5-308 Is the number of people possessing knowledge of
the combinations to security containers kept to a minimum?
Not every
employee needs the combination to the security container.
The combinations should be provided to
those with the proper clearance and need to know. This is the maximum number of
individuals who should have it, but a minimum standard as far as combination
accountability. After all, the security container combination is classified at
the same level as the highest level of information stored in the container.
Clearance and need to know of the
contents aside, maintaining control of combinations should include keeping
access to the security container at a minimum amount necessary to manage good
information security. For example, 10 cleared employees may need access to a
document. However, these 10 cleared employees may not need access to the
security container.
There are
many ways to monitor and approve combination distribution.
One consideration might be shared
container space. For example in the example of the 10 cleared employees above,
the 10 may have classified documents collocated in the same security container with
the classified documents of another group. All are classified at the same
level, but not everyone has a need to know of each group’s information. Need to
know would be approved for those who are granted the combination. These few
would be granted need to know then given the combination. They could then
distribute the contents as required.
Another consideration is classification
of the combination. Not only is the
classified information protected based on access and need to know, but the
combination is also classified to the level of the information stored in the
container. Therefore it also must be protected by verifying employee clearance
level and need to know controls. If the combination is written, then the
written combination should be marked properly and also stored in a security
container. Protecting, documenting and accounting for the classified security
container combination provides the controls necessary for proper information
security. Combinations should be memorized. A good memory jogger is a word that
matches the combination numbers. A combination reminder magnet helps.
Another consideration is availability.
Out of the above example of 10 cleared employees, those granted with access
should be available throughout the working day to open and close the container.
Though not an exhaustive list of examples,
each of the above cases require thought. Out of the cleared employees, which
have need to know of the information in the security container. Then providing
and maintaining access to the combination at a minimum.
Where the classified combination is
provided, it must be properly documented. The FSO should record the names of
those to whom the combination is provided.
In cases where a cleared contractor
involves a one-person operation, that person serves as the FSO for that entity.
The single employee FSO is as critical as any other FSO. The main difference is
that the single employee FSO is the only one who has access to safe or vault
combinations and access control and alarm codes. If the employee dies or is incapacitated
a backup plan is necessary to better protect the classified material. In cases
of sole employees, the FSO will give the combinations to DSS or the home office
if part of a larger organization
VALIDATION:
- Determine who has access to the security container combination.
- Document the process to limit access to the combination to the minimum necessary.
- Interview those who have access to the container and document how they enforce need to know of the contents before distributing classified information.
- Demonstrate that the combination is treated as classified information. Verify that if written or recorded, that it is marked correctly and stored in a GSA approved container.
- Demonstrate written policy that limits the number of those with access to the security container combination to the minimum necessary
- Security awareness training is provided that enforces the protection of combinations as classified and with limited distribution.