Example Security Awareness Briefing - tri

advertisement
Enterprise Information Services, Inc. (EIS)
EAGLE Enterprise Joint Venture (EEJV)
Alliant Enterprise Joint Venture (AEJV)
Security Awareness Briefing
&
Annual Security Awareness
Refresher Briefing
as revised 2012-08-03
Security Awareness Briefing
Executive Order 12958
as amended
The SF312 references Executive Order
(EO) 12958 – Classified National
Security Information, issued by
President Clinton on April 17, 1995
 Established the National
Industrial Security Program;
 Set new guidelines for the protection of
classified information.
Security Awareness Briefing
Introduction
•
U.S. industry develops and produces the majority of our nation’s
defense technology – much of which is classified – and thus plays a
significant role in creating and protecting the information that is vital to
our nation’s security. The National Industrial Security Program (NISP)
was established in 1995 by Executive Order 12958 to ensure
that cleared U.S. defense industry safeguards the classified
information in their possession while performing work on contracts,
programs, bids, or research and development efforts.
•
The Defense Security Service (DSS) administers the NISP on behalf of
the Department of Defense and 23 other federal agencies within the
Executive Branch. There are approximately 12,000 contractor facilities
that are cleared for access to classified information.
Security Awareness Briefing
Introduction (continued)
•
To have access to U.S. classified information and participate in the NISP, a facility
– a designated operating entity in private industry or at a college/university –
must have a bona fide procurement requirement. Once this requirement has been
established, a facility is eligible for a Facility Security Clearance (FCL). A Facility
Security Clearance is an administrative determination that a facility is eligible to
access classified information at the same or lower classification category as the
clearance being granted.
•
The Facility Security Clearance may be granted at the Top Secret, Secret or
Confidential level.
•
In order to obtain the clearance, the contractor must execute a Defense Security
Agreement which is a legally binding document that sets forth the responsibilities
of both parties and obligates the contractor to abide by the security requirements
of the National Industrial Security Program Operating Manual (NISPOM).
Security Awareness Briefing
Overview
• EIS, Inc. is a cleared company in
the National Industrial Security
Program (NISP)
• Employees are bound by
Department of Defense (DoD) rules
and regulations to properly protect
and control all classified material in
their possession per the National
Industrial Security Program
Operating Manual (NISPOM) and as
appropriate, other Cognizant
Security Agency directives.
• You must familiarize yourself with
specific contract provisions on
‘how’ protection and control
measures apply to each program
you support.
Security Awareness Briefing
Security Briefings
• The NISPOM requires that you be provided:
– with an Initial Security Briefing prior to being permitted access to classified
information,
– and that you be provided with an Annual Security Refresher Briefing.
• The NISPOM also states that personnel granted clearances are
required to sign a Classified Information Nondisclosure
Agreement (Standard Form 312)
– which further outlines responsibilities for the protection and safeguarding of
classified information.
– This is essentially an agreement between the individual and the U.S.
Government (discussed later in this briefing).
• Additionally, government site security managers may require
other security briefings specific to the needs of the onsite
government client.
Security Awareness Briefing
DD-254 Form
(Contract Security Classification Specification)
• Makes the facility clearance (FCL) possible
• Must accompany every classified contract
• Maintained by FSO and by Contracts
• Supports the need for Personnel Security Clearances (PCL)
• Absence of DD-254 is cause for termination of FCL or
removal of PCL on any given contract …
(managers beware!)
Security Awareness Briefing
Clearance Information
•
EIS maintains a TOP SECRET facility clearance (FCL).
Just as you are required to sign an agreement with the U.S.
Government, as a defense contractor, the company has signed a
Security Agreement with the U.S. Government.
•
Your security responsibilities are real:
– They are magnified as a result of your employment in a vital defense
industry. It is essential that you realize the importance of this.
– Unauthorized disclosure or failure to properly safeguard classified
information is punishable under the Espionage Laws and Federal
Criminal Statutes.
– Your responsibilities affect the security of our government and the
technological advancement of our nation.
Security Awareness Briefing
Types of Security Investigations
• EIS processes two different investigations (SF-86):
– Collateral: Confidential, Secret and Top Secret clearance
– SCI: Caveat sometimes attached to Top Secret clearances, to
allow access to Sensitive Compartmented Information (SCI);
processed through the government
• Government client processes another investigation (SF-85P):
– Position of Trust : Employees may have a need to work on a
project that is Sensitive But Unclassified, and may be processed
for a background investigation that does not result in clearance,
but gives access to SBU material (VA, DHS, FAA among others).
Security Awareness Briefing
Overview of Security
Classification System
•
As outlined by Executive Order 12958, as
amended, classified information is official government
information that has been determined to require
protection in the interest of national security.
•
All classified information (with only one exception) is
under sole ownership of the U.S. Government, and
employees possess no right, interest, title, or claim to
such information.
Security Awareness Briefing
Introduction to
Classified Information
•
Classified National Security Information (“classified information”):
information that has been determined pursuant to Executive Order 12958
to require protection against unauthorized disclosure and is marked to
indicate its classified status when in documentary form.
•
Information is classified when it is determined that its unauthorized
disclosure can reasonably be expected to cause damage to national
security. Such information is assigned a classification of TOP SECRET,
SECRET, or CONFIDENTIAL and is appropriately marked.
•
Unauthorized disclosure means disclosure to someone NOT authorized by
the government to have access to classified information. Unauthorized
disclosure is punishable as detailed in the Extracts of the Espionage and
Sabotage Acts.
Classified information is discussed in more depth later in this briefing.
Security Awareness Briefing
Classified Information (continued)
•
Three levels have been established based on the criticality of the
information or material to national interests:
1. TOP SECRET: Information or material whose unauthorized
disclosure could be expected to cause exceptionally grave
damage to the national security.
2. SECRET: Information or material whose unauthorized
disclosure could be expected to cause serious damage to
the national security.
3. CONFIDENTIAL: Information or material whose
unauthorized disclosure could be expected to cause
damage to the national security.
Security Awareness Briefing
Identifying Classified Information
• Classified documents are boldly marked with
the highest classification on the top and bottom
of each page.
• Individual Paragraphs have markings: (U), (C),
(S), (TS).
• Use the Program Security Classification Guide
for help when marking classified for your
contract. This guide will instruct you on what
types of information should be classified at
which levels.
• If you believe information is over-classified,
contact the FSO/CSSO for guidance.
Security Awareness Briefing
Procedures for Handling
Classified Information
• Detailed instructions will be provided to you by
the client/site security officer before you access
classified information.
• You will be advised about identifying, handling
and safeguarding classified information.
• Always ask questions when in doubt.
Security Awareness Briefing
Sensitive But Unclassified
Information (SBU)
• Warrants a degree of protection and administrative control
that meets the criteria for exemption from the public
• SBU information includes, but is not limited to:
– Medical, Personal, Financial, Investigatory,
Visa, and Law Enforcement Records
– If released, could result in harm or unfair treatment
to any individual or group, or could have a negative
impact upon foreign policy
Security Awareness Briefing
SBU Handling Procedures
 SBU information should be transmitted through
means that limit the potential for unauthorized
public disclosure
 Secure FAX, Phone, or other encrypted means is
preferable
 Custodian of SBU data needs to make this
determination
 During off-duty hours, SBU information must be
secured within a locked office, or in a locked
container
Security Awareness Briefing
Safeguarding
Classified Information
• One of the most fundamental requirements
of the NISP is the proper safeguarding and
storage of classified information. It is
essential that classified information be at
all times properly safeguarded or stored
in accordance with the requirements of
the NISPOM.
• “Safeguarding” means measures and
controls that are prescribed to protect
classified information.
Security Awareness Briefing
Destruction of Data
• All Sensitive but Unclassified
(SBU) data on disk, tape or
other portable media must be
formatted and over-written
multiple times to prevent
unauthorized access of the
data.
• Hard Drives must be erased
and reformatted. Shredding
is also acceptable.
Security Awareness Briefing
Classified Information
• Classified information exists in many forms. It may
be a piece of hardware, a photograph, a film,
recording tapes, notes, a drawing, a document or
spoken words.
• Material is classified by the originator.
• It comes to industry via security classification
guides.
• The degree of safeguarding required depends on
the information's classification category.
Security Awareness Briefing
Sharing of
Classified Information
•
Determining access to classified material - When an individual is
granted a security clearance, it means that an individual is eligible to
have access to classified information on a “need-to-know” basis.
Access is granted only when the following two conditions are met:
1. The recipient has a valid and current security clearance
at least as high as the information to be released.
(Contact your FSO if in doubt about a person’s clearance status)
AND
2. The recipient requires access in order to perform tasks essential
to the fulfillment of a classified Government contract or program.
This is called “need-to-know.”
(Contact the recipient’s supervisor if in doubt about a person’s
“need-to-know”)
Security Awareness Briefing
Need-to-Know
• Need-to-know confirmation for both internal employees
and visitors should come from a security department
advisor or representative.
• If there is doubt as to whether or not a person has a
need-to-know, you should check with the proper
authority prior to release of any classified information.
• Establishment of need-to-know is essential.
• It is far better to delay release to an authorized person
than to disclose classified information to one who is
unauthorized.
•
It is the responsibility of the possessor of classified
information to ensure that the prospective recipient meets
BOTH of these conditions.
Security Awareness Briefing
SF312
(Classified Information Nondisclosure Agreement)
•
The SF312 is essentially a lifetime contract between you and the U.S. Government
in which you agree to protect U.S. classified information from unauthorized
disclosure.
•
The agreement may limit you from freely discussing your work with colleagues,
relatives, and others.
•
Violation of the agreement can result in a wide array of legal action against you,
ranging from civil suits to a succession of more severe penalties. Penalties for
breaking the nondisclosure contract may include loss of clearance, fines and
criminal prosecution under several statutes.
•
The original signed copy of the SF312 is forwarded to DSS for their records, while
a copy is maintained in the individual’s security file by the company.
•
Failure to sign the agreement will result in revocation of your clearance.
Security Awareness Briefing
SF312
(Classified Information Nondisclosure Agreement)
Security Awareness Briefing
Reporting Requirements
Suspicious Contacts
•
Employees are required to report any suspicious behavior or occurrences that
may occur at any time. This includes all contacts with known or suspected
intelligence officers from any country, or any contact that suggests you may be
the target of an attempted exploitation by a foreign intelligence service (NISPOM
1-302b). More specifically, employees must report to security any of the following
events:
–
–
–
–
–
Any efforts, by any individual, regardless of nationality, to obtain illegal or unauthorized
access to classified or sensitive but unclassified information (SBU).
Any efforts, by any individual, regardless of nationality, to compromise a cleared
employee.
Any contact by a cleared employee with a known or suspected intelligence officer from
any country.
Any contact which suggests an employee may be the target of an attempted exploitation
by the intelligence services of another country.
If there is any problem as to whether any specific situation is reportable, questions
should be directed to your Facility Security Officer.
Security Awareness Briefing
Reporting Requirements (continued)
Foreign Travel
•
If you travel to another country, whether for
business or pleasure, if at all possible, you
must report your travel to your Facility
Security Officer prior to departure.
Information regarding travel in a foreign
country will be provided to you. Foreign
travel must be reported; if not prior, then
immediately after travel.
•
EIS form, “Foreign Travel Reporting for EIS
Staff,” should be completed and returned to
the facility Security Officer prior to foreign
travel, whether personal or for business.
•
Don’t forget this requirement includes
Mexico and Canada.
Security Awareness Briefing
You Must Report …
• Adverse Information. Examples are:
– Financial … this includes garnishments,
lawsuits, bankruptcies, unexplained affluence and
excessive indebtedness.
– Arrests … even if you are arrested and found
“not guilty” this needs to be reported. In addition,
any traffic violation with a fine over $300 should
be reported.
– Psychological … mental or emotional
counseling, or counseling for personality
disorders (marital, family and grief counseling are
excluded).
– Substance Abuse … this includes the use of
illegal drugs and/or excessive use of alcohol.
Security Awareness Briefing
Reporting Requirements (continued)
Adverse Information Examples …
• Arrest for any serious violation of the law
– (including DUI or DWI)
• Excessive use of alcohol or abuse of prescription
drugs
• Any use of illegal drugs
• Bizarre or notoriously disgraceful conduct
• Sudden unexplained affluence
• Treatment for mental or emotional disorders
Security Awareness Briefing
Reporting Requirements (continued)
Adverse Information
•
The Aldrich Ames case provides a lesson on what can happen if
adverse information is not reported (case is addressed again later in the
briefing).
– Ames, a CIA employee, had clear signs of adverse behavior, including
excessive drinking and unexplained affluence. While noticed, these
behaviors were not reported until much too late.
– In 1984, motivated by financial troubles, Ames volunteered highly
SECRET and sensitive CIA information to Soviet and Russian
intelligence.
– After 9 years of selling secrets for over $2.5 million, Ames showed signs
of living beyond the means afforded by his government income.
– As a result of Ames’ treason, 11 agents lost their lives and a large amount
of information regarding the CIA's Soviet intelligence efforts was lost.
Security Awareness Briefing
Reporting Requirements (continued)
Loss or Compromise
•
Employees are required to report any loss, compromise or
suspected compromise of classified information, foreign or
domestic, to the appropriate security office (NISPOM 1-303).
Reporting provides employees with an opportunity to extricate
themselves from a compromising situation and enhances the
protection of national security information.
•
Not reporting a known security compromise may in itself
constitute a major security violation, regardless of the severity of
the unreported incident.
•
Violations may include acts such as misplacing, losing,
improperly storing, improperly transmitting, and leaving
classified material unattended.
Security Awareness Briefing
You Must Report …
• Loss, compromise, (or
suspected loss or
compromise) of classified or
proprietary information,
including evidence of
tampering with a container
used for storage of classified
information.
• When in doubt, check it out …
consult with your onsite
security manager, FSO, or the
NISPOM.
Security Awareness Briefing
Other Reporting Requirements
•
Employees are required to report any
– act of sabotage or possible sabotage,
– espionage or attempted espionage,
– and any subversive or suspicious activity.
•
Employees should also
report any
–
–
–
–
–
attempts to solicit classified information,
unauthorized persons on company property,
unwillingness to work on classified information,
and disclosure of classified information to an unauthorized person,
along with any other condition that would qualify as a security violation
or which common sense would dictate as worth reporting.
Security Awareness Briefing
Information
Security
(INFOSEC)
Security Awareness Briefing
Possible Threats to a System

Hackers and Crackers

Malicious Code

Viruses, Worms, Trojans, Time Bombs

Terrorism

Internet Access

Social Engineering

Insider Threat
Security Awareness Briefing
Vulnerabilities
•
•
A vulnerability is a weakness that can be exploited to develop an
attack against a system, network or individual computer.
Examples:
▪ Users
▪ Software
▪ Improper storage
▪ Weak passwords
▪ Out-of-date patches
▪ Unneeded services
▪ Poor management
There is no such thing as
a completely secure system!
Security Awareness Briefing
Why We Are Vulnerable
NIPRNET = “non-secure”
 The Internet was not designed with
Most Popular Sites Visited by DoD Users—
yahoo.com
google.com
streamtheworld.com ……….….. music
weather.com
96% of DoD web
cnn.com
windowsupdate.com
traffic is
foxnews.com
commercial web
msn.com
browsing
aol.com
deezer.com ….....……..……….… music
facebook.com ….... social networking
liveu.tv ……….…….... video streaming
go.com …………..…. news and sports
vtunnel.com ...…....………… proxy site
security in mind.
 Development often focuses on “Slick,
Stable, Simple” not necessarily
“Secure”
 NIPRNET is an extension of the
commercial Internet
 User awareness is
unacceptably low
Security Awareness Briefing
Confidentiality
• Confidentiality, when applied to computer
systems, means data processed and/or stored
via a specific computer system is accessible
only to authorized individuals.
This applies to:
– Privacy data
– Employment data
– ID theft
Security Awareness Briefing
Integrity
• Integrity, in the arena
of computer security,
means no unauthorized
changes have been made
to system components or
data processed or stored
within a computer system.
This applies to:
– Payroll
– Client Info
– Employment data
Security Awareness Briefing
Ways to Protect the Network

Comply with EIS guidelines for use of Internet and E-mail

No Instant Messaging (IM), cryptography, music or software
downloads

Change your network log-on password regularly (as applicable)
– Make it easy to remember but hard to crack
– Try a “sentence” password – 1st letter of each word
For example: “I went down to 3rd street yesterday.” = iwdt3sy

Lock your workstation when you leave your desk
– CTRL+ALT+DELETE, then choose “Lock”
or
– “Windows” key + L
Security Awareness Briefing
Protecting Your Workstation
• When leaving your work area, be sure and lock your
screen with a password protected screensaver OR if you
are going to be away for long periods of time…LOG
OFF!
• Ensure your workstation has a password protected
screensaver that automatically activates after a period of
time.
Security Awareness Briefing
Creating a Good Password
 Creating a “good password” means that your password
cannot be easily guessed or cracked
– At a minimum, a case sensitive 8-character mix of upper/lower case
letters, numbers, and special characters, including at least two of each
– Example - it be a phrase that can be repeated when logging in:
R#1,iie2casp,bPSWDie!
….Which is derived from
Rule #1, It is easy to create a safe password, but PSWD is easier!
– Do NOT use common words (Family names, dictionary words, birth
dates, anniversary etc.)
– Never share your password with others!
DO NOT write down your password and leave it near your computer!!!!
Security Awareness Briefing
Responsibilities of the User
(Some DOs and DON’Ts)
 Environmental Concerns
– DO protect your work area; keep liquids away from
PC/keyboard
 Software Accountability
– DON’T load unauthorized software
– DO report any unauthorized personnel loading software
on your workstation
– DON’T be afraid to question technicians if you don’t
know them
 Network Access
– DO be aware of visitors to your site
Security Awareness Briefing
Responsibilities of the User
(Some DOs and DON’Ts continued)
 Contingency Planning
– DO save your work to the network drive, not local drive
– DO remember that you are ultimately accountable for
activities that occur under your user name
 Anti Virus Program
– DO check your update file regularly
– DON’T bring files from other computers
Security Awareness Briefing
PEDs and Removable
Media Handling
• Portable Electronic Devices (PEDs) and Removeable Media include:
Blackberry, cell phone, PDA, thumb/flash drive, CD/DVD, external
hard drive
• Blackberries, cell phones, PDAs, MP3 players are prohibited in
controlled spaces
• In accordance with CTO 08-08, thumb drive use on Navy networks
is prohibited until further notice
• Government issued external hard drives are authorized for use –
devices should be regularly scanned
Security Awareness Briefing
Internet Access
• Official Business Use
• Reasonable personal use
– No jokes, Instant Messaging (IM),
downloading music or software,
political or religious content,
fundraising, etc.
– Nothing offensive
• Anti-Virus protection
• Exercise caution
• Remember, you represent EIS and your client.
Security Awareness Briefing
Safe Home Computing
Your home computer is a popular target for intruders.
Why? Because intruders want what you’ve stored there.
They look for credit card numbers, bank account
information, and anything else they can find. By stealing
that information, intruders can use your money to buy
themselves goods and services.
Security Awareness Briefing
Safe Home Computing
What Should I Do To Secure My Home Computer?
1 – Install and Use Anti-Virus Programs
2 – Keep Your System Patched
3 – Use Care When Reading Email with Attachments
4 – Install and Use a Firewall Program
5 – Make Backups of Important Files and Folders
6 – Use Strong Passwords
7 – Use Care When Downloading and Installing
Programs
8 – Install and Use a Hardware Firewall
9 – Install and Use a File Encryption Program and
Access Controls
Security Awareness Briefing
Operations
Security
(OPSEC)
Threat Awareness
Defensive Security
Security Awareness Briefing
What is OPSEC ?
• Operations Security (OPSEC) is all
about keeping potential adversaries from
discovering our critical information.
• Success of the military mission depends
on secrecy and surprise;
• Likewise, protecting company proprietary
and confidential information, and related
information is a priority …
Security Awareness Briefing
Some OPSEC Guidelines
• xxxs all about keeping potential adversaries
from discovering our critical information.
• xxxxs of the military mission depends on
secrecy and surprise;
• xxxxprotecting company proprietary and
confidential information, and related
information is a priority …
Security Awareness Briefing
Threat Awareness
The Foreign Intelligence Threat
•
The gathering of information by intelligence agents, especially
in wartime, is an age-old strategy for gaining superiority over
enemies.
•
Intelligence officers, those individuals working for government
intelligence services, are trained to serve their country by
gathering information.
•
Spies, on the other hand, betray their country by espionage.
•
Preventing this kind of betrayal is the ultimate goal of the entire
U.S. personnel security system.
Security Awareness Briefing
Threat Awareness (continued)
The Foreign Intelligence Threat
•
The FBI believes that nearly 100 countries are currently running economic espionage
operations against the United States. Targets are shifting away from the classified
military information sought in the old Cold War days toward basic research and
development processes.
•
Espionage targets also include technology and trade secrets of U.S. high-tech
companies – everything from cost analyses, marketing plans, contract bids and
proprietary software to high-tech data itself.
•
Any information or process – whether classified, unclassified or proprietary – that
leads to cutting-edge technology is plainly in demand.
•
Some products are bought (or stolen) in this country and then physically smuggled
abroad. Often the technology is not a physical product; it may be a plan, formula or
idea that can be transported on computer or fax machine, or simply carried away
inside scientists' heads.
Security Awareness Briefing
Threat Awareness (continued)
The Foreign Intelligence Threat
•
Many U.S. high-tech industries have been targeted but, according to a recent
government report, the following areas are the most vulnerable: biotechnology,
aerospace, telecommunications, computer software and hardware, advanced
transportation and engine technology, advanced materials and coatings including
stealth technologies, energy research, defense and armaments technology,
manufacturing processes, and semiconductors.
•
The industries listed above are of strategic interest to the U.S. because they contribute
so greatly to critical, leading-edge technologies.
•
Not yet classified proprietary business information is aggressively targeted.
•
A 1995 report by the National Counterintelligence Center adds that foreign collectors
have also exhibited an interest in government and corporate financial and trade data.
Security Awareness Briefing
Threat Awareness (continued)
The Foreign Intelligence Threat
•
The "best" way to acquire information from an organization or company
is – in classic spy style – to recruit a mole on the inside, or to send one
of your own people in on a ruse, posing as someone else.
•
Another method is to blackmail vulnerable employees of U.S. companies
or to recruit foreign nationals working in U.S. subsidiaries abroad.
•
Not all spies have been recruited. Some past or present employees of
U.S. companies, have stolen materials and then sold them to foreign
companies – the volunteer of classic espionage.
Security Awareness Briefing
Threat Awareness (continued)
The Foreign Intelligence Threat
•
Equally as unscrupulous, and also patently illegal, is the
outright bribing of employees* to steal plans, reports and
other proprietary documents, or hiring so-called consultants to
spy on competitors, a practice that can include bugging
competitors' offices.
•
Other methods include theft and smuggling of goods, theft of
intellectual property, tampering with companies' electronics,
extortion, and so forth.
* This is a reason for concern for people with financial issues that are applying
for a security clearance.
Security Awareness Briefing
Threat Awareness (continued)
The Foreign Intelligence Threat
•
We continue to have our classical spy cases.
The most famous case, has been Aldrich Ames,
a veteran CIA intelligence officer, who
volunteered highly secret and sensitive CIA
information to Soviet and Russian intelligence
from 1985 to 1994. It is known that at least 11
agents lost their lives and that Ames gave the
KGB tens of thousand of classified documents.
•
On the heels of Ames came a second CIA
operations officer, Harold Nicholson, arrested
at the end of 1996 on espionage charges that he
had sold secrets to Moscow for 29 months.
Aldrich Ames
Security Awareness Briefing
Threat Awareness (continued)
The Foreign Intelligence Threat
•
Classical espionage cases still occur, but now we are seeing a
bourgeoning of a different kind of spying, an espionage based
not just on the theft of classified information, but on theft of
high-technology information, classified or not.
•
This economic espionage is not a new phenomenon. It is just
that in recent years its frequency has increased greatly.
•
Estimates of current yearly U.S. loss of proprietary business
information now range between $20 billion and $100 billion.
Security Awareness Briefing
Threat Awareness - Espionage
 You may be the target of foreign intelligence activity.
 Foreign powers may seek to collect U.S. industrial
proprietary economic information and technology, the
loss of which would undermine the U.S. strategic
industrial position.
 Foreign intelligence collectors are targeting US
corporate marketing information in order to gather
data that would help their respective countries.
 Overseas travel, foreign contact, and joint ventures
increase your company’s exposure to the efforts of
foreign intelligence collectors.
Security Awareness Briefing
Threat Awareness - Video
Let’s take a look at real life threats to our
nation’s military and industrial secrets …
(30-minute video not available to personnel reviewing these slides via e-mail msg;
those persons need to complete and fax security briefing certification at end of
this slide presentation, to verify having read the annual security refresher briefing)
DVD: “Critical Security Issues:
The reality of Economic Espionage”
from the CI Centre, Alexandria, VA
Security Awareness Briefing
You Must Report …
• To report any of the instances previously cited,
or other suspicious acts, contact:
– Your immediate supervisor
– Your FSO/CSSO
• In the event you cannot reach the above, you
may contact the HOTLINE…
DEFENSE HOTLINE
(800) 424-9098
The Pentagon
Washington, D.C. 20301-1900
Security Awareness Briefing
Safeguarding
PII
Security Awareness Briefing
What is PII ?
• Personally Identifiable information (PII) is any
information that relates to you as an individual:
• Full name
• SSN
• Bank accounts
• Address & phone number
• … and many other forms of information …
Security Awareness Briefing
Protect PII
• Loss or compromise of PII may result in
Identity theft
• Privacy laws require that it be protected
• Report any breach of PII (loss or
compromise) immediately
Security Awareness Briefing
Forms of PII
“High risk” PII which may cause
Business related PII, all releasable
harm to an individual if
lost/compromised
under FOIA or authorized use under
DON policy and considered “low risk”
 Financial information














- bank account #, credit card #, bank
routing #
Medical Data
- diagnoses, treatment, medical history
Full Social Security Number
- use of truncated SSN is better but still
a risk
NSPS/Personnel ratings and pay pool
information
Place and date of birth
Mother’s maiden name
Passport #
Numerous low risk PII elements when
aggregated and linked to a name
Badge number
Job title
Pay grade
Office phone number
Office address
Office email address
Full name*
*Cautionary note: Growing problem
with email phishing
Security Awareness Briefing
Accountability for PII
• Focus on correcting human error and
malicious intent
• Ensure contracts include FAR PII language
• Take corrective action where there are
program deficiencies and follow up
• Consider identity theft protection
Security Awareness Briefing
Basic Facts about Identity Theft
• Identity theft is real
• FTC reports that 8M+ of US adults have
experienced identity theft
• Crimes are still more offline than online
• ½ of all identity thieves were known by
the victim; ¼ were dishonest employees
• SSN’s are the most valuable commodity
for an identity thief
Security Awareness Briefing
Final thought on PII
PII has a shelf life of
FOREVER …
Safeguard it
Security Awareness Briefing
The next series of slides are taken from a presentation to the National
Classification Management Society
Washington, D.C.
by
deborah russell collins
Executive Director
National Security Training Institute (NSTI)
www.nstii.org
Security Awareness Briefing
The World We Live In...
Is the murder of one worker
every eight hours
acceptable as a cost of doing business
in the United States?
Security Awareness Briefing
Some Link Economy with Spate of Killings
In One Month, 57 Die In Eight Mass Murders
In Binghamton, N.Y., a Vietnamese immigrant upset about losing his job burst
into an immigration center and killed 13 people before killing himself. In
Pittsburgh, police said a gun enthusiast recently discharged from the Marine
Corps opened fire and killed three police officers. And in Graham, Wash.,
investigators said a man whose wife was leaving him shot and killed five of his
children in their mobile home before taking his own life.
The carnage that occurred during less than 48 hours last week capped a recent
string of unusually brazen mass killings, which crime experts say have touched
more people and occurred in more public settings than in any time in recent
memory. Comparative statistics are difficult to come by, but during the past
month alone, at least eight mass homicides in this country have claimed the
lives of 57 people. Just yesterday, four people were discovered shot to death in
a modest wood-frame home in a remote Alabama town. The factor underlying
the violence, some experts think, is the dismal state of the nation's economy.
Criminologists theorize that the epidemic of layoffs, the meltdown of storied
American corporations and the uncertainty of recovery have stoked fear,
anxiety and desperation across society and unnerved its most vulnerable and
dangerous.
"I've never seen such a large number [of killings] over such a short period of
time involving so many victims," said Jack Levin, a noted criminologist at
Northeastern University who has authored or co-authored eight books on mass
murder. The simple fact, criminologist James Alan Fox said, is that more
Americans are struggling.
By
Philip Rucker
Washington Post
Staff Writer
April 8, 2009
Security Awareness Briefing
Staggering Statistics Tell The Story
• Staggering statistics
• Two million victims every year
• Leading cause of death at work for women “domestic boil-over”
• Most cases go unreported
• Two thirds of cases are preceded by ‘red flags’
• How would you define it?
• More than homicide
• Verbal threats, physical attacks top the list...
Security Awareness Briefing
What Is Workplace Violence?
The threat or actual use of force by anyone
against another person or persons in the
workplace…
This includes physical attacks; any threats spoken,
written or electronically transmitted; intimidating or
threatening behavior; harassment; coercion; and
other behavior or comments that attempts to harm
or give reasonable cause to believe that it
places others at risk.
Security Awareness Briefing
What are the Warning Signs?
•
•
•
•
•
•
•
•
•
•
Irrational beliefs and ideas
Unwarranted perception of unfairness
Displays of unwarranted anger
Self image of being “irreplaceable”
Isolation - depression, suicide threats
Erratic job performance, inability to take criticism
Use of threats - verbal, non-verbal, written
History of drug or alcohol abuse
Obsession with weapons
Recent family, financial or other personal problems
Security Awareness Briefing
Whole Person Concept
• A catalog of traits is no substitute for
informed observation and judgment
• More than one or two traits -a pattern of behavior
“We are dealing with a sick person
who needs help.”
Park Dietz, Forensic Psychologist
Security Awareness Briefing
The ESL Story
The tragedy of workplace violence was made evident in the February 16, 1988
shootings at ESL, in Sunnyvale, CA, which prompted a made-for-TV movie,
“I Can Make You Love Me: The Stalking of Laura Black.”
Security Awareness Briefing
No amount of prevention can stop a person who is
determined to commit an act of violence in the
workplace...
Being Proactive, Being Prepared
Proper planning can reduce the likelihood
of an incident happening and can prepare an
organization to deal with one if necessary
Security Awareness Briefing
In a changing world ... the challenges we face …
The another tragedy of inappropriate behavior leading to violence was made
evident at a youth hockey game in Massachusetts, when an altercation
between two fathers resulted in the death of one at the hands of the other.
Security Awareness Briefing
The Challenges We Face
• Being rude is acceptable…
– Increasing anger, hostility toward others
– Complacency – it’s old news, we’re numb to it
• And it goes well beyond the office…
– On the ball field, how we drive, on the airplane,
even at the store
- In our schools…churches and homes…
You can make a difference…
every single day!
Security Awareness Briefing
How will you respond?
Do what you can to help
those around you who need help...
Make a personal commitment to
be proactive in ending this epidemic
in our society…
And remember what
matters most in this life...
Security Awareness Briefing
Take-aways
• Know the Reporting Requirements *
• Be Aware of the Threat *
– Practice good INFOSEC
– Practice good OPSEC
– Be aware of violence in the workplace
• Safeguard PII *
• Understand the “Need-to-Know” *
• Know your FSO *
Security Awareness Briefing
Something to Remember …
CLEARANCE
+
=
ACCESS
NEED TO KNOW
 Employees will only be permitted access to classified information
with the proper clearance AND the need to know.
 If you ever need to disclose classified information to anyone,
make sure they have the proper clearance AND need to know.
Not sure of the clearance level? Check with your FSO.
Security Awareness Briefing
Recap - Reporting Requirements
Don’t Hesitate
• In general, don’t hesitate
to report anything you feel
could be detrimental to
the security of:
– our company,
– our employees,
– our government
customers; or
– our country.
Security Awareness Briefing
Security is …
EVERYONE’s
business !!!
Security Awareness Briefing
NISPOM Hotlines
•
Federal agencies maintain hotlines to provide an unconstrained
avenue for government and contractor employees to report, without
fear of reprisal, known or suspected instances of serious security
irregularities and infractions concerning contracts, programs, or
projects. These hotlines do not supplant contractor responsibility
to facilitate reporting and timely investigation of security matters
concerning its operations or personnel, and contractor personnel
are encouraged to furnish information through established
company channels. However, the hotline may be used as an
alternative means to report this type of information when
considered prudent or necessary.
DoD Hotline: (800) 424-9098
The Pentagon, Washington, D.C. 20301-1900
Security Awareness Briefing
Know Your Facility
Security Officer (FSO)
•
You should know who your company
security officer is. The title is “FSO”
for Facility Security Officer:
– Joe Curry, FSO
703-752-5537
– Bonnie Grishkat, Asst. FSO
703-752-5541
•
Any security related questions
should be brought to the
FSO’s attention.
Security Awareness Briefing
“I don’t care how skilled you are as a
diplomat, how brilliant you may be at
meetings, or how creative you are as
an administrator …
if you are not professional about
security …
you are a failure.”
Madeleine Albright
Former Secretary of State
Security Awareness Briefing
This concludes the
Security Awareness Briefing
also serving as the
Annual Security Refresher Briefing
Security Awareness Briefing
Conclusion
• Thank you for taking the time to read and understand
this briefing.
• Should you have any questions regarding what you have
just read, or any other security matters, please contact
either your onsite security manager or company FSO.
• Please sign the briefing certificate on the following page
and return to the EIS FSO, @ FAX 301-749-0215.
Security Awareness Briefing
Security Briefing Certificate
(for self-certifying individuals in lieu of in-person briefing)
I confirm that I have read & understood the EIS Security Awareness Briefing,
as revised for
CY 2012.
Please complete and return to:
_____________________________
Printed Name
_____________________________
Signature
_____________________________
Date
Joe Curry
1945 Old Gallows Road, Suite 500
Vienna, VA 22182
or FAX to:
703-749-0215
or scan and email to:
jcurry@goeis.com
Send upon completion.
Security Awareness Briefing
Response Required
You have now completed the
Security Awareness Briefing,
also serving as the
Annual Security Refresher Briefing.
Please respond, so that we may print a
verification that you have received this
briefing.
Thank you.
Security Awareness Briefing
Download