Cleared contractor facility security officers (FSO) and
security specialists have a unique challenge. They protect classified
information and have lots of guidance on how to do so. However, they also have
to figure out how to best protect sensitive information based on competitive
budget requirements. Some of the forces acting on the budget include NISPOM, ITAR and other
regulatory requirements as well as actions required by a thorough risk
assessment.
The NISPOM is a prescriptive policy, meaning that FSOs and
security specialists have a list of “to do” countermeasures to protect
Government-identified classified contract information. For example, a secret
document should be stored in a GSA approved security container.
Other solutions that appear to be prescribed are actually standard practices.
Some industry standards include access control, alarms and CCTV. One might
think they are required, given their general acceptance and wide use. For
example, the NISPOM states that SECRET should be stored in a GSA approved
container. However, some might find it shocking that alarms are NOT required.
It is important to distinguish between the two: non-prescribed countermeasures
do protect classified information, but the trade-off is high cost and a focus
on the wrong protection measures.
Security is meant to provide the right amount of
countermeasures at the right place. Blanket countermeasures are costly and
burdensome, thereby abusing the intent of NISPOM.
Assigning security measures without a real risk or security
assessment seemingly provides protection and makes us feel better. Such actions
result in construction or modifications of cleared facilities to create
reinforced security fortresses built to withstand repeated break-in attempts.
However, the threat of these break-ins has not been established.
It makes sense to provide overwhelming physical security if
the security assessment requires it. However, there may be more pressing issues
and real threats to address that compete with the same budget. Following the
prescriptive measures of NISPOM may be the minimum, and engaging tougher
physical security measures may be the wrong course of action.
Suppose your risk assessment determines that the greatest threat
to sensitive information is forgetful and irresponsible employees. Adding badge
readers and alarms to negate the actions of a nonexistent threat of theft
doesn’t address the insider issue.
However, an aggressive procedure, policy and training program
focused on the real threat (bad habits) does help. For example, the real
threat may be a lack of understanding of how to protect intellectual property.
How do cleared employees work with, discuss, or demonstrate their technology
through reports, tradeshows, patents or press releases without inadvertently
transferring technical information? An intellectual property identification,
security training and compliance program would do more to protect the
information than guns and guards.
Jeffrey W. Bennett, ISP, is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.