Thursday, October 30, 2008

Security through walking around

Perhaps you have already used this term or have at least heard others refer to it on occasion. I have read several articles concerning the subject and am, quite frankly, a fan of the idea. For those new to the term, it means turn off the computer and show your smiling face. If you spend your day processing information at your computer, you don’t get the full security picture. If you only get out to play “gotcha” or to conduct preliminary inquiries into violations, then those you serve only get a partial picture of you.
Security through walking around requires a plan. Without the plan you are just milling about engaging in conversation and basically, wasting everyone’s time. A plan will keep you focused as well as prevent the temptations to have conversations and activities that can cause you to lose credibility. The plan doesn’t have to be complicated or lengthy. It just helps direct your purpose, attention and answers questions about your security program’s health.
The plan should allow opportunities to enforce your message as well as getting to know the names and characteristics of employees, team members and executives. It also allows you to get your face out there, thus making you more accessible to the very people you depend on to support the security program.
Have a prioritized list of milestones that help you measure your effectiveness. This list could reveal your effectiveness in matters of personnel, physical, IT, privacy, proprietary and, if applicable, classified information security. As a word of caution, research and know your topics before you go. Understand the policies in effect and level of security success. Know regulations and requirements your company complies with and how it affects the company’s business and team members. If you answer a question with a “best guess” or rattle off a party line, you can lose credibility and cause others to doubt your abilities.
While preparing for your walk, anticipate good and bad feedback. There will be some who praise your efforts and there will definitely be those who criticize or question your motives. Some may be the result of you personally implementing a security plan such as limiting access. These objections are perfect opportunities to talk about how door magnets prevent unwanted and unauthorized visitors and how they reduce energy spending by $12,000 annually. Others may be upset with having to comply with federal regulations. This is also a great time to NOT quote regulations, but demonstrate how they impact the company and the benefits of compliance. If any question arises that you can’t answer, be candid. “I don’t know, but I’ll get back with you,” is a perfect response. Be sure to follow through and get back with the person. Likewise, if anyone requests action that you can complete, do so in a timely manner.
Be sure to offer praise and kudos to those deserving. Do so publically and immediately. Avoid criticism or wry comments directed toward or about an employee who is critical, has committed violations, or just doesn’t understand security. Definitely stay away from getting into personal conversations, self-admittals, privacy or Health Information Privacy Act (HIPA) violations. These are better left for private, official occasions.
Security through walking around provides an excellent tool to measure the success of your security program. Asking open ended questions and developing rapport with company team members will help a security manager gain ground in selling their security program and meeting company needs. However, each session should be well planned to prevent wasting valuable time and the loss of credibility. After the event, write up findings, recommendations and Kudos. You represent your corporation and management. Keep conversations professional and avoid the temptation for getting into personal conversations that violate company policy or privacy and HIPA compliance.
For more security education and articles, visit Jeff’s website: www.ispcert.com

Saturday, October 25, 2008

DoD Security and Executive Order 13434


Have you taken the next step to being competitive in the security and intelligence arena? If not, this article will provide information and tips based on a proven method of studying for and passing the exam.

Why earn a security certification? There are several reasons to achieve certification. One of which allows security managers to take advantage of opportunities offered in the recent Presidential Executive Order: National Security Professional Development. The Executive order states: "In order to enhance the national security of the United States...it is the policy of the United States to promote the education, training, and experience of current and future professionals in national security positions (security professionals)..."

The National Strategy identified in the Executive Order provides a plan to give security professionals access to education, training to increase their professional experience in efforts to increase their skill level and ability to protect our nation's secrets.

The ISP Certification is sponsored by NCMS (Society for Industrial Security) a professional organization specializing in protecting classified information. The ISP holder demonstrates a high level of knowledge in this area. The certification is based on the National Industrial Security Professional Operating Manual (NISPOM) but also covers electives such as: COMSEC, OPSEC, and other topics.

The NISPOM may not be familiar to you, but the security functions identified within are. The NISPOM is the government contractor's guidance from DoD on how to receive, process and distribute classified information. It covers how to mark, document, store, disseminate and destroy classified as well as how to set up classified computing. If you have worked with contractors or plan to work with contractors, you should be familiar with the NISPOM. Chances are that you are already familiar with the processes from your military and government experiences.

This certified professional communicates to supervisors, the promotion board, and others that they are committed to the business, the industry and the protection of national interests. It equips the security manager with the knowledge and skills to perform critical tasks as well as relate well to what civilian counterpart requirements. Most of all, it gives the bearer confidence in their ability to apply their knowledge. As this certification program evolves, more and more employers will require the certification.

The ISP Certification Exam is an open book on line test consisting of 110 multiple choice questions and takes up to 120 minutes. There is a clock that keeps track of the time and the test times out automatically. You can download the NISPOM to your desktop and use it to help search the test questions.

The following websites offers the NISPOM, test taking tips, study materials and conference calls:

www.ispcert.com

Offers study manual, online NISPOM and practice tests.

http://www.ncms-isp.org.

Great information on how to sign up for the test.

What can you do to increase your experience and skills? Professional certification is a great move for security managers. Whether or not you will make the military a career, you will find this certification a career enhancer. With the advent of the new Executive Order, certifications may become requirements in the civilian sector and perhaps even in government security positions. Also, consider joining a professional security organization. There are national and international chapters of the American Society of Industrial Security International (ASIS) www.asisonline.org and NCMS www.classmgmt.com. Visit their websites for more information.

Jeff Bennett, ISP is a retired army officer. He served 11 years in Army Intelligence as a 96B and 98C with German and Spanish language identifiers before becoming a Transportation Corps officer. He is happy to be back in the intelligence community serving as a Facility Security Officer for a Defense Contractor in Huntsville, Alabama.

Friday, October 10, 2008

An idea about violations

I was just thinking about the myriad security violations that could have been prevented by using good operations security, communication between cleared co-workers and practicing lessons learned during security training. Once of the biggest culprits of a well rounded security program is the lack of available security violation statistics. There are resources for discovering spy stories or data on espionage, but as far as information about the most common types of violations, mistakes, oversights, etc. the data does not seem to be there. We can’t learn from mistakes if we don’t know what the mistakes are.

Good security managers have data of security breaches, violations, reports of compromise or suspected compromise. However, this data rarely leaves their office. Because of the sensitive nature, it is held closely either for fear of retribution or fear of embarrassment. In truth, there is no retribution for security violation reports and information contained could be very valuable for security awareness.
Take for example that a security manager discovers a security violation with employees leaving the safe unlocked too many times, or leaves a closed area without setting the alarms. The security manager will probably have information detailing the frequency of violations, the persons committing the violations, resolutions and training to correct the behavior. This security manager could use the information to specifically train the business unit to inform them of the infraction, as well as provide meat for the annual security awareness training.

However, this information could be stripped of all identifying information and sent to a collection point for access by other security managers in the industry. Such an effort would only serve to strengthen OPSEC and the managing of security measures to protect classified information.

In the spirit of sharing, I will contribute a few violations I have investigated or have personally experienced.

• Transmission-Worker 1 reported with workers 2 and 3 to the communication center to pick up a classified device for encrypting information. Worker on carried a thin plastic shopping bag and the communications center loaded four heavy devices into the bag. The three workers then walked a quarter of a mile over urban terrain to their work areas. Upon arrival, worker 1 noticed a hole in the bag and one of the devices missing. Workers 1-3 conducted a search to no avail and reported the loss. Fortunately, the device had been found and turned in to the proper authorities.

• Violation of “Need to Know”-Worker 1 and Worker two shared an office where classified work could be performed. They each worked on two different programs, but at the same security level. Worker 1 had to run to the restroom and asked Worker 2 (same clearance level) to watch their classified documents. Worker 2 received a phone call, forgot about the classified material, and left the office and the material sitting unattended. Upon returning, both workers realized the classified material was left unattended and reported the violation to security. Security provided security awareness training emphasizing not to leave classified material unattended to Worker 2. However, Worker 1 received training on leaving material with a cleared employee not having “need to know”.

These are just two experiences of security violations discovered, addressed, and now shared for your use. No person or company is identified, so there is no retribution. Please feel free to include in your upcoming training.

Saturday, October 4, 2008

Those warning labels

I am currently working on Chapter Five of my new book, "Managing the Security of Classified Information and Contracts". Chapter Five reviews the Executive Orders and regulations relating to Classification Markings and there is some good information from all sources.

I believe this good information is fundamental to the profession of Intelligence and Security Officers. Understanding why and how information is classified is vital to knowing exactly what to protect and how. There are a few hard and fast rules for classifying information. In cases where items may be assigned an original classification, four conditions must be met.
• An original classification authority is applying the classification level
• The U.S. Government owns, is producing, or is controlling the information
• Information meets one of eight categories
• The Original Classification Authority determines unauthorized disclosure could cause damage to national security to include transnational terrorism and they can identify or describe the damage.

There are also critical reasons for assigning classification markings. Classification markings are applied to information for the following reasons. Classification markings:
• Warn and inform a user that an item is indeed classified or sensitive
• Conveys what exactly needs protection
• Identifies levels of classification or sensitivity assigned to the information
• Provides vital information and instruction on when to downgrade or declassify the material
• Gives sources and reason for classifying the item
• Warns of special access, control, dissemination or safeguarding requirements
Classification markings can be found on the top and bottom, front and back of classified items. Markings are also found in internal pages, paragraphs and other locations inside documents, books, manuals and other paper based products.

While with my last employer, I had a few responsiblilies which included: Facility Security Officer, Exports Compliance Officer, and Saftey Manager. These roles were incredibly inter-related and a lot of cross skills came into play. However, there was one thing in common; each position had its own inherent set of "classification markings". For example, as safety manager I supervised the hazardous communication process. Just as classified material must be marked properly and have a security classification guide and DD Form 254 to warn what is classified and how to protect it, HAZMAT has warning labels as well as MSDS's to warn the users what is hazardous and how to work with it.

Classified markings are fundamental to how we protect classified material. Markings should be checked when classified information is introduced in to a contractor facility as well as when the contractor reproduces, creates or derives a new item from another classified source.

Thursday, October 2, 2008

Kicking Down Institutional Walls


A critical review of security books


By: Jeffrey W. Bennett, ISP, Author of: ISP Certification-The Industrial Security Professional Exam Manual and Under the Lontar Palm

This book commands attention! The authors bring to light current security practices, methods and decision analysis and their many shortcomings. The authors' thesis; to provide sound argument toward a more modern and effective way of implementing security practices. The ideas are easy to apply, but contrary to what is taught by security seminars and vendors selling security products.

While security seminars and education efforts teach cataclysmic results of security breaches, "New School" demonstrates the need for collecting data to assess the threat in a scientific manner. Shostack and Stewart champion going back to raw data to identify the threats and then develop programs to address those threats.

Aside from evidence related to loss, espionage or other threats, risk managers cannot effectively apply security measures. The authors indicate that breech data exists, but the holders are reluctant to share. However, the authors do a good job of proving that companies who publically admitted failure recovered quickly from any scandal or fallout from information or data breeches.

The authors know down the traditional walls of security training institutions. They preach good solid evidence behind decision making; otherwise security managers can not effectively determine whether or not the lack of threat is a result of new security measures or just plain luck.

The book is easy to read implement in all areas of security. The physical security, loss prevention, DoD contractor, and many others in and out of the security profession can adapt the principles to their business units.

To purchase this book and more resources, visit www.ispcert.com