You might already know how to write policy that reflects the NISPOM and export compliance or ITAR regulations. That might very well be an easy task for you. Just like the ISP certification mentioned in an earlier post, the policy itself should not be the catch-all solution. Just as the certification complements the bearer's capabilities, the policy should complement the processes and procedures you have in place.
Policy states what should happen, and it is easier to write and have approved than the "how to do it" found in processes and procedures. Even if you do not know how to write policy, you can always download a boilerplate standard practice procedures document, technology control plan, or sample security policy from the Defense Security Service (DSS), or obtain one shared by fellow security professional organization contacts. What won't be so easy to find is policy tailored to your specific needs, along with guidance on how to incorporate it into company business. That will require teamwork with other business unit managers.
Some readers might understand better than others that most policies exist as "gotchas". In other words, policies can be used as a basis for discipline. However, unless the policy is part of the company DNA, most employees may not even know it exists.
For example, suppose you are trying to implement procedures to support your customer's requirement, identified in the DD Form 254 for cleared contractors, that information be approved before public release. You know it's a requirement, but your company continues to publish contract-related information in news releases and on the website without customer approval. To solve this problem, you could:
1. Write a policy and wait for employees to read and comply. If they do not, you can nab them later, pointing out their shortfalls.
2. Create policy, coordinate with others to create supporting trigger points and courses of action, shop it to all the managers, work together to develop a workflow, and check the progress.
Option two works best because it becomes part of an organizational solution and not "just another thing to do." Option one will cause all kinds of trouble and leave the situation unresolved.
The FSO is designated to develop security policy to protect classified information. However, this is not a task that should be undertaken alone. The entire organization should take part. Just as human resources, facilities, finance and other business units seek the cooperation of the enterprise, the FSO should get similar buy-in. With approved and accepted procedures in place, the policy will be easily supported.
For more information on establishing security procedures, see the DoD Security Clearances and Contracts Guidebook.
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "Get Rich in a Niche: Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment: A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification: The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.