Saturday, June 16, 2012

Beyond Gates and Guards-Protecting Company Secrets

Gates and guards seem to be the backstop of most security efforts. However, without a real risk or security assessment, these efforts only go so far. Many Facility Security Officers (FSO) and cleared employees work within the walls of impenetrable, fortress-like structures. These reinforced security bunkers are built to withstand repeated break-in attempts and maintain state-of-the-art alarms, closed-circuit television cameras, and card readers that can resist and detect most types of intrusion, but…

…when was the last time you’ve read of an intruder breaking into a cleared facility and cracking a security container to run off with secrets? What do DSS, security educators and security practitioners preach as the biggest threat? Sensitive information available in the public sector, trusted employees transferring technical data to adversaries through seminars, emails, or just walking out of secure facilities with it.

Without addressing the real threat, the security community continuously pumps resources into protecting sensitive information primarily with physical security. Cleared employees are trained how to properly mark, store and disseminate classified information, but are not taught how to communicate effectively without inadvertently disclosing sensitive information. Consider, for example, a scientist disclosing intellectual property, proprietary information or export-controlled data at a conference or symposium. In other words, how do sensitive program employees work with, discuss, or demonstrate their technology without transferring technical information?

There’s another threat. According to this article, there is an imminent cyber threat. Even though we are aware of this vulnerability, we are unprepared to protect information on servers and computers.

Recognizing that there are more obvious threats than cat burglars, here are 5 ways you can develop real countermeasures and strengthen security in your facility.

1. Perform risk analysis. Make sure you know what you know. Conduct a crime search by zip code, research the weather, form working groups and determine what needs to be protected. List the threats, vulnerabilities and impact. Then form your security plan.

2. Determine government requirements. If you fall under NISPOM, HIPAA or other regulation, these trump your risk analysis and must be considered. Make sure your security plan equals or exceeds the government requirements.

3. Understand contractual requirements. FSOs can get valuable information from the DD Form 254, statements of work and security classification guides.

4. Develop a security program based on items 1-3. Include the identified risks, develop countermeasures, and implement them along with the NISPOM and other regulatory requirements. Identify the threat, determine the risk of the threat, and document the impact and countermeasure costs.

5. Train employees to meet the security program requirements.

Gates and guards are the most visible and popular method of security. Considering the real threat, they may be the least useful. It is almost impossible for an adversary to break in, but very easy for an authorized employee to walk out with the secret sauce.

For more information on conducting risk analysis and creating countermeasures, see “DoD Security Clearance and Contracts Guidebook”.

See article about cyber threats below.
Leading cyber experts warned of a shortage of talented computer security experts in the United States, making it difficult to protect corporate and government networks at a time when attacks are on the rise. Symantec Corp Chief Executive Enrique Salem told the Reuters Media and Technology Summit in New York that his company was working with the U.S. military, other government agencies and universities to help develop new programs to train security professionals.

"We don't have enough security professionals and that's a big issue. What I would tell you is it's going to be a bigger issue from a national security perspective than people realize," he said on Tuesday. The warnings come at a time when the security industry is under fire for failing to detect increasingly sophisticated pieces of malicious software designed for financial fraud and espionage and failing to prevent the theft of valuable data.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.
