Personalize Your Self-Inspection - jsac
Sheri Escobar
Escobar Security Consulting
JSAC, April 17-18, 2013
Why Conduct a Self-Inspection?
It’s a NISPOM requirement (NISPOM 1-206b)
It’s a good way to develop a relationship with programs and employees
It’s a key security tool, providing evidence of strong and weak programs
You don’t want to be surprised during the DSS assessment
Your company management doesn’t want to be surprised during the DSS assessment
Your DSS rep doesn’t want to be surprised during the DSS assessment
When to Conduct a Self-Inspection
Midway through the DSS assessment cycle
When there’s an issue that needs to be addressed
Monthly/quarterly (do a quick follow-up before the DSS assessment)
Program/functional area prior to a customer visit
Getting Started
Company structure
  Large company or MFO (multiple facility organization) with multiple security personnel
    Bring in someone from another site
    Use local personnel to inspect areas other than their own area of responsibility
  Small company
    Employee from another department? HR, or IT for the information systems (IS) portion
    Consider bringing in someone from the outside
If you must conduct the self-inspection yourself, make sure you physically look at everything
  Don’t pencil-whip the inspection
  Don’t conduct the inspection from your chair
Getting Started
Don’t be defensive; be open to another opinion
If you conduct a self-inspection for another facility, don’t talk about its issues; provide the report to the FSO and management
Management must ensure the inspection is not used as an opportunity to discipline, but to learn and improve
Involve senior leaders in the process
Include all employees (cleared and uncleared)
Personalize
Use the NISP Self-Inspection Handbook for Contractors
You may have an internally created checklist (use both)
Create your own checklist for “above and beyond” items (security enhancements) to help you reach Commendable and Superior ratings
Cover all areas that pertain to your operation
Inspect operations in accordance with your SPP to ensure operations and documentation match
  If you don’t have an SPP, are your processes documented?
Review contracts for specific requirements
Inspect more often the areas where most of your issues arise
  Classification markings, classified IS, international visits, etc.
Personalize
Meet with the people who perform security processes to make sure they understand and perform processes correctly and can relay the information to DSS during a formal assessment
  Ask questions
  Listen
  Take notes
Don’t assume everything is in good shape
  Even the best people make mistakes; make employees show you, not tell you
Provide a takeaway for people who work with classified information
  Marking brochure, DSS assessment survival guide, etc.
  Token to say “thanks” for doing a good job
Personalize
Document your discrepancies, the corrective actions required, and the date for expected completion
Send a summary report identifying “above and beyond” items as well as discrepancies to management
Recognize employees who are doing a good job, cc their supervisor; give a goodie (ask for a small budget)
Help those who need it
Elements of Inspection
First three elements of inspection apply to every facility
  Facility Security Clearance (FCL)
  Access Authorization
  Security Education
Add additional elements that pertain to your facility
  International
  Information Security
  Etc.
Suspicious Contact Reports
You should have a process for employees to report suspicious contacts
Employees should understand what constitutes a “suspicious contact”
  Face-to-face, email solicitation
Brief employees before overseas travel
Report suspicious contacts to the FBI and DSS, as well as the customer if appropriate
Educate, Educate, Educate
No suspicious contact reports on file, or reporting requirements not included in the initial or refresher briefing, could keep you from getting the best security rating
Elements of Inspection
Facility Security Clearance
  KMP list did not reflect current Key Management Personnel or information was incorrect
  SF 328 was not updated when a change occurred or every five years as required
  DD Form 441/441-1 was not on file or was incorrect
  FCL was being used for advertising
  Other changes affecting the FCL were not reported
Elements of Inspection
Access Authorizations
  JPAS/JCAVS records not correct for employees
  Sharing account username or password
  Clearances not held to the minimum
  Failure to destroy SF 86 upon granting of clearance
  No documented policy for verifying citizenship
  Reports on cleared employees not submitted as required
Elements of Inspection
Security Education
  FSO has not received special security briefings and debriefings as required
  Initial security briefing does not contain the minimum required information
  No refresher training or no documentation of training
  Employees do not understand reporting requirements
  Lack of documented disciplinary action in the event of violations or negligence
  Employees unaware of the Defense Hotline number: what it is for and where it is posted
  Employees not debriefed upon termination
Elements of Inspection
Consultants
  Consultant security agreement not on file or not compliant
  Consultants not participating in security briefings
Standard Practice Procedures (SPP)
  SPP does not reflect current facility operations
Subcontracting
  Classification guidance/DD 254 not provided to the subcontractor or incorrect for the contract work
  Failure to verify clearance status and safeguarding capability of the subcontractor
Elements of Inspection
Visits
  No procedures in place for identification of visitors
  No procedures for long-term visitors
Classified Meetings
  Attendees not cleared to the level of the meeting or lack of need-to-know
  No documentation of classified meeting
  No government authorization
Classification
  Derivative classification training
  Documents and media not appropriately marked
  Missing or outdated classification guidance
  Downgrading and declassification not accomplished
Elements of Inspection
Employee Identification
  Lack of identification for couriers and escorts
  Employees don’t understand badge details
FOCI
  SF 328 not up to date
  No TCP
  Accessing classified before authorized
Public Release
  No documented public release process, or review for classified not included in the process
  Approval not requested from the customer prior to release of information related to classified contracts
Elements of Inspection
Classified Storage
  End-of-day security checks not being performed
  Right to Search policy and signage missing
  Names of employees who have combinations not accurate
  Combinations for containers holding NATO (annual) and COMSEC (every 2 years) not changed as required
  Emergency procedures for protection of classified missing
  Open storage without approval
  Failure to lock containers and closed areas when not under control of a cleared person
Controlled Access Areas
  Not maintaining alarm records
  Missing UL 2050 CRZH certificate
Elements of Inspection
Marking
  Mismarked documents
  Printed documents with handwritten data not properly marked
  Media not marked properly
  Unclassified media not marked “Unclassified”
  Parts or hardware not marked
  Presentations not properly marked
Elements of Inspection
Transmission
  Failing to verify clearance of the receiving facility
  Improper marking
  Improper shipping method
  Tracers for classified material not being sent
Classified Material Controls
  Employees don’t understand safeguarding responsibilities
  Accountability records not retained or not accurate
Elements of Inspection
Reproduction
  Reproduction equipment with memory not properly authorized
  No procedure to review and destroy waste or overruns
  No authorization for reproduction of Top Secret
Disposition
  No process in place to review and reduce classified holdings
  Documents retained beyond authorization
  No process for closing out programs and dispositioning classified
  Destruction containers not marked appropriately
Elements of Inspection
Information Systems
  Operating an IS without approval
  IATO/ATO expired
  SSP not current (employees make changes all the time)
  Passwords set to never expire
  Software/hardware lists not maintained or updated
  Users not briefed or briefings not on file
  Antivirus software not current
  Protection measures not set as stated in the SSP
  System logged on but unattended
  Audits not being accomplished
  Employees can’t answer questions
  Other equipment containing a hard drive (e.g., copy machine) not approved before use
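One concrete check behind the “Passwords set to never expire” and “Protection measures not set as stated in SSP” findings on the Information Systems slide, given here as an added example rather than anything from the JSAC slides or from DSS: a small Python script that reads /etc/shadow-format records and flags password-enabled accounts whose maximum password age is unset, is the 99999 never-expire sentinel, or exceeds the age the SSP states. The account names, hashes and the 90-day SSP value are constructed for the example; the field layout is the standard shadow(5) layout.

```python
"""Self-inspection helper (added example, not from the JSAC slides):
flag accounts whose password never expires or exceeds the SSP maximum age.

Input is /etc/shadow-format text:
  name:hash:lastchange:min:max:warn:inactive:expire:reserved
"""

# Constructed sample records for the example (not real accounts).
SAMPLE_SHADOW = """\
root:$6$abc:19000:0:99999:7:::
alice:$6$def:19300:1:90:14:::
bob:$6$ghi:19300:0::7:::
svc_backup:*:19000:0:99999:7:::
carol:!$6$jkl:19300:0:90:7:::
"""

# Value shadow tools write for "no maximum age"; treated as never expiring.
NEVER_EXPIRES_SENTINEL = 99999

# Assumed SSP policy: maximum password age in days (placeholder value).
SSP_MAX_PASSWORD_AGE_DAYS = 90


def parse_shadow(text):
    """Parse shadow-format lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue  # fewer than the fields we need; do not guess
        max_field = fields[4].strip()
        records.append({
            "name": fields[0],
            "hash": fields[1],
            # Empty max field means no maximum age is set.
            "max_days": int(max_field) if max_field.isdigit() else None,
        })
    return records


def is_password_login_account(rec):
    """Locked (! prefix) and disabled (* or empty) hashes cannot log in by password."""
    h = rec["hash"]
    return bool(h) and h != "*" and not h.startswith("!")


def password_age_finding(rec, max_policy_days=SSP_MAX_PASSWORD_AGE_DAYS):
    """Return a finding string for the record, or None if compliant."""
    if not is_password_login_account(rec):
        return None
    if rec["max_days"] is None or rec["max_days"] >= NEVER_EXPIRES_SENTINEL:
        return "password set to never expire"
    if rec["max_days"] > max_policy_days:
        return f"max age {rec['max_days']} days exceeds SSP limit of {max_policy_days}"
    return None


def find_findings(text, max_policy_days=SSP_MAX_PASSWORD_AGE_DAYS):
    """Return {account: finding} for every non-compliant password-enabled account."""
    findings = {}
    for rec in parse_shadow(text):
        finding = password_age_finding(rec, max_policy_days)
        if finding:
            findings[rec["name"]] = finding
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; on a real system read /etc/shadow as root
    # and record each discrepancy with its corrective action and due date.
    for name, finding in sorted(find_findings(SAMPLE_SHADOW).items()):
        print(f"DISCREPANCY {name}: {finding}")
```

Locked and disabled accounts are skipped on purpose: a service account that cannot log in by password is not a password-expiry discrepancy, and listing it would pad the report. Passing a different `max_policy_days` lets the same check be run against whatever age the facility’s SSP actually states.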
Elements of Inspection
COMSEC
  DSS can inspect COMSEC accounts
  Missing user briefings
  Material received in account but not accounted for
  Destruction of material not done properly
OPSEC
  OPSEC requirements not implemented when required
  Employees don’t understand OPSEC
Special Access Programs (SAP)
  If the SAP is under DSS cognizance, it will be inspected; use the SAP inspection checklist
Elements of Inspection
International Operations
  Lack of appropriate authorization prior to disclosure of classified to a foreign entity
  DSS not notified of foreign contracts involving classified
  Marking and storage of foreign classified and US documents containing foreign classified (no commingling)
  Receipt of foreign classified without going through proper channels
  Lack of transportation plan for freight
  Lack of TCP to control access to export-controlled information
  Storing classified at contractor facility without approval
  Missing NATO briefings/debriefings
  NATO documents commingled with other documents
Elements of Inspection
Employee Interviews
  Basic information cleared employees should be aware of
    Their clearance level
    Company badge format (clearance indicators)
    Who the FSO is
    Two things that must be met before access to classified can be given (clearance and need-to-know)
    Definition of Adverse Information and Suspicious Contacts and when to report
    Security Classification Guide concept
  Uncleared employees
    What to do if they find a badge, classified document, etc.
  Suggested questions contained in the Self-Inspection Handbook
  Employees should be able to demonstrate their ability to perform classified tasks
Preparing for the DSS Assessment
Educate employees about the assessment
  Send out basic information to all employees (cleared and uncleared) on questions they could be asked
Make sure you have the DoD Hotline poster prominently displayed
Right to Search policy
Security posters (change them out)
If files or documents are in a mess, get them in order
The security rating is awarded to the facility, not the FSO
  It’s important that all employees understand this and the impact of their actions on the outcome of the assessment
Preparing for the DSS Assessment
Maintain an email template for the self-inspection and DSS assessment so you can email employees about activities
Answer employee questions
Ask your DSS rep about anything you don’t understand
Complete required advance paperwork and return it as requested
Remember, you don’t want to be surprised during a DSS assessment, neither does your management, and neither does your DSS rep, so be prepared
Summary
Make the self-inspection count
Schedule the time and commit to doing it right
Do what works for you and your facility
Self-inspection is not difficult if you don’t let the process sit idly until the week before the DSS assessment
Can’t do it sitting down