isp program update - Industrial Security Professional (ISP

NCMS & the Industrial Security
Professional (ISP) Certification Preparation
William L. Uttenweiler, ISP
Lead Mentor, ISP Exam Prep Program
Florida Space Coast Chapter, Cape Canaveral AFS, FL
Three Topics
What is NCMS & why should you belong?
What is the Industrial Security
Professional certification program & why
you should be one?
How can you best prepare for the ISP
exam?
Question:
What is NCMS & why
should you belong?
Organization
Society of Information Security
Professionals
Founded in 1964
Headquartered in Wayne, PA
24 chapters in USA, 1 in Europe, & 1
“virtual”
~ 2,600 members
Official Scope – #1
Develop & promote education & training of
members in the application of
requirements of industrial security in
support of the security of the United States
and its allies as described in the National
Industrial Security Program (NISP).
- Classified information (mostly DOD, DOE, CIA
& NRC but 23 other agencies included)
Official Scope – #2
Develop and promote education and
training of members in the application of
classification management principles,
practices, procedures, & techniques in
protecting government designated
unclassified information & intellectual
property in all forms.
- Government FOUO
- Company Proprietary/Competition Sensitive,
etc.
- Operations Security (OPSEC)
How NCMS Meets Scope #1 & #2
Web site, especially the Members Only
section
Annual National Training Seminar
CM Bulletin
Chapter level activities and
communications
NCMS Web Site
www.classmgmt.com
New news you can use
Resource library
- Counterintelligence information; security education/awareness training tools, security briefings
- Government reports (NISPOM, Industrial Security Letters, Executive Orders, Presidential Decision Directives, PERSEREC Reports)
- Classification management, physical security, COMSEC, OPSEC, information security, information assurance
- Protecting FOUO, sensitive-but-unclassified information, proprietary information
- Homeland Security, Emergency Preparedness
- JPAS, e-QIP
- International security, NATO, Export Control
- Facility Security Officer Training
- And much, much more
NCMS Web Site
www.classmgmt.com
Membership Assistance Publication Series
(MAPS) – tied to sections of NISPOM
- Self-Inspection guide for collateral facilities
- Administrative inquiry checklist
- Handbook on DD 254 preparation (subcontracting)
- Sample resolution for exclusion of certain directors or officers
- Briefing “The Foreign Intelligence Threat”
- Sample annual security refreshers
- Instructions for changing safe & lock combinations
- Where to get clips for false/drop ceilings in closed areas
- Writing a master systems security plan for classified AIS
- And much, much more
Annual National Training Seminar
43rd was held June 2007 in Reno NV and included
- General and break-out sessions on topics like
• DISCO & JPAS behind the scenes; basic/advanced JPAS & e-QIP training
• Threat integration in your security program
• Security clearance adjudication
• SCI overview; special access program training
• FOCI, export control, proxy agreements, special security agreements
• Classified AIS security issues
• OPSEC – “They Really Didn’t Do That, Did They?”
• Ray Semko “Unleashed”
- Summaries of sessions published in CM Bulletin; when
available, slides posted on-line
- Facility Security Officer Program Management course
offered by DSS Academy
- Proctored ISP certification exam
45th Annual National Training Seminar
CM Bulletin
Bi-monthly NCMS newsletter
- Official means of communication between
leadership & members
- Articles by members on topics of interest, for
example
• Results of polygraph survey
• Perils of the Internet
• How to build a better security team
• Verbal attestations
• US port deal highlights foreign investments
• Data spills – cleanup & prevention
• Effective speaking tips
Chapter level activities & communications
Chapter-sponsored seminars
Chapter meetings with speakers
E-mail from chapter chair with news,
updates, etc.
Association with government audit/
inspection personnel in a professional,
non-adversarial environment
Networking – you are never alone
Official Scope – #3
Advance the professionalism of Members
through a formal certification program
recognized by government & industry.
- Industrial Security Professional (ISP)
certification
• http://www.ncms-isp.org/
- More in a moment
Official Scope – #4
Advance its purpose by representation &
participation on U.S. government &
professional security councils,
committees, boards & forums & through
formal comment, proposal, petition, &
coordination.
- Memorandum of Understanding (MOU) Group
- NISP Policy Advisory Committee (NISPPAC)
- Close rapport with ISOO, DSS, etc.
The MOU Group
MOU Group
- Membership includes: NCMS & 5 other groups
NISP Policy Advisory Committee
- By invitation but usually includes NCMS
members
Both represent industry’s voice to top-level
government security policy makers
Information Flowing Up
Example: High Security Lock Legislation
- Pushed by Sen Jim Bunning (R-KY) in FY 2002
Defense Authorization Bill
- Would have accelerated requirement for X0-8/9
locks (replacement kits cost $1,200 each;
cabinets cost $1,570 - $5,679 each)
- Industry surveyed costs ($231 million) and
concluded they were not justified by risk
- Bunning’s district includes headquarters of
MAS-Hamilton, the only manufacturer of
compliant locks
Information Flowing Up
Example: personnel security investigation
backlog
- Explained the costs in unaccomplished work
while PSIs languish uncompleted
- DSS agreed to allow facilities to each
prioritize a small number of cases and to
accelerate their completion
- Early notification of DSS plans and requests
for future PSI needs
Special Relationships
Special relationships with ISOO, DSS, etc.
- High level staff frequently meet with Board of
Directors on issues of mutual interest
- High level staff regularly present at NCMS
National Training Center
- Permanent host for presentation of DSS’s
James S. Cogswell Award for outstanding
industrial security programs
Evaluating the Value of Memberships
DSS James S. Cogswell Award for
Outstanding Industrial Security Program
- 2006: NCMS members for 13 of the 28
selected firms
- 2007: NCMS members for 20 of the 30
selected firms
An NCMS member was one of the firm’s representatives at the awards ceremony.
Management Support Is Critical
Security professionals need enthusiastic
support from their management
- More than signing the occasional policy or
giving the intro at annual company refresher
- Reimbursement for dues and expenses
- Permission to attend functions and work on
NCMS business (both for training and good PR
within the DOD contractor community)
- Demonstrates to other employees that security
is important to the company
Question:
What is NCMS & why should you
belong?
Answer:
NCMS is the Society of Information
Security Professionals. If you belong
to NCMS, you & your company are
never “hanging out there” alone. You
have access to local & national level
resources & experts when a question
or a problem occurs.
Question:
What is the Industrial
Security Professional
certification program &
why should you be
one?
ISP Certification
The security certification universe in 2003
- Some of the existing ones were too broad
• Certified Protection Professional (CPP)
- Others were narrowly focused but on other
disciplines
• Physical Security Professional (PSP)
• Certified Fraud Examiner (CFE)
• Certified Information Systems Security Professional (CISSP)
• Global Information Assurance Certificate (GIAC)
• Certified in Homeland Security (CHS)
ISP Certification
Security certification universe in 2003
- None focused on the National Industrial
Security Program (NISP) or the NISPOM
- None included areas like Counterintelligence
(CI) and Communications Security/TEMPEST
- NCMS grassroots wanted a certification that would
closely match what a Facility Security Officer
(FSO) and his/her staff actually do
Industrial Security Professional
Industrial Security Professional (ISP)
certification
- For individuals involved in classified
government contracts
- Introduced in 2004
- Aimed at “journeyman” level professionals
- ~ 190 currently certified world-wide
ISP Certification
ISP Certification requirements
- 5 years’ experience (can be part-time if >10%
of duties)
- Pass a proctored exam
• 110 questions (100 “core” plus 5 each on 2 electives
chosen from 4 available – counterintelligence,
COMSEC/TEMPEST, intellectual property, OPSEC)
• 2 hours long; open book
- Recommended by supervisor or NCMS
National Director
- Subscribe to high ethical standards
ISP Certification
Recertification required every 3 years
- Shows continued professional development
- Demonstrates that person has kept current on
both threats and defenses
- Can be accomplished by
• Training/seminar attendance
• Leadership in security activities
• Authoring articles/classes on security topics
• Etc.
ISP Certification
“Accreditation”
- Only recently provided for the ASIS-sponsored
CPP; ISP isn’t far behind
- However, can be a valuable assurance in the
case of a new program like the ISP
- NCMS is working with the American National
Standards Institute (ANSI) to get formal
“accreditation” for the ISP
ISP Certification
Accreditation process has driven the
requirement to have on-line test takers
proctored
- Proctors ensure that the candidate is the person
who takes the exam
- Chapter Chairs help locate current ISPs to
serve as proctors
- For those not near an ISP, NCMS Headquarters
will approve qualified proctors (including
Government Industrial Security
Representatives, College/ University teachers,
etc.)
ISP On-Line
http://www.ncms-isp.org
Separate ISP web site to consolidate
resources
- Certification Booklet
- Application Form
- ISP Code of Ethics
- Test References & Sources
- Frequently Asked Questions
- List of Current ISPs
- ISP Exam Preparation Program
ISP Certification: Why Certify?
The ISP program provides a high-level baseline
for the knowledge required of an Industrial
Security FSO with at least five years of
experience;
It certifies that the holder of the ISP has the
requisite knowledge of the NISPOM and other
related directives used by the average FSO on
a daily basis;
It demonstrates on the part of the ISP a degree
of professionalism and willingness to go the
extra yard to develop professionally;
ISP Certification: Why Certify?
It demonstrates self-confidence & willingness to take
a risk (of flunking the certification exam in this
case);
It demonstrates that the ISP has the academic and
intellectual skills to not only perform as an FSO but
also to develop further as a security professional;
It puts a company that has ISPs on their staff in a
stronger position for contract bids and re-bids in the
area of security; and
It provides an FSO with an ISP added credibility when
dealing with DSS representatives
A couple of testimonials
Crystal Chambers, ISP, CENTRA Technology Inc., Arlington,
VA. Having ISP after my name MEANS something! When I applied
for a new position, not only did my new boss know what it meant,
he was impressed! I have an ability now to confidently use, refer
to and quote the NISPOM! This class made me open up the book
and LOOK at chapters I hadn’t needed previously, like Chapter 8.
Did I mention I got a perfect score on that section?
Leonard Moss Jr., ISP, CHS-V, AAI Corporation, Hunt Valley, MD. In
October 2006 I moved cross-country for a promotion to the
Director of Corporate Security at AAI Corporation. It's a great
opportunity and it's the promotion I had been seeking. You will be
happy to know that when I applied for this position one of the
things the job called for was "ISP preferred.” I thought that was
great and worth sharing. It shows the value of our credential.
Question:
What is the Industrial Security
Professional certification program
& why should you be one?
Answer:
The only professional certification
aimed at staff working to protect
classified information. It pays
dividends both in knowledge &
reputation.
Next Question:
How can you best
prepare for the
ISP exam?
ISP Exam Preparation
Barrier to testing – The Fear Factor
Overcoming The Fear Factor through
preparation
The Fear Factor
Applicants are apprehensive about taking
the exam
- I’m not good enough (or experienced enough)
- I’ve been out of school for a long time, I don’t
test well & I might fail.
- I’m too busy (workload, personal problems, etc.)
- If I fail, I’ll look bad in the eyes of supervisors,
coworkers & colleagues.
- If I fail, I’ll be out several hundred dollars.
(Some companies don’t fund the exam until
employee passes.)
Overcoming the Fear Factor
The two keys are networking & preparation
Networking
- “I’m not good enough” dispelled by contact
with colleagues (difference between test takers
in Reno NV in 2004 & Seattle WA in 2005)
Preparation
- Knowledge provides self-confidence
- Some nervousness always remains for any
“high stakes” test, but the adrenalin helps
Main methods of preparation
- Self-study
- ISP Examination Preparation Program
- ISPCERT.COM
Self-Study
http://www.ncms-isp.org/StudyReferences.html
Self-study was the only study method
available before 2006
All of the source documents for the ISP
exam are unclassified and widely available on-line
Anxiety was high because candidates
didn’t know if their preparation was
“adequate”
Now – the ISP Exam Prep Program
workbook can be used for self-study
ISP Exam Preparation Program
Arose during 2005 ramp-up
- Candidates met telephonically to discuss
“hard” chapters (Chap 8 on AIS, Chap 10 on
international)
- Expanded & formalized at 41st Annual
National Training Seminar in Seattle WA
- Sponsored by ISP Committee (co-Chairs:
Barbara Taylor, ISP & Priscilla Crawford, ISP)
ISP Exam Preparation Program
Prep Program purpose
- Develop better security professionals by
conducting comprehensive training on
fundamentals like the NISPOM, ISLs, OPSEC, CI,
etc.
- Assist those who do not have local ISPs to be
their “mentors”
- Encourage “unsure” candidates that they can
complete appropriate preparation for the exam
- “Cooperate & Graduate”
ISP Exam Preparation Program
Overview
- Students will obtain materials & study in
advance of the telecons
- Telecons with mentors & other candidates to
answer questions, help pace the preparation,
etc.
• About 1 hour long each
• Once a week
• All but electives occur 3x weekly so
Candidates can pick the most convenient one
ISP Exam Prep Program
Materials
- Electronic copies of key references
- Workbook to help candidates’ review of
NISPOM & other materials (cost $15)
- The Annotated NISPOM, a great tool for all
security professionals, is available at:
http://www.ncms-isp.org/NISPOM_200602_with_ISLs.pdf
ISP Exam Preparation Program
Mentors
- All are current ISPs
- 2-person Mentor teams will provide a variety of
experiences/viewpoints
Timeline
- Next “Round” in the program started in July 2008
- Timed so that Candidates finish in time to test before
the Thanksgiving & end-of-year holidays
- To sign up or get more information, contact the ISP
Lead Mentor Team by e-mail ISP_Mentor@hotmail.com
ISP Exam Preparation Program
Lesson strategy
- Call #1A - get started, go over "Test Tips" article for
information/techniques/tips, evaluate class size, etc.
- Call #1B - look up practice (5 questions w/paper
NISPOM, 5 questions w/electronic search of The
Annotated NISPOM in PDF)
- Lesson #2 - #10 - cover about 10% of the NISPOM in
each session
- Lesson #11 - last minute questions, wrap-up
ISP Exam Preparation Program
Lesson Strategy (continued)
- Four optional calls; 1 for each of the four
electives
• COMSEC/TEMPEST
• Counterintelligence
• Intellectual Property
• Operations Security
ISPCERT.COM
Creation of Jeffrey W. Bennett, ISP,
ISPCERT.com, Madison AL; Secretary of
NCMS Mid-South Chapter
The Complete Guide for Industrial Security
Professional (ISP) Exam Preparation
- Practice test with 400+ multiple choice
questions (with answer sheets)
- Practical tips for candidates
- Cost is $39.99
Final Comments on ISP Exam
Available on-line 24/7
Available “on paper” at 2009 NCMS Annual
National Training Seminar in Anaheim CA
next June
Exam isn’t easy but you will pass if you
- Pay attention to test discipline (110 answers in
120 minutes)
- Prepare in advance
Question:
How can you best prepare for the
ISP exam?
Answer:
There are several methods,
from independent study to use
of prepared workbooks to taking
the ISP Exam Prep Program.
Choose the one you believe will
work best for you.
Final Notes: Security Awareness Posters
http://www.ncms-channelislands.org/posters.html
Speaker Contact Information
William L Uttenweiler, ISP
- William.L.Uttenweiler@aero.org
- Work Phone: 321-853-0803
- Cell Phone: 321-506-7427
- FAX: 310-563-2959
Any More
Questions?