Tuesday, January 29, 2019

NISPOM Based Questions For SPeD, Industrial Security Oversight Certification (ISOC), and ISP Study

 By Jeffrey W. Bennett, ISP, SAPPC
Get your copy @ www.redbikepublishing.com
These NISPOM based questions could be helpful in passing the NCMS ISP Certification and the DoD's SPeD Certification exams including the most recent Industrial Security Oversight Certification (ISOC).
Taking practice tests is a great way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. 
Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test-length practice exams based on NISPOM.
We've updated our manual for NISPOM Change 2. 


1.      Receipts must be provided for which level of classified material?

a.            SECRET 
b.            CONFIDENTIAL
c.             UNCLASSIFIED
d.            a and b
e.             All the above


2.      Working papers shall be marked the same as finished documents and at the same classification level.  Which answer is correct concerning retention:

a.            Transmitted within the facility
b.            Retained for more than 30 days from creation for TOP SECRET
c.             Retained for more than 180 days from creation for SECRET 
d.            Retained for more than 120 days from creation for SECRET
e.             Retained for more than 120 days from creation for CONFIDENTIAL


3.      Classified material may be destroyed by which of the following methods

a.            Mutilation
b.            Chemical decomposition
c.             Pulverization
d.            Melting
e.             All the above 



4.      What methods are approved to protect miscellaneous openings of greater than 96 square inches and over 6 inches in smallest dimension?

a.            ½ inch diameter steel bar with no more than 6 inches between bars
b.            Grills consisting of 18-gauge expanded metal
c.             Grills consisting of 18-gauge expanded wire mesh
d.            b and c
e.             All the above


Scroll Down For Answers







1.      Receipts must be provided for which level of classified material?

a.            SECRET (NISPOM 5-401)



2.      Working papers shall be marked the same as finished documents and at the same classification level.  Which answer is correct concerning retention:

c.             Retained for more than 180 days from creation for SECRET (NISPOM 5-203b)



3.      Classified material may be destroyed by which of the following methods

e.             All the above (NISPOM 5-705)



4.      What methods are approved to protect miscellaneous openings of greater than 96 square inches and over 6 inches in smallest dimension?

e.             All the above (NISPOM 5-801h)



So, how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. These resources provide excellent study material that may help with passing the ISP and SPeD certification exams.

According to reader comments and emails to the author, many who have bought this book, the ISP Test Tips, and used our techniques to augment their preparation have performed very well on certification exams.


Join our newsletter for more articles: 
http://www.redbikepublishing.com/newsletter/

Operational Controls and Classified Information Systems

By: Jeffrey W. Bennett, SFPC, SAPPC, ISOC, ISP


This article addresses the protection of Information Systems and the information that resides on them and is modeled after questions from the Self Inspection Handbook for NISP Contractors. We feel this is a great format to walk through the self-inspection criteria. We begin with the topic question, the NISPOM reference, an explanation of requirements, and finally how to inspect compliance.

Topic Question(s):
How is the IS physically protected? (Check all that apply)

NISPOM Reference(s):
8-302b Operational Controls

Discussion:

Each of the countermeasures listed in the Self-Inspection Handbook's checklist is already covered in sections of NISPOM chapter 5. Neither NISPOM nor the Self-Inspection Handbook sets out to define these countermeasures; the intent is to determine which countermeasures are applied and to demonstrate their application. These countermeasures should reflect the three classes of controls identified in NISPOM for the protection of IS (Figure 1):
•         Management
•         Operational
•         Technical



Figure 1 Security Controls

NISPOM 8-302, Operational Controls: “…operational controls are methods primarily implemented and executed by people (as opposed to systems) to improve system security.” The specific Operational Control in NISPOM 8-302b is Physical and Environmental Protection (Figure 2), which includes the following topics:

1.       Limit physical access into ISs operating environments to authorized individuals

2.      Protect the physical plant and support infrastructure for ISs

3.      Provide supporting utilities for ISs, protect ISs against environmental hazards, and provide appropriate environmental controls in facilities containing ISs, when required by contract


Figure 2 Security Controls
Explanation:

Limiting physical access into ISs operating environments. Contractors are to limit access into the operational environment to that necessary to protect national security information as defined in Executive Order 13526. This E.O. identifies what national security information is and who has access to that information. As a review, the contractor establishes the security program designed to protect classified information. Where classified information contractually resides on information systems, the contractor is responsible for protecting the information at the appropriate classification level and releasing it only to those with the clearance and need to know. It is up to the contractor to protect the information and determine who has authorized access. Since the contractor has a contractual need to possess the classified information on an IS, they are responsible for protecting the infrastructure that the classified information resides on. This includes the facility, the room in the facility, the classified IS, and any classified storage equipment.

Protect the physical plant and support infrastructure for ISs. This requires preventing unauthorized persons from physically accessing the location where the classified IS resides. The computers, printers, etc. should reside in a protected area that has limited access. Not only should there be measures to keep unauthorized persons from gaining access, but there should also be protection against breaking into the operational areas. Alarms, hardened equipment, approved locks, and infrastructure should be part of the measures provided to and approved by the CSA.

Provide supporting utilities for ISs, protect ISs against environmental hazards, and provide appropriate environmental controls in facilities containing ISs, when required by contract. ISs require environmental support such as air conditioning, power, and humidity control to function correctly; overheating and loss of power will cause the IS to fail. This may also require hardening the area containing the classified IS against natural disasters.

Additionally, protective measures such as alarms and access controls require power to operate. NISPOM requires confidentiality, that is, protection of classified information from unauthorized access, and contractor security programs are built around that requirement. Protection against loss of availability or integrity of the information on the system, however, is not a NISPOM requirement, but it may be directed by contract.

Validation:
1.       Inspect operational controls and determine how the IS is protected (i.e., alarms, closed areas, guards).

2.      Determine how well controls in place are adequate for limiting access to information on IS.

3.      Determine how well controls in place are adequate for limiting access to areas where classified IS resides.

4.      When required by contract, determine how well controls in place are adequate for protecting IS against environmental hazards.


Am I Required to Take a Drug Test as Part of The Security Clearance Process

By: Jeffrey W. Bennett, SFPC, SAPPC, ISOC, ISP
Drug involvement is one of the 13 adjudicative criteria which could lead to the denial or revocation of a security clearance. Even so, marijuana and opioids continue to be a concern for many applicants.
While drug involvement can raise questions about loyalty, reliability, and ability to protect classified information for initial security clearance assessments, currently there are no requirements to conduct recurring or random drug testing as a part of the security clearance process.

Obtaining a clearance vs getting hired

Security clearance applicants complete a Standard Form 86, Questionnaire for National Security Positions, better known as SF-86. The questionnaire requests information about drug usage that the applicant should populate accurately and completely. For initial security clearances, a drug test may be required after the SF-86 is completed. This would not be a part of the standard security clearance process, but a suitability requirement triggered by the agency granting eligibility.
The most obvious drug test trigger appears to occur as part of the initial position suitability or the general hiring process, which ensures the employee has not used drugs within a certain amount of time of testing. Some agencies have internal requirements such as the Department of Energy, which requires drug testing for initial security clearance granting or reinstating security clearances, but not for continuous monitoring once the clearance is granted.

Employee suitability vs security clearance suitability

Government agencies and their cleared defense contractors require drug testing or screening prior to hiring new employees to address the issues of the employee’s suitability. Regardless of the security clearance needs, the new employee is often required to test as part of the hiring process. For example, a cleared employee changing jobs most likely will take a drug test while changing employers, as would the non-cleared employees. However, the same cleared employee may not be required to take a drug test while remaining at their current job. Cleared employees may experience random drug testing as part of an internal requirement as would non-cleared employees, but there are no consistent requirements for ongoing testing (they’re often called random for a reason).

Implications of a failed drug test

The results of a positive drug test are devastating. A drug test resulting from a safety violation or random employee selection will provide enough information to revoke a security clearance. While it may be possible to fight the results of a ‘false positive’, the chances are slim. The bottom line is that cleared employees should remain drug free. While there may not be a security clearance requirement to be randomly tested, cleared employees may be required to pass a drug test as part of the initial hiring process and may be required to do so again if drug use is suspected or random testing is conducted, regardless of whether or not the employee has a clearance.
