Monday, September 23, 2013

Try the ISP Certification Practice Questions

Are you studying for the ISP Certification Exam? If so, try these questions. There are 440 more just like them in Red Bike Publishing's Unofficial Study Guide for: ISP Certification

1. Subcontracted guards must be under a classified contract with which of the following:

a. GCA, CSA

b. CSA, DSS

c. Cleared contractor facility, Installing alarm company

d. Monitoring station, Installing alarm company

e. All the above


2. Contractors who extract classified information are making _____ decisions:

a. Reasons for classification

b. Security Classification Guidance

c. Derivative classification

d. Classification

e. Classified document


3. A U.S. contractor’s requirement to maintain custody, control and storage of classified information abroad is the responsibility of:

a. GCA

b. U.S. Government

c. CSA

d. State Department

e. DGR


4. U.S. RESTRICTED AND FORMERLY RESTRICTED Data is marked all EXCEPT:

a. COSMIC TOP SECRET ATOMAL

b. NATO RESTRICTED ATOMAL

c. NATO CONFIDENTIAL ATOMAL

d. NATO SECRET ATOMAL

e. None of the above



Scroll down for answers:




1. Subcontracted guards must be under a classified contract with which of the following:
c. Cleared contractor facility, Installing alarm company (NISPOM 5-903a4)

2. Contractors who extract classified information are making _____ decisions:
c. Derivative classification (NISPOM 4-102)

3. A U.S. contractor’s requirement to maintain custody, control and storage of classified information abroad is the responsibility of:
b. U.S. Government (NISPOM 10-602a)

4. U.S. RESTRICTED AND FORMERLY RESTRICTED Data is marked all EXCEPT:
b. NATO RESTRICTED ATOMAL (NISPOM 10-701)







Saturday, September 21, 2013

Applying Risk Analysis to Cleared Defense Contractors

DSS has announced the Vulnerability Assessment Rating Matrix 2013 Update. The matrix provides a good way to gauge a security program. Even though the threat, vulnerability and impact are already identified, an FSO should still use a risk assessment model. The way to earn good evaluations and justify enhanced measures is to analyze how classified information is protected and demonstrate how the NISPOM is implemented. A risk analysis provides that answer.

The NISPOM and other guidance make our jobs easy. For example, if it’s classified, lock it up in a GSA-approved container and limit access to those with a clearance and need to know. The above is simplified for discussion purposes, but it makes the point: there is another piece to protection, and that is analysis.

You might be familiar with the terms susceptibility, vulnerability and risk analysis. These are analyses that we in the defense industry should be practicing regularly, but as demonstrated above, the NISPOM makes it easy for us to get by without any analysis at all.

Let’s look at the terms in ways we can apply them. Susceptibility is the evaluation of the assets on hand and prioritizing them for protection; at this stage there is no defined threat. For example, I am susceptible to malaria. However, I do not have to take any countermeasures as long as I stay away from areas known for malaria outbreaks. Once I plan to travel to such an area, I need to take precautions.

Suppose a contractor makes helicopter harnesses. Its assets are proprietary processes, harnessing material, know-how, customer drawings, inventory and facilities. For susceptibility, a security manager would work with stakeholders and customers to prioritize the assets and determine which are the most valuable and worthy of the most security effort. The security manager would then implement best practices to protect those assets against general threats. We don't know who the bad guys are or what they want; we just want to make the product hard to get. Security might put sensitive items under lock, key and alarm, limit access to sensitive information and issue employee badges to keep non-employees out of the work area.

Vulnerability is susceptibility in the presence of a threat. I am susceptible to malaria, but now I'm going on a trip to Nepal, where malaria is documented. I now have documented evidence of a threat and an impact: I could become very sick and possibly die. Now I am vulnerable to a threat.

Back to the contractor making harnesses for helicopters. The project manager has just learned that employees from other contracts are "borrowing" inventory to fulfill their own customer requirements. This team is vulnerable to not having enough inventory to meet its customer's requirements. We now have documented evidence of a valid threat, with the impact of a possible schedule slip.

A risk analysis looks at the identified vulnerability and applies tailored countermeasures to reduce the likelihood or the impact of the threat. I don't want to die, so I conduct a risk analysis. I could take the risk-averse direction and simply not go to Nepal, but that's out of the question. Another option is to accept all the risk and take my chances that I will be one of the fortunate ones. Or I could go to the doctor and get a preventive treatment that protects me even while I am exposed. My further risk assessment would weigh the different kinds of treatment with their various dosage schedules and side effects.

The contractor making helicopter harnesses should conduct a similar risk analysis. He could be risk averse and move his employees to a dedicated area with exclusive access control, but the cost would outweigh the risk. He could accept all the risk and continue as before, but the threat would keep reducing his capability. He could also conduct further analysis and come up with low-cost or no-cost solutions that address the threat: move the inventory bin to a location where it is easily observed, inform the program managers of the other programs of their employees' unacceptable behavior, and so on.

A risk analysis begins with a susceptibility analysis and ends with ensuring that adequate countermeasures exist to prevent loss. Even though the NISPOM addresses the requirements for operating under the National Industrial Security Program, the FSO should address susceptibility, vulnerability and risk for all assets at the cleared facility. Each cleared contractor works with classified information in varying environments and degrees of difficulty. The NISPOM can’t address every situation, but risk analysis can.




Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Vulnerability Assessment Rating Matrix 2013 Update

In case you haven't seen the release (http://www.dss.mil/isp/fac_clear/security-rating-matrix.html), DSS has announced the Vulnerability Assessment Rating Matrix 2013 Update. This matrix gives DSS a consistent way to gauge a cleared defense contractor's compliance with the NISPOM, but it also gives the contractor a methodology to evaluate its own performance. Think of it as a way to enhance your own self-inspection.

But let’s go back to DSS, what are they looking for in this analysis?

During the annual review, DSS will look at a cleared facility and run through a consistent and reliable process to determine whether or not procedures are in place to adequately protect classified information. As mentioned earlier, the threat and impact are already identified. So, in this context, vulnerability is simply a gap between the protection measures prescribed in the NISPOM and what the inspection finds in place, not an analysis conducted by the FSO.

Per DSS, a vulnerability occurs when a contractor is not in compliance with the requirements of the NISPOM. DSS then categorizes the vulnerability as an "Acute Vulnerability", a "Critical Vulnerability" or a "Vulnerability".
Per the DSS website, the following further defines each category:

*Acute Vulnerability: Those vulnerabilities that put classified information at imminent risk of loss or compromise, or that have already resulted in the compromise of classified information. Acute vulnerabilities require immediate corrective action.
*Critical Vulnerability: Those instances of NISPOM non-compliance vulnerabilities that are serious, or that may foreseeably place classified information at risk or in danger of loss or compromise.

Once a vulnerability is determined to be Acute or Critical, it shall be further categorized as "Isolated", "Systemic", or "Repeat".

*Isolated - Single occurrence that resulted in or could logically lead to the loss or compromise of classified information.
*Systemic - Deficiency or deficiencies that demonstrate defects in an entire specific subset of the contractor's industrial security program (e.g., security education and awareness, AIS security) or in the contractor's overall industrial security program. A systemic critical vulnerability could be the result of the contractor not having a required or necessary program in place, the result of an existing process not adequately designed to make the program compliant with NISP requirements, or due to a failure of contractor personnel to comply with an existing and adequate contractor policy. These defects in either a subset or the overall program may logically result in either a security violation or administrative inquiry if not properly mitigated.
*Repeat - Is a repeat of a specific occurrence identified during the last DSS security assessment that has not been properly corrected. Note: Although some repeat vulnerabilities may be administrative in nature and not directly place classified information at risk to loss or compromise, it is documented as critical.

*Vulnerability: All instances of non-compliance with the NISPOM that are not acute or critical vulnerabilities.

But what can you do as a cleared defense contractor? Do you have to sit back and wait for an inspection? Do you just implement the NISPOM without thought into the security program? Well, you could, but…

In the case of the NISPOM and DSS, the vulnerability is already identified. We already know what the threat is: unauthorized access to classified information. We already know what the impact is: potential damage to national security. We already know what the risk analysis recommendation is: follow the practices prescribed in the NISPOM. If you just do that, you might get by. But what if you went the distance and conducted a risk analysis? Think enhancement as you implement risk analysis in the following steps:

Susceptibility analysis: We know what the assets are, we know what the threat is and we know what the impact of loss is. We might be tempted to skip this step. However, what if you could demonstrate that you not only have a program for protecting classified information, but also a program to identify proprietary information, processes, export controlled information, FOUO and similar material that is equally important but not covered by the NISPOM?

Vulnerability analysis: We know what the assets are from the susceptibility analysis, but we might not have a clear threat. There are other places we can go to identify a general threat: the State Department, the Department of Justice, the FBI, DSS and other agencies publish reports documenting theft of contractor information. That is enough to get an idea of who the bad guys might be and what they want. You then have to identify the impact of loss or compromise. Do you lose a product? Does an audit team descend on you? Do you get a fine from the State Department or the Commerce Department?

Risk Analysis: Weigh the threat and the impact and determine whether or not you need to implement protective measures that are more stringent than the NISPOM baseline and general best practices.

The Vulnerability Assessment Rating Matrix 2013 Update provides a good way to gauge a security program. Even though the threat, vulnerability and impact are already identified, an FSO should still use a risk assessment model. The way to earn good evaluations and justify enhanced measures is to analyze how classified information is protected and demonstrate how the NISPOM is implemented. A risk analysis provides that answer. See our next article for more tailored ways to set up a risk analysis.




Wednesday, September 4, 2013

Try these ISP Certification Training Questions

Get your copy today

I'm preparing to take the SPeD exam for another of their certifications. I'm reminded that good study habits and practice tests HELP prepare for the exam. Study builds confidence and practice questions build endurance. Whether protecting classified information at a cleared defense contractor facility or federal agency, Red Bike Publishing’s Guide to ISP Certification-The Industrial Security Professional is for you. If you are serious about advancing in your field, get ISP certified. Some are reluctant to take the test, but they just need the confidence earned through practice.

First, to meet the minimum test requirements an applicant should have five years' experience working in the NISPOM environment. If that’s you, then you are a technical expert and know the business of protecting classified information.

Second, study this book to practice, practice, and practice. It can help you prepare for the test.

Using practice tests to augment your ISP exam preparation will help. This book is the only one featuring four complete test-length practice exams available for the ISP Certification.


It teaches insightful study tips designed to show you how to form study groups, network, seek out opportunities and learn your way around the NISPOM, and it includes four exam-length practice tests. According to reader comments and emails to the author, many who have bought this book, the ISP Test Tips, and used our techniques to augment their preparation have performed very well on the exam.

Again, this is the most important resource offering the largest volume and most comprehensive study questions available.

Try these questions to see how you do:

1. All of the following should be documented on the SF86 EXCEPT:
a. Deceased parents
b. Deceased father-in-law
c. Deceased mother-in-law
d. Deceased cousins
e. All should be reported

2. How long will the FSO maintain a copy of an employee’s SF 86?
a. Five years
b. Ten years
c. Until clearance is granted or denied
d. Until employee terminates employment
e. 180 days

3. Refresher security training for cleared employees must be completed at least:
a. Every six months
b. Annually
c. Quarterly
d. Every three months
e. Upon discretion of FSO

4. Central monitoring stations shall be required to:
a. Indicate whether or not system is working
b. Have video surveillance
c. Have remote access to doors
d. Report hourly to guards
e. Call periodically during storms

Scroll down for answers




1. All of the following should be documented on the SF86 EXCEPT:
d. Deceased cousins

2. How long will the FSO maintain a copy of an employee’s SF 86?
c. Until clearance is granted or denied (NISPOM 2-202b)

3. Refresher security training for cleared employees must be completed at least:
b. Annually (NISPOM 3-107)

4. Central monitoring stations shall be required to:
a. Indicate whether or not system is working (NISPOM 5-902c)





Sunday, September 1, 2013

Security Education for both experienced and novice cleared employees


Why does everyone have to have the same training? Sure, every cleared employee receives the initial training and the annual refresher training, but do they have to be the same presentations? After all, we are not cut from the same cloth; we've got varying degrees of experience, right?


New Employees, New Clearance


Great questions, and perhaps you have heard them from your employees. I know I have. In response, FSOs could consider dedicating more security awareness training to new employees who will hold a security clearance for the first time. The rationale is that, because they are being newly introduced to sensitive and classified government information under the National Industrial Security Program Operating Manual, they should learn the fundamentals:



The nature of classified material and how to protect it
Notice of their responsibilities to protect classified information and the consequences of unauthorized disclosure
Recognizing and protecting U.S. and foreign government classified material
Criteria for authorizing access to classified information
Responding to classified information released to the public
Security chain of command and support structure for addressing security incidents and violations
Cleared employees on foreign travel
Defining CONFIDENTIAL, SECRET and TOP SECRET

Keep it fundamental and appropriate. For example, the newly cleared employee may not understand how to dial a combination or determine who to allow access to classified material. Without proper training, the newly cleared employees may make honest mistakes leading to security violations.


Cleared facilities with new employees who already have security clearances


Cleared facilities with new employees who have already received security clearances still have a responsibility to provide the initial security briefing. The new employees may have experience protecting classified material, but there is no way to verify the type and depth of that experience. Unique contractual requirements may also impose specialized performance requirements. Therefore a modified security awareness briefing, specific to the company policies as they relate to the NISPOM, may be in order. This briefing may focus more on the specifics of performance on classified contracts and less on security fundamentals.


Annual Refresher Training


In addition to the initial security briefing, cleared contractors are required to provide annual refresher training. This training should build upon the NISPOM fundamentals and on-the-job training. The training covers the same topics as the initial security briefing, with the addition of any changes in the NISP since the last training event. These changes occur whenever an executive order is amended, DSS updates its regulations, or any other administrative or procedural update affects cleared facilities and employees.

Closer to home, the additional subjects could include the security requirements of new classified contracts and updated security hardware, software, alarms or procedures impacting the work force. Newly constructed facilities, updated emergency procedures, local security policies and procedures, the addition of classified computer processing, or any other new classified work introduced to the organization are also excellent topics for training.

A good security program might document continuous training on a recurring basis; not just one session per year. Whatever the frequency, the training should be documented to demonstrate each cleared employee’s participation.

Take a lesson from schools, as students progress in knowledge, so do courses in technical difficulty. Employees have varying skill levels and should be trained accordingly. Keep training fresh and alive, know your audience and seek to improve their skills. It will make your security program easy to manage.





For more training ideas, see DoD Security Clearances and Contracts Guidebook

FSO Led, Employee Owned Policy-Making Policy Through Leadership

Security managers sometimes fight lonely battles to get policy in place to protect enterprise assets. Sometimes we’ve created multi-page documents outlining the do’s and don’ts of sound business practices and how to prevent spillages and leaks of sensitive information. These products are then staffed, hacked up and sent back, re-written and, maybe a year later, they join the growing number of compliance policies in the enterprise warehouse. Policy is incredibly important, but it can be implemented with much less effort on the security manager’s part. More impact with less effort? Sounds like a winning combination.

Step one, sound security practices are best implemented when they are someone else’s idea. These policy battles don’t have to be won single-handedly if they are part of everyone’s fight. For example, depending on the enterprise structure, the following could be true:

hiring the right employees is Human Resources (HR) job
research and development belongs to program management
buildings belong to facilities
public release reviews belong to business development
Instead of writing a lengthy security policy, review existing policy and make sure HR requires background checks on all employees, program management practices system security engineering to engineer out risks, and business development has a public release process that protects trade secrets and customer information.

Step two, interview the business units to determine what assets require protection. The subject matter experts understand their business and know what is valued and what that value is. HR protects personally identifiable information, program management can identify sensitive processes, and facilities has the layout for physical security.

Step three, identify impact of loss. Will it shut down business, will loss be negligible, will the customer pull contracts? Determine the impact to get an understanding of what resources need to be allocated and protective measures put in place.

Step four, brief the SME policy makers on the identified assets and impact of loss or damage. This is to emphasize what was discussed and the agreed upon actions. “We’ve identified that all requests for public release must go through the subject matter expert, the first VP in the rating chain, security and forwarded to the customer. Do we have that process documented and in practice?” If so, there’s your policy to protect sensitive information. If not, then the owner of the process (in this case business development) takes responsibility to add this to the enterprise policy.


Continue this throughout the organization. As a risk or security manager, you’ve just had other business units develop and implement policy that supports your role in asset protection. Though the working groups are security led, others own the process, document and enforce it. You get all the credit.

For more ideas of security policy see DoD Security Clearances and Contracts Guidebook


 
