Security Awareness Briefing & Annual Security Awareness Refresher Briefing, as revised 2012-08-03 (PowerPoint presentation, Enterprise Information Services, Inc.)

Page 1

Security Awareness Briefing

Enterprise Information Services, Inc. (EIS)
EAGLE Enterprise Joint Venture (EEJV)
Alliant Enterprise Joint Venture (AEJV)

Security Awareness Briefing & Annual Security Awareness Refresher Briefing, as revised 2012-08-03

Page 2

Executive Order 12958, as amended

• The SF312 references Executive Order (EO) 12958, Classified National Security Information, issued by President Clinton on April 17, 1995.

• EO 12958 set new guidelines for the protection of classified information.

• Note: the National Industrial Security Program was not established by EO 12958 but by EO 12829 of January 6, 1993. EO 12958, as amended, was itself replaced by EO 13526 (Classified National Security Information) on December 29, 2009; references in this briefing to "EO 12958, as amended" should be read as the order currently in force.

Page 3

Introduction

• U.S. industry develops and produces the majority of our nation's defense technology, much of which is classified, and thus plays a significant role in creating and protecting the information that is vital to our nation's security. The National Industrial Security Program (NISP) was established by Executive Order 12829 (January 1993) to ensure that cleared U.S. defense industry safeguards the classified information in its possession while performing work on contracts, programs, bids, or research and development efforts.

• The Defense Security Service (DSS) administers the NISP on behalf of the Department of Defense and 23 other federal agencies within the Executive Branch. There are approximately 12,000 contractor facilities that are cleared for access to classified information.

Page 4

Introduction (continued)

• To have access to U.S. classified information and participate in the NISP, a facility (a designated operating entity in private industry or at a college/university) must have a bona fide procurement requirement. Once this requirement has been established, a facility is eligible for a Facility Security Clearance (FCL). A Facility Security Clearance is an administrative determination that a facility is eligible to access classified information at the same or lower classification category as the clearance being granted.

• The Facility Security Clearance may be granted at the Top Secret, Secret or Confidential level.

• In order to obtain the clearance, the contractor must execute a Department of Defense Security Agreement (DD Form 441), a legally binding document that sets forth the responsibilities of both parties and obligates the contractor to abide by the security requirements of the National Industrial Security Program Operating Manual (NISPOM).

Page 5

Overview

• EIS, Inc. is a cleared company in the National Industrial Security Program (NISP).

• Employees are bound by Department of Defense (DoD) rules and regulations to properly protect and control all classified material in their possession per the National Industrial Security Program Operating Manual (NISPOM) and, as appropriate, other Cognizant Security Agency directives.

• You must familiarize yourself with specific contract provisions on 'how' protection and control measures apply to each program you support.

Page 6

Security Briefings

• The NISPOM requires that you be provided:
– with an Initial Security Briefing prior to being permitted access to classified information,
– and with an Annual Security Refresher Briefing.

• The NISPOM also states that personnel granted clearances are required to sign a Classified Information Nondisclosure Agreement (Standard Form 312):
– which further outlines responsibilities for the protection and safeguarding of classified information;
– this is essentially an agreement between the individual and the U.S. Government (discussed later in this briefing).

• Additionally, government site security managers may require other security briefings specific to the needs of the onsite government client.

Page 7

DD-254 Form (Contract Security Classification Specification)

• Makes the facility clearance (FCL) possible
• Must accompany every classified contract
• Maintained by the FSO and by Contracts
• Supports the need for Personnel Security Clearances (PCL)
• Absence of a DD-254 is cause for termination of the FCL or removal of a PCL on any given contract … (managers beware!)

Page 8

Clearance Information

• EIS maintains a TOP SECRET facility clearance (FCL). Just as you are required to sign an agreement with the U.S. Government, the company, as a defense contractor, has signed a Security Agreement with the U.S. Government.

• Your security responsibilities are real:
– They are magnified as a result of your employment in a vital defense industry. It is essential that you realize the importance of this.
– Unauthorized disclosure or failure to properly safeguard classified information is punishable under the Espionage Laws and Federal Criminal Statutes.
– Your responsibilities affect the security of our government and the technological advancement of our nation.

Page 9

Types of Security Investigations

• EIS processes two different investigations (SF-86):
– Collateral: Confidential, Secret and Top Secret clearance.
– SCI: a caveat sometimes attached to Top Secret clearances to allow access to Sensitive Compartmented Information (SCI); processed through the government.

• The government client processes another investigation (SF-85P):
– Position of Trust: employees may have a need to work on a project that is Sensitive But Unclassified, and may be processed for a background investigation that does not result in a clearance but gives access to SBU material (VA, DHS, FAA among others).

Page 10

Overview of Security Classification System

• As outlined by Executive Order 12958, as amended, classified information is official government information that has been determined to require protection in the interest of national security.

• All classified information (with only one exception) is under sole ownership of the U.S. Government, and employees possess no right, interest, title, or claim to such information.

Page 11

Introduction to Classified Information

• Classified National Security Information (“classified information”): information that has been determined pursuant to Executive Order 12958 to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.

• Information is classified when it is determined that its unauthorized disclosure can reasonably be expected to cause damage to national security. Such information is assigned a classification of TOP SECRET, SECRET, or CONFIDENTIAL and is appropriately marked.

• Unauthorized disclosure means disclosure to someone NOT authorized by the government to have access to classified information. Unauthorized disclosure is punishable as detailed in the Extracts of the Espionage and Sabotage Acts.

Classified information is discussed in more depth later in this briefing.

Page 12

Classified Information (continued)

• Three levels have been established based on the criticality of the information or material to national interests:

1. TOP SECRET: Information or material whose unauthorized disclosure could be expected to cause exceptionally grave damage to the national security.

2. SECRET: Information or material whose unauthorized disclosure could be expected to cause serious damage to the national security.

3. CONFIDENTIAL: Information or material whose unauthorized disclosure could be expected to cause damage to the national security.

Page 13

Identifying Classified Information

• Classified documents are boldly marked with the highest classification on the top and bottom of each page.

• Individual paragraphs carry portion markings: (U), (C), (S), (TS).

• Use the Program Security Classification Guide for help when marking classified material for your contract. This guide will instruct you on what types of information should be classified at which levels.

• If you believe information is over-classified, contact the FSO/CSSO for guidance.
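The banner and portion-marking rule above, as an added example that is not part of the EIS briefing: a small Python check that derives the banner a page must carry from its portion markings and reports banners that are too low (a marking violation) or too high (possible over-classification, the case the slide says to raise with the FSO/CSSO). The sample page and its paragraphs are constructed, and the check is a simplification: real markings also carry dissemination controls, classification authority blocks and downgrading instructions that it ignores.

```python
"""Portion-marking consistency check. Added example, not part of the EIS
briefing. Levels follow the slide: (U) < (C) < (S) < (TS); the page banner
must equal the highest portion marking present. Sample page is constructed."""
import re

LEVEL_OF_PORTION = {"U": 0, "C": 1, "S": 2, "TS": 3}
BANNER_OF_LEVEL = {0: "UNCLASSIFIED", 1: "CONFIDENTIAL", 2: "SECRET", 3: "TOP SECRET"}
LEVEL_OF_BANNER = {name: lvl for lvl, name in BANNER_OF_LEVEL.items()}

# A portion marking is the first thing in the paragraph: "(TS) text ..."
PORTION_RE = re.compile(r"^\((U|C|S|TS)\)\s")


def portion_level(paragraph):
    """Numeric level of a paragraph's portion marking; unmarked text is an error
    because every portion of a classified document must carry a marking."""
    m = PORTION_RE.match(paragraph.lstrip())
    if m is None:
        raise ValueError("paragraph lacks a portion marking: %r" % paragraph[:40])
    return LEVEL_OF_PORTION[m.group(1)]


def required_banner(paragraphs):
    """The banner a page must carry: the highest portion marking on the page."""
    return BANNER_OF_LEVEL[max(portion_level(p) for p in paragraphs)]


def check_page(banner_top, banner_bottom, paragraphs):
    """Return a list of findings; an empty list means the page is marked
    consistently (banner at top and bottom, both equal to the highest portion)."""
    findings = []
    need = required_banner(paragraphs)
    for where, banner in (("top", banner_top), ("bottom", banner_bottom)):
        if banner not in LEVEL_OF_BANNER:
            findings.append("%s banner %r is not a recognised level" % (where, banner))
        elif LEVEL_OF_BANNER[banner] < LEVEL_OF_BANNER[need]:
            findings.append("%s banner %s is below the required %s" % (where, banner, need))
        elif LEVEL_OF_BANNER[banner] > LEVEL_OF_BANNER[need]:
            findings.append("%s banner %s exceeds the highest portion %s; possible "
                            "over-classification, consult the FSO/CSSO" % (where, banner, need))
    if banner_top != banner_bottom:
        findings.append("top and bottom banners differ")
    return findings


# Constructed sample page: the banner says SECRET, but one portion is (TS).
SAMPLE_PARAGRAPHS = [
    "(U) Contract number and period of performance.",
    "(S) Description of the test range schedule.",
    "(TS) Performance figures for the sensor under test.",
]

if __name__ == "__main__":
    for finding in check_page("SECRET", "SECRET", SAMPLE_PARAGRAPHS):
        print("FINDING:", finding)
```

Run as a script it reports the constructed page's two under-marked banners; `check_page` returns an empty list only when both banners equal the highest portion marking, and an unmarked paragraph raises rather than being silently treated as unclassified.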

Page 14

Procedures for Handling Classified Information

• Detailed instructions will be provided to you by the client/site security officer before you access classified information.

• You will be advised about identifying, handling and safeguarding classified information.

• Always ask questions when in doubt.

Page 15

Sensitive But Unclassified Information (SBU)

• Warrants a degree of protection and administrative control that meets the criteria for exemption from public release.

• SBU information includes, but is not limited to:
– Medical, personal, financial, investigatory, visa, and law enforcement records;
– Information which, if released, could result in harm or unfair treatment to any individual or group, or could have a negative impact upon foreign policy.

Page 16

SBU Handling Procedures

• SBU information should be transmitted through means that limit the potential for unauthorized public disclosure.

• Secure FAX, secure phone, or other encrypted means are preferable; the custodian of the SBU data makes this determination.

• During off-duty hours, SBU information must be secured within a locked office or in a locked container.

Page 17

Safeguarding Classified Information

• One of the most fundamental requirements of the NISP is the proper safeguarding and storage of classified information. It is essential that classified information be at all times properly safeguarded or stored in accordance with the requirements of the NISPOM.

• "Safeguarding" means the measures and controls that are prescribed to protect classified information.

Page 18

Destruction of Data

• All Sensitive But Unclassified (SBU) data on disk, tape or other portable media must be overwritten multiple times before the media is reused or released, to prevent unauthorized recovery of the data.

• Hard drives must be erased and reformatted. Shredding is also acceptable.

Note that formatting by itself does not remove data: a format rewrites the filesystem structures and leaves most of the previous contents on the media, where recovery tools can read them. The accepted methods are overwriting every addressable sector and then verifying by reading the media back, degaussing magnetic media, or physical destruction. For flash-based media (SSDs, thumb drives) an overwrite cannot reach blocks the controller has remapped, so cryptographic erase or destruction is required. NIST SP 800-88, Guidelines for Media Sanitization, is the reference; the site security officer decides which method applies to a given medium. Classified material is destroyed only by methods approved under the NISPOM, not by this SBU procedure.
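To make the caveat concrete, an added example that is not from the EIS briefing: a Python simulation in which a bytearray stands in for a disk. The simulated quick format rewrites only the first sector, as a real format rewrites only filesystem metadata, and the constructed SBU record in the data area survives it; a full overwrite followed by a read-back verification is what actually removes it. The sector layout, the record and the pass count are constructed for illustration, and the read-back check only covers blocks the host can address, which is exactly why it does not substitute for cryptographic erase or destruction on flash media.

```python
"""Why "erase and reformat" is not sanitization, and how an overwrite is
verified. Added example, not part of the EIS briefing. A bytearray stands in
for a disk; the layout, the SBU record and the pass count are constructed."""
import os

SECTOR = 512
SECTORS = 64                      # a 32 KiB "disk" for the demonstration
DATA_SECTOR = 20                  # where the simulated filesystem put the file
RECORD = b"SBU: claimant 0042 SSN on file, balance 9876.54"   # constructed SBU record


def new_disk_with_record():
    """A disk holding a filesystem header in sector 0 and one SBU file body."""
    disk = bytearray(SECTORS * SECTOR)
    disk[0:8] = b"OLDFS\x00\x00\x00"
    start = DATA_SECTOR * SECTOR
    disk[start:start + len(RECORD)] = RECORD
    return disk


def quick_format(disk):
    """Simulated quick format: rewrites only the filesystem metadata in sector 0,
    which is what a normal format does. The data area is not touched."""
    disk[0:SECTOR] = bytes(SECTOR)
    disk[0:8] = b"NEWFS\x00\x00\x00"


def overwrite(disk, passes=1):
    """Clearing by overwrite: every sector gets random data on each pass, then
    a final pass of zeros so the result can be verified by read-back.
    Returns the number of bytes written."""
    written = 0
    for _ in range(passes):
        for s in range(SECTORS):
            disk[s * SECTOR:(s + 1) * SECTOR] = os.urandom(SECTOR)
            written += SECTOR
    disk[:] = bytes(len(disk))
    return written + len(disk)


def sectors_not_zero(disk):
    """Verification: read every sector back and list those not all zeros.
    This only sees blocks the host can address; remapped flash blocks are
    invisible here, which is why overwriting is not enough for SSDs."""
    return [s for s in range(SECTORS) if any(disk[s * SECTOR:(s + 1) * SECTOR])]


def record_recoverable(disk):
    """What a recovery tool does: scan the raw media for the record."""
    return RECORD in bytes(disk)


if __name__ == "__main__":
    d = new_disk_with_record()
    quick_format(d)
    print("after quick format, record recoverable:", record_recoverable(d))   # True
    overwrite(d, passes=3)
    print("after overwrite, record recoverable:", record_recoverable(d))      # False
    print("sectors still holding data:", sectors_not_zero(d))                 # []
```

The verification step is the part people skip: a sanitization record should state that the media was read back after the final pass and found clean, not merely that a wipe tool was run.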

Page 19

Classified Information

• Classified information exists in many forms. It may be a piece of hardware, a photograph, a film, recording tapes, notes, a drawing, a document or spoken words.

• Material is classified by the originator.

• It comes to industry via security classification guides.

• The degree of safeguarding required depends on the information's classification category.

Page 20

Sharing of Classified Information

• Determining access to classified material: when an individual is granted a security clearance, it means that the individual is eligible to have access to classified information on a "need-to-know" basis. Access is granted only when the following two conditions are met:

1. The recipient has a valid and current security clearance at least as high as the information to be released. (Contact your FSO if in doubt about a person's clearance status.)

AND

2. The recipient requires access in order to perform tasks essential to the fulfillment of a classified Government contract or program. This is called "need-to-know." (Contact the recipient's supervisor if in doubt about a person's "need-to-know".)

Page 21

Need-to-Know

• Need-to-know confirmation for both internal employees and visitors should come from a security department advisor or representative.

• If there is doubt as to whether or not a person has a need-to-know, check with the proper authority prior to release of any classified information.

• Establishment of need-to-know is essential.

• It is far better to delay release to an authorized person than to disclose classified information to one who is unauthorized.

• It is the responsibility of the possessor of classified information to ensure that the prospective recipient meets BOTH of these conditions.
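The two conditions on Pages 20 and 21 written out as an access decision, as an added Python example that is not part of the EIS briefing. It denies when either condition fails and returns the reason together with whom to ask (the FSO for clearance questions, the recipient's supervisor for need-to-know), and it takes "valid and current" literally by checking an expiry date. The recipient records, program names and dates are constructed; SCI is modelled as a separate eligibility that a Top Secret clearance alone does not confer, matching Page 9.

```python
"""Need-to-know access decision. Added example, not part of the EIS
briefing. Both conditions from Pages 20-21 must hold: a valid and current
clearance at or above the information's level, AND need-to-know for the
program. Records, program names and dates below are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import FrozenSet, Optional, Tuple

LEVEL_RANK = {"CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Clearance:
    level: str                  # CONFIDENTIAL, SECRET or TOP SECRET
    valid_through: date         # "current": a granted clearance can lapse
    sci_eligible: bool = False  # SCI is a separate eligibility (Page 9)


@dataclass(frozen=True)
class Recipient:
    name: str
    clearance: Optional[Clearance]
    need_to_know: FrozenSet[str] = field(default_factory=frozenset)  # programs


@dataclass(frozen=True)
class Item:
    level: str
    program: str
    sci: bool = False


def decide(recipient: Recipient, item: Item, today: date) -> Tuple[bool, str]:
    """Return (allowed, reason). Any unmet condition denies; the reason names
    whom to ask, since the possessor must resolve doubt before releasing."""
    c = recipient.clearance
    if c is None:
        return False, "no clearance on record; contact the FSO"
    if c.valid_through < today:
        return False, "clearance is not current; contact the FSO"
    if LEVEL_RANK[c.level] < LEVEL_RANK[item.level]:
        return False, "clearance %s is below %s; contact the FSO" % (c.level, item.level)
    if item.sci and not c.sci_eligible:
        return False, "no SCI access; contact the FSO"
    if item.program not in recipient.need_to_know:
        return False, "need-to-know not established; contact the recipient's supervisor"
    return True, "clearance and need-to-know both confirmed"


# Constructed records. "Today" is the briefing's revision date.
TODAY = date(2012, 8, 3)
ALICE = Recipient("alice", Clearance("TOP SECRET", date(2015, 1, 1), sci_eligible=True),
                  frozenset({"EAGLE"}))
BOB = Recipient("bob", Clearance("SECRET", date(2014, 6, 30)), frozenset({"EAGLE", "ALLIANT"}))
CAROL = Recipient("carol", Clearance("TOP SECRET", date(2011, 12, 31)), frozenset({"EAGLE"}))
DAVE = Recipient("dave", None)

if __name__ == "__main__":
    for who, item in ((ALICE, Item("SECRET", "EAGLE")),
                      (ALICE, Item("SECRET", "ALLIANT")),      # cleared high enough, no NTK
                      (BOB, Item("TOP SECRET", "EAGLE")),      # NTK, but cleared too low
                      (BOB, Item("SECRET", "EAGLE", sci=True)),
                      (CAROL, Item("CONFIDENTIAL", "EAGLE")),  # clearance lapsed
                      (DAVE, Item("CONFIDENTIAL", "EAGLE"))):
        print(who.name, item, decide(who, item, TODAY))
```

The order of the checks is deliberate: clearance level is tested before need-to-know, so a denial never reveals which programs a person is read into to someone who is not cleared for them in the first place.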

Page 22

SF312 (Classified Information Nondisclosure Agreement)

• The SF312 is essentially a lifetime contract between you and the U.S. Government in which you agree to protect U.S. classified information from unauthorized disclosure.

• The agreement may limit you from freely discussing your work with colleagues, relatives, and others.

• Violation of the agreement can result in a wide array of legal action against you, ranging from civil suits to a succession of more severe penalties. Penalties for breaking the nondisclosure contract may include loss of clearance, fines and criminal prosecution under several statutes.

• The original signed copy of the SF312 is forwarded to DSS for their records, while a copy is maintained in the individual’s security file by the company.

• Failure to sign the agreement will result in revocation of your clearance.

Page 23

SF312 (Classified Information Nondisclosure Agreement)

Page 24

Reporting Requirements: Suspicious Contacts

• Employees are required to report any suspicious behavior or occurrences that may occur at any time. This includes all contacts with known or suspected intelligence officers from any country, or any contact that suggests you may be the target of an attempted exploitation by a foreign intelligence service (NISPOM 1-302b). More specifically, employees must report to security any of the following events: 

– Any efforts, by any individual, regardless of nationality, to obtain illegal or unauthorized access to classified or sensitive but unclassified information (SBU).

– Any efforts, by any individual, regardless of nationality, to compromise a cleared employee.

– Any contact by a cleared employee with a known or suspected intelligence officer from any country.

– Any contact which suggests an employee may be the target of an attempted exploitation by the intelligence services of another country.

– If there is any problem as to whether any specific situation is reportable, questions should be directed to your Facility Security Officer.

Page 25

Reporting Requirements (continued): Foreign Travel

• If you travel to another country, whether for business or pleasure, you must report the travel to your Facility Security Officer, before departure whenever possible and otherwise immediately after your return. Information regarding travel in a foreign country will be provided to you.

• The EIS form "Foreign Travel Reporting for EIS Staff" should be completed and returned to the Facility Security Officer prior to foreign travel, whether personal or for business.

• Don't forget that this requirement includes Mexico and Canada.

Page 26

You Must Report … Adverse Information. Examples are:

– Financial … this includes garnishments, lawsuits, bankruptcies, unexplained affluence and excessive indebtedness.

– Arrests … even if you are arrested and found "not guilty" this needs to be reported. In addition, any traffic violation with a fine over $300 should be reported.

– Psychological … mental or emotional counseling, or counseling for personality disorders (marital, family and grief counseling are excluded).

– Substance Abuse … this includes the use of illegal drugs and/or excessive use of alcohol.

Page 27

Reporting Requirements (continued): Adverse Information Examples …

• Arrest for any serious violation of the law (including DUI or DWI)

• Excessive use of alcohol or abuse of prescription drugs

• Any use of illegal drugs

• Bizarre or notoriously disgraceful conduct

• Sudden unexplained affluence

• Treatment for mental or emotional disorders

Page 28

Reporting Requirements (continued): Adverse Information

• The Aldrich Ames case provides a lesson on what can happen if adverse information is not reported (the case is addressed again later in the briefing).

– Ames, a CIA employee, showed clear signs of adverse behavior, including excessive drinking and unexplained affluence. Although noticed, these behaviors were not reported until much too late.

– In 1985, motivated by financial troubles, Ames volunteered highly sensitive classified CIA information to Soviet, and later Russian, intelligence.

– After 9 years of selling secrets for over $2.5 million, Ames was visibly living beyond the means afforded by his government income.

– As a result of Ames' treason, 11 agents lost their lives and a large amount of information regarding the CIA's Soviet intelligence efforts was lost.

Page 29

Reporting Requirements (continued): Loss or Compromise

• Employees are required to report any loss, compromise or suspected compromise of classified information, foreign or domestic, to the appropriate security office (NISPOM 1-303). Reporting provides employees with an opportunity to extricate themselves from a compromising situation and enhances the protection of national security information.

• Not reporting a known security compromise may in itself constitute a major security violation, regardless of the severity of the unreported incident. 

• Violations may include acts such as misplacing, losing, improperly storing, improperly transmitting, and leaving classified material unattended.

Page 30

You Must Report …

• Loss or compromise (or suspected loss or compromise) of classified or proprietary information, including evidence of tampering with a container used for storage of classified information.

• When in doubt, check it out … consult with your onsite security manager, FSO, or the NISPOM.

Page 31

Other Reporting Requirements

• Employees are required to report any
– act of sabotage or possible sabotage,
– espionage or attempted espionage,
– and any subversive or suspicious activity.

• Employees should also report any
– attempts to solicit classified information,
– unauthorized persons on company property,
– unwillingness to work on classified information,
– disclosure of classified information to an unauthorized person,
– along with any other condition that would qualify as a security violation or which common sense would dictate as worth reporting.

Page 32

Information Security (INFOSEC)

Page 33

Possible Threats to a System

Hackers and Crackers

Malicious Code

Viruses, Worms, Trojans, Time Bombs

Terrorism

Internet Access

Social Engineering

Insider Threat

Page 34

Vulnerabilities

• A vulnerability is a weakness that can be exploited to develop an attack against a system, network or individual computer.

• Examples:
▪ Users
▪ Software
▪ Improper storage
▪ Weak passwords
▪ Out-of-date patches
▪ Unneeded services
▪ Poor management

There is no such thing as a completely secure system!

Page 35

Why We Are Vulnerable

• The Internet was not designed with security in mind.
• Development often focuses on "Slick, Stable, Simple", not necessarily "Secure".
• NIPRNET is an extension of the commercial Internet.
• User awareness is unacceptably low.
• NIPRNET = "non-secure"

Most popular sites visited by DoD users: yahoo.com, google.com, streamtheworld.com (music), weather.com, cnn.com, windowsupdate.com, foxnews.com, msn.com, aol.com, deezer.com (music), facebook.com (social networking), liveu.tv (video streaming), go.com (news and sports), vtunnel.com (proxy site).

96% of DoD web traffic is commercial web browsing.

Page 36

Confidentiality

• Confidentiality, when applied to computer systems, means data processed and/or stored via a specific computer system is accessible only to authorized individuals. This applies to:
– Privacy data
– Employment data
– ID theft

Page 37

Integrity

• Integrity, in the arena of computer security, means no unauthorized changes have been made to system components or data processed or stored within a computer system. This applies to:
– Payroll
– Client info
– Employment data

Page 38

Ways to Protect the Network

• Comply with EIS guidelines for use of Internet and E-mail.

• No Instant Messaging (IM), cryptography, music or software downloads.

• Change your network log-on password regularly (as applicable):
– Make it easy to remember but hard to crack.
– Try a "sentence" password: the first letter of each word. For example: "I went down to 3rd street yesterday." = iwdt3sy. Note that this seven-character example falls short of the eight-character minimum and the two-of-each-class requirement on Page 40; use a longer sentence and keep its capitals and punctuation so the result meets that rule.

• Lock your workstation when you leave your desk:
– CTRL+ALT+DELETE, then choose "Lock", or
– "Windows" key + L

Page 39

Protecting Your Workstation

• When leaving your work area, be sure to lock your screen with a password-protected screensaver OR, if you are going to be away for long periods of time … LOG OFF!

• Ensure your workstation has a password-protected screensaver that automatically activates after a period of time.

Page 40

Creating a Good Password

Creating a "good password" means that your password cannot be easily guessed or cracked.
– At a minimum, a case-sensitive 8-character mix of upper/lower case letters, numbers, and special characters, including at least two of each.
– Example: it can be a phrase that can be repeated when logging in:
R#1,iie2casp,bPSWDie! … which is derived from
"Rule #1, It is easy to create a safe password, but PSWD is easier!"
– Do NOT use common words (family names, dictionary words, birth dates, anniversaries, etc.).
– Never share your password with others!
– DO NOT write down your password and leave it near your computer!
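The minimum rule on this page applied as a check to the two example passwords the briefing itself gives, the sentence password on Page 38 and the phrase above. This is an added Python example, not part of the EIS briefing; the common-word list is constructed and far smaller than the dictionary and breached-password list a real check would use, and the thresholds are parameters so a stricter site policy can reuse the same check.

```python
"""The Page 40 minimum rule as a check. Added example, not part of the EIS
briefing; the common-word list is constructed and far smaller than a real
dictionary or breached-password list."""
import string

COMMON_WORDS = {"password", "welcome", "summer", "qwerty", "smith"}   # constructed

# The two example passwords the briefing itself shows.
SENTENCE_PASSWORD_PAGE_38 = "iwdt3sy"                    # "I went down to 3rd street yesterday."
PHRASE_PASSWORD_PAGE_40 = "R#1,iie2casp,bPSWDie!"        # "Rule #1, It is easy to ..."


def character_classes(pw):
    """Count of upper-case, lower-case, digit and special characters."""
    return {
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "special": sum(c in string.punctuation for c in pw),
    }


def policy_failures(pw, min_length=8, min_per_class=2):
    """Return the list of rule violations; an empty list means the password
    meets the minimum. Length, two-of-each-class and no-common-words are the
    rules on Page 40; the thresholds are parameters so a stricter site policy
    can be applied with the same check."""
    failures = []
    if len(pw) < min_length:
        failures.append("length %d is below the minimum of %d" % (len(pw), min_length))
    for name, count in character_classes(pw).items():
        if count < min_per_class:
            failures.append("only %d %s character(s); need at least %d" % (count, name, min_per_class))
    lowered = pw.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            failures.append("contains the common word %r" % word)
    return failures


def sentence_initials(sentence):
    """The Page 38 recipe: first character of each word, case preserved.
    Keeping case and punctuation is what lets a sentence password pass the
    Page 40 rule; the briefing's own example lowercased it and came out short."""
    return "".join(w[0] for w in sentence.split())


if __name__ == "__main__":
    for pw in (SENTENCE_PASSWORD_PAGE_38, PHRASE_PASSWORD_PAGE_40):
        print(repr(pw), policy_failures(pw) or "meets the Page 40 minimum")
```

Running it shows the Page 38 example failing on length, upper-case, digit and special-character counts while the Page 40 phrase passes; a check like this belongs at the point where the password is set, not in a briefing that only asks users to remember the rule.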

Page 41

Responsibilities of the User (Some DOs and DON'Ts)

Environmental Concerns
– DO protect your work area; keep liquids away from the PC/keyboard.

Software Accountability
– DON'T load unauthorized software.
– DO report any unauthorized personnel loading software on your workstation.
– DON'T be afraid to question technicians if you don't know them.

Network Access
– DO be aware of visitors to your site.

Page 42

Responsibilities of the User (Some DOs and DON'Ts continued)

Contingency Planning
– DO save your work to the network drive, not the local drive.
– DO remember that you are ultimately accountable for activities that occur under your user name.

Anti-Virus Program
– DO check your update file regularly.
– DON'T bring files from other computers.

Page 43

PEDs and Removable Media Handling

• Portable Electronic Devices (PEDs) and removable media include: Blackberry, cell phone, PDA, thumb/flash drive, CD/DVD, external hard drive.

• Blackberries, cell phones, PDAs and MP3 players are prohibited in controlled spaces.

• In accordance with CTO 08-08, thumb drive use on Navy networks is prohibited until further notice.

• Government-issued external hard drives are authorized for use; devices should be regularly scanned.

Page 44

Internet Access

• Official business use.

• Reasonable personal use:
– No jokes, Instant Messaging (IM), downloading music or software, political or religious content, fundraising, etc.
– Nothing offensive.

• Anti-virus protection.

• Exercise caution.

• Remember, you represent EIS and your client.

Page 45

Safe Home Computing

Your home computer is a popular target for intruders. Why? Because intruders want what you’ve stored there. They look for credit card numbers, bank account information, and anything else they can find. By stealing that information, intruders can use your money to buy themselves goods and services.

Page 46

Safe Home Computing

What Should I Do To Secure My Home Computer?

1 – Install and use anti-virus programs
2 – Keep your system patched
3 – Use care when reading email with attachments
4 – Install and use a firewall program
5 – Make backups of important files and folders
6 – Use strong passwords
7 – Use care when downloading and installing programs
8 – Install and use a hardware firewall
9 – Install and use a file encryption program and access controls

Page 47

Operations Security (OPSEC)
Threat Awareness
Defensive Security

Page 48

What is OPSEC?

• Operations Security (OPSEC) is all about keeping potential adversaries from discovering our critical information.

• Success of the military mission depends on secrecy and surprise;

• Likewise, protecting company proprietary and confidential information, and related information is a priority …

Page 49

Some OPSEC Guidelines

Page 50

Threat Awareness
The Foreign Intelligence Threat

• The gathering of information by intelligence agents, especially in wartime, is an age-old strategy for gaining superiority over enemies.

• Intelligence officers, those individuals working for government intelligence services, are trained to serve their country by gathering information.

• Spies, on the other hand, betray their country by espionage.

• Preventing this kind of betrayal is the ultimate goal of the entire U.S. personnel security system.

Page 51

Threat Awareness (continued)
The Foreign Intelligence Threat

• The FBI believes that nearly 100 countries are currently running economic espionage operations against the United States. Targets are shifting away from the classified military information sought in the old Cold War days toward basic research and development processes.

• Espionage targets also include technology and trade secrets of U.S. high-tech companies – everything from cost analyses, marketing plans, contract bids and proprietary software to high-tech data itself.

• Any information or process – whether classified, unclassified or proprietary – that leads to cutting-edge technology is plainly in demand.

• Some products are bought (or stolen) in this country and then physically smuggled abroad. Often the technology is not a physical product; it may be a plan, formula or idea that can be transported on computer or fax machine, or simply carried away inside scientists' heads.

Page 52

Threat Awareness (continued)
The Foreign Intelligence Threat

• Many U.S. high-tech industries have been targeted but, according to a recent government report, the following areas are the most vulnerable: biotechnology, aerospace, telecommunications, computer software and hardware, advanced transportation and engine technology, advanced materials and coatings including stealth technologies, energy research, defense and armaments technology, manufacturing processes, and semiconductors.

• The industries listed above are of strategic interest to the U.S. because they contribute so greatly to critical, leading-edge technologies.

• Not-yet-classified proprietary business information is aggressively targeted.

• A 1995 report by the National Counterintelligence Center adds that foreign collectors have also exhibited an interest in government and corporate financial and trade data.

Page 53

Threat Awareness (continued)
The Foreign Intelligence Threat

• The "best" way to acquire information from an organization or company is – in classic spy style – to recruit a mole on the inside, or to send one of your own people in on a ruse, posing as someone else.

• Another method is to blackmail vulnerable employees of U.S. companies or to recruit foreign nationals working in U.S. subsidiaries abroad.

• Not all spies have been recruited. Some past or present employees of U.S. companies have stolen materials and then sold them to foreign companies – the volunteer of classic espionage.

Page 54

Threat Awareness (continued)
The Foreign Intelligence Threat

• Equally unscrupulous, and also patently illegal, is the outright bribing of employees* to steal plans, reports and other proprietary documents, or hiring so-called consultants to spy on competitors, a practice that can include bugging competitors' offices.

• Other methods include theft and smuggling of goods, theft of intellectual property, tampering with companies' electronics, extortion, and so forth.

* This is a reason for concern for people with financial issues who are applying for a security clearance.

Page 55

Threat Awareness (continued)
The Foreign Intelligence Threat

Aldrich Ames

• We continue to have our classical spy cases. The most famous case has been Aldrich Ames, a veteran CIA intelligence officer, who volunteered highly secret and sensitive CIA information to Soviet and Russian intelligence from 1985 to 1994. It is known that at least 11 agents lost their lives and that Ames gave the KGB tens of thousands of classified documents.

• On the heels of Ames came a second CIA operations officer, Harold Nicholson, arrested at the end of 1996 on espionage charges that he had sold secrets to Moscow for 29 months.

Page 56

Threat Awareness (continued)
The Foreign Intelligence Threat

• Classical espionage cases still occur, but now we are seeing a burgeoning of a different kind of spying, an espionage based not just on the theft of classified information, but on theft of high-technology information, classified or not.

• This economic espionage is not a new phenomenon. It is just that in recent years its frequency has increased greatly.

• Estimates of current yearly U.S. loss of proprietary business information now range between $20 billion and $100 billion.

Page 57

Threat Awareness - Espionage

You may be the target of foreign intelligence activity.

Foreign powers may seek to collect U.S. industrial proprietary economic information and technology, the loss of which would undermine the U.S. strategic industrial position.

Foreign intelligence collectors are targeting US corporate marketing information in order to gather data that would help their respective countries.

Overseas travel, foreign contact, and joint ventures increase your company’s exposure to the efforts of foreign intelligence collectors.

Page 58

Threat Awareness - Video

Let’s take a look at real life threats to our nation’s military and industrial secrets …

(30-minute video not available to personnel reviewing these slides via e-mail msg; those persons need to complete and fax security briefing certification at end of this slide presentation, to verify having read the annual security refresher briefing)

DVD: “Critical Security Issues: The reality of Economic Espionage” from the CI Centre, Alexandria, VA

Page 59

You Must Report …

• To report any of the instances previously cited, or other suspicious acts, contact:
– Your immediate supervisor
– Your FSO/CSSO

• In the event you cannot reach the above, you may contact the HOTLINE…

DEFENSE HOTLINE
(800) 424-9098
The Pentagon
Washington, D.C. 20301-1900

Page 60

Safeguarding PII

Page 61

What is PII?

• Personally Identifiable Information (PII) is any information that relates to you as an individual:
– Full name
– SSN
– Bank accounts
– Address & phone number
– … and many other forms of information …

Page 62

Protect PII

• Loss or compromise of PII may result in identity theft

• Privacy laws require that it be protected

• Report any breach of PII (loss or compromise) immediately

Page 63

Forms of PII

“High risk” PII which may cause harm to an individual if lost/compromised:
– Financial information – bank account #, credit card #, bank routing #
– Medical Data – diagnoses, treatment, medical history
– Full Social Security Number – use of truncated SSN is better but still a risk
– NSPS/Personnel ratings and pay pool information
– Place and date of birth
– Mother’s maiden name
– Passport #
– Numerous low risk PII elements when aggregated and linked to a name

Business related PII, all releasable under FOIA or authorized use under DON policy and considered “low risk”:
– Badge number
– Job title
– Pay grade
– Office phone number
– Office address
– Office email address
– Full name*

*Cautionary note: Growing problem with email phishing

Page 64

Accountability for PII

• Focus on correcting human error and malicious intent

• Ensure contracts include FAR PII language

• Take corrective action where there are program deficiencies and follow up

• Consider identity theft protection

Page 65

Basic Facts about Identity Theft

• Identity theft is real

• FTC reports that 8M+ US adults have experienced identity theft

• Crimes are still more offline than online

• ½ of all identity thieves were known by the victim; ¼ were dishonest employees

• SSNs are the most valuable commodity for an identity thief

Page 66

Final thought on PII

PII has a shelf life of FOREVER …

Safeguard it

Page 67

The next series of slides is taken from a presentation to the National Classification Management Society, Washington, D.C., by Deborah Russell Collins, Executive Director, National Security Training Institute (NSTI)

www.nstii.org

Page 68

The World We Live In...

Is the murder of one worker every eight hours acceptable as a cost of doing business in the United States?

Page 69

In Binghamton, N.Y., a Vietnamese immigrant upset about losing his job burst into an immigration center and killed 13 people before killing himself. In Pittsburgh, police said a gun enthusiast recently discharged from the Marine Corps opened fire and killed three police officers. And in Graham, Wash., investigators said a man whose wife was leaving him shot and killed five of his children in their mobile home before taking his own life. The carnage that occurred during less than 48 hours last week capped a recent string of unusually brazen mass killings, which crime experts say have touched more people and occurred in more public settings than in any time in recent memory. Comparative statistics are difficult to come by, but during the past month alone, at least eight mass homicides in this country have claimed the lives of 57 people. Just yesterday, four people were discovered shot to death in a modest wood-frame home in a remote Alabama town. The factor underlying the violence, some experts think, is the dismal state of the nation's economy. Criminologists theorize that the epidemic of layoffs, the meltdown of storied American corporations and the uncertainty of recovery have stoked fear, anxiety and desperation across society and unnerved its most vulnerable and dangerous. "I've never seen such a large number [of killings] over such a short period of time involving so many victims," said Jack Levin, a noted criminologist at Northeastern University who has authored or co-authored eight books on mass murder. The simple fact, criminologist James Alan Fox said, is that more Americans are struggling.

Some Link Economy with Spate of Killings
In One Month, 57 Die In Eight Mass Murders

By Philip Rucker

Washington Post Staff Writer

April 8, 2009

Page 70

Staggering Statistics Tell The Story

• Staggering statistics
• Two million victims every year
• Leading cause of death at work for women – “domestic boil-over”
• Most cases go unreported
• Two thirds of cases are preceded by ‘red flags’

• How would you define it?
• More than homicide
• Verbal threats, physical attacks top the list...

Page 71

What Is Workplace Violence?

The threat or actual use of force by anyone against another person or persons in the workplace…

This includes physical attacks; any threats spoken, written or electronically transmitted; intimidating or threatening behavior; harassment; coercion; and other behavior or comments that attempt to harm or give reasonable cause to believe that it places others at risk.

Page 72

What are the Warning Signs?

• Irrational beliefs and ideas
• Unwarranted perception of unfairness
• Displays of unwarranted anger
• Self image of being “irreplaceable”
• Isolation - depression, suicide threats
• Erratic job performance, inability to take criticism
• Use of threats - verbal, non-verbal, written
• History of drug or alcohol abuse
• Obsession with weapons
• Recent family, financial or other personal problems

Page 73

Whole Person Concept

• A catalog of traits is no substitute for informed observation and judgment

• More than one or two traits -- a pattern of behavior

“We are dealing with a sick person who needs help.” – Park Dietz, Forensic Psychologist

Page 74

The ESL Story

The tragedy of workplace violence was made evident in the February 16, 1988 shootings at ESL, in Sunnyvale, CA, which prompted a made-for-TV movie, “I Can Make You Love Me: The Stalking of Laura Black.”

Page 75

Being Proactive, Being Prepared

No amount of prevention can stop a person who is determined to commit an act of violence in the workplace...

Proper planning can reduce the likelihood of an incident happening and can prepare an organization to deal with one if necessary

Page 76

In a changing world ... the challenges we face …

Another tragedy of inappropriate behavior leading to violence was made evident at a youth hockey game in Massachusetts, when an altercation between two fathers resulted in the death of one at the hands of the other.

Page 77

The Challenges We Face

• Being rude is acceptable…
– Increasing anger, hostility toward others
– Complacency – it’s old news, we’re numb to it

• And it goes well beyond the office…
– On the ball field, how we drive, on the airplane, even at the store
– In our schools…churches and homes…

You can make a difference…every single day!

Page 78

How will you respond?

Do what you can to help those around you who need help...

Make a personal commitment to be proactive in ending this epidemic in our society…

And remember what matters most in this life...

Page 79

Take-aways

• Know the Reporting Requirements *
• Be Aware of the Threat *
– Practice good INFOSEC
– Practice good OPSEC
– Be aware of violence in the workplace
• Safeguard PII *
• Understand the “Need-to-Know” *
• Know your FSO *

Page 80

Something to Remember …

CLEARANCE + NEED TO KNOW = ACCESS

Employees will only be permitted access to classified information with the proper clearance AND the need to know.

If you ever need to disclose classified information to anyone, make sure they have the proper clearance AND need to know. Not sure of the clearance level? Check with your FSO.
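The rule on this slide, clearance AND need-to-know, written out as a checkable access decision. This is an added Python example and not code from the EIS briefing; the classification ladder in LEVELS, the modelling of need-to-know as membership in a program, and the people and document it runs over are all constructed assumptions for illustration.

```python
"""CLEARANCE + NEED TO KNOW = ACCESS, as a checkable decision function.

Added example, not part of the EIS briefing. The level ordering in LEVELS,
modelling need-to-know as program membership, and every person and document
below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field

# Assumed classification ladder; a later position is more sensitive.
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str                        # highest level the person is cleared for
    programs: frozenset = field(default_factory=frozenset)  # programs worked (assumed need-to-know model)


@dataclass(frozen=True)
class Document:
    title: str
    classification: str
    program: str                          # program the document supports


def level_rank(level: str) -> int:
    """Position of a level name on the ladder; raises for names not on it."""
    try:
        return LEVELS.index(level.strip().upper())
    except ValueError:
        raise ValueError(f"unknown classification level: {level!r}") from None


def has_clearance(subject: Subject, doc: Document) -> bool:
    """First condition: clearance at or above the document's classification."""
    return level_rank(subject.clearance) >= level_rank(doc.classification)


def has_need_to_know(subject: Subject, doc: Document) -> bool:
    """Second condition: the subject actually works the program the document supports."""
    return doc.program in subject.programs


def may_access(subject: Subject, doc: Document) -> tuple[bool, str]:
    """Grant only when BOTH conditions hold. Returns (decision, reason).

    A level that is not on the ladder is denied rather than guessed at,
    matching the slide's advice: not sure of the level, check with the FSO.
    """
    known = set(LEVELS)
    if subject.clearance.strip().upper() not in known or doc.classification.strip().upper() not in known:
        return False, "unknown clearance or classification level: check with the FSO"
    if doc.classification.strip().upper() == "UNCLASSIFIED":
        # Assumption: the slide's rule concerns classified information only.
        return True, "unclassified: rule does not apply"
    if not has_clearance(subject, doc):
        return False, f"clearance {subject.clearance} is below {doc.classification}"
    if not has_need_to_know(subject, doc):
        return False, f"cleared, but no need-to-know for program {doc.program}"
    return True, "clearance AND need-to-know satisfied"


def demo() -> dict[str, bool]:
    """Apply the rule to constructed records; returns each person's decision."""
    doc = Document("Program A task plan", "SECRET", "PROGRAM-A")
    people = (
        Subject("alice", "SECRET", frozenset({"PROGRAM-A"})),        # cleared and works the program
        Subject("bob", "TOP SECRET", frozenset({"PROGRAM-B"})),      # higher clearance, no need-to-know
        Subject("carol", "CONFIDENTIAL", frozenset({"PROGRAM-A"})),  # works the program, under-cleared
    )
    return {p.name: may_access(p, doc)[0] for p in people}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ACCESS' if allowed else 'DENIED'}")
```

Bob is the instructive case: a Top Secret clearance on its own does not open a Secret document for a program he does not work on, which is exactly the AND on the slide. Carol shows the other half, need-to-know without sufficient clearance, and a level the function does not recognise is refused with a reason rather than silently mapped to something.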

Page 81

Recap - Reporting Requirements
Don’t Hesitate

• In general, don’t hesitate to report anything you feel could be detrimental to the security of:
– our company,
– our employees,
– our government customers; or
– our country.

Page 82

Security is …

EVERYONE’s business !!!

Page 83

NISPOM Hotlines

• Federal agencies maintain hotlines to provide an unconstrained avenue for government and contractor employees to report, without fear of reprisal, known or suspected instances of serious security irregularities and infractions concerning contracts, programs, or projects. These hotlines do not supplant contractor responsibility to facilitate reporting and timely investigation of security matters concerning its operations or personnel, and contractor personnel are encouraged to furnish information through established company channels. However, the hotline may be used as an alternative means to report this type of information when considered prudent or necessary.

DoD Hotline: (800) 424-9098
The Pentagon, Washington, D.C. 20301-1900

Page 84

Know Your Facility Security Officer (FSO)

• You should know who your company security officer is. The title is “FSO” for Facility Security Officer:
– Joe Curry, FSO, 703-752-5537
– Bonnie Grishkat, Asst. FSO, 703-752-5541

• Any security related questions should be brought to the FSO’s attention.

Page 85

Madeleine Albright Former Secretary of State

“I don’t care how skilled you are as a diplomat, how brilliant you may be at meetings, or how creative you are as an administrator …if you are not professional about security …you are a failure.”

Page 86

This concludes the Security Awareness Briefing, also serving as the Annual Security Refresher Briefing

Page 87

Conclusion

• Thank you for taking the time to read and understand this briefing.

• Should you have any questions regarding what you have just read, or any other security matters, please contact either your onsite security manager or company FSO.

• Please sign the briefing certificate on the following page and return it to the EIS FSO by FAX at 301-749-0215.

Page 88

Security Briefing Certificate (for self-certifying individuals in lieu of in-person briefing)

I confirm that I have read & understood the EIS Security Awareness Briefing, as revised for CY 2012.

__________________________________________________________ Printed Name

__________________________________________________________ Signature

__________________________________________________________ Date

Please complete and return to:
Joe Curry
1945 Old Gallows Road, Suite 500
Vienna, VA 22182

or FAX to: 703-749-0215

or scan and email to: [email protected]

Send upon completion.

Page 89

Response Required

You have now completed the Security Awareness Briefing, also serving as the Annual Security Refresher Briefing.

Please respond, so that we may print a verification that you have received this briefing.

Thank you.