How do effective FSOs and security managers develop a culture of compliance with regulations and security programs? Quoting regulations only exasperates cleared employees, and the act by itself does little to foster a climate of cooperation. However, developing relationships based on a good understanding of the business, the company mission and influence goes a long way toward implementing a successful security program.
1. FSO influences corporate culture-Security of classified information should be part of the organization's DNA. Instead of stovepiping security functions, the FSO should tie them into the corporate mission. Though each office has a different product, funding or budget item, each fulfills its obligation in a chain of responsibilities necessary to get the product to market. When a business unit breaks down or fails to fulfill its mission, other business units are affected.
2. FSO performs a vital mission of protecting classified information. Failure to safeguard classified material could result in a defense contractor losing its facility clearance and ultimately cost it current and future contracts. Security treated as an afterthought or viewed as a “necessary evil” has contributed to a loss of influence and commitment. Though the NISPOM applies to classified projects, FSOs would be mistaken to assume that only cleared persons and cleared programs are worthy of their attention.
3. FSO trains and treats ALL employees as security “force multipliers”. With security ingrained in the performance and actions of employees, the organization presents a united front and every employee plays a part in protecting classified information. For example, even employees without security clearances can help protect classified information by learning to recognize classification markings and by reporting suspicious behavior or contacts.
The corporate culture of successful organizations is published organization wide and employees are well versed in it. Each employee should understand how they fit into the company mission and the importance of their contribution toward the enterprise’s success.
For more detailed information, be sure to get DoD Security Clearance and Contracts Guidebook
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.
Information for the CIO, CSO, FSO, ISSO and other security professionals. Understanding NISPOM and ITAR compliance is tough. Of the more than 12,000 cleared defense contractors, a majority do not have a security staff. We hope to help fill the gap. From security clearances to performing on classified contracts, you can find help here.
Thursday, January 5, 2012
Tuesday, November 1, 2011
FSO Security Staff Training
Category 3 of the NISP Enhancement continues with Security Education.
This category addresses internal security staff professionalization. Specifically, it measures whether security staff training exceeds NISPOM training and DSS FSO certification requirements, including obtaining ongoing professional certifications and incorporating that knowledge into the organization's own security program. Several certifications and training programs are currently available to the security professional, including some recommended by DSS:
- Industrial Security Professional (ISP)-FSOs could set the ISP Certification as a goal and encourage staff employees to achieve it. When employees study for the ISP Certification, they learn how to read and apply the NISPOM, the importance of forming professional relationships with cleared employees, how the cleared contractor and the DSS representatives interact, and much more. DSS also understands the importance of individuals who achieve the ISP Certification as well as the organizations that hire them. The FSO can display the certificate and refer to it during the annual inspection as evidence of continued ISP and FSO training.
- Certified Protection Professional (CPP)-The CPP certification is for those who have a broad range of security experience to meet complex security issues. Holders of the CPP certification understand the threats that face the workplace, employees, product and the public. This has a significant application in the defense industry as industrial security professionals, security specialists and FSOs demonstrate their knowledge of physical security, personnel security, business management, security principles, information security, emergency procedures, investigations and legal aspects.
- SPeD Certification-This is the Security Professional Education Development program. DSS developed it as a means of training government security professionals. The test begins at the fundamental level and covers information, general, physical and other security disciplines. Additional certifications are available that address more advanced and specific security areas. More information can be found @ http://www.dss.mil/seta/sped/sped_what.html
- Certified Information Systems Security Professional (CISSP)-The CISSP is sponsored by the International Information Systems Security Certification Consortium, or (ISC)². Those working as an Information System Security Manager, Information System Security Officer, Chief Information Officer or in other mid to senior level management positions in information security should consider the CISSP. The CISSP measures competency and experience in 10 key areas: Access Control; Application Security; Business Continuity and Disaster Recovery Planning; Cryptography; Information Security and Risk Management; Legal, Regulations, Compliance and Investigations; Operations Security; Physical (Environmental) Security; Security Architecture and Design; and Telecommunications and Network Security.
- The OPSEC Certification Program (OCP)-The OCP is for those who are actively engaged in identifying vulnerabilities of sensitive government activities and denying an adversary’s ability to collect information on those activities. In addition to five years of experience, the candidate for the OCP should have a four year degree and at least 48 hours of formal OPSEC training. The applicant submits a 10 page paper on the topic of OPSEC using one or more of the five OPSEC process steps (identification of critical information; analysis of threats; analysis of vulnerabilities; assessment of risks; and the application of appropriate countermeasures).
See pages 304 to 306 of DoD Security Clearance and Contracts Guidebook for more detailed information.
Sunday, April 3, 2011
Disclaimer from Upcoming DoD Security Clearances And Contracts Guidebook
Here is the disclaimer from our upcoming book, just a little flavor of what you can expect. Please forward it to others who might be interested.
This book is designed to give defense contractors insight into the National Industrial Security Program. Our intention is to help defense contractors understand what is required of them should they become cleared facilities working on classified contracts. Any security and compliance related issues that an organization may face should be pursued with the Cognizant Security Agency (CSA), Government Contracting Activity (GCA) or other Federal agencies and legal activities.
This book is meant to complement the federal regulations and executive orders that brought about the National Industrial Security Program. It is also designed to help the reader draw from experience, and it suggests ways to improve security programs. Those who are new to the field can use this as a guide, but should consult their CSA. We have made every effort to make this book as accurate and complete as possible. It has been written by an ISP Certified author and has been reviewed and edited by some of the most experienced Facility Security Officers, defense contractors and ISPs in the business.
Not every defense contractor is the same. Classified contracts further differentiate requirements. Each contractor may have a unique mission based on skill sets and core competencies. Each contract has unique requirements based on product and service needs. Defense contractors working on classified contracts will have further defined roles based on requirements listed in the Contract Security Classification Specification (DD Form 254) and contract clauses and language. Specifically, cleared contractors have unique security requirements based on the DD Form 254 identifying the clearance level and classified storage level. The following are two examples out of many possible scenarios:
Example 1: A defense contractor is required to have a Facility Security Clearance (FCL) of TOP SECRET while having a classified storage level of TOP SECRET. In this case they can expect to have employees with TOP SECRET security clearances supporting contracts on site with TOP SECRET work and TOP SECRET information. In the course of their work they will store tens of thousands of classified items. Their security requirements are complex, depending on the number of classified items, the level of classified information, the number of international contracts, etc.
Example 2: In another example a contractor has a SECRET FCL and no authorization to store or perform classified work on site. They require the SECRET FCL for the sole purpose of providing employees with security clearances to perform work off site at a customer location. They will have no requirement for security containers or in-depth security to protect classified information on site.
The purpose of this book is not to provide exact solutions for each of thousands of possible scenarios. There are too many variables to be contained in any one book. It is written to inform and to provide resources that the defense contractor can use to seek additional expert help from the CSA, GCA, Prime Contractor or a competent consultant. This book is written to reflect guidance from the National Industrial Security Program Operating Manual (NISPOM), but is not written to be used instead of the NISPOM. Additionally, there is guidance in the NISPOM not covered in this book. This book is written to familiarize and inform defense contractors with NISPOM requirements. The NISPOM is the manual cleared contractors should use to build their security programs to protect classified information. This book covers general areas most cleared contractors may encounter. It is meant to help the reader determine which parts of NISPOM apply, direct the reader to available resources and suggest general ways of implementing the NISPOM. The reader should always consult the NISPOM, GCA, Prime Contractor and the CSO concerning policy and contract requirements.
Sunday, May 10, 2009
Establishing credibility as an FSO in a defense contractor
Recently, I had the opportunity to speak with a facility security officer who was ready to move on to another job. He was frustrated because he had not been able to get his senior leaders on board with the security plan. It seemed no matter what he had sent for approval, his policies were not taken seriously. Since I had only heard one side of the argument, I could not come to a conclusion about the root cause of his frustration. However, I do know that he is not alone, as many FSOs of small defense contractors face similar issues within their own companies.
Problems such as those mentioned above stem from two possible causes in small defense contractor companies. The first is that the FSO has not developed a reputation for understanding how to apply security measures to the way the company makes money. The second is that the senior officers have appointed a lower level employee to the FSO position.
Understanding how security fits into the organization is vital. Security managers who over-react or use unsubstantiated scare tactics can lose credibility quickly. They should present security programs in a way that makes business sense to the senior leaders. FSOs should also understand that the security program belongs to the company and is not theirs. It is a business decision and not a personal success or failure. For example, a security practitioner may present security requirements above and beyond the NISPOM when they are not necessary. When challenged to justify expenses or the rationale for a change in policy, the FSO may defend the decision by recalling conference or training events and may take such requests as personal challenges. The experienced FSO understands that security decisions are based on careful risk assessment, and not on general or best practices that may not fit a company’s business model or culture.
The second problem concerns the level of the hired or appointed FSO. Suppose the FSO does make a sensible request based on threat assessment and NISPOM requirements. The program is presented professionally, but management does not understand the role of the FSO as a compliance officer, and the FSO is typically left underutilized. Perhaps they consider the FSO a strictly administrative function. In these instances, the FSO has little input into the culture of the company and struggles to implement critical security measures.
Consider successful security models in Fortune 500 companies. They are larger and usually part of a mature corporate structure. Even larger defense contractors fit this category. Successful companies have security managers, chief security officers and compliance officers that are able to address security, privacy, and sensitive company information. These officers usually hold positions and responsibilities at the executive level as well as possess management skills and graduate degrees.
FSOs in smaller DoD contractors have a unique challenge as far as company culture and corporate structure. Perhaps the FSO was appointed from a lower management or assistant position. Management has mistakenly believed that the position is strictly administrative and is in place to request clearances and file away classified material. In other situations, these smaller companies grow larger with new contract requirements, and responsibilities and work requirements grow with them. Those lower level employees now face situations of growth, but their influence has not increased. The growth is happening and changes are made without their input, leaving them to play catch-up.
Look and act like senior leaders-So, how does the described security manager create influence and credibility that counts? First of all, they should observe the managers and imitate them. If management is dressed professionally, then the FSO should dress similarly. If management requires professional and college education, the FSO should complete theirs.
Learn how the company earns money-Understand the acquisition and buying system and become an expert. When the security manager understands the contracts process, they can contribute and present the security program in such a way that everyone understands. Instant credibility is gained when management knows the security manager is on board with cost reduction and compliance.
Presenting the security program does not have to be a frustrating event. If an FSO is in a position lacking credibility and influence, then they should do whatever it takes to move to the next step. Establishing credibility is a must, and it involves making the transition from an administrative clerk to a risk-analyzing and compliance professional. Learning to look and act like management and demonstrating an understanding of the business cycle is key to making that move toward excellence.
Read more about this article and follow Jeff's other articles, newsletters and updates @ http://www.redbikepublishing.com/index_files/Page412.htm
Jeffrey W. Bennett is the owner of Red Bike Publishing (http://www.redbikepublishing.com). He is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "ISP Certification-The Industrial Security Professional Exam Manual"-Red Bike Publishing
Visit our site often for information on the upcoming book "Managing the Security of Classified Information and Contracts".
About Red Bike Publishing: Our company is registered as a government contractor company with the CCR and VetBiz (DUNS 826859691). Specifically we are a service disabled veteran owned small business.
Jeffrey W. Bennett
Author of ISP Certification-The Industrial Security Professional Exam Manual
www.redbikepublishing.com
Join our newsletter
http://www.redbikepublishing.com/index_files/Page412.htm
Follow me on twitter
http://twitter.com/jwbenne
Linkedin Profile
http://www.linkedin.com/in/redbike
Join the Linkedin Industrial Security Professional Group
http://www.linkedin.com/groups?gid=1816119