Wednesday, February 19, 2014

How FSOs Evaluate Their Security Programs

The Self-Assessment Handbook for NISP Contractors provided by the Defense Security Services (DSS) gives a cleared defense contractor an excellent way to prepare for the annual DSS inspection, form the enterprise self-inspection policy, and assess the status of the organization's security plan to protect classified information. This is a great tool for many, as it is probably the only way to measure the program aside from the inspection that counts.

When I served in the Army, we had plenty of opportunities to assess our war fighting capability. One of those opportunities was provided by headquarters as an "assistance" visit. This usually preceded the much dreaded Inspector General (IG) inspections. These assistance visits were painful, but gladly received as we could have a "freebie" inspection before enduring the one that counted.

My rule of thumb for these assistance visits was for everyone to do the proper work all the time. I never allowed any soldier to work overtime in preparation. I wanted an honest assessment of the actual work being performed. This left our success and ultimate responsibility squarely on my ability to measure the standards and evaluate our unit's execution before the IG came around.

Part of the assessment in the Army days, and while serving more recently as an FSO, is to develop and document processes, then measure those processes in an audit. As a leader, you can carry a clipboard and ask basic questions designed to check the block. Or, you might take the more successful route of asking open-ended questions and allowing employees to demonstrate their processes.

As Defense Security Services recommends, good questions will facilitate good answers. It's like the old '80s adage "Garbage In; Garbage Out". You basically get what you ask for.

The guide lists the following general interviewing techniques:

Ask all questions in the present and future tense. Here's an example: "If you are reviewing a classified document and you have to take a break, what do you do with the classified information?"

Talk in a conversational tone and maintain eye contact. Again, put the clipboard away and just talk to the employees. Develop the questions based on the mission of the group you are interviewing. If you are interviewing an engineer who regularly creates derivatively classified documents, then steer the conversation toward how she arrives at a derivative classification decision.

Let people tell their story. Ask open-ended questions (using who, what, where, when, why, and how). In the above example you might ask, "Show me a document that you derived using classified information." After they provide the document, review it with them and walk through the process.

Avoid leading questions. This is great, just like the show LA Law where the defense attorney yells, "Objection, leading the witness." A leading question might be: "So, you report to security every time you hand carry classified information into the company; don't you?" all the while nodding your head, waiting for the right answer.

Keep good notes for future reference and document corrective actions. The intent is to capture the processes the employees are using and determine whether they have had the proper NISPOM training, whether they are using approved processes, and whether they actually protect classified information. The self-inspection guide is a great resource for evaluating how employees apply security policies. This is your only "freebie", so use it to your advantage.

For more information about evaluating your security program, see our book DoD Security Clearance and Contracts Guidebook.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".
