Engage your company with the aggressive insider threat countermeasures that the government and its contractors apply to ensure a sound security program. One of the best is the continuous evaluation program used by cleared contractors and their cleared employees. Though it is applied to those with government security clearances, it can be adopted to benefit other enterprises as well. Of course, you will have to consider legal guidance and the protection of personal information.
Here’s how it works in the defense contractor community. An employer determines that an employee requires a security clearance based on a defense contract requirement. Once the contractor submits a security clearance request, the employee is subject to a rigorous background investigation and adjudication process. If the results are favorable, the employee is granted a security clearance.
So, why not continue this process throughout the cleared employee’s employment?
Responsibilities don’t stop with granted access. These now cleared employees are given a periodic review every 5 to 15 years, depending on clearance level. During the periodic review, the investigation and adjudication process is repeated.
Throughout their employment, cleared employees are required to report any information that could lead to a determination that the cleared employee involved has become a security risk. This is called adverse information reporting. Cleared employees are required to report adverse information on themselves and on other cleared employees. Failure to report could be discovered during the periodic review.
Why the drastic measures?
You might recall news articles about captured spies. Many were enterprise employees who provided unauthorized information to unauthorized persons. Experience demonstrates that these employees had displayed signs and habits related to their intent. Extra time at the copy machines, unauthorized collection of data on storage devices, taking work home, emailing sensitive information and the like provided indicators of malicious intent. These days, it should be well understood in the National Industrial Security Program (NISP) community that employees help monitor for insider threat.
The NISP has tied such reporting to job performance and future employment (think report or perish). To be successful, FSOs provide NISPOM-based programs staffed with well trained, knowledgeable and dedicated employees. This plan will help curb insider threat.
Continuous evaluation involves identifying reportable information. So, why not apply a degree of continuous evaluation to address any behaviors that would identify an employee as a security risk or insider threat? If your company performs sensitive work, you are already aware of the risks to product, proprietary information, trade secrets, personal information and the like.
So, why go through the excruciating work of identifying classified, sensitive, proprietary, intellectual or other protected information, only to be unable to control what employees do with it?
How does reporting help?
Reportable information involves a long list of events that may be far too involved to memorize. That’s where your NISPOM training comes in. It’s not so important to be able to recite the reportable incidents as it is to understand why they are reported. In other words, the impact of adverse information matters more than the laundry list of reportable items.
The best approach is to explain the impact that spies have had. Many cleared employees had observed reportable behavior and failed to report it. The impact of not reporting has cost lives and programs and damaged national security.
What’s the best method for instituting a reporting program?
Break the long list of events down into bite-size portions or categories, and define the impact to the enterprise and to national security of a failure to report the adverse information.
As an example, you will not see an exhaustive list of the reportable information in this article. However, I can relay to you the following.
Continuous evaluation involves identifying reportable information. Though you might not have employees with security clearances, you’ve hopefully instituted background checks. These checks typically look into:
- Credit
- Education
- Past jobs
- References
- Criminal records
Many sources are used to get a clear 360-degree understanding of the person the company is hiring. So, why not apply a degree of continuous observation to address any behaviors that would identify a risky employee? If your company performs sensitive work, you are already aware of the risks to product, proprietary information, trade secrets, personal information and the like. The following is a list of events you might adopt into your continuous observation criteria:
- Corporate espionage
- Theft
- Sabotage
- Sexual harassment
- Drug and alcohol abuse
- Employee relations
Some reporting requires a great deal of personal integrity, because the subjects are co-workers or friends, or because personal matters are involved that nonetheless amount to security violations.
The point is that the greatest risk to proprietary information and product comes from within the organization. Yes, trusted and vetted employees pose a significant risk. The cloak-and-dagger image of spies is just a small part of the picture.
Since this is the greatest threat, why not take the time to develop a program to ensure that employees continue to demonstrate the ethical and legal behavior that earned them their employment in the first place? Identify what needs to be protected, enforce clearance and need-to-know, and foster a healthy reporting environment. If not, an employee could volunteer, or be pressured or coerced, to steal data or items.
For more information on the NISPOM and related security matters, see DoD Clearances and Contracts Guidebook. Many of the lessons can be applied at non-DoD enterprises.
Jeffrey W. Bennett, ISP, is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include "Get Rich in a Niche: Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment: A Novel". Jeff is an expert in security and has written many security books, including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification: The Industrial Security Professional Exam Manual" and "NISPOM/FSO Training". See Red Bike Publishing for print copies of Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.