Sunday, August 31, 2008

Disclosure is not up to the user

Let me complete the title by is a licensing issue. I've often spoke of the necessity for security professionals to understand their business, the contract and the people under the company employee. This is especially critical when executing security plans dealing with classified and technical information. I often thing that Facility Security Professionals or at least those in professional organizations should recite that as part of their creed.

In recent news, a former University of Tennessee professor is accused of passing sensitive information to foreign students under his supervision. He had also travelled to China with sensitive, export controlled information; a clear violation of State Department regulations and the International Traffic in Arms Agreement. How did this come to be? This is an answer for the courts.

The FSO and other readers can glean some valuable information from this article and several of the subject's comments. Mr. J. Reece Roth had argued that the information he passed along could not fall under the restrictions since it wasn't information from a complete project. It can be argued as well that he never opened the sensitive information while traveling to China (Computer forensics has supported that.

The arguments, maybe technically correct, clearly violate the spirit of the laws meant to protect our national defense. Though Mr. Roth is responsible for his own actions, we can see where security can play a larger role in helping to prevent such violations. However, in many companies, FSO's are not providing the compliance management their positions should. Far too often, FSO's are not in a position to raise important issues.

1. Companies should appoint competent Facility Security Officers. According to the NISPOM a company should appoint an employee as FSO and small companies, this could be an employee with an additional duty. Since the role of FSO is to implement and direct a security program to protect classified information, companies should consider very seriously those they appoint to the position. Often, lower positioned employees are given the responsibility but in reality have very little influence. The lack of influence may be the result of the lower position, lack of education, or lack of skill. In either case, the responsible DoD contractor company should look at the right qualifications.

2. The FSO, in a role of influence, should understand where the company is headed. Since the FSO is responsible for identifying Foreign Ownership Control and Influence, they should know the business direction the company is pursuing.

3. The FSO should also understand export licensing, how to advise senior officers and executives on safeguarding classified material and maintaining facility clearances. The business development,contracts, executive, purchasing, engineering and other managers should inherently consult with the FSO as is not often the case. As a DoD contractor with a facility clearance, the FSO liaisons between the contractor company and the congizant security agency to ensure compliance on anything that could affect their ability to protect classified material.

4. Two and three cannot apply without number one. Companies should take the role of FSO's seriously. Begin with looking for qualifications such as business savvy, college education and a certification. This will ensure that FSO has the credibility and ability to create a process and procedures for compliance.

To wrap up, the right FSO could see this trouble coming. A quick review of news and other historical documents of late show patterns of employee misbehavior as a main culprit in security violations. Also, economic espionage and exports violations are a direct result of employee malice and ignorance. The news doesn't indicate forced breakins or outsiders infiltrating company defenses. They just report errogance, ignorance and malice of the insider. FSOs worth their salt know how to train their companies and reduce the possibilities of security violations.

No comments: