Tuesday, December 30, 2008

How can a new administration impact national security?

How do presidential elections impact the Department of Defense contractor community’s ability to compete for contracts? “In recent history two sequential presidents have provided separate executive orders directing how to protect classified information,” says security consultant and author Jeffrey W. Bennett. Presidents Clinton and Bush have issued policies directing what qualifies to receive a CONFIDENTIAL, SECRET or TOP SECRET classification.
Democrat presidents often reflect a policy of openness. Some policy changes President Clinton implemented tightened the reins on what could be classified and for how long. “President Clinton’s policy made it tougher to classify information and contributed to the declassification of thousands of documents,” says Bennett.
Republican Presidents tend to ease classification standards. However, President Bush kept pretty much the same structure as President Clinton’s Executive Order 12958. He later implemented Executive Order 13292. “The changes President Bush implemented included providing more flexibility of the classification process. He also added defense measures against transnational terrorism,” says Bennett.
Both examples of recent elections changed the way government agencies and DoD Contractors conduct business. President Clinton’s Executive Order set a specific duration of classified information. “Classified information outside of the established time frame had to either go through a process to retain the classification or be re-marked. If the information did not qualify for extended classification, then a classification change had to be annotated at a lower level or declassified all together,” says Bennett. President Bush made changes that required re-designation of classification markings and extended duration of classification when necessary.
Those are only a few examples of the changes affecting the DoD contractor industry. Reduction in classified holdings was a benefit of changes both administrations made. “Depending on the government report, between 10 percent and 90 percent of documents are over-classified. Tougher classification standards are good provided that national security is still protected,” adds Bennett. From a financial overhead point of view, a reduction in classified holdings helps lower overhead costs as fewer security containers and vaults are needed.
What changes can we expect from President Elect Obama? “The industry shouldn’t expect drastic changes. Though there may be an effort toward openness, our nation’s leaders understand the importance of protecting national security. Providing classification for the right reasons protects our country and reduces the amount of classified information needing specialized storage.” The trend will require materials and manpower to make the changes in markings and reduce the classified holdings.

Monday, December 29, 2008

Not another required training event

You’ve no doubt read the NISPOM and other federally regulated security requirements addressing training. These regulations list the topics to be covered (as a minimum) and how often they are to be given. Some of you may have worked in organizations where the security manager followed the guidance to the letter…that’s it. So, once a year cleared employees amble into the briefing room to attend “required training”.
“Why do I have to attend another security training event?” they ask.
“Because regulations state…,” you begin to respond.
STOP! Don’t complete the answer until you read the rest of this. Take a deep breath and save your credibility.
One of the primary reasons security training fails is our inability to demonstrate how the training affects the bottom line. Sure, we know the regulations and the impact of not conducting training. However, our primary training objective is to increase security awareness and include employees in the security program. Contrary to most training programs, the focus should not be on passing the annual DSS review.
The successful security manager understands the importance of running a program where all employees take part in protecting the company, employees and national security. Implementing a security program to protect classified information need not be the responsibility of a lone ranger as is often the situation. Developing key relationships through training and interaction facilitate extending security’s influence. Under a successful program contracts, HR, engineering, program management and other departments function as eyes, ears and muscle. They are security’s force multipliers stretching the effectiveness of the security department.
Security managers are expected to conduct annual training and file reports as required by the NISPOM for industry or applicable security regulations for other contractors and federal agencies. Instead of conducting training just to meet compliance, the training process can be an effective relationship building opportunity. An opportunity to protect classified material; detect attempts at espionage and other security violations; and report incidents, violations and status changes affecting personnel and facility clearances. In a good synergistic relationships the training manager will not face the question, “why do I have to attend another training event”. Instead employees may ask, “What’s on the agenda?” as they look forward to contributing to the security program.

Monday, December 8, 2008

Secure IT

Information systems allow businesses to increase work productivity at blinding speeds. Documents, images, and media can be duplicated, printed, emailed and faxed much quicker than technology allowed just a few years ago. The lightening fast capabilities enable enterprise to perform on contracts more efficiently and in less time. However, because of fast distribution and processing speeds, measures must be in place to prevent unauthorized disclosure, spillage and compromise of classified information. Once a spillage occurs, the errant person cannot take the action back. Information systems identified to process classified information is marked according to the highest classification.
As with protecting physical classified properties, information systems and their products must also be safeguarded at the appropriate level. Computers used for uploading, storing, processing, disseminating, printing and other functions are protected at the level of the information being worked. These protection levels include creating an environment where users of IS understand the policies, threat, and that they operate in such a way that security plays a primary role in the development, procurement, operating, processing, and storage of classified information.
As with the entire spectrum of a security program, the safeguarding of the information systems reflects the compliance with agency regulations as well as the results of thorough risk management. The security manager’s responsibility is not to look at the effectiveness of protection measures as they relate only to the computer or system, but as it affects the entire organization mission and perhaps even our national security. The FSO or security manager invites and involves senior organization officers to take part in the risk management to ensure the vision incorporates the protection of classified information. This allows industrial security specialists and others in a security discipline to provide proactive security measures and not play catch-up with expenses and security policy.
Key control custodians maintain accountability of combinations, locks and keys used in the storage of classified material. In the same way, an administrator controls the authentication and identification and ensures measures are in place for the proper access of the classified information stored or processed on the IS. The authentication, user identification and logon information acts as “keys” controlling when the classified information is available on the system. Without the strict control, there is no way to prevent unauthorized persons from getting to the data stored in computers or components.
To protect the data, all information regarding authentication is restricted to only those with the proper clearance and need to know. Each user has the ability to access only the data authorized. The segregation of access and need to know per user can be affected on either individual systems or components dedicated to only one access requirement or one entire system or component capable of allowing many user level accesses. The custodian, ISSM or ISSO can protect the authentication data by making it unreadable or file access controls. This system is the same theory as controlling access to security combinations and storing them in a security container affording the proper level of protection.
Just as combinations and keys are rotated and changed during certain events, user identification, removal and revalidation are also in place. These similar measured are used to ensure the proper users have access and those who have moved, lost their clearance or need to know, changed jobs or otherwise no longer require access are no longer given the capability to access the IS. This control is in place through removing the user identification. Additionally, each user identification is revalidated at least yearly for those who still require access. Authenticators such as the keys, passwords, smartcards, etc as discussed earlier are to be protected at the highest level of classified information accessed. The users are not authorized to share, loan out or otherwise give to others. They are personal and access to individual logons are audited.
Passwords are to be protected at the level of classification of the data stored or processed by the IS. If, as in our earlier example, XYZ Contractor’s IS is configured to process data classified at the SECRET level, then the password is classified at SECRET. It cannot be stored in a phone, personal data assistant, or otherwise written down unless stored in a security container. The pass words are at least eight characters long and are generated by an approved method. This approval is based on length of password, structure and size of password space as described in the SSP designed by the ISSM. The passwords are changed annually. Passwords already installed in software and operating systems are always replaced prior to giving users access to the IS.
Physical access to IS is controlled to prevent unauthorized personnel from obtaining and or otherwise compromising classified material. This also applies to the maintenance of IS. Information systems do often require repair, upgrades and other maintenance that is not normally performed by the ISSM or ISSO. When necessary and available, maintenance should be performed by cleared personnel with need to know or at least with an ability to control the need to know. This is the least risky of all options as a technically knowledgeable employee can escort and monitor the repairs and ensure security processes are in place.
However in many cases maintenance personnel without security clearances or if they do have clearances are not cleared to the level of IS classification. They are not employees of the company and do not have the need to know. These maintenance professionals must be U.S. citizens and require constant escort. The escort or other employee will conduct all login and logoff procedures as well as have a keystroke monitoring system in place. All classified data and media should be cleared and removed to deny access to the unauthorized repair persons. These controls prevent the un-cleared persons from gaining access to passwords, authentications and classified data. They are only allowed to work on the system after system access is granted. The system is similar to opening a combination and removing contents of a security container prior to granting authorization for a locksmith to make repairs.

Friday, November 28, 2008

What am I thankful for?

I have just finished reading the local paper the day after Thanksgiving newspaper. I am reminded of the reason that this year is by far the best Thanksgiving celebration ever and the paper delivers the resounding reason. On the front page, just below the fold and prior to any articles about shopping on Black Friday is a picture of my handsome nephew being greeted by friends and family. The article is called: It’s ‘best Thanksgiving ever’ for soldier’s kin.

Yesterday at approximately 11:30 am after traveling for four days from Iraq, my nephew landed safely. It was a great feeling be among over fifty friends and family ignoring typical tradition and surprising their favorite soldier at the airport. The trip was just part of the journey that brought him back to us…the good part.

Unfortunately, the reason SPC Smith came home revolved around an improvised explosive device (IED) that destroyed his vehicle, killing and injuring its occupants. My nephew escaped with no serious injuries and has no recollection of the event. Even so, we remain eternally grateful that he is back with us for a short time.

I am also grateful to the men and women serving our country daily and their families who endure their repetitive absences in the call to arms. They sacrifice time and their physical well being. Their loving families endure the hardships with hope and prayer. To all of you, I am truly thankful for the sacrifices you are making for us.

Tuesday, November 18, 2008

Classification Markings

Executive Order 12958 delivers guidelines assigning classifications to objects and information. When it comes to classifying information, the intent is to provide proper safeguarding to prevent unauthorized disclosure, loss or compromise and keep the amount of classified information to the minimum. Items are classified to direct the appropriate amount of protection necessary. Before an Original Classification Authority (OCA) can designate that a document needs protection at the TOP SECRET, SECRET or CONFIDENTIAL level, the following qualifications are to be met. In cases where items may be assigned an original classification, four conditions must be met.
1. An original classification authority is applying the
classification level
2. The U.S. Government owns, is producing, or is controlling the
3. Information meets one of eight categories
4. The Original Classification Authority determines unauthorized disclosure could cause damage to national security to include transnational terrorism and they can identify or describe the damage.
Information that has been given an original classification is owned by, produced for and in control of the U.S. Government. Those who assume responsibilities as original classification authority are appointed in writing. They are trained, cleared to the level of classification assigned, and know the limits of classification as shown in Figure 5-. The information they determine to be classified is marked properly and given the level of protection indicated and required by the classification markings.
Marking classified material is a part of an implied task of receiving classified material either delivered to or created within the facility. As in the previous chapter, classified information received has to be checked against a receipt or inventory, inspected for proper identification and marking and brought into accountability. If the delivered classified information has marking discrepancies, the receiver has to rectify the situation by either sending back to the sender, or fixing the mistake themselves. When classified information has been created as a result of original classification, compilation (derivative information) or reproduction notifications are applied. Classification markings are those notifications or indications strategically placed in certain areas of an item.
Markings have the primary role of calling attention to the fact that an item is classified and the special safeguarding necessary to protect the classified material. In many cases, not every part of the item is classified, but because the components (parts, pages, pieces,etc.) make up a whole, the entire item must be protected. However, if sections are meant to be removed, then they can be protected at different levels. For example if a document is classified at the SECRET level, the entire document must be protected as SECRET. However, if an appendix is labeled "UNCLASSIFIED" and is meant to be removed, then that part does not need to be protected as SECRET (more is covered later under "Components").
Identifying documents with the "TOP SECRET","SECRET", and "CONFIDENTIAL" labels provides the warning of special handling and protection. Specifically, items are designated with certain markings that serve to warn and inform a user that an item is indeed classified or sensitive. The bearer of the classified information has certain responsibilities to protect the classified material from loss or compromise.
Suppose an engineer of XYZ Contractor goes to the company's centralized document storage area and signs out a document classified as SECRET. According to company policy he or she is to return the item to document control prior to the end of the work day, or when they need to leave the office. Their company policy also permits the cleared employees to review classified material as long as the door is closed.
After a while his eyes get tired and he grabs his day planner to check his schedule. He is reminded of an upcoming meeting with the social committee and begins to reflect on the near term company picnic. He rises and walks to the window to look at proposed picnic location. While gathering his thoughts, he hears a knock at the door and automatically walks to open it. As he passes his desk his eyes glance at the document's markings of "SECRET" on the top and bottom of the opened pages. He then closes the classified book and picks it up. With the book closed and firmly secure in his hands he opens the door and sees his buddy from across the hall.
They both are working on two different contracts therefore his buddy has no need to know of the contents of the book.
"Let's get some lunch," his friend says in invitation.
"Sure, follow me to security and I'll get this locked up," the engineer replies.
The markings served to remind the possessor of the classified information on their desk and to ensure that they maintained proper control and accountability. The marking also reminded the owner that they were responsible for ensuring another person had a clearance and the "need to know" the classified information contained in the document.

Monday, November 10, 2008

Emergency procedures

Develop emergency procedures
On September 11, 2001 flight, slammed into the Pentagon. Fuel, fire and concussion waves poured out into the most secured of areas. Sensitive and Classified military information and material, communications equipment, secure containers and much more became vulnerable to loss or compromise. Security containers welded shut and unable to access in the extreme heat of the subsequent fires.
In 2005 Hurricane Katrina wreaked havoc as waves crested levees and flooded much of the Alabama, Mississippi and Louisiana low areas. Area residents and businesses evacuated the area leaving classified information locked in security containers. Flood waters caused tremendous damages that could have left unprepared businesses with unsecured classified material.
Regardless of the type of disaster, manmade or natural, those in possession of classified material should have a solid procedure for protecting classified information. This procedure supports the overall security program and is in harmony with the risk assessment and practical enough to execute when necessary. The contingency plan includes written policy and rehearsals to ensure everyone knows their role in protecting classified material.
For example, since classified work is performed at Widgets Contracting, the FSO knows that she has to have a plan in place to protect the classified material during any type of emergency. From her risk analysis, she discovers that fire and severe weather are his biggest and most disastrous of threats. Should any type of emergency can cause the evacuation of the facilities she needs a plan in place to account for the classified material. Together with the input of her team and the requirements of the executives she maps out a written policy that includes disaster rehearsals. The Widgets Contracting emergency plan requires that, when possible, all cleared personnel will evacuate their work areas with classified material. Document custodians will lock up security containers and grab the emergency kit bags and classified document sign out sheet. All employees will report to their designated assembly areas where security representatives can relieve them of their classified material.

*Emergency Kit Bags
• Marking supplies (Pen, stamp, preprinted labels, etc)
• Opaque bag or wrapping paper
• Opaque security tape
• Cleared personnel roster
• Classification level coversheets

*Suggested contents of emergency kit bags. These bags should be kept up to date and readily available during emergency evacuations

Sunday, November 9, 2008

Frequently Asked Questions

I am often asked questions about security question. Some are really good questions and I always appreciate them. Good quetions give me the opportunity to address security clearance and awareness issues that I don't always get to while giving formal training. These questions usually come up as I walk around the facilities or speak with folks informally. Here are just a few.

1. Is everyone guaranteed a security clearance?
No, having as security clearance is not one is not one of our inalienable rights. A security clearance is a determination of trustworthiness based upon an extensive background check conducted by some very professional and persistent investigators. The background checks help answer a person's ability to protect classified information based on the following criteria:
• Allegiance to the United States
• Foreign influence
• Foreign preference
• Sexual behavior
• Personal conduct
• Financial considerations
• Alcohol consumption
• Drug involvement
• Psychological conditions
• Criminal conduct
• Handling protected information
• Outside activities
• Use of Information Technology Systems

2. Is it true that the Government can deny a security clearance for something as simple as filing bankruptcy?
Yes, a security clearance can be denied for many reasons uncovered during the investigation reflecting the 13 criteria mentioned above. Remember, a clearance determination is based on whether or not you are trustworthy and stable. Any events or actions on your part that may subject you to release classified material to unauthorized personnel or prevent you from protecting it properly will make you subject to a decision to deny your clearance request.

3. Why should I earn a certification?
How badly would you like to stagnate in your career? Try using your favorite search engine to find a job in industrial security. You’ll find that employers are now looking for prospects with education and certification.

4. What certifications are available?
NCMS (Society of Industrial Security Professionals) offers the Industrial Security Professional (ISP) Certification to those who work with and protect classified material. Job descriptions include:
• Facility Security Officer
• Security Specialist
• Document Custodian
Our book ISP Certification-The Industrial Security Professional Exam Manual is designed to supplement a person’s study of the ISP Certification.

ASIS International Offers the CPP and other certifications. Also certifications include: CISSP, OPSEC, etc.

5. Suppose I don’t want a certification. Why should I buy your book?
ISP Certification-The Industrial Security Professional Exam Manual provides a career map for security professionals. The first few chapters are dedicated to education, networking, certification, and community involvement. Since security involves relationship building, this is what a security manager needs to know to establish themselves as an expert and therefore a credible source and influence. The final chapters are full of questions exercising an industrial security professional’s professional competence as compared to federal guidelines.

6. Why are so many people being arrested for stealing “secrets”?
In recent news, contractors and government employees have been arrested for taking classified material from the workplace, releasing it to unauthorized persons, and conducting export violations. In most cases, the employees did not have ill intent, but lacked training. More seasoned veterans of classified work have become “immune” to security procedures. A few have conducted espionage. It is important that security managers review security violations and look for patterns and include the information as part of the security awareness. Such information is an integral of developing a good security system designed to protect employee, corporate and national security.

7. My friend has a SECRET clearance just like me. However, she won’t talk with me about her SECRET stuff. What’s up with that?
You may recall in your security awareness training that classified conversations are conducted in approved areas. Dinner dates, car pools, movie theaters, etc are not approved areas. Also, just because you have a security clearance doesn’t automatically make you able to access classified material. You also have to have a valid need to know.

Develop relationships within your security professional network. Look for opportunities to help other professionals. Equally important are developing a positive relationship with those with whom you have security oversight. Be approachable so that they will trust you enough to ask the tough questions. Who knows, you may help prevent security violations.

Thursday, October 30, 2008

Security through walking around

Perhaps you have already used this term or have at least heard others refer to it on occasion. I have read several articles concerning the subject and am, quite frankly, a fan of the idea. For those new to the term, it means turn off the computer and show your smiling face. If you spend your day processing information at your computer, you don’t get the full security picture. If you only get out to play “gotcha” or to conduct preliminary inquiries into violations, then those you serve only get a partial picture of you.
Security through walking around requires a plan. Without the plan you are just milling about engaging in conversation and basically, wasting everyone’s time. A plan will keep you focused as well as prevent the temptations to have conversations and activities that can cause you to lose credibility. The plan doesn’t have to be complicated or lengthy. It just helps direct your purpose, attention and answers questions about your security program’s health.
The plan should allow opportunities to enforce your message as well as getting to know the names and characteristics of employees, team members and executives. It also allows you to get your face out there, thus making you more accessible to the very people you depend on to support the security program.
Have a prioritized list of milestones that help you measure your effectiveness. This list could reveal your effectiveness in matters of personnel, physical, IT, privacy, proprietary and, if applicable, classified information security. As a word of caution, research and know your topics before you go. Understand the policies in effect and level of security success. Know regulations and requirements your company complies with and how it affects the company’s business and team members. If you answer a question with a “best guess” or rattle off a party line, you can lose credibility and cause others to doubt your abilities.
While preparing for your walk, anticipate good and bad feedback. There will be some who praise your efforts and there will definitely be those who criticize or question your motives. Some may be the result of you personally implementing a security plan such as limiting access. These objections are perfect opportunities to talk about how door magnets prevent unwanted and unauthorized visitors and how they reduce energy spending by $12,000 annually. Others may be upset with having to comply with federal regulations. This is also a great time to NOT quote regulations, but demonstrate how they impact the company and the benefits of compliance. If any question arises that you can’t answer, be candid. “I don’t know, but I’ll get back with you,” is a perfect response. Be sure to follow through and get back with the person. Likewise, if anyone requests action that you can complete, do so in a timely manner.
Be sure to offer praise and kudos to those deserving. Do so publically and immediately. Avoid criticism or wry comments directed toward or about an employee who is critical, has committed violations, or just doesn’t understand security. Definitely stay away from getting into personal conversations, self-admittals, privacy or Health Information Privacy Act (HIPA) violations. These are better left for private, official occasions.
Security through walking around provides an excellent tool to measure the success of your security program. Asking open ended questions and developing rapport with company team members will help a security manager gain ground in selling their security program and meeting company needs. However, each session should be well planned to prevent wasting valuable time and the loss of credibility. After the event, write up findings, recommendations and Kudos. You represent your corporation and management. Keep conversations professional and avoid the temptation for getting into personal conversations that violate company policy or privacy and HIPA compliance.
For more security education and articles, visit Jeff’s website: www.ispcert.com

Saturday, October 25, 2008

DoD Security and Executive Order 13434

Have you taken the next step to being competitive in the security and intelligence arena? If not, this article will provide information and tips based on a proven method of studying for and passing the exam.

Why earn a security certification? There are several reasons to achieve certification. One of which allows security managers to take advantage of opportunities offered in the recent Presidential Executive Order: National Security Professional Development. The Executive order states: "In order to enhance the national security of the United States...it is the policy of the United States to promote the education, training, and experience of current and future professionals in national security positions (security professionals)..."

The National Strategy identified in the Executive Order provides a plan to give security professionals access to education, training to increase their professional experience in efforts to increase their skill level and ability to protect our nation's secrets.

The ISP Certification is sponsored by NCMS (Society for Industrial Security) a professional organization specializing in protecting classified information. The ISP holder demonstrates a high level of knowledge in this area. The certification is based on the National Industrial Security Professional Operating Manual (NISPOM) but also covers electives such as: COMSEC, OPSEC, and other topics.

The NISPOM may not be familiar to you, but the security functions identified within are. The NISPOM is the government contractor's guidance from DoD on how to receive, process and distribute classified information. It covers how to mark, document, store, disseminate and destroy classified as well as how to set up classified computing. If you have worked with contractors or plan to work with contractors, you should be familiar with the NISPOM. Chances are that you are already familiar with the processes from your military and government experiences.

This certified professional communicates to supervisors, the promotion board, and others that they are committed to the business, the industry and the protection of national interests. It equips the security manager with the knowledge and skills to perform critical tasks as well as relate well to what civilian counterpart requirements. Most of all, it gives the bearer confidence in their ability to apply their knowledge. As this certification program evolves, more and more employers will require the certification.

The ISP Certification Exam is an open book on line test consisting of 110 multiple choice questions and takes up to 120 minutes. There is a clock that keeps track of the time and the test times out automatically. You can download the NISPOM to your desktop and use it to help search the test questions.

The following websites offers the NISPOM, test taking tips, study materials and conference calls:


Offers study manual, online NISPOM and practice tests.


Great information on how to sign up for the test.

What can you do to increase your experience and skills? Professional certification is a great move for security managers. Whether or not you will make the military a career, you will find this certification a career enhancer. With the advent of the new Executive Order, certifications may become requirements in the civilian sector and perhaps even in government security positions. Also, consider joining a professional security organization. There are national and international chapters of the American Society of Industrial Security International (ASIS) www.asisonline.org and NCMS www.classmgmt.com. Visit their websites for more information.

Jeff Bennett, ISP is a retired army officer. He served 11 years in Army Intelligence as a 96B and 98C with German and Spanish language identifiers before becoming a Transportation Corps officer. He is happy to be back in the intelligence community serving as a Facility Security Officer for a Defense Contractor in Huntsville, Alabama.

Friday, October 10, 2008

An idea about violations

I was just thinking about the myriad security violations that could have been prevented by using good operations security, communication between cleared co-workers and practicing lessons learned during security training. Once of the biggest culprits of a well rounded security program is the lack of available security violation statistics. There are resources for discovering spy stories or data on espionage, but as far as information about the most common types of violations, mistakes, oversights, etc. the data does not seem to be there. We can’t learn from mistakes if we don’t know what the mistakes are.

Good security managers have data of security breaches, violations, reports of compromise or suspected compromise. However, this data rarely leaves their office. Because of the sensitive nature, it is held closely either for fear of retribution or fear of embarrassment. In truth, there is no retribution for security violation reports and information contained could be very valuable for security awareness.
Take for example that a security manager discovers a security violation with employees leaving the safe unlocked too many times, or leaves a closed area without setting the alarms. The security manager will probably have information detailing the frequency of violations, the persons committing the violations, resolutions and training to correct the behavior. This security manager could use the information to specifically train the business unit to inform them of the infraction, as well as provide meat for the annual security awareness training.

However, this information could be stripped of all identifying information and sent to a collection point for access by other security managers in the industry. Such an effort would only serve to strengthen OPSEC and the managing of security measures to protect classified information.

In the spirit of sharing, I will contribute a few violations I have investigated or have personally experienced.

• Transmission-Worker 1 reported with workers 2 and 3 to the communication center to pick up a classified device for encrypting information. Worker on carried a thin plastic shopping bag and the communications center loaded four heavy devices into the bag. The three workers then walked a quarter of a mile over urban terrain to their work areas. Upon arrival, worker 1 noticed a hole in the bag and one of the devices missing. Workers 1-3 conducted a search to no avail and reported the loss. Fortunately, the device had been found and turned in to the proper authorities.

• Violation of “Need to Know”-Worker 1 and Worker two shared an office where classified work could be performed. They each worked on two different programs, but at the same security level. Worker 1 had to run to the restroom and asked Worker 2 (same clearance level) to watch their classified documents. Worker 2 received a phone call, forgot about the classified material, and left the office and the material sitting unattended. Upon returning, both workers realized the classified material was left unattended and reported the violation to security. Security provided security awareness training emphasizing not to leave classified material unattended to Worker 2. However, Worker 1 received training on leaving material with a cleared employee not having “need to know”.

These are just two experiences of security violations discovered, addressed, and now shared for your use. No person or company is identified, so there is no retribution. Please feel free to include in your upcoming training.

Saturday, October 4, 2008

Those warning labels

I am currently working on Chapter Five of my new book, "Managing the Security of Classified Information and Contracts". Chapter Five reviews the Executive Orders and regulations relating to Classification Markings and there is some good information from all sources.

I believe this good information is fundamental to the profession of Intelligence and Security Officers. Understanding why and how information is classified is vital to knowing exactly what to protect and how. There are a few hard and fast rules for classifying information. In cases where items may be assigned an original classification, four conditions must be met.
• An original classification authority is applying the classification level
• The U.S. Government owns, is producing, or is controlling the information
• Information meets one of eight categories
• The Original Classification Authority determines unauthorized disclosure could cause damage to national security to include transnational terrorism and they can identify or describe the damage.

There are also critical reasons for assigning classification markings. Classification markings are applied to information for the following reasons. Classification markings:
• Warn and inform a user that an item is indeed classified or sensitive
• Conveys what exactly needs protection
• Identifies levels of classification or sensitivity assigned to the information
• Provides vital information and instruction on when to downgrade or declassify the material
• Gives sources and reason for classifying the item
• Warns of special access, control, dissemination or safeguarding requirements
Classification markings can be found on the top and bottom, front and back of classified items. Markings are also found in internal pages, paragraphs and other locations inside documents, books, manuals and other paper based products.

While with my last employer, I had a few responsiblilies which included: Facility Security Officer, Exports Compliance Officer, and Saftey Manager. These roles were incredibly inter-related and a lot of cross skills came into play. However, there was one thing in common; each position had its own inherent set of "classification markings". For example, as safety manager I supervised the hazardous communication process. Just as classified material must be marked properly and have a security classification guide and DD Form 254 to warn what is classified and how to protect it, HAZMAT has warning labels as well as MSDS's to warn the users what is hazardous and how to work with it.

Classified markings are fundamental to how we protect classified material. Markings should be checked when classified information is introduced in to a contractor facility as well as when the contractor reproduces, creates or derives a new item from another classified source.

Thursday, October 2, 2008

Kicking Down Institutional Walls

A critical review of security books

By: Jeffrey W. Bennett, ISP, Author of: ISP Certification-The Industrial Security Professional Exam Manual and Under the Lontar Palm

This book commands attention! The authors bring to light current security practices, methods and decision analysis and their many shortcomings. The authors' thesis; to provide sound argument toward a more modern and effective way of implementing security practices. The ideas are easy to apply, but contrary to what is taught by security seminars and vendors selling security products.

While security seminars and education efforts teach cataclysmic results of security breaches, "New School" demonstrates the need for collecting data to assess the threat in a scientific manner. Shostack and Stewart champion going back to raw data to identify the threats and then develop programs to address those threats.

Aside from evidence related to loss, espionage or other threats, risk managers cannot effectively apply security measures. The authors indicate that breech data exists, but the holders are reluctant to share. However, the authors do a good job of proving that companies who publically admitted failure recovered quickly from any scandal or fallout from information or data breeches.

The authors know down the traditional walls of security training institutions. They preach good solid evidence behind decision making; otherwise security managers can not effectively determine whether or not the lack of threat is a result of new security measures or just plain luck.

The book is easy to read implement in all areas of security. The physical security, loss prevention, DoD contractor, and many others in and out of the security profession can adapt the principles to their business units.

To purchase this book and more resources, visit www.ispcert.com

Sunday, September 28, 2008

Pentagon analyst Gregg William Bergersen, was recently sentenced to 57 months in prison for providing information classified at the SECRET level to the People's Republic of China. The information was classified SECRET, thus having the potential to cause serious damage to national security. The complicated espionage operation involved not only native born U.S. Citizens, but foreign born as well. Though this ring involved several people both U.S. and Non-U.S. citizens, let us spend our focus on the the cleared U.S. Citizen Mr. Bergersen.

The foreign operative received the largest sentence, however, let us not waste time tracking them, they are paid to spy and we have agencies dedicated to catching spies. We as security managers entrusted with safeguarding classified information, have to clean up our own back yards. Proactive security specialists are constantly on the look out for indicators of employee espionage. We cannot prevent employees from being corrupted with recruitment, but we can train employees to help good employees reduce the effectiveness of recruiting efforts and identify those prone to espionage and stop them early in the process. Some practical ways to do so include providing education and reporting for:
1. Espionage recruiting efforts.
2. Suspicious contacts.
3. Changes in cleared employee activity, behavior, mood, finances, allegiance and other key areas.

Security managers can also reassess their physical security, IT and document control procedures to bring into accountability and control our nation's secrets. All classified material is to be documented, safeguarded and provided proper disposition from the time it enters the facility until its authorized removal. Controlling pedestrian traffic and classified item movement at all steages is the most logical of security procedures.

The adversary is not spending resources breaking into classified areas and stealing SECRETS. So, why should we focus all of our efforts trying to prevent break-ins. Spies know their best efforts pay off with recruiting people to walk it out the doors for them. Recent cases of espionage involve older and more educated, foreign born, cleared employees.

Our best action is to reassess the threat, identify ways to oppose the adversary and dedicate time and resources designed toward that end. Any classified material introduced, copied, moved, removed, created or otherwise under jurisdiction of a contractor or Government entity should never be lost or compromised.

So, what can you do to reduce the chances of employees walking away with classified material? Are you implementing innovative ways to protect what is your responsibility, or are you just following "best practices". Remember, espionage is not successful with out willing parties. Those willing parties should have a very difficult time hiding their intentions (there are always indicators", and removing classified material (there are always available controls).

Tuesday, September 23, 2008

How important are those receipts?

I recently went through an annual audit with the Defense Security Services while working on my full time job as an FSO for a Defense Contractor. I have always held dear the responsibility of implementing a security program designed to protect classified material. In that role, I try to create a positive environment while remaining vigilant of suspicious activities and possible compromise.
During the course of the inspection, my attention was directed to our company's lack of warning sign. This sign was to be posted reminding employees and visitors that their personal effects are subject to search. I agreed that the NISPOM requires such a posting, but I did not understand how a sign would be helpful. We re-opened the NISPOM to try to better understand the intent.
The sign is part of the program to prevent unauthorized introduction or removal of classified material from a contractor facility. I had only understood half of the intent, to prevent unauthorized removal. With the full understanding, I now realize that a good security program ensures classified items are brought through the right channels and according to a contract.
Industrial security professionals working in document control, retention or disposition have a critical responsibility of caring for classified material from beginning to end. Classified material arriving to a contractor is received properly, brought into accountability and finally given a proper disposition.
This classified material is provided by the prime contractor or the Government customer as related to the work identified in the Contract Security Classification Specification. The contractor is required to keep accountability of all classified material and retrieve it within a reasonable amount of time. This requires an excellent accountability and cataloging system with the capability of locating, retrieving, lending and returning the classified material within the safeguarding area.
Classified material has to not only be removed from a facility in the correct manner, but has to be introduced through approved channels. Creating a good program to receive classified information is a vital part of the accountability process.

Sunday, August 31, 2008

Disclosure is not up to the user

Let me complete the title by adding...it is a licensing issue. I've often spoke of the necessity for security professionals to understand their business, the contract and the people under the company employee. This is especially critical when executing security plans dealing with classified and technical information. I often thing that Facility Security Professionals or at least those in professional organizations should recite that as part of their creed.

In recent news, a former University of Tennessee professor is accused of passing sensitive information to foreign students under his supervision. He had also travelled to China with sensitive, export controlled information; a clear violation of State Department regulations and the International Traffic in Arms Agreement. How did this come to be? This is an answer for the courts.

The FSO and other readers can glean some valuable information from this article and several of the subject's comments. Mr. J. Reece Roth had argued that the information he passed along could not fall under the restrictions since it wasn't information from a complete project. It can be argued as well that he never opened the sensitive information while traveling to China (Computer forensics has supported that.

The arguments, maybe technically correct, clearly violate the spirit of the laws meant to protect our national defense. Though Mr. Roth is responsible for his own actions, we can see where security can play a larger role in helping to prevent such violations. However, in many companies, FSO's are not providing the compliance management their positions should. Far too often, FSO's are not in a position to raise important issues.

1. Companies should appoint competent Facility Security Officers. According to the NISPOM a company should appoint an employee as FSO and small companies, this could be an employee with an additional duty. Since the role of FSO is to implement and direct a security program to protect classified information, companies should consider very seriously those they appoint to the position. Often, lower positioned employees are given the responsibility but in reality have very little influence. The lack of influence may be the result of the lower position, lack of education, or lack of skill. In either case, the responsible DoD contractor company should look at the right qualifications.

2. The FSO, in a role of influence, should understand where the company is headed. Since the FSO is responsible for identifying Foreign Ownership Control and Influence, they should know the business direction the company is pursuing.

3. The FSO should also understand export licensing, how to advise senior officers and executives on safeguarding classified material and maintaining facility clearances. The business development,contracts, executive, purchasing, engineering and other managers should inherently consult with the FSO as is not often the case. As a DoD contractor with a facility clearance, the FSO liaisons between the contractor company and the congizant security agency to ensure compliance on anything that could affect their ability to protect classified material.

4. Two and three cannot apply without number one. Companies should take the role of FSO's seriously. Begin with looking for qualifications such as business savvy, college education and a certification. This will ensure that FSO has the credibility and ability to create a process and procedures for compliance.

To wrap up, the right FSO could see this trouble coming. A quick review of news and other historical documents of late show patterns of employee misbehavior as a main culprit in security violations. Also, economic espionage and exports violations are a direct result of employee malice and ignorance. The news doesn't indicate forced breakins or outsiders infiltrating company defenses. They just report errogance, ignorance and malice of the insider. FSOs worth their salt know how to train their companies and reduce the possibilities of security violations.

Wednesday, August 13, 2008

Facility Security Officers (FSO) and Compliance

The Facility Security Officer’s successful program depends on developing relationships with employees, managers and executives to facilitate execution of company policies, necessary security awareness training, willful employee self-admittance of security infractions or change of status, and proactive action toward expired, existing and future classified contracts. Any of the above mentioned success measures is difficult to obtain in a changing employee and contract environment, but is simplified through employee and executive buy-in.

One of the most important traits an FSO should possess, aside from technical competence, is the ability to gain executive, manager and work force buy-in. This buy-in is critical for integrating the security plan into all business units and company operations. For example, one major cause of security violations is the introduction or removal of classified material into or from a company without proper accountability. This is in contradiction to DoD regulations requiring that classified information in any form should be logged into the company accountability and stored properly according to the classification level. An FSO can train and write policy but without the enterprise’s full cooperation, will find it difficult to enforce.

A well integrated security plan will ensure that all units within an enterprise notify the FSO of any change in disposition of classified material storage. This integrated system will trigger the contracts, program manager, business development and other units to coordinate with the FSO and keep the FSO informed of expired, current, and future contract opportunities and responsibilities. The coordination will allow the FSO to be proactive and better support the company classified mission. Having a security program integrated into all aspects of the company produces award winning situations and dramatically reduces security violations.

An obviously important task that an FSO directing the security program faces is the successful accomplishment while supporting the company’s primary mission; to make money. The FSO owes allegiance to protecting nation’s secrets, but will not be able to do so if the company profits go straight into the security budget. In times past, FSO’s could recommend and receive support toward the security programs with little justification. Management viewed security as a necessary evil necessary for achieving the goal of conducting classified business with the government.

Find out more in our next posting or visit www.ispcert.com for more information and valuable training resources

Saturday, August 9, 2008

Industrial Security Professional (ISP) Certification

By: Jeffrey W. Bennett, ISP

Have you taken the next step to being competitive in the security arena? If not, this article will provide information and tips based on a proven method of studying for and passing the exam.

Out of the 2,000 NCMS members only 6% hold the ISP certification. In July 2005 there were only 75 ISPs and as of October 2006 the number has increased to 117. The test is challenging and the pass rate is 80%. However, this pass rate is expected to improve.

Why certify? The ISP holder demonstrates a high level of knowledge. The certification is based on the NISPOM but also covers electives such as: COMSEC, OPSEC, and other topics.

This certified professional communicates to upper management that they are committed to the business, the industry and the protection of national interests. It puts the company in a stronger position while bidding on contracts and lends credibility to relationships with the oversight agency the Defense Security Services (DSS). Most of all, it gives the bearer confidence in their ability to apply their knowledge. As this certification program evolves, more and more employers will require the certification.

According to the book, Now, Discover Your Strengths! s, the difference between mediocrity and excellence is a small margin. For example, a horse wins a race by fractions of a second and employees excel faster by completing only one more small action a day. In my case, I studied for a few minutes every day for five months. The few minutes made a big difference.

There are many excuses not to take the exam: the cost, time involved, or fear of failure. NCMS is doing a lot to train, mitigate the expense and studies show that salaries do increase with the certification.

I hope this tip will build your confidence. Take the online test! If you can perform a search in a PDF file, you can pass the test. The exam gives 110 multiple choice questions and takes up to 120 minutes. There is a clock that keeps track of the time and the test times out automatically. How convenient.

I recommend using two monitors. Open the test in one monitor and the PDF version of the NISPOM in the other. Open the search function in the NISPOM and type key words from the test question to find the reference. It’s that simple, but takes some practice.

The following are websites that offer reference for the ISP test study. The first website offers 20 free practice questions and PDF files of the NISPOM.

The next two websites offers the NISPOM, test taking tips, study materials and conference calls.

You can pass this test! Use the study references and you will succeed.

For those security professionals and FSOs who have earned your certification, you know what feeling of accomplishment that is. For those who haven't started, what are you waiting for?

I studied for six months, before I had the courage to take the test. Once I passed, I took notes and began writing a book. I have a database of 400 questions that will definitely help guarantee your success.

Whether you’re employed in the security field as a government employee, contractor, loss prevention or IT, you need the competitive edge.

Security and Customer Relation Management

Customer Relationship ManagementSystems is a tactical and strategic tool that can be very useful in the security field. If used correctly, this tool can forecast trends and help a company with the top and bottom lines as well as help prevent security violations. Today, many businesses do not look the same as they may have many years ago.

They have definitely left their core competency to move onto something more profitable. The internet and information technology have made that possible.
General Motors and eBay are two companies who have reduced focus from their original purpose to reflect financing. They have both learned that keeping the customer in debt through interest bearing finance for longer periods of time is more beneficial to the business.

Another example is from the best seller Good to Great. This book lists Kimberly Clark as a successful company that thrived in a dying industry. This company moved from being a supplier of coated paper to consumer goods like Huggies and Kleenex.
How did these companies transform to this kind of success? I believe it was from a keen insight into customer relationship management. Even at its primitive form, before current software availability, the astute business leaders recognized the trend in the market place. It wasn’t hard for the visionaries at places like GM, eBay and Kimberly-Clark to see the potential for huge profits.

Like many explorers and adventurers, each of the CEOs and other leaders received harsh criticism and ne’er do wells from peers and medial alike. Many engrained in tradition expressed disappointment. The leaders were left with dreams, plans, execution and the true possibilities displayed in sales history, demographics, profiles, and shifts in buying trends.

This CRM uses sales force automation to expedite sales and assist the sales force, customer service and support to align sales with suppliers, and marketing management and analysis to find the market. These interact to align the business with customers’ needs and meeting them more promptly at the point of sale.
With evolving technology and high tech consumers, we can expect many more companies to leave their original core competencies to ones that earn them more money with fewer costs. Much business is growing on-line. Without the proper risk of visionaries, and data used properly from CRM a company may die in its antiquity.

Can you think of ways to apply CRM to security?

Porters Five Principles

According to Porter’s Five Forces Model, in my opinion, competition has increased in the in all areas as a result of the internet and e-Commerce, providing several challenges to security. By way of providing threat assessment, try to see how your security process can take this model into consideration.

The internet and IT has made it possible to both focus on the top and bottom lines and market share is expanded and costs are cut. Many products and services exist just online, major companies have gone online to successfully augment the brick and mortar corporations, and the playing field is all the way to edges of cyberspace, wherever that is. We will further evaluate this stepping through all five forces.

Buyer power is higher when buyers have more choices. Businesses are forced to add value to their products and services to get loyalty. Many loyalty programs include excellent services that customers demand on-line. Customers want to solve their problems and many times they are more successful on-line than on-phone. Also, we see internet savvy businesses springing up offering more valuable goods and services at lower costs. Now with the advent of eBay, many people are assuming roles as drop shippers. Individuals can have a thriving business selling goods of larger companies without having to carry inventory.

Supplier power is higher when buyers have fewer choices from whom to buy. As mentioned earlier, drop shipping has increased the amount of suppliers available. All an individual has to do is form and agreement to sell products for the company. The company takes care of all the logistics. The same is true of associates programs that amazon.com and google.com offer. Associates programs allow a webmaster to earn money by recommending products from others. This increases supplier offerings.
Threat of substitute products or services is high when there are many product alternatives. This is different than having many suppliers. Examples of alternatives are exchanging brand names, substituting credit card capabilities, and looking at better values from cheaper sources. The internet allows this with the “global economy”. I can substitute my product by purchasing from companies overseas where labor, services and products are cheaper, but of comparable quality.

Threat of new entrants is high when it is easy for new competition to enter the market. Well, what have we been talking about? Now, small operations can open shop with less than $10.00 per month and make a lot of money. As inventive as people are, there are always opportunities to do improve a product or service or just create and sell something new. Recently, many new entrants have made even more money authoring eBooks that tell others how to do what they did. Rivalry among competitors is high when competition is more intense within industries. On-line book stores and catalog companies are an excellent example. Amazon.com and Barnesandnoble.com are very competitive. However, ] there are many also smaller niche affiliate bookstores that when combined take a great deal of market share. They offer even more competition. However, both major bookstores have used IT to create value for their customers. These values include associates programs, ease of payment and shipping and many, many others.

The internet offers avenues of competition to existing companies and opportunities for start ups. Now businesses can enter the market on-line with few barriers to entry. Porter’s Five Forces Model can help demonstrate the attractiveness of starting your on-line business. A business person should use the model to identify competition, make a plan, and implement the process.

Tuesday, August 5, 2008

The Defensive Security Briefing

Prior to travel, a cleared employee should have a good understanding of their responsibilities to protect national security. A Defensive Security Briefing is for those who travel overseas and may be vulnerable to foreign entity recruiting methods. They should be constructed to make the cleared traveler aware of their responsibilities to protect employees, product, customers and those with which they do business. Topics of the defense security briefing should include threat recognition, how to assess and how to respond when approached for recruitment

Prior to travel, the employee should notify their security office of all foreign travel plans. This includes plans for Canada, Mexico and Caribbean Countries. The security department can then construct a plan for the specific area after researching the area to be travelled. The state department has a great website can fill security and the traveler in on all necessary travel documentation and what to expect while abroad. Traveling employees (and anyone traveling abroad) should familiarize themselves with the site and use it to become an informed international traveler www.state.gov.

As we have covered in previous posts, technical data can be transferred by reading a note, viewing a computer screen, conducting seminars and etc. Make sure you are authorized with a license and or TAA before discussing technical data that falls under exports compliance. Employees should know the boundaries in advance before sharing any technical information with the foreign hosts. Also, a sanitized computer provides no threat of exports violations or theft of economic or corporate data. Make sure your IT department provides a sanitized computer for the traveler’s administrative needs. Also, keep all documentation that could lead to export violations or the release of proprietary data close at hand.

Employees should practice good physical safety and security. A good practice is for them to conduct themselves as professionals at all times. Pretending the CEO is traveling with with the employee is a good idea as they go about representing the company. Also, stick with your host. They will ensure employee safety and hopefully refer them to reputable establishments.

Some threats an employee can face while abroad are economic and intelligence threat. Economic Threat is the theft of technology and commerce. The agent may be after formulas, financial gain and etc. Foreign entities may target classified or company sensitive information to gain a competitive edge. This costs millions of dollars in damage to U.S. business. Intelligence threats are similar but, they make up collection efforts against the U.S. to increase for government power and competitive edge.

We will examine more in detail training for employees traveling abroad. Be sure to check back often.

Wednesday, July 30, 2008


Some enterprises may want to get into the business of government contracting, but may not know where to begin. To help with classified contracts and contractor requirements I'll be posting excerpts of my upcoming book due out next summer. This first post from the book addresses the appointment of a Facility Security Officer.

Under the national industrial security program, a contractor is required to appoint an FSO to take on this responsibility of directing a security program to protect our nation's secrets while entrusted to the cleared facility. This FSO has a tremendous scope of responsibility and takes on the role as the provider of security and the link between the government contractor, the cognizant security agency (CSA) and the federal government. Fortunately, they have the National Industrial Security Program Operating Manual (NISPOM)to help.

The employer has the choice of hiring a new employee or assigning a current cleared employee as the FSO. The employee must meet two minimum requirements; be a United States citizen and possess a security clearance according to the company’s facility clearance level (FCL). In smaller companies, an assistant, engineer, program manager, human resources specialist or other capable employees assume the additional responsibility. Larger companies may have the luxury of hiring additional personnel for specific and defined security responsibilities.

The FSO should be cleared to the level of the facility clearance. A facility clearance is awarded to businesses that meet strict requirements and have a need to work with classified information. The personnel security clearance is awarded based on the need and the approval of a facility clearance. In either case, both the facility and the FSO have to be U.S. Entities and must have a history of integrity and conduct that prevents or limits exploitation or coercion to release classified material in an unauthorized manner.

However a company decides to appoint an FSO, that person should demonstrate keen leadership and team playing traits that complement the minimum requirements found in the NISPOM. As the director of the security program the main purpose is to prevent the unauthorized disclosure and release of classified information. Any unauthorized release can cause problems such as but not limited to: loss of reputation, loss of contracts, jail time or disciplinary actions against the employee, and loss of clearance for the employee and/or the business. The FSO has a tough task that they can not possibly do alone (for training resources visit our website).

Stay tuned for more posts on the subject of FSO, NISPOM and cleared contractors.

Saturday, July 19, 2008

Turning Meetings Into Doings

Recently a friend of mine asked me to run for officer of a professional committee we are involved in. “Jeff”, he said, “we only meet once a month for an hour. I’m sure you can spare that kind of time for a worthy cause.” How could I refuse such a promising proposition? I eagerly joined, wanting to make a difference. However, I quickly learned what most of us know; many meetings are a waste of time.
“We only meet once a month for an hour.” How many times have you heard that pitch? You bought-in only to be pulled into a group that met only because someone said they should. Then you end up meeting for an hour and a half of directionless conversations. These may even have been followed up with an agreement to meet again to continue the discussion. You then learned to lead and took the same lessons with you. This misuse of meetings has contributed to our earned reputations of having meetings just to conduct meetings.
Though meetings are an essential part of leading professional, many are far from necessary. Often meetings are put together for the wrong reasons, leaving group members feeling frustrated about the waste of time. Some leaders confuse having meetings with accomplishment or activity. Some misuse meetings as a method of passing information, exercising authority, visiting, or airing opinions. Members leave without having impact, input, or a feeling of accomplishment.
However this frustration can be avoided by following six simple steps. If you can address these rules your meetings will impact your projects with positive results: determine need, calculate the cost, set up the meeting, create the agenda, conduct the meeting, and finally follow up.
First, determine the need for a meeting. Most problems can be solved with a quick phone call, email, office call, or a chat in the hallway. If there is no reason to formally bring everyone in, then by all means avoid it. Save meetings for the timely and absolutely necessary times when everyone’s efforts are needed. Ask yourself the following questions: Can I accomplish this with better communication? Is there another way to get the needed results? Can someone make the decision for the whole group? Am I just lonely? If the answer is yes to any of those questions, then don’t have the meeting.
Next, calculate the cost. Once you decide that you do need a meeting, try to eliminate another determining factor; the cost. The Essential Manager’s Manual, a text book used in some graduate level communication courses, uses a simple formula for figuring how much a meeting will cost. Add the combined salaries of attendants plus expenses then divide by work hours per year. For example, if your meeting requires the attendance of someone from the church staff member and others from local businesses, you will need to figure everyone’s salaries. Once you have the total, add to that any miscellaneous costs. These costs include the rental of a conference room, cost of refreshments, per diem for guest speakers, and etcetera. Once you have the total, divide it by the work hours per year. Most businesses recognize 2,080 work hours per year. For example, if the combined salary of the group and miscellaneous expenses is $250,000 then the cost of a one hour meeting is $120.00. Ask yourself if the value of your meeting exceeds the cost.
Dollar amounts are not the only expenses to consider with volunteers. The next costs are intangible. Though there is no set formula, as the leader, you have to compare these costs with the potential benefits. Since most meetings take place on weekend or the evenings after work, you should consider these intangible costs for each member of your group. Badly planned meetings leave volunteers and committee members to unnecessarily experience missing meals, foregoing play time with grandchildren, not helping with household chores, being away from friends and family, spending gas money, rearranging schedules, reacting to last minutes events and putting off personal agendas. Motivated volunteers expect to sacrifice for the good work; however they shouldn’t expect to waste valuable time.
Setting up the meeting involves deciding who will attend and the purpose or what you hope to accomplish. After you have determined that the need and that the benefit of having the meeting will exceed the costs, then it’s time to set up. Your committee by-laws may require everyone’s presence, or you may decide that for planning purposes you need everyone’s input. Perhaps you only need the key players in the organization. You have diligently figured the financial and intangible costs and decided that minimum participation is better. Either way, this is a vital to the group’s ability to act and the impact it will have.
Next, you should outline what success looks like and backward plan from there. If your meeting is to conduct training for prayer walking in surrounding neighborhoods during the next school break, use this to set measurable milestones. Identify the projected date, determine how long training will take and decide when to begin and how you will measure the results. From there you can identify the teachers develop the curriculum. Knowing and communicating the point of the meeting is a major factor in making it a huge success.
Create an agenda to reinforce the purpose of the meeting. Up to now we have discussed how to determine the need and actions leading to the meeting. The agenda is a powerful and effective tool to use well before the actual meeting. An agenda is nothing more than a chronological order of topics to be discussed during the meeting.
At this preparation stage, pre-publishing the agenda to all invitees is a valuable time saving tool. This allows them to prepare information, decisions, or resources. With advance warning and a thorough agenda, your group will be more informed about what is expected, how to arrange their schedules and will feel valued as members. Later, call on all those you have invited to remind them of the agenda. This will prepare you for tough questions as well as help you streamline and fine tune before the meeting.
Finally, you can conduct the meeting. Show up early and prepare the room. Work out where participants will sit or stand. Placing key people strategically will ensure maximum participation. Make sure you have your resources, your notes and especially your agenda on hand. As people arrive, greet them and guide them to their places. Start with a positive attitude and have everyone warmed up for the meeting. If you can “break the ice” before the meeting, you will have more time for the objective.
Begin the meeting using the agenda. Set the ground rules and agree how you will handle disputes, confidentiality, input and who will present. If you haven’t done so already, select someone to take the minutes of the meeting. Minutes are nothing more than a record of time, location, discussion and agreements made. Have the person take detailed notes to be converted to minutes at a later time. At this stage their priority is to capture a snapshot of the meeting.
Go over the agenda to refresh everyone. As you go through the events, encourage input by asking open ended questions. For example you might ask, “Who do you recommend that we approach about helping our deployed soldiers’ families?” If you are good, you may get more suggestions and input than you expected. Much of it may be off the agenda so be prepared to guide the conversations back. If anyone wishes to add something new, write it down and agree to cover it at a later time or date.
Finally, conduct the follow up. When the meeting is finished, review the agenda and the agreements made and solutions brought up. Summarize key points made and agree to follow up to check on progress. Set goals and decide who has the next action, and use milestones to measure accomplishments. Republish the agenda and distribute the minutes at a later date to keep the group mindful of the meeting’s results.
Whether or not to hold a meeting is a big decision. Meetings held for the sake of meeting are a waste of time and resources. Using the six steps identified above will ensure that your necessary meetings have more impact. Such accomplishments improve the morale and help volunteers to keep themselves motivate and focused on the objective. Then, when you invite someone to join your committee for an hour a month you will have established credibility and they will be happy to be a part of something powerful.

Thursday, July 10, 2008

Being vigilant while protecting the money makers

A former engineer with Boeing Company has pleaded guilty to possessing classified information in an unauthorized location. Does anyone want to guess where? Yes, that’s right, his house. He thought he could take the information home with him and work on it there. You can read more about the information in the article Boeing Engineer is found guilty.

While many security managers are focused on good training and may think that they have it in the bag, don’t rest just yet. Chances are that the involved engineer is not the only one breaking the rules of safeguarding classified material. Those who work on classified contracts need to be reminded again and again how to do so while following the laws of our country.

Let’s break this case down. Engineer has access to computer processing. He then down loads the information to a data stick and brings it home with him. Though he probably meant no harm, his actions created tons of it and he will be punished for it.

Chances are, he had attended and understood all security awareness training events. His former employer probably had warning signs and controls in place to remind the engineer of the proper use of classified IT. The probably followed NISPOM requirements to perform random checks, control classified processing, account for classified material and all actions necessary to prevent unauthorized disclosure. However, he still got through.

This serves to remind security professionals to be creative in their risk analysis. This involves thinking like those you support and answering questions like the following: How could an employee sneak or inadvertently remove classified material? Are there any ways to remove, copy, destroy or disclose information without leaving a trail? Can employees be duped into releasing classified, export controlled or proprietary information at a convention?

Find the answers and address them as soon as possible. For example, our engineer downloaded classified information on a data stick. Security managers could return to policies of two person use rules for all tasks requiring the use of classified material, or require each employee to verify verbally that they do not have cameras, data sticks, or recording devices before entering facilities.

Security managers have the tough job of protecting classified material. While many may feel they are in the business alone, professionals create an environment including the whole company in the plan and activities of protecting our nation’s secrets. Security managers have to learn to be as creative as the employees they support to better counter threats of unauthorized disclosure.

Wednesday, July 2, 2008

Safeguarding 101

Since the Federal Government allows contractors to use classified information on the performance of contracts, the Department of Defense regulates a classified contractor’s ability to work with classified material. The Federal Government has published a policy appropriately titled: The National Industrial Security Program Operating Manual (NISPOM). This page turner is sponsored by the Presidential Executive Order (E0)12829 for the protection of information classified under E.O. 12958. Having poured over both publications and the updates, I can confidently assure you that they take this business very seriously.

When specific work calls out performance on classified efforts, provisions of the applicable DD Form 254 and Security Classification Guide (SCG) shall govern. Both the DD 254 and SCG spell out what specific work a contractor can and cannot perform and what exactly is classified. Both of these documents not only should be available prior to execution but read and understood by all performing employees.

Classified information is marked with CONFIDENTIAL, SECRET and TOP SECRET designations and must be afforded protection at the appropriate level. For example, unauthorized disclosure of CONFIDENTIAL information could reasonably be expected cause damage; SECRET could reasonably be expected to cause serious damage; and TOP SECRET could reasonably be expected to cause exceptionally grave damage to national security. Prior to discussing or providing classified data, employees are required to ascertain the receiving party’s clearance level and need-to-know. They will advise the receiving party of the classification level of information provided.

Facility security officers and industrial security professionals should develop measures to safeguard classified information at the highest level indicated. Employees should be trained to pay close attention to the classification and the identified protective measures. As part of the awareness, DoD contractor employees should notify security of any meetings involving performing on classified contracts. The primary objective is to work with the customer to identify specified needs according to the contract. If working on a classified effort, the customer will provide the above mentioned DDForm254 and an SCG specific to the contract or delivery order. Both publications identify the classified work to be performed and describe the classification level of materials, documents, tasks, and details as required. The FSO will also work out details concerning the proper storage, handling and maintaining of classified material, documents and items.

Thursday, June 26, 2008

A New Level of Classification?

A buzz is sweeping the security community since May as folks are notified of the new CUI program. The President has published a Memorandum with the subject, Designation and sharing of Controlled Unclassified Information. This memorandum implements a program designed to encourage the speedy sharing of information to those authorized and to better protect the information, privacy and legal rights of Americans. The Controlled Unclassified Information program is designed to promote proper safeguarding and dissemination of unclassified information.
Many readers may be familiar with the program CUI has replaced. Sensitive But Unclassified (SBU) information had enjoyed protection to a certain level but was not conducive to the necessary information sharing. Controlled Unclassified Information (CUI) provides procedures for a more appropriate Information Sharing Environment.
Controlled Unclassified Information is a designation of unclassified information that does not meet the requirements of Executive Order 12958, as amended (Classified National Security Information). However the protection is necessary for national security or the interests of entities outside the Federal Government. The unclassified information also falls under the law or policy advocating protection from unauthorized disclosure, proper safeguarding and limiting dissemination. Though not a classification, the controls in place may prove to require significant administrative action.
These controls include assigning two levels of protection procedures identified as standard or enhanced. The standard is marked “Controlled” and the enhanced is marked “Controlled Enhanced”. Likewise, there are two dissemination controls identified with “Standard Dissemination” and “Specified Dissemination”. These controls are combined into one of three possibilities indicating how the unclassified information is to be protected and disseminated:
• Controlled with Standard Dissemination
• Controlled with Specified Dissemination
• Controlled enhanced with Specified Dissemination
The responsibilities under this memo continue to look like requirements as identified in Classified National Security Information. All information must:
• be protected from unauthorized disclosure
• be properly marked
• the markings must distinguish whether or not the text is CUI and non-CUI
• markings are necessary for all media of dissemination including verbal
Designation of CUI can only be based on mission requirements, business prudence, legal privilege, protection of personal or commercial rights, safety or security. Finally information cannot be labeled CUI for the purposes of concealing violation of law, inefficiency, or administrative error. The designation cannot be used to prevent embarrassment to the Federal Government or an official, organization or agency, improperly or unlawfully interfere with competition in the private sector or prevent or delay the release of information that does not require such protection.
What does this mean for affected businesses and government agencies? Be prepared to implement the program to allow for proper storage and dissemination. This requires the ability to properly mark the material or provide proper warning before discussing the information. Things to think about include: training employees, developing mail, fax, email and reception procedures, and ordering marking supplies. Also, keep information technology and other business units in the loop of communication. They will need to provide the right support at the right time.
Post 9/11 America is experiencing many new changes as directed from the executive government level. These changes include new ethics, security, safety, and business practices. Those who work with the Federal Government on contract should be prepared to meet the challenges quickly.

Wednesday, June 25, 2008

The Contract Security Classification Specification

As we have addressed over the course of this blog space, industrial security specialists and FSO’s play a vital role in protecting our Nation’s secrets. Aside from guidance in the NISPOM, there is another critical piece of information necessary to practicing good classification management; enter the DD Form 254.
The Contract Security Classification Specification (DD Form 254) is a basic agreement between the Contractor/Subcontractor and the User Agency. It conveys the security classification specifications and guidelines for classification, regrading, and downgrading of documents used in the performance of a classified contract.
This agreement authorizes access to classified information in performance of a contract. The DD Form 254 will be provided to both the supplier and cognizant security offices when work is subcontracted to a supplier/vendor requiring access to or generation of classified material.
So why is this important to you? First of all it provides authorization for a contractor company to hold and or perform on classified contracts. The DD 254 justifies the need to access classified information and how and where the contractor is expected to perform. This justification also addresses the level of clearance at which the facility and employees should be approved.
It also provides the following information:
• The classification level the work will be performed.
• Any caveat access or any special briefing needed.
• Whether we can receive or generate classified information at our facility.
• Whether or not AIS processing is allowed.
• Exchange classified information/or visit another facility.
• Classify/declassify information and what Security Classification Guides will be used.
• Disposition of classified material involved with the contract
• Whether or subcontracting is authorized
• Any other requirements as set forth by the User Agency.
The DD Form 254 is and should be important to you as the security manager. This tool cuts through the fog of classification management and if addressed correctly, provides a detailed expectancy. This will allow you to better control and account for the materials supporting the work. The DD Form 254 serves as a basis for constructing a detailed and efficient security awareness program.
Be familiar with the contract(s) you are working on. Know the contract numbers as well as what is allowed since each contract is unique. Be able to provide contract or subcontract numbers to security for logging in documents, processing clearances, and preparing visit requests. Better yet, use this tool to become and expert on protecting what your company has been awarded.
The FSO is most effective when involved prior to the contract award. During the premeetings, the FSO can coordinate with other business units and the customer to contribute and request critical information involved in the performance of the contract. The earlier the involvement, the more detailed and less confusing the requirements of the contract.

Friday, June 20, 2008

Elicitation, One Fine Example

The Washington Post ran an article called, Man, 84, Is Charged With Spying for Israel in 1980s. Ben-Ami Kadish had worked for the Army as an engineer. For some years in the 1980’s until 1985, he passed documents to his contact, named as Yosef Yagur. Yosef was an experienced agent who had also handled Pollard, another spy convicted and sentenced to life in prison.

Elicitation is a recruiting method using subtleness to gain information. It is not an overt or threatening type of interrogation, but one of building relationships and creating consent for further communication and finally dedication or commitment to providing information. In the case of Kadish, his handler paved the way by asking Kadish to provide documents to help Israel maintain her security.

Kadish never accepted payment other than small gifts. Thiers was a relationship of socializing. According to the article, Kadish removed documents from his office and provided them to his handler.

You may recall a more recent article where we discussed assessing and addressing real threats to national security. Government agencies and DoD contractors spend incredible amounts of money building fortified structures to keep people out. However, the main threats of secrets leaving the buildings remain.

Industrial Security Professionals can make a difference by providing proper security training and putting controls in place to prevent the removal of classified material. For example, Kadish may or may not have attended training on how to recognize recruiting methods. He may have been an engineer who had a soft spot for Israel. An effective training program would have helped him recognized a recruitment effort and given him options of how to handle it. Many training programs skip over this very important concept.

For example, the training I had received in the 80’s warned us of recruiting effort putting emphasis on blackmail and more aggressive means of foreign recruitment. However, not much was said about relationship building or how to recognize subtle attempts to gain information. Please do not misunderstand, I am not giving Kadish a break here, he violated national security and should be punished. I am, however, advocating having a security awareness program that addresses real and not perceived threats.

As far as controls, have them in place. Education will create a positive and hopefully voluntarily compliant security culture, but administrative, physical and technical controls need to be in place. For example, Kadish, and others engaged in espionage left controlled environments with classified material. How can that go unnoticed? Proper controls to prevent such action include but are not limited to:
• Lock printers and copying devices until approved reproduction occurs. Open printers and copy machines can be used without control and accountability. Assign access codes and monitor the meter.
• Use two person rule for classified processing at all levels.
• Conduct a regular inventory. NISPOM requires annual inventory in all cases, but a risk assessment may indicate need for monthly or quarterly. Inventories will tell exactly what is missing and can provide timely investigation data
• Account and receipt all classified material at all levels. Review access logs to make sure material has been returned at the end of the day

Spectacular security depends on training and controls that matches the legitimate threat. A fortified building is good, but when was the last time the news reported someone blasting a safe to get to classified materials? The education and controls program should reflect your analysis of the threat.

Thursday, June 12, 2008

Reinvigorating the Network

Even after reading Dig Your Well Before You’re Thirsty by Harvey Mackay; Brag!: The Art of Tooting Your Own Horn Without Blowing It! by Peggy Klaus, nothing less than experience can prepare the professional for the necessity of good old fashion networking. This is especially true if security is a new career field, or you are continuing your career in a new company or location.

A career in security is rewarding and challenging. The work is important and people genuinely appreciate our service. The security profession requires a high degree of interaction as our paths cross in training or through contractual execution. However, we are somewhat guarded discussing our business with new or otherwise unknown persons. Security professionals require time to develop trusting working relationships. It’s the nature of the business. Try conducting business over the phone with someone you don’t know. Chances are you had to be cautious and it took a few more interactions before finally recognized names and working relationships.

So, how do we accelerate this networking curve? That’s right, through fostering relationships on the job and professional organizations such as NCMS or ASIS. Security professionals have a lot of experience that is definitely worth sharing. You may also consider joining committees, volunteering in the community, or sharing your expertise in a few key areas. There are skills that you have and others who are willing to learn.

Some of us are the only ones in the security department. Others are part of a huge security organization. In either case, chances are that you rely on teamwork within your industry, the community and the government. To help become more influential in the good fight of “selling security”, it is necessary to involve all the players. Those in the security industry should network with each other, business leaders, police, firefighters, public safety, local and national government agencies and any other members of the community. The best way to protect our industry and our national resources is to use our force multipliers.

It doesn't take much to network; just willingness to both help and to learn. What you contribute is invaluable and you are never too old to learn from others.