You might already know how to write policy that reflects the NISPOM and export compliance or ITAR regulations. That might very well be an easy task for you. Just like the ISP certification mentioned in an earlier post, the policy itself should not be the catch-all solution. Just as the certification complements the bearer's capabilities, the policy should complement the processes and procedures you have in place.
Policy tells what should happen and is in itself easier to write and have approved than the how-to found in processes and procedures. Even if you do not know how to write policy, you can always download boilerplate standard practice procedures, a technology control plan, or sample security policies from Defense Security Services (DSS), or obtain them from fellow security professional organization contacts. What won't be so easy to find is policy tailored to your specific needs and guidance on how to incorporate it into company business. That will require teamwork with other business unit managers.
Some of the reading audience might understand better than others that most policies exist as "gotchas". In other words, policies can be used as a basis for discipline. However, unless the policy is part of the company DNA, most employees may not even know it exists.
For example, suppose you are trying to implement procedures to support your customer's requirement of approving public release information as identified in the DD Form 254 for cleared contractors. You know it's a requirement, but your company continues to publish contract-related information in news releases and on the website without customer approval. To solve this problem, you could:
1. Write a policy and wait for employees to read and comply. If they do not, you can nab them later, pointing out their shortfalls.
2. Create policy, coordinate with others to create supporting trigger points and courses of action, shop it to all the managers, work together to develop a workflow, and check the progress.
Option two works best because it will be part of an organizational solution and not "just another thing to do." Option one will cause all kinds of trouble and leave the situation unresolved.
An FSO is designated to develop security policy to protect classified information. However, this is not a task that should be undertaken alone. The entire organization should take part. Just as human resources, facilities, finance and other business units seek the cooperation of the enterprise, the FSO should get similar buy-in. With approved and accepted procedures in place, the policy will be easily supported.
For more information on establishing security procedures, see DoD Security Clearances and Contracts Guidebook.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.