The Self-Assessment Handbook for NISP Contractors
provided by the Defense Security Service (DSS) gives a cleared defense contractor
an excellent way to prepare for the annual DSS inspection, form the
enterprise self-inspection policy, and assess the status of the organization's
security plan to protect classified information. It is a great tool for many
facilities because it is probably the only way to measure the program aside from the inspection that counts.
When I served in the Army, we had plenty of opportunities
to assess our war fighting capability. One of those opportunities was provided
by headquarters as an "assistance" visit. This usually preceded the
much dreaded Inspector General (IG) inspections. These assistance visits were
painful, but gladly received as we could have a "freebie" inspection
before enduring the one that counted.
My rule of thumb for these assistance visits was for
everyone to do the proper work all the time. I never allowed any soldier to
work overtime in preparation. I wanted an honest assessment of the actual work
being performed. This left our success and ultimate responsibility squarely on
my ability to measure the standards and evaluate our unit's execution before
the IG came around.
Part of the assessment in the Army days and while serving
more recently as an FSO is to develop and document processes, then measure
those processes in an audit. As a leader, you can carry a clipboard and ask
basic questions designed to check the block. Or, you might take the more
successful route of asking open ended questions and allowing employees to
demonstrate their processes.
As the Defense Security Service recommends, good questions
will facilitate good answers. It's like the old '80s adage "Garbage In;
Garbage Out". You basically get what you ask for.
General interviewing techniques include the following
from the guide:
All questions should be asked in the present and future
tense. Here's an example: "If you are reviewing a classified document and
you have to take a break, what do you do with the classified information?"
Talk in a conversational tone and maintain eye contact.
Again, put the clipboard away and just talk to the employees. Develop the
questions based on the mission of the group you are interviewing. If you are
interviewing an engineer who regularly creates derivatively classified
documents, then develop the conversation to determine how she might arrive at a
derivative classification decision.
Let people tell their story. Ask open ended questions
(using who, what, where, when, why, and how). In the above example you might
ask "Show me a document that you derived using classified
information." After they provide the document, review it with them and
walk through the process.
Avoid leading questions. This is great, just like the
show LA Law where the defense attorney yells: "Objection, leading the
witness." A leading question might be: "So, you report to security
every time you hand carry classified information into the company, don't
you?" all the while nodding your head and waiting for the right answer.
Keep good notes for future reference and document
corrective actions. The intent is to capture the processes the employees are
using and determine whether they have had the proper NISPOM training, are using approved processes, and actually protect classified information. The self-inspection guide
is a great resource for evaluating how employees apply security policies.
This is your only "freebie", so use it to your advantage.
For more information about evaluating your security program, see our book DoD Security Clearance and Contracts Guidebook.
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".