Sunday, August 31, 2008

Disclosure is not up to the user

Let me complete the title by adding that it is a licensing issue. I have often spoken of the necessity for security professionals to understand their business, their contracts and the people the company employs. This is especially critical when executing security plans dealing with classified and technical information. I often think that Facility Security Professionals, or at least those in professional organizations, should recite that as part of their creed.

In recent news, a former University of Tennessee professor is accused of passing sensitive information to foreign students under his supervision. He had also travelled to China with sensitive, export-controlled information, a clear violation of State Department regulations and the International Traffic in Arms Agreement. How did this come to be? That is an answer for the courts.

The FSO and other readers can glean some valuable information from this article and several of the subject's comments. Mr. J. Reece Roth had argued that the information he passed along could not fall under the restrictions since it wasn't information from a complete project. It can be argued as well that he never opened the sensitive information while traveling to China (computer forensics has supported that).

The arguments, though perhaps technically correct, clearly violate the spirit of the laws meant to protect our national defense. Though Mr. Roth is responsible for his own actions, we can see where security can play a larger role in helping to prevent such violations. However, in many companies, FSOs are not providing the compliance management their positions should. Far too often, FSOs are not in a position to raise important issues.

1. Companies should appoint competent Facility Security Officers. According to the NISPOM, a company should appoint an employee as FSO; in small companies, this could be an employee with an additional duty. Since the role of the FSO is to implement and direct a security program to protect classified information, companies should consider very seriously those they appoint to the position. Often, lower-positioned employees are given the responsibility but in reality have very little influence. The lack of influence may be the result of the lower position, lack of education, or lack of skill. In any case, the responsible DoD contractor company should look for the right qualifications.

2. The FSO, in a role of influence, should understand where the company is headed. Since the FSO is responsible for identifying Foreign Ownership, Control or Influence (FOCI), they should know the business direction the company is pursuing.

3. The FSO should also understand export licensing, how to advise senior officers and executives on safeguarding classified material, and how to maintain facility clearances. The business development, contracts, executive, purchasing, engineering and other managers should consult with the FSO as a matter of course, though this is not often the case. For a DoD contractor with a facility clearance, the FSO acts as liaison between the contractor company and the cognizant security agency to ensure compliance on anything that could affect the company's ability to protect classified material.

4. Two and three cannot apply without number one. Companies should take the role of the FSO seriously. Begin by looking for qualifications such as business savvy, a college education and a certification. This will ensure that the FSO has the credibility and ability to create processes and procedures for compliance.

To wrap up, the right FSO could see this trouble coming. A quick review of recent news and other historical documents shows patterns of employee misbehavior as a main culprit in security violations. Also, economic espionage and export violations are a direct result of employee malice and ignorance. The news doesn't indicate forced break-ins or outsiders infiltrating company defenses. It just reports the arrogance, ignorance and malice of the insider. FSOs worth their salt know how to train their companies and reduce the possibility of security violations.

Wednesday, August 13, 2008

Facility Security Officers (FSO) and Compliance

The Facility Security Officer’s successful program depends on developing relationships with employees, managers and executives to facilitate execution of company policies, necessary security awareness training, voluntary employee self-reporting of security infractions or changes of status, and proactive action toward expired, existing and future classified contracts. Any of the above-mentioned success measures is difficult to obtain in a changing employee and contract environment, but is simplified through employee and executive buy-in.

One of the most important traits an FSO should possess, aside from technical competence, is the ability to gain executive, manager and work force buy-in. This buy-in is critical for integrating the security plan into all business units and company operations. For example, one major cause of security violations is the introduction or removal of classified material into or from a company without proper accountability. This contradicts DoD regulations requiring that classified information in any form be logged into the company accountability system and stored properly according to its classification level. An FSO can train and write policy but, without the enterprise’s full cooperation, will find it difficult to enforce.

A well integrated security plan will ensure that all units within an enterprise notify the FSO of any change in disposition of classified material storage. This integrated system will trigger the contracts, program manager, business development and other units to coordinate with the FSO and keep the FSO informed of expired, current, and future contract opportunities and responsibilities. The coordination will allow the FSO to be proactive and better support the company classified mission. Having a security program integrated into all aspects of the company produces award winning situations and dramatically reduces security violations.

An obviously important task facing an FSO directing the security program is accomplishing it while supporting the company’s primary mission: to make money. The FSO owes allegiance to protecting the nation’s secrets, but will not be able to do so if the company profits go straight into the security budget. In times past, FSOs could recommend and receive support for security programs with little justification. Management viewed security as a necessary evil for achieving the goal of conducting classified business with the government.

Find out more in our next posting, or visit www.ispcert.com for more information and valuable training resources.

Saturday, August 9, 2008

Industrial Security Professional (ISP) Certification

By: Jeffrey W. Bennett, ISP

Have you taken the next step to being competitive in the security arena? If not, this article will provide information and tips based on a proven method of studying for and passing the exam.

Out of the 2,000 NCMS members only 6% hold the ISP certification. In July 2005 there were only 75 ISPs and as of October 2006 the number has increased to 117. The test is challenging and the pass rate is 80%. However, this pass rate is expected to improve.

Why certify? The ISP holder demonstrates a high level of knowledge. The certification is based on the NISPOM but also covers electives such as: COMSEC, OPSEC, and other topics.

This certified professional communicates to upper management that they are committed to the business, the industry and the protection of national interests. It puts the company in a stronger position while bidding on contracts and lends credibility to relationships with the oversight agency, the Defense Security Service (DSS). Most of all, it gives the bearer confidence in their ability to apply their knowledge. As this certification program evolves, more and more employers will require the certification.

According to the book Now, Discover Your Strengths, the difference between mediocrity and excellence is a small margin. For example, a horse wins a race by fractions of a second, and employees excel faster by completing only one more small action a day. In my case, I studied for a few minutes every day for five months. The few minutes made a big difference.

There are many excuses not to take the exam: the cost, the time involved, or fear of failure. NCMS is doing a lot to train candidates and mitigate the expense, and studies show that salaries do increase with the certification.

I hope this tip will build your confidence. Take the online test! If you can perform a search in a PDF file, you can pass the test. The exam gives 110 multiple choice questions and takes up to 120 minutes. There is a clock that keeps track of the time and the test times out automatically. How convenient.

I recommend using two monitors. Open the test in one monitor and the PDF version of the NISPOM in the other. Open the search function in the NISPOM and type key words from the test question to find the reference. It’s that simple, but takes some practice.

The following are websites that offer references for ISP test study. The first website offers 20 free practice questions and PDF files of the NISPOM.
http://www.ispcert.com

The next two websites offer the NISPOM, test-taking tips, study materials and conference calls.
http://www.ncms-isp.org/StudyReferences.html
http://www.classmgmt.com/ISP_Certification_Program/references.htm

You can pass this test! Use the study references and you will succeed.

For those security professionals and FSOs who have earned your certification, you know what a feeling of accomplishment that is. For those who haven't started, what are you waiting for?

I studied for six months before I had the courage to take the test. Once I passed, I took notes and began writing a book. I have a database of 400 questions that will definitely help guarantee your success.

Whether you’re employed in the security field as a government employee, contractor, loss prevention or IT, you need the competitive edge.

Security and Customer Relation Management

A Customer Relationship Management (CRM) system is a tactical and strategic tool that can be very useful in the security field. If used correctly, this tool can forecast trends and help a company with the top and bottom lines as well as help prevent security violations. Today, many businesses do not look the same as they did many years ago.

They have definitely left their core competency to move on to something more profitable. The internet and information technology have made that possible.

General Motors and eBay are two companies that have shifted focus from their original purpose toward financing. They have both learned that keeping the customer in debt through interest-bearing finance for longer periods of time is more beneficial to the business.

Another example is from the best seller Good to Great. This book lists Kimberly-Clark as a successful company that thrived in a dying industry. This company moved from being a supplier of coated paper to consumer goods like Huggies and Kleenex.

How did these companies transform to this kind of success? I believe it was from a keen insight into customer relationship management. Even in its primitive form, before current software availability, astute business leaders recognized the trend in the marketplace. It wasn’t hard for the visionaries at places like GM, eBay and Kimberly-Clark to see the potential for huge profits.

Like many explorers and adventurers, each of the CEOs and other leaders received harsh criticism from peers and media alike, who dismissed them as ne’er-do-wells. Many ingrained in tradition expressed disappointment. The leaders were left with dreams, plans, execution and the true possibilities displayed in sales history, demographics, profiles, and shifts in buying trends.

This CRM uses sales force automation to expedite sales and assist the sales force, customer service and support to align sales with suppliers, and marketing management and analysis to find the market. These interact to align the business with customers’ needs and meet them more promptly at the point of sale.

With evolving technology and high-tech consumers, we can expect many more companies to leave their original core competencies for ones that earn them more money with fewer costs. Much business is growing online. Without visionaries willing to take the right risks, and without CRM data used properly, a company may die in its antiquity.

Can you think of ways to apply CRM to security?

Porter's Five Principles

According to Porter’s Five Forces Model, in my opinion, competition has increased in all areas as a result of the internet and e-commerce, providing several challenges to security. When providing a threat assessment, try to see how your security process can take this model into consideration.

The internet and IT have made it possible to focus on both the top and bottom lines: market share is expanded and costs are cut. Many products and services exist only online, major companies have gone online to successfully augment their brick-and-mortar corporations, and the playing field extends all the way to the edges of cyberspace, wherever that is. We will evaluate this further by stepping through all five forces.

Buyer power is higher when buyers have more choices. Businesses are forced to add value to their products and services to earn loyalty. Many loyalty programs include excellent services that customers demand online. Customers want to solve their problems, and many times they are more successful online than by phone. Also, we see internet-savvy businesses springing up offering more valuable goods and services at lower costs. Now, with the advent of eBay, many people are assuming roles as drop shippers. Individuals can have a thriving business selling the goods of larger companies without having to carry inventory.

Supplier power is higher when buyers have fewer choices from whom to buy. As mentioned earlier, drop shipping has increased the number of suppliers available. All an individual has to do is form an agreement to sell products for the company. The company takes care of all the logistics. The same is true of the associates programs that amazon.com and google.com offer. Associates programs allow a webmaster to earn money by recommending products from others. This increases supplier offerings.

Threat of substitute products or services is high when there are many product alternatives. This is different from having many suppliers. Examples of alternatives are exchanging brand names, substituting credit card capabilities, and looking at better values from cheaper sources. The internet allows this with the “global economy”. I can substitute my product by purchasing from companies overseas where labor, services and products are cheaper but of comparable quality.

Threat of new entrants is high when it is easy for new competition to enter the market. Well, what have we been talking about? Now, small operations can open shop for less than $10.00 per month and make a lot of money. As inventive as people are, there are always opportunities to improve a product or service or just create and sell something new. Recently, many new entrants have made even more money authoring eBooks that tell others how to do what they did.

Rivalry among competitors is high when competition is more intense within industries. Online bookstores and catalog companies are an excellent example. Amazon.com and Barnesandnoble.com are very competitive. However, there are also many smaller niche affiliate bookstores that, when combined, take a great deal of market share. They offer even more competition. Both major bookstores have used IT to create value for their customers. These values include associates programs, ease of payment and shipping, and many, many others.

The internet offers avenues of competition to existing companies and opportunities for start-ups. Now businesses can enter the market online with few barriers to entry. Porter’s Five Forces Model can help demonstrate the attractiveness of starting your online business. A business person should use the model to identify competition, make a plan, and implement the process.

Tuesday, August 5, 2008

The Defensive Security Briefing

Prior to travel, a cleared employee should have a good understanding of their responsibilities to protect national security. A Defensive Security Briefing is for those who travel overseas and may be vulnerable to foreign entity recruiting methods. Briefings should be constructed to make the cleared traveler aware of their responsibilities to protect employees, products, customers and those with whom they do business. Topics of the defensive security briefing should include threat recognition, how to assess a situation, and how to respond when approached for recruitment.

Prior to travel, the employee should notify their security office of all foreign travel plans. This includes plans for Canada, Mexico and Caribbean countries. The security department can then construct a plan for the specific area after researching the area to be travelled. The State Department has a great website, www.state.gov, that can fill security and the traveler in on all necessary travel documentation and what to expect while abroad. Traveling employees (and anyone traveling abroad) should familiarize themselves with the site and use it to become informed international travelers.

As we have covered in previous posts, technical data can be transferred by reading a note, viewing a computer screen, conducting seminars, and so on. Make sure you are authorized with a license and/or TAA before discussing technical data that falls under export compliance. Employees should know the boundaries in advance before sharing any technical information with their foreign hosts. Also, a sanitized computer poses no threat of export violations or theft of economic or corporate data. Make sure your IT department provides a sanitized computer for the traveler’s administrative needs. Also, keep all documentation that could lead to export violations or the release of proprietary data close at hand.

Employees should practice good physical safety and security. A good practice is for them to conduct themselves as professionals at all times. Pretending the CEO is traveling with the employee is a good idea as they go about representing the company. Also, stick with your host. The host will ensure the employee's safety and hopefully refer them to reputable establishments.

Some threats an employee can face while abroad are economic and intelligence threats. An economic threat is the theft of technology and commerce. The agent may be after formulas, financial gain, and so on. Foreign entities may target classified or company-sensitive information to gain a competitive edge. This costs millions of dollars in damage to U.S. business. Intelligence threats are similar, but they consist of collection efforts against the U.S. to increase a foreign government's power and competitive edge.

We will examine training for employees traveling abroad in more detail. Be sure to check back often.