Saturday, June 21, 2014

Self-Inspection of the Enterprise

As a continuation from the last article, let’s look at a few more security education questions. The last article discussed some time-proven practices to present and document NISPOM training for cleared employees. This article will look at required reports as security education will be reviewed during the scheduled DSS visit.

While answering these self-inspection questions, FSOs might consider interviewing cleared employees to gauge 
understanding of requirements. The interview should also include opportunities for the employees to demonstrate how they execute policy. Knowledge of policy is not enough. FSOs should document a cleared employee’s response of what to do and how to perform when required as a means to demonstrate that knowledge. 

The following are some questions from the self-inspection handbook:

Are cleared employees debriefed at the time of a PCL’s termination, suspension, revocation, or upon termination of the FCL?

Just because a cleared employee is no longer provided access to classified information doesn’t mean all of their knowledge and experience is sanitized from their brains. It also doesn’t mean that they will completely understand what to do with that knowledge if challenged to reveal it. 

Knowledge is hard to control and even harder when the former employee is outside of the defense network. They are no longer under continuous evaluation and we don't know what the employee will do with all the great stuff stored in their head. The best thing an FSO can do is to debrief them, have them understand their continued responsibility to not disclose classified information and have them sign acknowledgement stating their understanding. FSOs should not leave this to chance. When at all possible, a face to face briefing is the best method.

Terminated employees can be a challenge. It’s very difficult to conduct a debrief interview with a person who feels wronged by the organization. But, it’s national security and classified information is at stake. FSOs should not be satisfied with an administrative actions, meaning, allowing an employee to leave without the actual face to face debriefing. This requires coordination with Human Resources and having them comprehend the importance of keeping the FSO abreast of hiring and firing actions. 

Document the debriefings with signatures and dates. This can be easily done by reminding them of their continued responsibility to protect classified information and having them sign and date.

Is there an effective procedure for submission of required reports to the FBI and to DSS? 

There are reports required of each office. However, the employees should understand that the first stop is the FSO. Not that the FSO should attempt to arbitrate issues, but many employers have policy stating that employees should not report company issues without the enterprise’s knowledge unless as a last resort. Many companies have policy dictating how to report information outside of the organization. There is no reason to violate this policy in most circumstances.

This reporting method should also be enforced for instances of:

Instances of fraud through the DoD Hotline-DSS inspects on the availability of posters in obvious areas. Bulletin boards make a great location as announcements are usually posted there. FSOs might also post them where required OSHA posters exist. Write up a map with all posters, flyers, pamphlets and other security education tools are available. Document their presence and show them to DSS during the review.

Cyber Intrusions-monitor and report all intrusions. Work out the analysis and reporting details with the IT and cyber professionals and ensure they know to report these intrusions. Document the events as well as when and what is reported.

Adverse information-Develop a culture where employees can report credible information about a cleared employee’s (including themselves) ability to protect classified information. Report and document all reports to demonstrate during the DSS audit.

Security Violations-save all reports of security violations and the results of investigations. For security violations that include loss, compromise or suspected compromise, these could include preliminary, initial, follow-up, final and culpability reports. Keep reports on file and any records of submissions to the cognizant security activity.

Suspicious contacts-cleared employees should understand to report any efforts to obtain illegal or unauthorized access to classified information or to compromise a cleared employee, contacts by a foreign intelligence officer from any country or information that a cleared employee may be targeted. Document training and any submitted reports.

Security awareness training includes checking on how the employees implement training as required by NISPOM. It’s one thing to show a presentation of required reports and debriefing employees. It’s another to have requirements woven into corporate policy and work instructions. Asking cleared employees to demonstrate their responsibilities or employing scenarios are great ways to check on knowledge. If actual events are reported to the FSO, they should be documented for review during the DSS visits.


No comments: