Thursday, November 12, 2009

Identification and the Defense Contractor’s Rolodex

Identification is a critical part of our business. Those who possess classified information cannot just disclose it to anyone who asks; verification is necessary to ensure that those who are authorized to receive such information are who they say they are. Sometimes identification is made visually through recognition of a friend, colleague or co-worker. More often than not the visual recognition is backed up with technology. Many contractor and government organizations and agencies have internal identification systems using software and hardware designed to recognize biological and electronic information. There are many configurations of card reading technology. Some use picture badges unique to organizations coupled with small chips providing a code for entry into access controlled areas.
At any given time you can identify such employees by the card dangling at the end of a lanyard. Perhaps even some are laden with multiple cards pushing the lanyard’s published tensile strength to the limit. A card is used to enter the employer’s facility and the remaining cards are for entry to contract related organizations; each agency issuing its own recognition requirements.
A few months back I was flying away on business. I like to arrive early enough to get through security and usually have a form of government issued identification and my boarding pass ready to go. When I get to the TSA checkpoint, I display the required credentials and am given access. I recently saw a fellow traveler approach the TSA checkpoint just as I was about to do. However, instead of passing smoothly through the process, he became show stopper. The flow had been interrupted considerably.
The traveler made it to the checkpoint, but he was not prepared to present his access credentials. Well, he presented information, but it was the wrong kind. When he approached the TSA official, he began to work through what I call “the contractor rolodex”. He had worn his lanyard with about 10 access cards around his neck through the entire security line and began showing each card one by one. The patient TSA officer rejected each card until the traveler successfully produced the government issued one. This could have been a driver’s license or a common access card for all I know, but it was the right one.
Aside from the comic relief the incident provided, there is somewhat of a traveler and employee security issue to deal with. Employees are trained to put away our organization’s access card when not in the facility, though some apparently do not quite understand the “secrecy”. At the very least risk, the access card may identify the wearer as a government official or a defense contractor employee, depending on where they live. It also may provide the employee’s specific place of work and in some instances their clearance level. Worst case scenario, the card could be stolen and allow unauthorized access to a facility. Perhaps, a subject can be targeted for exploitation based on identification of line of work and employer.
Identification is a major part of doing business. Access and need to know can be verified with proper recognition provided by information printed or embedded in access card technology. Security professionals should provide education and training that help employees understand the importance of protecting their identification and how they are associated with sensitive information or business.

No comments: