Personalize Your Self-Inspection

Sheri Escobar
Escobar Security Consulting
JSAC, April 17-18, 2013
Why Conduct a Self-Inspection?

- It’s a NISPOM requirement (NISPOM 1-206b)
- It’s a good way to develop a relationship with programs and employees
- It’s a key security tool, providing evidence of strong and weak programs
- You don’t want to be surprised during a DSS assessment
- Your company management doesn’t want to be surprised during a DSS assessment
- Your DSS rep doesn’t want to be surprised during a DSS assessment
When to Conduct a Self-Inspection

- Midway through the DSS assessment cycle
- When there’s an issue that needs to be addressed
- Monthly/quarterly (do a quick follow-up before the DSS assessment)
- Program/functional area prior to a customer visit
Getting Started

- Company structure
  - Large company or MFO with multiple security personnel
    - Bring in someone from another site
    - Use local personnel to inspect areas other than their own area of responsibility
  - Small company
    - Employee from another department? HR, IT for the IS portion
    - Consider bringing in someone from the outside
- If you must conduct the self-inspection yourself, make sure you physically look at everything
  - Don’t pencil-whip the inspection
  - Don’t conduct the inspection from your chair
Getting Started

- Don’t be defensive; be open to another opinion
- If you conduct a self-inspection for another facility, don’t talk about issues. Provide the report to the FSO and management
- Management must ensure the inspection is not used as an opportunity to discipline, but to learn and improve
- Involve senior leaders in the process
- Include all employees (cleared and uncleared)
Personalize

- Use the NISP Self-Inspection Handbook for Contractors
  - You may have an internally created checklist (use both)
  - Create your own checklist for “above and beyond” items (security enhancements) to help you reach Commendable and Superior ratings
- Cover all areas that pertain to your operation
  - Inspect operations in accordance with your SPP to ensure operations and documentation match
  - If you don’t have an SPP, are your processes documented?
  - Review contracts for specific requirements
- Inspect more often the areas where most of your issues arise
  - Classification markings, classified IS, international visits, etc.
Personalize

- Meet with the people who perform security processes to make sure they understand and perform the processes correctly and can relay the information to DSS during a formal assessment
  - Ask questions
  - Listen
  - Take notes
  - Don’t assume everything is in good shape
  - Even the best people make mistakes; make employees show you, not tell you
- Provide a takeaway for people who work with classified information
  - Marking brochure, DSS assessment survival guide, etc.
  - Token to say “thanks” for doing a good job
Personalize

- Document your discrepancies, the corrective actions required, and the date for expected completion
- Send a summary report identifying “above and beyond” items as well as discrepancies to management
- Recognize employees who are doing a good job, cc their supervisor; give a goodie (ask for a small budget)
- Help those who need it
Elements of Inspection

- The first three elements of inspection apply to every facility
  - Facility Security Clearance (FCL)
  - Access Authorization
  - Security Education
- Add additional elements that pertain to your facility
  - International
  - Information Security
  - Etc.
Suspicious Contact Reports

- You should have a process for employees to report suspicious contacts
- Employees should understand what constitutes a “suspicious contact”
  - Face-to-face, email solicitation
- Brief employees before overseas travel
- Report suspicious contacts to the FBI and DSS, as well as the customer if appropriate
- Educate, educate, educate
- No suspicious contact reports on file, or reporting requirements not included in the initial or refresher briefing, could keep you from getting the best security rating
Elements of Inspection

- Facility Security Clearance
  - KMP list did not reflect current Key Management Personnel, or information was incorrect
  - SF 328 was not updated when a change occurred or every five years as required
  - DD Form 441/441-1 was not on file or was incorrect
  - FCL was being used for advertising
  - Other changes affecting the FCL were not reported
Elements of Inspection

- Access Authorizations
  - JPAS/JCAVS records not correct for employees
  - Sharing account username or password
  - Clearances not held to the minimum
  - Failure to destroy SF 86 upon granting of clearance
  - No documented policy for verifying citizenship
  - Reports on cleared employees not submitted as required
Elements of Inspection

- Security Education
  - FSO has not received special security briefings and debriefings as required
  - Initial security briefing does not contain the minimum required information
  - No refresher training, or no documentation of training
  - Employees do not understand reporting requirements
  - Lack of documented disciplinary action in the event of violations or negligence
  - Employees unaware of the Defense Hotline number: what it is for and where it is posted
  - Employees not debriefed upon termination
Elements of Inspection

- Consultants
  - Consultant security agreement not on file or not compliant
  - Consultants not participating in security briefings
- Standard Practice Procedures (SPP)
  - SPP does not reflect current facility operations
- Subcontracting
  - Classification guidance/DD 254 not provided to the sub or incorrect for the contract work
  - Failure to verify clearance status and safeguarding capability of the sub
Elements of Inspection

- Visits
  - No procedures in place for identification of visitors
  - No procedures for long-term visitors
- Classified Meetings
  - Attendees not cleared to the level of the meeting, or lack of need-to-know
  - No documentation of the classified meeting
  - No government authorization
- Classification
  - Derivative classification training
  - Documents and media not appropriately marked
  - Missing or outdated classification guidance
  - Downgrading and declassification not accomplished
Elements of Inspection

- Employee Identification
  - Lack of identification for couriers and escorts
  - Employees don’t understand badge details
- FOCI
  - SF 328 not up to date
  - No TCP
  - Accessing classified before authorized
- Public Release
  - No documented public release process, or review for classified not included in the process
  - Approval not requested from the customer prior to release of information related to classified contracts
Elements of Inspection

- Classified Storage
  - End-of-day security checks not being performed
  - Right to Search policy and signage missing
  - Names of employees who have combinations not accurate
  - Combinations for containers holding NATO (annual) and COMSEC (every 2 years) material not changed as required
  - Emergency procedures for protection of classified missing
  - Open storage without approval
  - Failure to lock containers and closed areas when not under the control of a cleared person
- Controlled Access Areas
  - Not maintaining alarm records
  - Missing UL 2050 CRZH certificate
Elements of Inspection

- Marking
  - Mismarked documents
  - Printed documents with handwritten data not properly marked
  - Media not marked properly
  - Unclassified media not marked “Unclassified”
  - Parts or hardware not marked
  - Presentations not properly marked
Elements of Inspection

- Transmission
  - Failing to verify clearance of the receiving facility
  - Improper marking
  - Improper shipping method
  - Tracers for classified material not being sent
- Classified Material Controls
  - Employees don’t understand safeguarding responsibilities
  - Accountability records not retained or not accurate
Elements of Inspection

- Reproduction
  - Reproduction equipment with memory not properly authorized
  - No procedure to review and destroy waste or overruns
  - No authorization for reproduction of Top Secret
- Disposition
  - No process in place to review and reduce classified holdings
  - Documents retained beyond authorization
  - No process for closing out programs and dispositioning classified
  - Destruction containers not marked appropriately
Elements of Inspection

- Information Systems
  - Operating an IS without approval
  - IATO/ATO expired
  - SSP not current (employees make changes all the time)
  - Passwords set to never expire
  - Software/hardware lists not maintained or updated
  - Users not briefed, or briefings not on file
  - Virus software not current
  - Protection measures not set as stated in the SSP
  - System logged on but unattended
  - Audits not being accomplished
  - Employees can’t answer questions
  - Other equipment containing a hard drive (e.g., copy machine) not approved before use
Elements of Inspection

- COMSEC
  - DSS can inspect COMSEC accounts
  - Missing user briefings
  - Material received in the account but not accounted for
  - Destruction of material not done properly
- OPSEC
  - OPSEC requirements not implemented when required
  - Employees don’t understand OPSEC
- Special Access Programs (SAP)
  - If the SAP is under DSS cognizance, it will be inspected
  - Use the SAP inspection checklist
Elements of Inspection

- International Operations
  - Lack of appropriate authorization prior to disclosure of classified to a foreign entity
  - DSS not notified of foreign contracts involving classified
  - Marking and storage of foreign classified and US documents containing foreign classified (no commingling)
  - Receipt of foreign classified without going through proper channels
  - Lack of a transportation plan for freight
  - Lack of a TCP to control access to export-controlled information
  - Storing classified at the contractor facility without approval
  - Missing NATO briefings/debriefings
  - NATO documents commingled with other documents
Elements of Inspection

- Employee Interviews
  - Basic information cleared employees should be aware of:
    - Their clearance level
    - Company badge format (clearance indicators)
    - Who the FSO is
    - The two things that must be met before access to classified can be given (clearance and need-to-know)
    - Definition of Adverse Information and Suspicious Contacts, and when to report
    - Security Classification Guide concept
  - Uncleared employees
    - What to do if they find a badge, classified document, etc.
  - Suggested questions are contained in the Self-Inspection Handbook
  - Employees should be able to demonstrate their ability to perform classified tasks
Preparing for the DSS Assessment

- Educate employees about the assessment
  - Send out basic information to all employees (cleared and uncleared) on questions they could be asked
- Make sure you have the DoD Hotline poster prominently displayed
  - Right to Search policy
  - Security posters (change them out)
- If files or documents are in a mess, get them in order
- The security rating is awarded to the facility, not the FSO
  - It’s important that all employees understand this and the impact of their actions on the outcome of the assessment
Preparing for the DSS Assessment

- Maintain an email template for the self-inspection and DSS assessment so you can email employees about activities
- Answer employee questions
- Ask your DSS rep about anything you don’t understand
- Complete required advance paperwork and return it as requested
- Remember, you don’t want to be surprised during a DSS assessment, neither does your management, and neither does your DSS rep, so be prepared
Summary

- Make the self-inspection count
- Schedule the time and commit to doing it right
- Do what works for you and your facility
- Self-inspection is not difficult if you don’t let the process sit idle until the week before the DSS assessment
- Can’t do it sitting down