Sunday, April 12, 2009

Manage Defense Contractor Security Training

“What defines this room as approved for open storage?” I had asked while consulting on a project a few years ago.

I had been in the middle of an extreme security discussion. The whole time I realized that the security employees I consulted understood their responsibilities, but did not know why the security measures were in place or where to find the guidance.

“This area is approved for open storage. So, when we leave, we don’t have to set the alarm or spin the dial,” they said.

“So, does that mean your document control folks in the other area can leave their safe open as long as they shut the door?” I asked, picking up on their logic.

“No, they are not approved for open storage. They have to lock the security containers in their office prior to leaving them unattended.”

“Correct, classified items should be secured prior to leaving the area,” I replied. “However, an area approved for open storage should be secured before leaving. That means setting the alarms and ‘spinning the dial’ prior to leaving for any length of time, not just after hours. Again, what defines open storage?” I asked.

I could see they were having trouble with this one.

“Open storage is simply having the government’s permission to keep classified information on shelves or out in the open. But only as long as it is contained in an approved room that can be secured with a GSA approved lock and approved alarms. During working hours, supplanting access control devices such as badge readers with PIN numbers or bio readers are employed.”

“Exactly,” they replied.

“But you didn’t say that. You said that you could just shut the door and leave for lunch without locking it and setting the alarm,” I countered.

“We can, because it’s approved for open storage.”

And round and round it went, my asking questions without getting the answer I was looking for. Clearly these folks had been taught to perform a certain task, but had not received “real” security training.

So, what’s the fix? Doing just what I recommended to the security manager. Industrial security is a complex profession. There are many moving parts that require in-depth thinking and proactive protection measures based on threat assessment and OPSEC. Develop training and certification for your security employees. If your company is a defense contractor or government agency, set aside time to train security employees on the NISPOM and the President’s Executive Orders or agency policies. Develop employee certification that can be validated, especially concerning new employees. Only after they have proven that they understand how to support a security program designed to protect classified information should they be turned loose to do so.
