Thursday, April 29, 2010

How FSOs Develop a Risk Assessment Model to Protect Classified information

I’ve posted a few articles on risk assessment and using the risk assessment results to implement and direct a security program to protect classified information. I’ve even written about how risk assessment can help you determine whether or not you need alarms, cameras and other protective measures above what may be required of the NISPOM. However, what I have not written about is how to do a risk assessment.

You might recall in earlier articles that I’ve emphasized the importance of finding out what the threats to classified information are to your particular organization. One of my concerns is that a lot of FSOs may financially commit their companies to expensive endeavors that may not even be required. Industry standards and common practices may almost seem like requirements. To some, it may be unheard of not to have alarms, cameras or access control systems (door magnets and card readers). However, these are not required in NISPOM (except for intrusion detection systems as identified in NISPOM) and may even be unnecessary in many circumstances.

What’s needed is a risk assessment. If cameras and alarms are necessary, then provide the evidence to your company officers and get it in the budget. If not, provide the findings to your management to demonstrate your value at reducing unnecessary costs. They will appreciate your assessment and ability to provide realistic and useful input.

Risk assessments can be as scientific and involved as you need them to be. However, I prefer simplicity and am willing to accept the small risk of error that the simple assessment tool may bring. As simple as this design is, its value has always been tremendous. Again, a risk assessment is to be used to compliment requirements of NISPOM, not replace them. For example, classified information is ALWAYS required to be stored according to NISPOM, regardless of risk level you might identify.

Begin with a list of what you would like to protect. Classified information, product, employees and visitors, export controlled items and etc. These will go under the column called assets. These are what you as the FSO and/or senior security manager want to protect. The list can be as long or short as you want it to be, but should indicate the most important items you and your organization want to protect.

Next, what are the threats? Do you live in an area subject to theft, break ins, violence or severe weather? Is your company next to a transportation terminal involving explosives or dangerous chemicals? Is the organization in a high risk area for potential security violations? Does your company have poorly trained cleared employees? This information will go in the threat column.

The next column is the probability of occurrence. I like to use a scale of 1-5, 1 being the lowest level of probability and 5 being the highest. This column is for predicting the chances of the threat occurring. The next column is the level of impact, again using a scale of 1-5. Here you will predict the severity of the damage and impact to the asset.

In this example, I looked at three threats to classified information stored at a fictional cleared facility. The first threat is insider espionage. I gave it a score of 3 meaning that the probability of classified information getting out by way of an insider was high. The impact is a 5 meaning that the insider would know exactly what to take and may be able to do so without detection.

The next threat is a break in. I’ve determined that based on threat data and crime reports that spies have not been breaking into the company and gaining access to classified information. The impact of a break in will be relatively low as an outsider will be hard pressed to determine what to steal and where it is stored (outside of help from an employee or insider).

The next threat is severe weather. The probability of wind damage is pretty solid where we live and tornados form often. The probability of a tornado or high winds destroying a facility exists. The impact of the facility’s destruction is high and the scattering of classified information cannot be negated or predicted.

Based on my assessment, the number one threat is insider espionage. With a score of 15, I will ensure that my countermeasures primarily address this threat. My budget may be constructed to include employee training on how to identify the insider threat. I may also develop procedures to limit access to classified processing, copying, or other interaction with classified material.

The next priority is severe weather. With a total score of 8 I will focus my efforts on developing and rehearsing how to protect classified information when disaster strikes. I would also spend time identifying and training cleared employees on how to search for and recover classified information after a disaster.
I would not spend much of my budget or effort addressing the break in and theft of classified material.

Committing tens of thousands of dollars in alarms, cameras and access control to counter a small threat is not justified. However, if part of your assessment includes life and health safety (violence, theft of product and other non-classified threats) then yes, consider these measures.

This exercise was developed only to demonstrate how to meet risks to classified information in an intelligent manner. Again, this was just a snapshot. A real conclusion on the way ahead cannot be made until all assets and threats have been identified. Once finished, you will have a list of priorities in which to focus security efforts. From there you can develop your countermeasures and mitigate the impact of a threat. Keep assessing as you get new contracts and requirements and be sure to keep your management informed.

Tuesday, April 20, 2010

Should Cleared Employees Travel With Classified Information-FSOs Can Make Intelligent Assessments

I am writing this article just after a trip with multiple plane changes. I had travelled by air on many occasions, but this latest adventure had a new twist. Never in my life had I travelled without luggage and I must say it was quite liberating. It all started innocently enough and with a bit of routine. I am an experienced flyer and I had always begun each trip with a checklist to ensure I had packed everything and almost always load my car ahead of time.

However, this time was different. I packed my luggage with almost a careless flair. “Wouldn’t it be funny if I forgot my suitcase?” I had said to myself for no apparent reason. The next thing I remember is getting out of my car in long term parking and opening my suitcase. Remember, I am an experienced traveler and I am supposed to remember these things. Perhaps my experience caused me to have a forgetful or may cavalier attitude.

I promptly walked to my gate with purpose and a spring in my step. I had checked in online and had my boarding pass. No luggage; no reason to stop at the ticket counter. I had what I really needed in my carryon bag; my computer for the new book I’m writing, and some necessary paperwork for my business trip.

I continued with this feeling of freedom, thinking it was nice to get off the plane and go to my rental car. I didn’t even have to go to baggage claim. I just had to make a stop for clothes from the department store on the way to the hotel. Change of clothes purchased, I went to my hotel and prepared for the next morning’s meeting. On my way back home, I repeated the process: Checked in on line, printed boarding pass, passed through security and went straight to gate. Upon arrival I by passed baggage claim and drove home.

You can also help others experience a similar freedom by not travelling with sensitive or classified information. Sure, your cleared employees may have a million reasons for you to prepare classified information for travel. However there may be alternatives. Let’s take a look a risk first.

Fatigue and forgetfulness-Just like my example of an experience traveler, even those who protect classified information on a daily basis can become forgetful. Long hours, constant movement, cramped quarters, convenience breaks, restaurant visits and etc can contribute to fatigue or distractions that can cause someone to possibly lose their luggage (classified package). Other contributions include cancelled flights or other changes that cause longer layovers or possible overnight stays.

Alternatives-Cleared employees should consider other alternatives prior to travelling with classified information. For starters, ensure that the classified information is indeed necessary. If so, is it already located on site? If not onsite, can it be sent ahead of time via approved mailing or overnight delivery, or can it be transmitted through approved fax or email?

If classified information is not necessary according to the contract or if work can be performed without it; don’t bring it. If similar classified information is already onsite, use it. If there is enough notice, send the classified information ahead without having to burden your cleared employee with carrying it.
When applying these alternatives, be sure to coordinate with the receiving FSO or sponsoring organization. Classified information may have to be introduced into their facility via their policies. Also, if hard copies are needed or other administrative and time consuming measures are necessary to prepare the classified for use, make sure it is pre-arranged and approved.

Sometimes travel with classified or sensitive information is the only option. However, there may be opportunities for safe and security methods of transmitting classified information without using a courier or cleared employee. Conduct a risk assessment, review options and make an intelligent decision.

Tuesday, April 13, 2010

Are Alarms Always Required For Contractors and FSOs according to NISPOM?

The National Industrial Security Program (NISPOM) is THE guidance for Defense Contractor Facility Security Officers. However, it doesn’t always answer some questions these FSOs might have about protecting classified information. For example, suppose a defense contractor company has an Indefinite Delivery/Indefinite Quantity Contract. In that contract, the facility is required to store information classified at the SECRET level. Do they need an alarm?
In this scenario, the FSO has only had to request the security clearance of employees required to perform on classified work at another facility. To date, classified work had not been performed or stored at the cleared facility. So far, she has done an excellent job of managing the clearances and has received a COMMENDABLE in her last DSS review.
Now, a delivery order requires the storage of SECRET documents on site. Fortunately the FSO has been preparing for such an opportunity. She has recently purchased an approved security container adequate for holding the classified items. However, she isn’t sure whether or not the company needs to have an intrusion detection system (IDS).
So, does the cleared contractor storing SECRET information require an IDS? Do you think you know the answer?
Well, according to NISPOM, this situation does not require an IDS. SECRET information is only required to be stored in a GSA- approved security container. IDS is required for TOP SECRET and SECRET not stored in a GSA-approved container in a closed area. How many of you thought that IDS is always required?
This is where risk management comes in. IDS may be required, but not by NISPOM. However, if you live in a high crime area or life safety considerations require it, get the IDS. But only do so after assessing the risks. Many small companies do not have the vast security budgets of their larger colleagues. Many large companies may have CCTV, magnetic card readers, IDS systems and many other state of the art security measures as a “best practice” consideration. But many times, the return on investment may not be there if risks are low or non-existent.
An FSO can demonstrate value added by determining whether or not the need for IDS exists and then presenting the pros and cons to management. A terrible and costly mistake is to request security measures just because they are “industry standard”. Know what NISPOM says, implement NISPOM requirements, but make an intelligent determination for all other security