Saturday, February 20, 2021

Is Security Certification a New Year's Resolution?




Wow, New Year’s Eve has come and gone, and many of us are reflecting on our goals. It’s traditional to plan events as the calendar rolls over to a new year. It’s great to dream big and visualize these goals; it’s quite another thing to actually reach them. So let’s talk professional goals: the NCMS’ ISP Certification and CDSE’s ISOC are great ones to strive for.


It’s one thing to dream and another to plan. The difference is what you do from the vision to make it a reality. Here are some deliberate actions you can use to help develop a plan to become ISP Certified.

1. Begin at the NCMS ISP Certification information website at http://www.ncms-isp.org/ISP_Certification/index.asp. There you can find ISP Certification testimonials, brochures, the application and other information about the certification. When you review the qualification, study and application information, begin with the end in mind. If your goal is to become ISP Certified, gather all the data needed and determine whether it is feasible. If the application, approval and study timeline is too long, consider moving your goal to the next year. The point is to study the requirements and build a realistic plan to achieve your goal. Let preparation set the pace, not a calendar date. Once you determine how long it will take to get prepared (6 months, 1 year, etc.), build a plan based on that date and work backward.

If your goal is ISOC certification, begin at the CDSE website.

2. Understand the application process. There are minimum experience requirements that applicants must meet, as well as administrative tasks built into the process. If an applicant does not meet the minimum requirements, they can begin studying but will have to wait until they meet those requirements before applying. This should be built into the timeline. Applicants who meet the minimum should build the administrative tasks into the timeline. These include filling out the application, payment, getting approval to take the exam and setting up a test date.

3. Understand the testable topics. Gather the relevant test information from the website. Understand the requirements and get a feel for where you are professionally and for any gaps you need to bridge to bring your knowledge of the NISPOM and the ISP or ISOC Certification categories to where it needs to be. It’s not necessary to be an expert in all areas or to be able to quote regulations and requirements. What’s important is knowing where to find information in the source documents and applying that knowledge to question-based scenarios. In other words, understand where the information can be found and how to apply it to the situation quickly. For example, a person appointed as FSO may have substantial experience with personnel and contract security after working those areas exclusively for many years. However, they are still responsible for understanding information security as outlined in the NISPOM. This means that they will need to spend some time learning where to find topic-related information and answering questions in context.

4. The following are some things that you can do to prepare to fill those knowledge gaps:

a. Study the structure of the NISPOM and other reference documents and understand where to find topic-related information. Also, become familiar with key industry-standard terms found in the source documents. Some of these terms are original classification authority, government contracting agency, DCSA, security clearance, cognizant security agency, etc. The NISPOM and source documents are available in print and in electronic form and can be used in the exam. Understanding where certain information can be found, or how to search an electronic copy, is a very good technique for both real-life and test-based scenarios.

b. Join a study group. There you can study their material, ask questions and get feedback.

c. Find a mentor. They understand the stress of working full time and studying for a professional level exam. Mentors can calm fears, answer questions, put rumors to rest, and put the right perspective on stress, studying and life in general.

5. Set a date. Once that date is set and approved, you have a certain amount of time to take the test before having to reapply. Setting the date will keep you motivated to study and stay focused.

Dreaming is one thing, but achieving is another. The best way to ensure success is to build a plan and follow it. Begin with the end in mind, understand the limitations, meet those limitations, set a date and stay focused.





Join our reader list for more articles.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books, including "Insider's Guide to Security Clearances", "How to Get U.S. Government Contracts and Classified Work", "ISP(R) and ISOC Master Exam Prep", and "NISPOM/FSO Training".

Monday, February 8, 2021

How FSOs can determine security budgets

A Facility Security Officer (FSO) should put careful consideration into the security budget. This is a primary opportunity in the continuing effort to build credibility. The manager who arbitrarily throws in a number with no basis is sending the wrong message. However, a well-thought-out line item count based on risk management, the company mission and NISPOM requirements is more apt to impress and build instant respect. The budget contribution should reinforce and support a message the FSO is constantly communicating. The budget request should not be the first time executives are introduced to the figures.

Management support, or lack of support, for a security budget reflects either a well-received or an unsupported security program. The intuitive FSO understands the business, the company mission and how the role of protecting classified material fits in. In that environment, the FSO provides a risk assessment based on the threat appraisal and speaks intelligently about the procedures, equipment and costs associated with protecting classified information. For example, the FSO understands how to contract security vendors to install alarms, access control and other life safety and protective measures. The FSO is also able to demonstrate how the expense will benefit the company, either in cost reduction or in other tangible results.

The FSO presents the budget in a manner that all business units understand. For example, if part of the budget line is to provide access control, there is a significant associated cost. Incorporating management involvement and support builds credibility and puts the company in a better position to provide the funding. Not only is a projected return on investment required; due diligence should also be conducted. Sample questions and answers the FSO should be prepared to address are:

• Why is access control necessary? Prevents unauthorized persons from entering the premises and gives an extra layer of protection for classified and sensitive information.

• What happens if we do not implement access controls? The organization would have to commit people to controlling access to the company. At a manager’s salary of between $20.00 - $30.00 per hour, this could become expensive over time. The FSO could compare the cost of the access controls against the time a manager spends making sure someone is watching the doors.

• What is the return on investment for access control? The intangible return on investment is the prevention of damage, injury, theft, and other risks inherent to unauthorized visitors. More tangible is the energy saved by keeping the doors closed. In one such study an FSO estimated a cost reduction of $12,000 per year on the electric bill.

Other questions abound and the FSO should not hesitate to forward such questions to vendors. These vendors have statistics that they use as selling points for their products.
Speaking the language of business will serve the FSO well and ensure that executives understand the significance of a well supported security program. Security managers who just quote regulations or use “best practices” without putting much thought into the costs or talking points will quickly lose credibility. 


Sunday, February 7, 2021

Receiving Classified Information into Accountability



I catch myself watching fun YouTube videos. Some of my favorites are watching consumers open my favorite products and orienting me on how to use them. The unpacking causes excitement, and the item-by-item unpacking and layout of what to expect helps me understand my product better.

In the National Industrial Security Program Operating Manual (NISPOM), we have a similar package "reveal". Security specialists, document control professionals, facility security officers and others in possessing facilities may receive classified information, depending on the contract. Part of the receipt is the critical inspection of the package as it is brought into accountability.

As they unwrap the package, the inspector is orienting themselves to better understand what they should be receiving. This begins by inspecting the package physically, then comparing the contents with the receipt. They are also searching for evidence of tampering and otherwise verifying that there has been no compromise of classified material since it left the sender’s organization.

Classified material is protected by two layers of wrapping. Each layer consists of material that is impossible to see through, such as an envelope, paper, box or other strong wrapping material. To prevent opening, the seams of each layer are covered with tamper-evident, rip-proof tape to create a solid covering. The initial inspection is more cosmetic: the inspector looks for evidence of tearing, ripping, re-wrapping or some other means of unauthorized access to the material.

Next, review the address labels: they should show an approved classified mailing address and a return address, and must not identify any recipient by name. The label is addressed to the “Commander” if the recipient is a Government entity, or to the name and approved classified mailing address of the contractor facility. Additionally, check that there are no classification markings on the outer layer. The outer layer is designed not to draw attention to the fact that it contains classified contents. Classification markings and named individuals on the outer layer are security violations because they direct unwanted attention.

The inside wrapping contains the full address of the recipient as well as classification markings on the top, bottom, front and back. Classified information should have receipts included. Receipts are not necessary with the shipment of CONFIDENTIAL material. Sign all receipts and return them to the sender.

The receiver then checks the receipt against the titles to ensure the items have been identified correctly. The receipt lists all the pertinent information needed to identify the contents: a properly filled out receipt identifies the sender and the addressee, and correctly identifies the contents by the correct (and preferably unclassified) title and the appropriate quantity. The title should be unclassified. If it is not, the receipt must be protected at the classification level of the title. When practical, contact the sender to see if the item can be issued an unclassified title, or prepare to store the receipt long term in a GSA-approved container.

The receiver then compares the classification identified on the receipt with that annotated on the inner wrapper. This ensures the package is handled correctly once the outer wrapping has been opened or removed. The receiver of the classified item then compares the classification marking on the contents with the wrapper and the receipt to once again verify the accuracy of the classified information and prevent unauthorized disclosure.

Once all the checks and verifications are complete, the receiver can sign a copy of the receipt and return it to the sender, thus closing the loop on the sender’s accounting responsibilities. The copies of receipts are filed away, the classified information is entered into a database, and the items are stored according to their classification.

See below for an inspection checklist.
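The checks described in this post can be expressed as a consistency check over a receiving record: physical condition of both layers, the outer label, the inner label, the receipt's fields, and the cross-comparison of receipt, inner wrapper and contents. The following is an added example written for this page, not the author's checklist and not from any document control system; the record fields, the `approved_addresses` list and the sample packages are constructed to mirror the rules stated above.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Ordering used to decide whether a receipt is required (constructed for this example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass
class Wrapper:
    """One layer of the two-layer wrapping, as observed by the receiver."""
    opaque: bool                           # cannot be seen through
    seams_taped: bool                      # tamper-evident tape over every seam
    tamper_evidence: bool                  # tearing, ripping, re-wrapping seen
    addressee: str                         # text of the address label
    return_address: Optional[str]
    names_individual: bool                 # label names a person (violation on the outer layer)
    classification_marking: Optional[str]  # None when the layer carries no marking


@dataclass
class Receipt:
    sender: str
    addressee: str
    title: str
    title_classification: str              # classification of the title text itself
    quantity: int
    classification: str                    # level of the items listed


@dataclass
class Package:
    outer: Wrapper
    inner: Wrapper
    receipt: Optional[Receipt]
    contents_classification: str           # marking found on the contents
    contents_quantity: int
    contents_title: str
    approved_addresses: List[str] = field(default_factory=list)  # hypothetical approved classified mailing addresses


def inspect_package(pkg: Package) -> List[str]:
    """Return every discrepancy found. An empty list means the receipt may be
    signed and returned and the material entered into accountability."""
    findings: List[str] = []
    # 1. Physical inspection of both layers.
    for name, layer in (("outer", pkg.outer), ("inner", pkg.inner)):
        if not layer.opaque:
            findings.append(f"{name} wrapper is not opaque")
        if not layer.seams_taped:
            findings.append(f"{name} wrapper seams not covered with tamper-evident tape")
        if layer.tamper_evidence:
            findings.append(f"{name} wrapper shows evidence of tampering: report before proceeding")
    # 2. Outer label: "Commander" or an approved address, return address, no names, no markings.
    o = pkg.outer
    if o.addressee != "Commander" and o.addressee not in pkg.approved_addresses:
        findings.append("outer label is not an approved classified mailing address")
    if not o.return_address:
        findings.append("outer label lacks a return address")
    if o.names_individual:
        findings.append("outer label identifies a recipient by name")
    if o.classification_marking:
        findings.append("outer wrapper carries a classification marking")
    # 3. Inner label: full address plus classification marking.
    i = pkg.inner
    if not i.addressee:
        findings.append("inner wrapper lacks the recipient's full address")
    if not i.classification_marking:
        findings.append("inner wrapper lacks classification markings")
    # 4. Receipt: not required for CONFIDENTIAL; otherwise check its fields.
    r = pkg.receipt
    if r is None:
        if LEVELS.get(pkg.contents_classification, 0) > LEVELS["CONFIDENTIAL"]:
            findings.append("no receipt enclosed with material above CONFIDENTIAL")
        return findings
    for fld in ("sender", "addressee", "title"):
        if not getattr(r, fld):
            findings.append(f"receipt missing {fld}")
    if r.title_classification != "UNCLASSIFIED":
        findings.append(f"receipt title is classified: protect the receipt at "
                        f"{r.title_classification} or ask the sender for an unclassified title")
    # 5. Cross-check receipt against inner wrapper and contents.
    if r.classification != i.classification_marking:
        findings.append("receipt classification does not match inner wrapper marking")
    if r.classification != pkg.contents_classification:
        findings.append("receipt classification does not match marking on contents")
    if r.title != pkg.contents_title:
        findings.append("receipt title does not match contents")
    if r.quantity != pkg.contents_quantity:
        findings.append("receipt quantity does not match contents")
    return findings


def clean_package() -> Package:
    """Constructed sample that passes every check."""
    facility = "Example Defense Contractor, 100 Example St, Anytown"  # constructed address
    outer = Wrapper(True, True, False, facility, "Sender Corp, 1 Sender Rd", False, None)
    inner = Wrapper(True, True, False, facility + ", Attn: Document Control", None, False, "SECRET")
    receipt = Receipt("Sender Corp", "Example Defense Contractor", "Widget Test Plan (U)",
                      "UNCLASSIFIED", 2, "SECRET")
    return Package(outer, inner, receipt, "SECRET", 2, "Widget Test Plan (U)", [facility])


def suspect_package() -> Package:
    """Constructed sample with discrepancies that must stop the sign-off."""
    pkg = clean_package()
    pkg.outer.names_individual = True          # a person named on the outer label
    pkg.outer.classification_marking = "SECRET"  # marking visible on the outer layer
    pkg.receipt.classification = "CONFIDENTIAL"  # disagrees with inner wrapper and contents
    pkg.receipt.quantity = 1                   # one item listed, two received
    return pkg


if __name__ == "__main__":
    for label, pkg in (("clean", clean_package()), ("suspect", suspect_package())):
        print(label, inspect_package(pkg) or ["sign receipt and enter into accountability"])
```

The function returns all findings rather than stopping at the first, so a document control reviewer sees the full picture before deciding whether to sign the receipt or report the package; the tampering finding is worded as a stop condition because the author's procedure treats it as a possible compromise.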




Protect Classified Conversations and Instructions Keeping These in Mind

In the course of performing on classified defense contracts, the exchange of classified information is inevitable. While the movement of classified information outside of a secure environment is to be kept to a minimum, there are times it must be moved to fulfill requirements.

When movement is necessary, the party responsible for movement should determine whether or not the classified information is necessary at the gaining organization, the organization is cleared to the appropriate level, and that there is a contractual need to know. Then they should provide the classified information in the appropriate format, using the approved methods. For example, a SECRET document can be hand carried, provided on a disc, emailed, or faxed.
   
Once the classified information is on-site, the receiving CDC takes over. There are many reasons for transporting classified material. These include conferences, classes, engineering, services or any other environment where it is needed. 

As the senior industrial security manager in CDCs, the FSO leads the security program designed to protect classified information and prevent unauthorized disclosure. While working in the secure environment, contractors protect classified information under their control and cleared employees protect classified information entrusted to them. 

Without this protection, national security could face varying degrees of damage depending on what information is disclosed and how it was used. This protection applies to documents as well as classified discussions. 

Classified verbal communications should only occur in controlled environments. For example, classified conversations are authorized in locations where access and need to know have been verified. They should never take place in hallways, around the water cooler, in public places or car pools where eavesdropping cannot be prevented or access and need to know cannot be verified. Just as the holder of classified documents verifies a receiver’s need to know and security clearances before handing them over, the same is true for releasing classified information in verbal form.

Prior to the start of a classified meeting either the government sponsor or the contractor representative should provide a security briefing notifying attendees of the classification of information to be discussed, whether or not taking notes is permitted and if so, how they will be controlled. For example, when classified notes are permitted, they will have to be properly marked, introduced into accountability and prepared for dissemination (hand carry with the attendee or mailed at a later date). The presentation is controlled to prevent the inadvertent and unauthorized release. Each attendee should also be reminded to remove any cell phones or other electronic devices.

Impromptu Discussions:
When working on classified material in approved locations, keep in mind that uncleared persons in the area may be within voice range. Some companies and security managers may allow cleared employees to take classified work back to their cubicles and desks. They are able to protect the information from prying eyes, but eavesdropping cannot be prevented outside of a closed area. 

Limit opportunities for unauthorized access to classified information by limiting opportunities for these discussions. Impromptu discussions could provide unauthorized access to repair persons, uncleared employees, and others. For example, while everyone in the immediate area may be cleared and with need to know, they could be on the phone with uncleared people.  

Another factor to consider is need to know. While everyone within earshot may have the appropriate security clearance, they may not have the need to know. 

Here are three ideas you can apply immediately:
1. Post signs where classified discussions are authorized and likewise where they are not.
2. Provide reminders of the dangers of impromptu conversations.
3. Provide guidance and training on how to introduce classified information into your organization.

