Gates and guards seem to be the backstop of most security efforts. However, without
a real risk or security assessment, these efforts only go so far. Many Facility
Security Officers (FSOs) and cleared employees work within the walls of
impenetrable, fortress-like structures. These reinforced security bunkers are
built to withstand repeated break-in attempts and maintain state-of-the-art
alarms, closed-circuit television cameras, and card readers that can resist
and detect most types of intrusion, but…

…when was the last time you read of an intruder breaking into a cleared facility
and cracking a security container to run off with secrets? What do DSS,
security educators and security practitioners preach as the biggest threat?
Sensitive information available in the public sector, trusted employees
transferring technical data to adversaries through seminars, emails, or just
walking out of secure facilities with it.

Without addressing the real threat, the security community continuously pumps resources
into protecting sensitive information primarily with physical security. Cleared
employees are trained how to properly mark, store and disseminate
classified information, but are not taught how to communicate effectively without
inadvertently disclosing sensitive information. One example is a scientist
disclosing intellectual property, proprietary information or export-controlled
data at a conference or symposium. In other words, how do sensitive program
employees work with, discuss, or demonstrate their technology without
transferring technical information?

There’s another threat. According to this article, http://www.reuters.com/article/2012/06/13/us-media-tech-summit-symantec-idUSBRE85B1E220120613,
there is an imminent cyber threat. Even though we are aware of this vulnerability,
we are unprepared to protect information on servers and computers.

Recognizing that there are more obvious threats than cat burglars, here are 5 ways you can develop
real countermeasures and strengthen security in your facility.

1. Perform risk analysis. Make sure you know what you know. Conduct a crime search by zip code, research the weather, form working groups and determine what needs to be protected. List the threats, vulnerabilities and impact. Then form your security plan.
2. Determine government requirements. If you fall under NISPOM, HIPAA or another regulation, these trump your risk analysis and must be considered. Make sure your security plan equals or exceeds the government requirements.
3. Understand contractual requirements. FSOs can get valuable information from the DD Form 254, statements of work and security classification guides.
4. Develop a security program based on numbers 1-3. Include the risk, develop and implement countermeasures, and incorporate NISPOM and other regulatory requirements. Identify the threat, determine the risk of the threat, and document impact and countermeasure costs.
5. Train employees to meet the security program requirements.

Gates and guards are the most visible and popular method of security. Considering the
real threat, they may be the least useful. It is almost impossible for an
adversary to break in, but very easy for an authorized employee to walk out
with the secret sauce.

For more information on conducting risk analysis and creating countermeasures, see
“DoD Security Clearance and Contracts Guidebook”.

See the article about cyber threats below.

Leading cyber experts warned of a shortage of talented computer security experts in the
United States, making it difficult to protect corporate and government networks
at a time when attacks are on the rise. Symantec Corp Chief Executive Enrique
Salem told the Reuters Media and Technology Summit in New York that his company
was working with the U.S. military, other government agencies and universities
to help develop new programs to train security professionals.

"We don't have enough security professionals and that's a big issue. What I would
tell you is it's going to be a bigger issue from a national security
perspective than people realize," he said on Tuesday. The warnings come at
a time when the security industry is under fire for failing to detect
increasingly sophisticated pieces of malicious software designed for financial
fraud and espionage and failing to prevent the theft of valuable data. More
<http://www.reuters.com/article/2012/06/13/us-media-tech-summit-symantec-idUSBRE85B1E220120613>

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books, including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.