Friday, November 13, 2009

Changes to the National Industrial Security Program Impact Defense Contractors

Just five short years ago several changes came out almost simultaneously. The changes challenged the thinking of many security specialists because the ideas were so new. The proactive employees put plans into place that made the changes easier to implement within their organizations. The others found themselves implementing the changes at the last minute.
I cannot imagine working without the Joint Personnel Adjudication System (JPAS). However, when it first came out the protest was pretty loud. One of the many objections was to using JPAS to submit visit authorization requests instead of faxing personally identifiable information to the hosting cleared facility. I heard one FSO comment that “need to know” could not be properly controlled by such an impersonal system. Though unfounded, such objections still needed to be met. To prepare industry for the new process, the Defense Security Service (DSS) and professional organizations such as NCMS (Society of Industrial Security Professionals) began developing ways to educate Facility Security Officers and other JPAS users. Now, JPAS is required throughout the Department of Defense.
Remember the thick personnel files? FSOs maintained huge volumes of cleared employee information. SF 86 applications, medical and information release forms, SF 312 forms and more were packed into manila folders and stuffed into bulging lateral cabinets. I remember hearing of one security professional who had requested a new lateral filing cabinet. Their supervisor balked at such an expense and the employee argued the need for it. Fortunately another employee who kept up with changes in the NISP reminded the two of a then recent change: the FSO could no longer retain SF 86 information once a security clearance determination had been made. As a result, the cleared employee files withered to a few pieces of paper and some of the lateral cabinets were emptied.
The point here is that new changes are bound to come because of amendments to Presidential Executive Orders or policy updates. FSOs and security specialists should begin planning immediately to implement the new requirements. While incorporating the changes into the security program, prepare a report of the impact to your organization. Will the new requirements increase the cost of doing business, or are there significant cost reductions? Document the findings and keep management informed. Finally, prepare to highlight significant changes for presentation during annual security awareness training.

Thursday, November 12, 2009

Need to Know: the Rest of the Story, or Establishing Need to Know within the National Industrial Security Program

According to E.O. 12968, no one may have access to classified information unless they have been determined eligible for a security clearance and have a “need to know”. Eligibility is a determination made by an adjudicator based on the results of a proper investigation. Eligibility is easy to verify after the U.S. Government provides notification of a granted security clearance or upon validation in an approved cognizant security agency database such as JPAS. When an employee is granted a CONFIDENTIAL, SECRET or TOP SECRET clearance they are eligible for access to classified information at the level of the clearance and below.
However, the rest of the story concerns “need to know”. Need to know is a determination made by the authorized holder of the classified information. The holder not only has to determine that the recipient has the proper clearance, but also that the recipient is authorized to perform classified work on a valid government requirement that the information supports. Just as security clearances should be kept to the minimum number necessary to perform the classified work, access to classified information must be limited to those with a valid need to perform on the government work.
A Facility Security Officer conducted a preliminary inquiry to determine whether or not a security incident led to the loss, compromise or suspected compromise of classified information. She had received a phone call from an employee stating that a co-worker had left classified information out on a desk. The inquiry revealed that a worker had left for lunch and asked a co-worker to “keep an eye on” her classified information. Not long after, the second employee was summoned to his boss's office to answer some questions. He left in a hurry, forgetting about the classified information left on the desk.
At first glance, the unattended classified information is the most obvious security incident. However, once the inquiry concluded a second incident came to light. The co-workers shared the same office, but did not work on the same contract. The first co-worker had entrusted the safeguarding of classified information to an employee who was cleared at the proper level but who did not have a “need to know”. Verifying the clearance alone was not enough; both conditions must be met before classified information is disclosed or handed over.
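The two-part test in the story above (eligibility at the level of the information, plus a need to know tied to the government requirement the material supports) is easy to model in code. The following is an added example, not code from this blog or from any DoD system; the people, contract names and document are constructed for illustration, and the data structures are assumptions rather than any real system's schema. Note that handing material to a co-worker to “keep an eye on” is treated as a transfer of custody, so the recipient is checked exactly like any other recipient.

```python
"""Clearance-plus-need-to-know access decision (added illustration).

Models the NISP rule that access to classified information requires BOTH
eligibility at the classification level AND a need to know tied to a
specific government requirement (here, a contract). Names and contracts
below are constructed sample data, not real programs or people.
"""
from dataclasses import dataclass
from typing import Tuple

# Ordered classification/eligibility levels; a higher index dominates lower ones.
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")


@dataclass(frozen=True)
class Person:
    name: str
    clearance: str                    # eligibility level as verified (e.g., in JPAS)
    contracts: frozenset = frozenset()  # classified contracts the person performs on


@dataclass(frozen=True)
class Document:
    title: str
    classification: str
    contract: str                     # the government requirement the material supports


def dominates(clearance: str, classification: str) -> bool:
    """Eligibility at a level grants access at that level and below."""
    return LEVELS.index(clearance) >= LEVELS.index(classification)


def access_decision(person: Person, doc: Document) -> Tuple[bool, str]:
    """Return (allowed, reason). Both tests must pass; clearance alone is
    never sufficient, which is the 'rest of the story' in the incident."""
    if person.clearance not in LEVELS or doc.classification not in LEVELS:
        return False, "unknown clearance or classification level"
    if not dominates(person.clearance, doc.classification):
        return False, f"{person.name} is not eligible at {doc.classification}"
    if doc.classification != "UNCLASSIFIED" and doc.contract not in person.contracts:
        return False, f"{person.name} has no need to know for contract {doc.contract}"
    return True, "clearance and need to know both verified"


def may_entrust(custodian: Person, recipient: Person, doc: Document) -> Tuple[bool, str]:
    """Asking a co-worker to safeguard classified material is a transfer of
    custody: the custodian must be an authorized holder, and the recipient
    must pass the same two-part test as any other recipient."""
    ok, why = access_decision(custodian, doc)
    if not ok:
        return False, "custodian: " + why
    ok, why = access_decision(recipient, doc)
    return ok, "recipient: " + why


# Constructed scenario mirroring the incident: same office, different contracts.
ALICE = Person("Alice", "SECRET", frozenset({"CONTRACT-A"}))   # owner of the material
BOB = Person("Bob", "SECRET", frozenset({"CONTRACT-B"}))       # cleared, wrong contract
CAROL = Person("Carol", "SECRET", frozenset({"CONTRACT-A"}))   # cleared, same contract
DAVE = Person("Dave", "CONFIDENTIAL", frozenset({"CONTRACT-A"}))  # right contract, low level
DOC = Document("Test plan", "SECRET", "CONTRACT-A")

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL, DAVE):
        print(who.name, access_decision(who, DOC))
    print("Alice -> Bob:", may_entrust(ALICE, BOB, DOC))
    print("Alice -> Carol:", may_entrust(ALICE, CAROL, DOC))
```

Running the scenario denies Bob on need to know and Dave on clearance level, and allows only Carol; the custody hand-off from Alice to Bob fails for the same reason the FSO's inquiry found. In a real program the `contracts` set would come from the contract's DD 254 and the company's assignment records, and the clearance from the cognizant agency's database rather than a literal.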

Identification and the Defense Contractor’s Rolodex

Identification is a critical part of our business. Those who possess classified information cannot just disclose it to anyone who asks; verification is necessary to ensure that those authorized to receive such information are who they say they are. Sometimes identification is made visually through recognition of a friend, colleague or co-worker. More often than not the visual recognition is backed up with technology. Many contractor and government organizations and agencies have internal identification systems using software and hardware designed to recognize biometric and electronic credentials. There are many configurations of card reading technology. Some use picture badges unique to the organization coupled with small chips providing a code for entry into access controlled areas.
At any given time you can identify such employees by the card dangling at the end of a lanyard. Perhaps even some are laden with multiple cards pushing the lanyard’s published tensile strength to the limit. A card is used to enter the employer’s facility and the remaining cards are for entry to contract related organizations; each agency issuing its own recognition requirements.
A few months back I was flying away on business. I like to arrive early enough to get through security and usually have a form of government issued identification and my boarding pass ready to go. When I get to the TSA checkpoint, I display the required credentials and am given access. I recently saw a fellow traveler approach the TSA checkpoint just as I was about to. However, instead of passing smoothly through the process, he became a show stopper. The flow was interrupted considerably.
The traveler made it to the checkpoint, but he was not prepared to present his access credentials. Well, he presented information, but it was the wrong kind. When he approached the TSA official, he began to work through what I call “the contractor rolodex”. He had worn his lanyard with about 10 access cards around his neck through the entire security line and began showing each card one by one. The patient TSA officer rejected each card until the traveler successfully produced the government issued one. This could have been a driver’s license or a common access card for all I know, but it was the right one.
Aside from the comic relief the incident provided, there is a real traveler and employee security issue to deal with. Employees are trained to put away their organization's access card when not in the facility, though some apparently do not quite understand the “secrecy”. At the very least, the access card may identify the wearer as a government official or a defense contractor employee, depending on where they live. It also may reveal the employee's specific place of work and in some instances their clearance level. In the worst case, the card could be stolen and allow unauthorized access to a facility, or the wearer could be targeted for exploitation based on identification of their line of work and employer.
Identification is a major part of doing business. Access and need to know can be verified with proper recognition provided by information printed on or embedded in access card technology. Security professionals should provide education and training that help employees understand the importance of protecting their identification and how it associates them with sensitive information or business.

Friday, September 18, 2009

How Facility Security Officers and other Security Professionals Contribute to their Communities

One thing that I like about security professional organizations like ASIS International (formerly the American Society for Industrial Security) is their emphasis on giving to the community. The group sponsors scholarships and provides security services and training opportunities designed to help non-profit or not-for-profit organizations. Churches, charities, and students benefit from the generosity of local and national security professionals. In my own community I began to look at examples of how security professionals could contribute in a meaningful way.
The best examples I can give are what we have done in my neighborhood. For one organization in particular, I arranged for an FBI agent to give a short presentation on cyber security. The audience consisted of interested parties representing the community and various demographics. We had teachers, children, baseball teams and senior citizens all together for breakfast and training on a fine Saturday morning. The presenter gave valuable information derived from real data. The audience was appreciative and provided positive comments. This, of course, was a few years ago. We are thinking of presenting it again since social networks like Facebook, LinkedIn, and MySpace are so prevalent.
Just recently I invited a fellow security professional to present “Active Shooter” training for my church. I’ve known the presenter for the past few years as a result of NCMS (Society of Industrial Security Professionals) and ASIS. We’ve both spoken in the professional organizations’ seminars and luncheons. We’ve set up booths next to each other during conventions. One day while he thumbed through my latest book I had on display, he told me of his side business. I asked him his expertise and he said that he consults churches and non-profit organizations on security.
Coincidentally, in a church meeting the next month our leadership raised concerns about recent violence in religious institutions during the past year. I thought of my friend and offered a solution. After a few months of planning, we hired him as a consultant. One Monday night, with over 50 people present, we learned how to possibly prevent or reduce the impact of an active shooter incident. Interestingly, we have police officers and federal agents at our church and many were in attendance. However, just because one is in law enforcement does not necessarily mean they are an expert in a certain discipline. What we learned was how to plug law enforcement into the scenario and rehearse responses. The best part was that even though my buddy presented the training, my church leadership began to view my skills and training as a security professional in a new light.
So, how can you contribute to your community? The first step is to look at needs and trends. Look at the crime rate, high-risk neighborhoods, gang affiliations, unique local issues and national trends. You might consider identity protection, family security, loss prevention, anti-terrorism or cyber security training. Your security, operations security and risk management training offer very valuable opportunities to train volunteer-based organizations with tiny budgets. Each community's needs are different; however, you may just have the necessary skills or connections to fill in vital gaps.

Thursday, September 17, 2009

Why FSOs and Defense Contractors Protect Classified Information

FSOs implement and direct security programs to protect classified information. As an FSO or a supporting security professional in this role, have you ever wondered how the classified information you protect gets its designation? We can find the answer in Presidential Executive Order 13292. You may have heard and read reports of how over-classification results in unnecessary costs. You might also understand from similar reports how under-classification can lead to compromise of sensitive information. To better prevent unauthorized disclosure and ensure that classification is assigned only to information needing protection, the President has issued specific standards. Before information may be originally classified, four conditions must be met:
According to E.O. 13292, Sec. 1.1. Classification Standards. (a) Information may be originally classified if all of the following conditions are met:
(1) an original classification authority is classifying the information; Specifically, only the President and, in the performance of executive duties, the Vice President; agency heads and officials designated by the President in the Federal Register; and U.S. Government officials delegated this authority can serve as OCAs. Agency heads are responsible for ensuring that only the minimum number of subordinate officials are delegated original classification authority. These Government checks and balances ensure responsibility and accountability.
TOP SECRET original classification authority may be delegated only by the President, the Vice President, or an agency head or official designated by the President. SECRET and CONFIDENTIAL original classification authority may also be delegated by the senior agency official, provided that official has been delegated TOP SECRET original classification authority by the agency head. Each delegation must be in writing, and the authority may not be redelegated except as the order provides.
Original classification authorities attend training as required by the executive order and other directives. The education is similar to the annual security awareness training that FSOs are required to offer employees with security clearances. For example, they learn how to protect classified information, how to mark it, and how to control its dissemination, in addition to learning how to determine the classification level.
(2) the information is owned by, produced by or for, or is under the control of the United States Government; An original classification authority may not classify anything that is not owned, produced or controlled by the U.S. Government. For example, the Government contracts a company to make a product important to national security. As part of the contract, the Government requires that the company construct and assemble items that must be safeguarded at the SECRET level. The Government works with the contractor and provides direction and means for production and protection measures in addition to the stipulations of the contract. The company is thus contracted to make defense articles or provide services that the Government owns, and the resulting information is under Government control.
(3) the information falls within one or more of the categories of information listed in section 1.4 of this order; and Classification levels are assigned to information only if it falls into one or more of the eight categories designated in the EO:
a. Military plans, weapons systems or operations
b. Foreign government information
c. Intelligence activities, sources or methods or cryptology
d. Foreign relations or activities of the United States including confidential sources
e. Scientific, technological, or economic matters relating to national security, including defense against transnational terrorism
f. U.S. programs for safeguarding nuclear materials or facilities
g. Vulnerabilities of systems, installations, infrastructures, projects, plans or protection services related to national security including terrorism
h. Weapons of mass destruction
(4) the original classification authority determines that the unauthorized disclosure of the information reasonably could be expected to result in damage to the national security, which includes defense against transnational terrorism, and the original classification authority is able to identify or describe the damage. This is the fourth and final requirement that must be met before an original classification authority can assign a classification level. Classification levels are designed to implement the proper level of protection. It is the risk management component of security: the consequence of loss of the information drives the categorization.
The impact of disclosure is categorized from reasonably causing “damage” for CONFIDENTIAL information, through “serious damage” for SECRET information, to “exceptionally grave damage” for TOP SECRET information. EO 13292 states that the expected impact of loss or compromise must be at one of the three defined levels in order for the information to be assigned a classification. The other part is that the classifier must be able to identify or describe the damage. This requirement again informs the user that the information is to be safeguarded at the necessary level, and it also prevents the original classification authority from assigning a classification level needlessly.

Thursday, July 23, 2009

Defense Contractors, Consultants and NISPOM

Consultants are hired by a company to fill a need the organization is not prepared to meet. The consultants share office furniture and the water cooler and are hopefully made to feel part of the team. In spite of being well respected contributors to the cause, consultants do not always enjoy the same benefits as a regular employee. However, this difference should not carry over to security administration on the classified contracts the consultant has been hired to perform on.
According to NISPOM 2-212 “A consultant is an individual under contract to provide professional or technical assistance to a contractor in a capacity requiring access to classified information. The consultant shall not possess classified material off the premises of the using (hiring) contractor except in connection with authorized visits. The consultant and the using contractor shall jointly execute a consultant certificate setting forth respective security responsibilities. The using contractor shall be the consumer of the services offered by the consultant it sponsors for a PCL. For security administration purposes, the consultant shall be considered an employee of the using contractor."
Simply stated, though a consultant is not a regular employee, the NISPOM considers them an employee of the company they represent for security administration purposes. The contractor is expected to sponsor and maintain the consultant's clearance and assign classified work as specified in a contract. As with other employees, the consultant should also attend annual security awareness training and follow set procedures for working with classified information. For example, suppose a consultant is required to attend a classified meeting at a government location. There should be no problem with them couriering classified information as long as the visit request and authorizations are in place, since the NISPOM permits a consultant to possess classified material off the using contractor's premises only in connection with authorized visits. That could be as simple as providing a visit request to the government facility through JPAS. However, consult with the Government organization's security department for specific requirements.

Career Advice for Defense Contractor Security Specialists

I receive a lot of emails from people who wonder how to get into the security field. Many are looking for a career change and are curious about what kind of education and experience is needed to work as a security specialist in the defense and contractor industry. Others are just starting out in life and looking for a job with the challenges and opportunities the security field offers. There are plenty of great opportunities with large and small contractor companies providing the venue. Here is what I have discovered about our industry; some of you may have other experiences and advice you can pass to those who ask about a career in security.
Industrial security is an outstanding field for someone with all ranges of experience to enter into. Some have been hired at an entry level job and have received promotions and additional responsibilities. Others have transferred full time to security after enjoying serving in an additional duty capacity. Career growth occurs as the contract and company expands or the employee takes on more responsibilities after hiring on with another company. Security managers can also move to higher level security positions as chief security officer or corporate security officer as experience meets opportunity.
Employees just entering the work force can benefit from entry level jobs. These opportunities are great for building skills and filling a critical need while filing receipts, wrapping packages, checking access rosters, applying information system security, or bringing classified information into an accountability system. Those skills, combined with learning to implement programs designed to safeguard classified information, provide a great foundation to build a career on. Additionally, many employees attend university and other adult education opportunities while serving full time in the security field. The experience, education, certification and security clearance gained while on the job prove very valuable.
Taking a look at want ads and job announcements, one can see that education and certification are beginning to be more of a requirement. Past listings for entry level and some FSO jobs required only the ability to get a security clearance and a high school diploma or GED. However, more and more job announcements require formal education, including college, and state a preference for security certification. The defense security industry still provides a good career field to gain entry level experience and move up quickly. Being well established in a good career provides the perfect environment and opportunity for simultaneous education and certification. This will make the prepared ready for future positions and raises.
Those starting their careers in smaller enterprises have a keen opportunity to perform in various security disciplines. Some actually assume appointed FSO responsibilities as an extra duty and learn as they go. Many defense contractor organizations are small and may have only one person in the security role. The sole security manager may work in only one discipline such as personnel security. Others have a larger scope, working with a guard force, information security, and compliance issues such as exports.
Large defense contractors and Government agencies also provide entry level security jobs. The job title is often security specialist and job descriptions allow for many experiences. Some descriptions use words to the effect of the following: “The candidate must be eligible for a security clearance. Job responsibilities include receiving, cataloging, storing, and mailing classified information. Maintain access control to closed areas. Provide security support for classified information processing and destruction. Initiate security clearance requests and process requests for government and contract employees conducting classified visits. Implement security measures as outlined in NISPOM.” Administrative, military, guard, and other past job experience may provide transferable skills that allow a person to apply for the job. Once hired, the new employee learns the technical skills and can quickly advance by applying their other experience and education.
Our industry is still a great place to learn and grow. Career advancement and promotions are continually available for the prepared. Opportunities continue to exist in companies large enough to provide increasing challenges and rewards. Some may have to apply for jobs with other enterprises to reach their potential. Others may be satisfied performing their valuable functions in an organization where their skills are valued and rewarded. Consider reading ISP Certification-The Industrial Security Professional Exam Manual. Our book provides excellent career advice and just the right review of NISPOM to prepare you for that important job interview. Regardless of your professional goals, what are you doing to remain competitive?