. Be prepared to demonstrate the effectiveness of your program.

5. Verify protection of classified information-Self-inspections can solidify your program. By asking questions, investigating processes, inspecting markings, following the paper trail and using proper procedures, you can verify whether or not your program is working. By testing security procedures, educating employees and identifying problem areas, you validate your organization's ability to safeguard classified information. This is directly linked to DSS reviews and to your ability to maintain your clearance and perform on classified contracts.

Self inspections are certainly a part of the DSS or CSO security review process, and they are required by the NISPOM. However, if you want good results as well as an improved security program to protect classified information, use the five reasons we provided. Use these five goals as compelling arguments for getting the entire organization involved; that involvement provides the best results.

For more information see DoD Security Clearances and Contracts Guidebook.


The Defense Security Agreement-An Explanation


Required forms for facility security clearances
Aside from the SF 328, another required form for the facility security clearance process is the Department of Defense Security Agreement (DD Form 441). The Cognizant Security Office (the Defense Security Service (DSS) for the Department of Defense) will advise the contractor on how to fill out the forms and answer any questions the contractor may have.
Department of Defense Security Agreement, DD Form 441
The DD Form 441 is a security agreement between the contractor and the DoD and documents responsibilities of both the cleared contractor and the government in the protection of classified information. For example, the contractor agrees to implement and enforce the security controls necessary to prevent unauthorized disclosure of classified material in accordance with the National Industrial Security Program Operating Manual (NISPOM). The contractor also agrees to verify that the subcontractor, customer, individual and any other person has the proper need to know and has been awarded the proper security clearance level necessary to access classified information.
The U.S. Government agrees to provide security clearances to qualifying defense contractor facilities and personnel. They will also notify the cleared contractor of the security classification level assigned to classified information. The agreement states that the government will not over classify material and that they will notify the cleared contractor of any changes in the classification level. The Government will also instruct the contractor on the proper handling, storage and disposition of classified material. The Government also agrees to provide security clearances to eligible contractor employees. Classification and classified contract information is found in the contract related Security Classification Guide and DD Form 254.
The Government will also assess the contractor’s ability to protect classified material. For the DoD, this is done through an audit or review performed by designated DSS special agents. DSS will make an initial determination of a contractor’s ability to protect classified information. They will also assess and review at reasonable intervals the security processes, procedures and methods the cleared facilities use and determine whether or not they are in compliance with the NISPOM.

The DD Form 441 is required before a defense contractor receives its facility security clearance. Once complete and approved, the form is maintained at both the contractor location and DSS. It is a required item, subject to DSS review.




Friday, May 18, 2012

How to Keep Company Secrets | Inc.com

Another piece of business-saving advice is to identify and mark intellectual property or proprietary information. Many organizations simply neglect to document it. Ask the hard questions about what makes your product so special; that's what you want to protect. Identify what's special, document those findings and create steps to limit exposure. Consider Kentucky Fried Chicken: they are able to sell their product, but very few people actually know the secret blend of herbs and spices.


Saturday, May 12, 2012

What You Should Know Before Taking the ISP Certification Exam


What You Should Know About the ISP Certification-The Industrial Security Professional Exam

  • Almost all of the test answers can be found in the NISPOM; if you can answer most of the questions, you can pass the exam.
    • Pass or fail is based on the entire test.
    • You are not penalized for failing portions or electives; only the overall score counts.
  • Practice using the searchable electronic NISPOM version with ISLS. Practice the way you expect to test.
  • Use sample questions and use the "search" function to find answers in the online NISPOM.
    • This reduces time and increases the probability of passing.
  • Some questions can be answered with a word-for-word search. Know how to search PDF documents (the NISPOM).
  • Some questions can be answered with a topical search.
  • Know in which chapter an answer can be found, by topic (Chapter 1-policy, structure and inter-agency coordination and hierarchy; Chapter 3-Training; Chapter 8-Information System Security; etc.).
    • Don’t memorize the NISPOM; just know how to word search or narrow the information to the appropriate chapter.
    • Be familiar with chapter headings and contents.



We hope this has been helpful with your ISP Certification studies. Our intent is to complement your preparation with a beneficial study guide. If you found this training beneficial, consider ordering our book: ISP Certification-The Industrial Security Professional Exam Manual or the ISP Certification preparation training.



5 Challenging Industrial Security Professional Exam Questions

Try these 5 challenging questions from Red Bike Publishing's "ISP Certification-The Industrial Security Professional Exam Manual", by Jeffrey W. Bennett, ISP, SFPC.


1. A facility at which only one person is assigned shall establish procedures for CSA notification
after _____ or _____.
a. Death, incapacitation
b. Termination, resignation
c. Compromise, unauthorized disclosure
d. Bomb threat, natural disaster
e. New hire, replacement

2. Contractors shall conduct formal self inspections at intervals consistent with:
a. Risk management principles
b. DSS inspection dates
c. FSO determination
d. Previous results
e. All of the above

3. Concerning the Information Sensitivity Matrix for confidentiality, what qualifiers match the
Basic level of concern?
a. TOP SECRET and SECRET Restricted Data
b. Confidential
c. SECRET and SECRET Restricted Data
d. UNCLASSIFIED
e. FOUO

4. In the Protection Profile Table for Integrity, which Backup and Restoration of Data is required for
High?
a. Backup 1
b. Backup 2
c. Backup 3
d. Backup 5
e. Backup 6

5. Pure servers are systems with which of the following characteristics?
a. User code is present on the system
b. All users can access the system
c. The system provides non-interactive services to clients
d. The risk of attack against the Security Support Structure is high
e. The hardware providing network services doesn’t meet security requirements

6. The _____ has the authority to create or discontinue SAPs.
a. NSA
b. DoD
c. DNI
d. DOA
e. GCA


Answers:

1. a
2. a
3. b
4. c
5. c
6. c





Wednesday, May 9, 2012

Help, We've Been Hacked




For those of you who may have noticed, my website has been hacked, pranked or whatever. I don't know what the intent was or why someone would target a small niche company. What's the ROI or bang for the buck? Not sure, nor am I sure anyone will notice.

So, just to be sure they get the full exposure, and since I don't know how to remove it, I'll embrace it. Thanks random hacker....

You can see it for yourself at

www.redbikepublishing.com/about

Crazy, right....





Thursday, May 3, 2012

How Personnel Security Clearances are Granted


Employee Access to Classified Information
The Defense Industrial Security Clearance Office (DISCO) processes security clearances for organizations falling under the NISP. According to Executive Order 12968—Access to Classified Information, employees should not be granted access to classified information unless they possess a security clearance, have a need to know the classified information involved, have received an initial security briefing and have signed a nondisclosure agreement.

Oversight of NISP Within Cleared Contractor Facility
The Facility Security Officer (FSO) is a position that the defense contractor must appoint during the Facility Clearance (FCL) approval process. The FSO implements a security program to protect classified information and requests investigations for employees who require a security clearance. This means all cleared contractors must appoint an FSO. It could be the business owner in a small organization or an employee with an additional duty. The primary qualifications of an FSO are to be a US citizen and to have a Personnel Clearance (PCL) at the same level as the FCL. It is possible for an FSO to be the sole employee in the company.

Oversight of Defense Contractor to Government
The contractor and DSS have joint responsibilities in the PCL process, as they do in the FCL process. When the FCL is being granted, key employees should complete a Questionnaire for National Security Positions, also known as Standard Form 86 (SF 86). Part of the process includes ensuring that the applicants are US citizens. They submit the application to the FSO, who then submits the applications to DISCO. An investigation is conducted and the central adjudication facility (CAF) makes a security clearance determination. The determination is then entered into the Joint Personnel Adjudication System (JPAS), the Department of Defense provided system where security clearance information is stored. Other government organizations may have different systems. Once the determination is entered into JPAS, the FSO can grant access based on need to know and the clearance level.


Security Clearance Process
The SF 86 is the main area where the applicant can affect the speed of the security clearance process. A properly filled out application form is the key. Incomplete or inaccurate information is the number one cause of clearance delays. Names, addresses, telephone numbers, and dates of birth for relatives should be gathered as background research. Fortunately, the SF 86 form is online and only needs to be filled out once. When a clearance is up for renewal, the applicant can log in to their SF 86 and make updates.

DSS and FSOs use JPAS to update personnel information. This system allows instantaneous updates of records as well as notification of access, denial or revocation of clearances. At the time of this writing, there are more than 89,000 users of JPAS and 23,000 are from defense contractors.

Not everyone investigated is guaranteed a security clearance. In some instances a clearance can be denied, revoked or suspended. The employee’s background is investigated thoroughly for the initial clearance and again every five to fifteen years, depending on the required security clearance level, for as long as the clearance is maintained. In the event that a security clearance is denied, suspended or revoked, DSS will also notify the FSO. The FSO will then deny that employee access to classified material and update JPAS.



Industrial Security Management Overview


Learn how to make your organization compliant in protecting classified information and win more contracts. This course is designed for security managers, officers, contracts personnel, human resource personnel, and others who wish to increase their knowledge of the National Industrial Security Program Operating Manual (NISPOM) and their ability to correctly interpret and apply the specifications detailed in the NISPOM. Those already performing on classified contracts can sharpen their skills, prepare for the Industrial Security Professional Certification exam, and develop new ideas on how to implement and direct a security program to protect classified information. Included with the course is the text DoD Security Clearance and Contracts Guidebook: What Contractors Need to Know About Their Need to Know.

Topics Include:
Overview of the NISP and NISP Operating Manual
Performance expectations on classified contracts
Responsibilities of the Facility Security Officer
Facility/Personnel Security Clearances
Receiving, documenting, accountability, and dissemination of classified information
Employee security awareness
Shipping and reporting requirements
Prepare for the DSS annual review

Session: C2512048
Schedule: Every day, starting on 05/21/12 and ending on 05/23/12
Times: 08:00am - 05:00pm
Price: $795.00

Instructor Biography:

Jeff Bennett, ISP, MBA is a former Army Officer with logistics, intelligence and security know-how. He is experienced as a Facility Security Officer with compliance responsibilities for DoD contractors. He holds both the FSO Program Management Certification and the Industrial Security Professional Certification and is the author of ISP Certification - The Industrial Security Professional Exam Manual and Managing the Security of Classified Information and Contracts.

Facility Name: Wilson Hall Room 212
Address: John Wright Drive, UAHuntsville Campus
City: Huntsville
State: AL
Zip: 35899