THE ART OF SELF INSPECTION (and how to have fun conducting it!) Jennifer L. Rossignol Lockheed Martin GTL Security

Page 1: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

THE ART OF SELF INSPECTION

(and how to have fun conducting it!)

Jennifer L. Rossignol
Lockheed Martin GTL Security

Page 2: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

Carnak …. “Who is …. “me”’?

– Who is: Who doesn’t like to do self inspections?
– Who is: Who looks at self inspections as a necessary evil?
– Who is: Who just “checks the box”?

Page 3: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

Fun? How can that be?!?

• Don’t do it alone
• Make it a team effort – conduct it with another employee, a team, another FSO
• Do it differently
• Start at the end of the checklist and work to the front ….
• Pretend you’re a detective! CSI: Orlando!
• It really requires you to THINK … which is good for your health

Page 4: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

It’s much more than checking off items on a checklist!

Philosophy …

Self inspection is an art ….

Page 5: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

Purpose of Self Inspection

• An effective self inspection program is the key to any successful security organization

• Serves many purposes:
  – Assesses the health of your organization
  – Provides training opportunities and employee development
  – Promotes your product
  – Meets a requirement
  – Prepares you for your DSS audit

• The value and importance of self-inspections have increased in the eyes of DSS

Page 6: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

What is a Self Inspection?

• It’s more than following and completing the DSS Self-Inspection Checklist

• It must be a “total review” of the security program

• It must be an honest examination of the program and an indicator to senior leadership that you can safeguard classified material

• It provides a “snapshot” picture of current security operations and allows you to determine shortcomings and resolve them before your DSS audit

• It is a continuing review of the methods used to safeguard classified…. are they adequate? compliant?

Page 7: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

Self-Inspections Ideas

• There is no one way to do self inspections - Be creative!
• No need to wait for 6 months after your last audit
  – Can audit year-round
  – Can audit more than once (sounds like an “enhancement” to me!)
• Remember to review your security incident reports, adverse information reports, etc. …
• Review past audit findings - AVOID repeats!
• Share your findings and corrective actions with your DSS representative
• Enhance with a “Security Day”

Page 8: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

What to do

• Do interview employees (not just yourself!)
• Do GET UP FROM YOUR DESK
• Do emulate the DSS audit process
  – How will you feel when your DSS representative talks to your employees? Will you be worried about how they will respond? Not if you have prepared them!

What not to do

• Don’t stick to the checklist
• Don’t talk to only cleared employees
  – What about the receptionist?
  – What about the employees who receive packages?

Page 9: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

Self-Inspection Process

3 Key Components

– Preparation
– Inspection
– Follow-up

Page 10: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

Step 1 - Preparation

• 1st step to success is developing a good Self-Inspection plan
  – Doesn’t have to be written
  – It should be simple and not complex
• The plan is a mechanism that helps ensure that you cover “all the bases” and complete the entire Self-Inspection within a specified time
• The plan helps you assign personnel
  – Based upon experience and expertise
• Can be used as an opportunity for mentoring
  – Pairing less experienced with experienced security professionals

Page 11: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

Step 1 - Preparation

• Gather your materials, such as:
  – Audit checklist
  – Standard Operating Procedures
  – Reports – incidents, adverse, etc.
  – Checklists
  – DD 254’s
  – Previous audit results/findings
  – IS equipment lists
  – Receipt and dispatch records
  – FCL documentation
  – JPAS listing
  – NISPOM and ISL’s

• Allows you to examine your operation “piece by piece”

• Brief your senior leadership

Page 12: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

Step 1 Continued: Team Selection

• If you are a FSO at a one-person facility …

• Larger facilities can employ more people to help
  – May not be faster but can cover more

• Have an experienced “Team Leader”
  – Well-versed in the NISPOM
  – Capable of keeping a team enthused
    - Believe it or not: Self-Inspections can become laborious

Page 13: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

Step 2: Conducting Self-Inspection

• Be professional
• Review currency of policies and procedures and/or SSP
• Remember to interview receptionist, Shipping, Receiving, guards
• Always be prepared to correct issues on-the-spot and explain what is being corrected to the employee
  – If possible involve the employee so they can learn
  – Bring a box of “tools” with you – stickers, markers, cover sheets

Page 14: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

Step 2: Conducting Self-Inspection

• Remember, employees may be defensive - Don’t condemn or make it personal – educate!

• Use the same methods or techniques used by DSS
  – Allows the employee to get familiar with their inspection methods and feel comfortable with DSS when they do their review

• Keep an eye out for “best practices” or items that are “above and beyond” the requirements in the NISPOM

• Watch for trends

Page 15: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

Tools for Self-Inspections

• Document Review Marking Forms
  – Makes assessment of marking problems easy
  – Helps determine what marking requirements are not familiar to employees, allowing you to focus your training efforts

• Security Knowledge Questionnaires
  – Derived from DSS checklist questions
  – Allows you to focus training efforts on specific areas

• Interviews
  – Use the DSS Self-Inspection Checklist interview questions
  – Determine who has conducted foreign travel or hosted a foreign national visit
  – Provide employees with a Q&A sheet

• DSS
  – Ask DSS if there are any Special Interest Items for this inspection cycle

Page 16: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

Step 2: Self-Inspection Ideas

Develop checklists

CLOSED AREA CHECKLIST

• Verify that all entries in Visitor Log are completed
  – If entries missing: request that escort complete; educate occupants; if unknown, prepare MFR and file in the Visitor Log. If repeat findings, notify FSO
  – Look for non-U.S. citizen entries
  – Look for company represented. Are they from an HVAC company? If so, follow up to determine if there might be a breach to the area integrity. Are they from a computer company? Verify they did not access the classified systems
• Remove all paperwork from prior to last DSS audit
• Verify that media in area is properly marked
• Quarterly: Review the area 147 and notify DSS if any changes are needed
• Check area access list
  – Are all listed still active employees?
  – If visitors are listed, are they still cleared and working on the program?
• Check supplies of Security posters and brochures.

Page 17: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

Self Inspection Methods

Example: A review of the company’s receipt and dispatch records

• Is incoming or outgoing media a different classification level than the majority of approved equipment at the facility?

• How and where was the Confidential CD created? Was the trusted download procedure approved? Is trusted downloading approved for that system? Is the person who performed the trusted download authorized to do so?

• How is the Missile Control Unit (MCU) protected against contamination? Are there procedures in place to properly sanitize the unit if contamination occurs? Is the procedure approved by the customer?

• Do we have a contractual relationship (i.e. DD 254) with the sender/receiver?

This is just an example of how a little analysis and creativity can provide a more comprehensive review of the existing processes and procedures

Page 18: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

Self Inspection Methods

Example: Review of Closed Area visitor logs

• Pay close attention to the visitor’s company name.
• Did someone visit from an HVAC service? If so, ask the area custodian what they did. Did they put a hole in the wall or make a change affecting the area integrity or the 147? If so, is it greater than 96 square inches?
• Did someone visit from Xerox? If so, what did they do while they were there? Did they install a new copy machine with a hard drive? Did this get connected to the classified IS?
• Did someone visit from a computer service vendor? If so, what did they do? Did they bring diagnostic equipment with them? If so, did they connect it to the AS?
• Did any visitors have “keyboard” access? If so, was that authorized?
• Remember to dispose of visitor logs from before the last DSS audit

Page 19: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

Enhancing Your Self Inspection

A. FACILITY CLEARANCE

NISPOM: 1-302g(3)
Question: Have all changes (e.g. changes in ownership; operating name or address; Key Management Personnel (KMP) information; previously reported Foreign Ownership Control or Influence (FOCI) information or action to terminate business) affecting the condition of the Facility Clearance Level (FCL) been reported to the DSS Industrial Security Rep (ISR)?
YES NO N/A
Note: Is the site’s Industrial Security Facility Database (ISFD) record accurate? Physical address? Classified mailing address? Facility clearance level? FSO name? Special accesses? (If special accesses are listed, is the FSO properly briefed?) Ensure the FSO has a current copy of the site’s ISFD record on file. If data is not accurate, contact the site’s DSS Rep to request an update.

NISPOM: 1-100c
Question: Has the fact that the company has an FCL been used for advertising or promotional purposes?
YES NO N/A

NISPOM: 2-104
Question: Are the senior management official, the FSO, and other Key Management Personnel cleared as required in connection with the FCL?
YES NO N/A
Note: Must be cleared to the level of the facility clearance.

NISPOM: 2-104 *
Question: Is the Key Management Personnel list current?
YES NO N/A

Page 20: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

Step 3 – Follow-up

Writing the Self-Inspection Report

• Reports documenting your Self-Inspection can be done in any format you would like

• Should identify the following:
  – Areas inspected
  – Commendable areas
  – Findings/ Deficiencies/Corrective Actions
  – Findings/ Deficiencies that need long-term monitoring

• Normally done where there are significant problems where it will take a long time to close out.

• Status report every 30 days

• Reference applicable compliance document

Page 21: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

Step 3 – Follow-up

Writing the Self-Inspection Report

• Include corrective action
  – Correct the process – DSS will validate
  – Update your procedures

• A well-written report seldom generates more questions

Page 22: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

Conclusion

• Self-Inspections are a tool that allows the Security Department to ensure they are compliant with the NISPOM

• A good Self-Inspection should emulate the DSS Security Review process

• Be aggressive and not afraid to have findings

• Write honest and accurate Self-Inspection Reports

• Remember a “bad” finding is the one that DSS finds during their Security Review

• There are “good” findings… the ones you catch during your Self-Inspection

Page 23: THE ART OF SELF INSPECTION (and how to have fun conducting it!)

Conclusion

• Have a strong self-inspection program and use it as a tool rather than just another “block to check” for the DSS Review

• Make DSS an effective member of your security team!

• Consider sharing your inspection results with other sites of your company or with your local NCMS Chapter members

• Using all these tools cannot guarantee higher DSS audit ratings, but it will make the process more organized and less stressful

NOW … GO HAVE SOME FUN!