Posts

Showing posts from February, 2014

How to study for the ISP Certification using the Self-Inspection Handbook for NISP Contractors.

In our security community, I see a lot of questions about studying for the ISP Certification. Some ask for additional ideas to augment the good study groups formed in NCMS (Society of Industrial Security Professionals). These questions draw great responses from ISPs who help the student prepare for the certification exam. One of the many reasons candidate testers might have for requesting additional study is to gain more experience and practice what they already know. It's true that one of the testing prerequisites is five years of experience protecting classified information or otherwise working in the National Industrial Security Program (NISP) environment. However, the five years of experience doesn't necessarily mean that the candidate is executing all National Industrial Security Program Operating Manual (NISPOM) tasks. The tester is responsible for answering questions from the entire NISPOM though they may only personally touch small portions of the NISPOM in all of those fiv...

What Kind of Security Training Should FSOs Give to Uncleared Employees?

It's true, cleared defense contractors have uncleared employees. In larger organizations, these employees may work in shipping and receiving, maintenance, human resources and other non-program development areas. The organization should develop policy and training to be incorporated into the procedures that protect classified information. How would an uncleared employee have access to classified information? Hopefully never, but mistakes happen when such instances are not identified. Cleared employees could possibly find unattended classified information, unlocked security containers or stumble into classified conversations. Sometimes classified information is delivered to the wrong recipient, absent-minded cleared employees might leave classified information on a printer or in the common areas, and cleared employees may have approved classified meetings but forget to verify clearance and need to know. Things happen, and damage control as a last resort is all too prevalent in these situati...

How FSOs Evaluate Their Security Programs

The Self-Assessment Handbook for NISP Contractors provided by the Defense Security Services (DSS) provides an excellent way for a cleared defense contractor to prepare for the annual DSS inspection, form the enterprise self-inspection policy and assess the status of the organization's security plan to protect classified information. This is a great tool for many, as it's probably the only way to measure aside from the inspection that counts. When I served in the Army, we had plenty of opportunities to assess our war fighting capability. One of those opportunities was provided by headquarters as an "assistance" visit. This usually preceded the much dreaded Inspector General (IG) inspections. These assistance visits were painful, but gladly received, as we could have a "freebie" inspection before enduring the one that counted. My rule of thumb for these assistance visits was for everyone to do the proper work all the time. I never allowed any sol...

NISP Enhancements Revisited

Defense Security Services (DSS) has new guidance on security enhancements and ratings that cleared defense contractors can earn. According to the publication 2013 DSS Vulnerability Assessment Rating Matrix Vulnerabilities and NISP Enhancement Categories, there are 10 enhancements, or opportunities to demonstrate protection of classified information beyond baseline National Industrial Security Program Operating Manual (NISPOM) standards. Before contractors can receive credit for NISP enhancements, there are a few ground rules or fundamental areas that must be addressed. Back to the basics is a good mantra to follow here. A cleared defense contractor must first demonstrate the capability of protecting classified information before earning enhancements. For example, a cleared facility that has significant findings in the topic of Export Control or Foreign Ownership, Control and Influence (FOCI) will not get enhancement credit in the FOCI topic until they overcome the deficienc...

How to take a test; any test

There are a few rules of thumb when it comes to taking tests. These rules are almost constant and really have no technical bearing on the tested information. However, where used logically, these tips will increase your chances of correctly answering questions you might not fully know the answer to. Here are some recommendations: Tip #1 Stop studying at a reasonable time before the test. You know that time before a test when your head is spinning and studying does nothing but confuse you. It's that time when looking at reference material is nothing more than white noise; it never makes it to your brain. Instead, take a break. Just as an athlete tapers down her training before a race, give your brain a break. An overloaded brain before an exam is just as detrimental as a tired and aching body before a race. Tip #2 Take a few deep breaths before you get started. This will increase oxygen flow to your brain and help you concentrate. After all, you are going to be readi...

Can we learn from the non DoD Industry about protecting national security?

It seems like we should be able to. The lessons are obvious, but the application may not always be so clear. The same threat methodology applied to credit cards, customer databases, and financial transaction websites exists for the defense industry. The products may be diverse, but the result is usually the same: very sensitive information is released, and those slow to react are in the business of performing damage control. Last December, Target shoppers were disheartened to discover that their private information became available to bad guys as a result of a pretty detailed scheme to get that information. Now these shoppers' credit information is vulnerable, threatening the possibility of data theft many times over. Many, such as my family, suddenly found ourselves in possession of newly issued credit cards as our banks cancelled suspect credit cards in response to the data breach. According to the article in the Wall Street Journal, Target Says Hackers Used Credentials...