1 / 89

Security Awareness Briefing & Annual Security Awareness Refresher Briefing as revised 2012-08-03

Enterprise Information Services, Inc. (EIS) EAGLE Enterprise Joint Venture (EEJV) Alliant Enterprise Joint Venture (AEJV). Security Awareness Briefing & Annual Security Awareness Refresher Briefing as revised 2012-08-03. Executive Order 12958 as amended. The SF312 references Executive Order

tarala
Download Presentation

Security Awareness Briefing & Annual Security Awareness Refresher Briefing as revised 2012-08-03

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Enterprise Information Services, Inc. (EIS) EAGLE Enterprise Joint Venture (EEJV) Alliant Enterprise Joint Venture (AEJV) Security Awareness Briefing&Annual Security Awareness Refresher Briefingas revised 2012-08-03

  2. Executive Order 12958 as amended • The SF312 references Executive Order • (EO) 12958 – Classified National • Security Information, issued by • President Clinton on April 17, 1995 • Established the National • Industrial Security Program; • Set new guidelines for the protection of • classified information.

  3. Introduction • U.S. industry develops and produces the majority of our nation’s defense technology – much of which is classified – and thus plays a significant role in creating and protecting the information that is vital to our nation’s security. The National Industrial Security Program (NISP) was established in 1995 by Executive Order 12958 to ensure that cleared U.S. defense industry safeguards the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. • The Defense Security Service (DSS) administers the NISP on behalf of the Department of Defense and 23 other federal agencies within the Executive Branch. There are approximately 12,000 contractor facilities that are cleared for access to classified information.

  4. Introduction (continued) • To have access to U.S. classified information and participate in the NISP, a facility – a designated operating entity in private industry or at a college/university – must have a bona fide procurement requirement. Once this requirement has been established, a facility is eligible for a Facility Security Clearance (FCL). A Facility Security Clearance is an administrative determination that a facility is eligible to access classified information at the same or lower classification category as the clearance being granted. • The Facility Security Clearance may be granted at the Top Secret, Secret or Confidential level. • In order to obtain the clearance, the contractor must execute a Defense Security Agreement which is a legally binding document that sets forth the responsibilities of both parties and obligates the contractor to abide by the security requirements of the National Industrial Security Program Operating Manual (NISPOM).

  5. Overview • EIS, Inc. is a cleared company in the National Industrial Security Program (NISP) • Employees are bound by Department of Defense (DoD) rules and regulations to properly protect and control all classified material in their possession per the National Industrial Security Program Operating Manual (NISPOM) and as appropriate, other Cognizant Security Agency directives. • You must familiarize yourself with specific contract provisions on ‘how’ protection and control measures apply to each program you support.

  6. Security Briefings • The NISPOM requires that you be provided: • with an Initial Security Briefingprior to being permitted access to classified information, • and that you be provided with anAnnual Security Refresher Briefing. • The NISPOM also states that personnel granted clearances are required to sign a Classified Information Nondisclosure Agreement (Standard Form 312) • which further outlines responsibilities for the protection and safeguarding of classified information. • This is essentially an agreement between the individual and the U.S. Government (discussed later in this briefing). • Additionally, government site security managers may require other security briefings specific to the needs of the onsite government client.

  7. DD-254 Form(Contract Security Classification Specification) • Makes the facility clearance (FCL) possible • Must accompany every classified contract • Maintained by FSO and by Contracts • Supports the need for Personnel Security Clearances (PCL) • Absence of DD-254 is cause for termination of FCL or removal of PCL on any given contract … • (managers beware!)

  8. Clearance Information • EIS maintains a TOP SECRET facility clearance (FCL). • Just as you are required to sign an agreement with the U.S. Government, as a defense contractor, the company has signed a Security Agreement with the U.S. Government. • Your security responsibilities are real: • They are magnified as a result of your employment in a vital defense industry. It is essential that you realize the importance of this. • Unauthorized disclosure or failure to properly safeguard classified information is punishable under the Espionage Laws and Federal Criminal Statutes. • Your responsibilities affect the security of our government and the technological advancement of our nation.

  9. Types of Security Investigations • EIS processes two different investigations (SF-86): • Collateral: Confidential, Secret and Top Secret clearance • SCI: Caveat sometimes attached to Top Secret clearances, to allow access to Sensitive Compartmented Information (SCI); • processed through the government • Government client processes another investigation (SF-85P): • Position of Trust : Employees may have a need to work on a project that is Sensitive But Unclassified, and may be processed for a background investigation that does not result in clearance, but gives access to SBUmaterial (VA, DHS, FAA among others).

  10. Overview of Security Classification System • As outlined by Executive Order 12958, as amended, classified information is official government information that has been determined to require protection in the interest of national security. • All classified information (with only one exception) is under sole ownership of the U.S. Government, and employees possess no right, interest, title, or claim to such information.

  11. Introduction toClassified Information • Classified National Security Information (“classified information”): information that has been determined pursuant to Executive Order 12958 to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form. • Information is classified when it is determined that its unauthorized disclosure can reasonably be expected to cause damage to national security. Such information is assigned a classification of TOP SECRET, SECRET, or CONFIDENTIAL and is appropriately marked. • Unauthorized disclosure means disclosure to someone NOT authorized by the government to have access to classified information. Unauthorized disclosure is punishable as detailed in the Extracts of the Espionage and Sabotage Acts. • Classified information is discussed in more depth later in this briefing.

  12. Classified Information (continued) • Three levels have been established based on the criticality of the information or material to national interests: • 1. TOP SECRET: Information or material whose unauthorized disclosure could be expected to cause exceptionally grave damage to the national security. • 2. SECRET: Information or material whose unauthorized disclosure could be expected to cause serious damage to the national security. • 3. CONFIDENTIAL: Information or material whose unauthorized disclosure could be expected to cause damage to the national security.

  13. Identifying Classified Information • Classified documents are boldly marked with the highest classification on the top and bottom of each page. • Individual Paragraphs have markings: (U), (C), (S), (TS). • Use the Program Security Classification Guide for help when marking classified for your contract. This guide will instruct you on what types of information should be classified at which levels. • If you believe information is over-classified, contact the FSO/CSSO for guidance.

  14. Procedures for Handling Classified Information • Detailed instructions will be provided to you by the client/site security officer before you access classified information. • You will be advised about identifying, handling and safeguarding classified information. • Always ask questions when in doubt.

  15. SBU Sensitive But Unclassified Information (SBU) • Warrants a degree of protection and administrative control that meets the criteria for exemption from the public • SBU information includes, but is not limited to: • Medical, Personal, Financial, Investigatory, • Visa, and Law Enforcement Records • If released, could result in harm or unfair treatmentto any individual or group, or could have a negativeimpact upon foreign policy

  16. SBU Handling Procedures • SBU information should be transmitted through means that limit the potential for unauthorized public disclosure • Secure FAX, Phone, or other encrypted means is preferable • Custodian of SBU data needs to make this determination • During off-duty hours, SBU information must be secured within a locked office, or in a locked container

  17. SafeguardingClassified Information • One of the most fundamental requirements of the NISP is the proper safeguarding and storage of classified information. It isessential that classified information be atall times properly safeguarded or storedin accordance with the requirements ofthe NISPOM. • “Safeguarding” means measures andcontrols that are prescribed to protectclassified information.

  18. Destruction of Data • All Sensitive but Unclassified (SBU) data on disk, tape or other portable media must be formatted and over-written multiple times to prevent unauthorized access of the data. • Hard Drives must be erased and reformatted. Shredding is also acceptable.

  19. Classified Information • Classified information exists in many forms. It may be a piece of hardware, a photograph, a film, recording tapes, notes, a drawing, a document or spoken words. • Material is classified by the originator. • It comes to industry via security classification guides. • The degree of safeguarding required depends on the information's classification category.

  20. Sharing ofClassified Information • Determining access to classified material - When an individual is granted a security clearance, it means that an individual is eligible to have access to classified information on a “need-to-know” basis. Access is granted only when the following twoconditions are met: • The recipient has a valid and current security clearance • at least as high as the information to be released. • (Contact your FSO if in doubt about a person’s clearance status) • AND • 2. The recipient requires access in order to perform tasks essential • to the fulfillment of a classified Government contract or program. • This is called “need-to-know.” • (Contact the recipient’s supervisor if in doubt about a person’s • “need-to-know”)

  21. Need-to-Know • Need-to-know confirmation for both internal employees and visitors should come from a security department advisor or representative. • If there is doubt as to whether or not a person has a need-to-know, you should check with the proper authority prior torelease of any classified information. • Establishment of need-to-know is essential. • It is far better to delay release to an authorized person than to disclose classified information to one who is unauthorized. • It is the responsibility of the possessor of classified information to ensure that the prospective recipient meets BOTH of these conditions.

  22. SF312(Classified Information Nondisclosure Agreement) • The SF312 is essentially a lifetime contract between you and the U.S. Government in which you agree to protect U.S. classified information from unauthorized disclosure. • The agreement may limit you from freely discussing your work with colleagues, relatives, and others. • Violation of the agreement can result in a wide array of legal action against you, ranging from civil suits to a succession of more severe penalties. Penalties for breaking the nondisclosure contract may include loss of clearance, fines and criminal prosecution under several statutes. • The original signed copy of the SF312 is forwarded to DSS for their records, while a copy is maintained in the individual’s security file by the company. • Failure to sign the agreement will result in revocation of your clearance.

  23. SF312(Classified Information Nondisclosure Agreement)

  24. Reporting RequirementsSuspicious Contacts • Employees are required to report any suspicious behavior or occurrences that may occur at any time. This includes all contacts with known or suspected intelligence officers from any country, or any contact that suggests you may be the target of an attempted exploitation by a foreign intelligence service (NISPOM 1-302b). More specifically, employees must report to security any of the following events:  • Any efforts, by any individual, regardless of nationality, to obtain illegal or unauthorized access to classified or sensitive but unclassified information (SBU). • Any efforts, by any individual, regardless of nationality, to compromise a cleared employee. • Any contact by a cleared employee with a known or suspected intelligence officer from any country. • Any contact which suggests an employee may be the target of an attempted exploitation by the intelligence services of another country. • If there is any problem as to whether any specific situation is reportable, questions should be directed to your Facility Security Officer.

  25. Reporting Requirements (continued)Foreign Travel • If you travel to another country, whether for business or pleasure, if at all possible, you must report your travel to your Facility Security Officer prior to departure. Information regarding travel in a foreign country will be provided to you. Foreign travel must be reported; if not prior, then immediately after travel. • EIS form, “Foreign Travel Reporting for EIS Staff,” should be completed and returned to the facility Security Officer prior to foreign travel, whether personal or for business. • Don’t forget this requirement includes Mexico and Canada.

  26. You Must Report … • Adverse Information. Examples are: • Financial … this includes garnishments, lawsuits, bankruptcies, unexplained affluence and excessive indebtedness. • Arrests … even if you are arrested and found “not guilty” this needs to be reported. In addition, any traffic violation with a fine over $300 should be reported. • Psychological … mental or emotional counseling, or counseling for personality disorders (marital, family and grief counseling are excluded). • Substance Abuse … this includes the use of illegal drugs and/or excessive use of alcohol.

  27. Reporting Requirements (continued)Adverse Information Examples … • Arrest for any serious violation of the law • (including DUI or DWI) • Excessive use of alcohol or abuse of prescription drugs • Any use of illegal drugs • Bizarre or notoriously disgraceful conduct • Sudden unexplained affluence • Treatment for mental or emotional disorders

  28. Reporting Requirements (continued)Adverse Information • The Aldrich Ames case provides a lesson on what can happen if adverse information is not reported (case is addressed again later in the briefing). • Ames, a CIA employee, had clear signs of adverse behavior, including excessive drinking and unexplained affluence. While noticed, these behaviors were not reported until much too late. • In 1984, motivated by financial troubles, Ames volunteered highly SECRET and sensitive CIA information to Soviet and Russian intelligence. • After 9 years of selling secrets for over $2.5 million, Ames showed signs of living beyond the means afforded by his government income. • As a result of Ames’ treason, 11 agents lost their lives and a large amount of information regarding the CIA's Soviet intelligence efforts was lost.

  29. Reporting Requirements (continued)Loss or Compromise • Employees are required to report any loss, compromise or suspected compromise of classified information, foreign or domestic, to the appropriate security office (NISPOM 1-303). Reporting provides employees with an opportunity to extricate themselves from a compromising situation and enhances the protection of national security information. • Not reporting a known security compromise may in itself constitute a major security violation, regardless of the severity of the unreported incident.  • Violations may include acts such as misplacing, losing, improperly storing, improperly transmitting, and leaving classified material unattended.

  30. You Must Report … • Loss, compromise, (or suspected loss or compromise) of classified or proprietary information, including evidence of tampering with a container used for storage of classified information. • When in doubt, check it out … consult with your onsite security manager, FSO, or the NISPOM.

  31. Other Reporting Requirements • Employees are required to report any • act of sabotage or possible sabotage, • espionage or attempted espionage, • and any subversive or suspicious activity. • Employees should alsoreport any • attempts to solicit classified information, • unauthorized persons on company property, • unwillingness to work on classified information, • and disclosure of classified information to an unauthorized person, • along with any other condition that would qualify as a security violation or which common sense would dictate as worth reporting.

  32. Information Security(INFOSEC)

  33. Possible Threats to a System • Hackers and Crackers • Malicious Code • Viruses, Worms, Trojans, Time Bombs • Terrorism • Internet Access • Social Engineering • Insider Threat

  34. Vulnerabilities • A vulnerability is a weakness that can be exploited to develop an attack against a system, network or individual computer. • Examples: • ▪ Users ▪ Out-of-date patches • ▪ Software ▪ Unneeded services • ▪ Improper storage ▪ Poor management • ▪ Weak passwords • There is no such thing asa completely secure system!

  35. Why We Are Vulnerable NIPRNET = “non-secure” • The Internet was not designed with security in mind. • Development often focuses on “Slick, Stable, Simple” not necessarily “Secure” • NIPRNET is an extension of the commercial Internet • User awareness is unacceptably low Most Popular Sites Visited by DoD Users— yahoo.com google.com streamtheworld.com ……….….. music weather.com cnn.com windowsupdate.com foxnews.com msn.com aol.com deezer.com ….....……..……….… music facebook.com ….... social networking liveu.tv ……….…….... video streaming go.com …………..…. news and sports vtunnel.com ...…....………… proxy site 96% of DoD web traffic is commercial web browsing

  36. Confidentiality • Confidentiality, when applied to computer systems, means data processed and/or stored via a specific computer system is accessible only to authorized individuals. This applies to: • Privacy data • Employment data • ID theft

  37. Integrity • Integrity, in the arenaof computer security,means no unauthorizedchanges have been madeto system components ordata processed or storedwithin a computer system.This applies to: • Payroll • Client Info • Employment data

  38. Ways to Protect the Network • Comply with EIS guidelines for use of Internet and E-mail • No Instant Messaging (IM), cryptography, music or software downloads • Change your network log-on password regularly (as applicable) • Make it easy to remember but hard to crack • Try a “sentence” password – 1st letter of each word • For example: “I went down to 3rd street yesterday.” = iwdt3sy • Lock your workstation when you leave your desk • CTRL+ALT+DELETE, then choose “Lock” • or • “Windows” key + L

  39. Protecting Your Workstation • When leaving your work area, be sure and lock your screen with a password protected screensaver OR if you are going to be away for long periods of time…LOG OFF! • Ensure your workstation has a password protected screensaver that automatically activates after a period of time.

  40. Creating a Good Password • Creating a “good password” means that your password cannot be easily guessed or cracked • At a minimum, a case sensitive 8-character mix of upper/lower case letters, numbers, and special characters, including at least two of each • Example - it be a phrase that can be repeated when logging in: R#1,iie2casp,bPSWDie! ….Which is derived from Rule #1, It is easy to create a safe password, butPSWD is easier! • Do NOT use common words(Family names, dictionary words, birth dates, anniversary etc.) • Never share your password with others! DO NOT write down your password and leave it near your computer!!!!

  41. Responsibilities of the User(Some DOs and DON’Ts) • Environmental Concerns • DO protect your work area; keep liquids away from PC/keyboard • Software Accountability • DON’T load unauthorized software • DO report any unauthorized personnel loading software on your workstation • DON’T be afraid to question technicians if you don’t know them • Network Access • DO be aware of visitors to your site

  42. Responsibilities of the User(Some DOs and DON’Ts continued) • Contingency Planning • DO save your work to the network drive, not local drive • DO remember that you are ultimately accountable for activities that occur under your user name • Anti Virus Program • DO check your update file regularly • DON’T bring files from other computers

  43. PEDs and Removable Media Handling • Portable Electronic Devices (PEDs) and Removeable Media include: Blackberry, cell phone, PDA, thumb/flash drive, CD/DVD, external hard drive • Blackberries, cell phones, PDAs, MP3 players are prohibited in controlled spaces • In accordance with CTO 08-08, thumb drive use on Navy networks is prohibited until further notice • Government issued external hard drives are authorized for use – devices should be regularly scanned

  44. Internet Access • Official Business Use • Reasonable personal use • No jokes, Instant Messaging (IM), downloading music or software,political or religious content, fundraising, etc. • Nothing offensive • Anti-Virus protection • Exercise caution • Remember, you represent EIS and your client.

  45. Safe Home Computing Your home computer is a popular target for intruders. Why? Because intruders want what you’ve stored there. They look for credit card numbers, bank account information, and anything else they can find. By stealing that information, intruders can use your money to buy themselves goods and services.

  46. Safe Home Computing What Should I Do To Secure My Home Computer? 1 – Install and Use Anti-Virus Programs2 – Keep Your System Patched3 – Use Care When Reading Email with Attachments4 – Install and Use a Firewall Program5 – Make Backups of Important Files and Folders6 – Use Strong Passwords7 – Use Care When Downloading and Installing Programs8 – Install and Use a Hardware Firewall9 – Install and Use a File Encryption Program and Access Controls

  47. Operations Security(OPSEC)Threat AwarenessDefensive Security

  48. What is OPSEC ? • Operations Security (OPSEC) is all about keeping potential adversaries from discovering our critical information. • Success of the military mission depends on secrecy and surprise; • Likewise, protecting company proprietary and confidential information, and related information is a priority …

  49. Some OPSEC Guidelines • xxxsall about keeping potential adversaries from discovering our critical information. • xxxxsof the military mission depends on secrecy and surprise; • xxxxprotectingcompany proprietary and confidential information, and related information is a priority …

  50. Threat Awareness The Foreign Intelligence Threat • The gathering of information by intelligence agents, especially in wartime, is an age-old strategy for gaining superiority over enemies. • Intelligence officers, those individuals working for government intelligence services, are trained to serve their country by gathering information. • Spies, on the other hand, betray their country by espionage. • Preventing this kind of betrayal is the ultimate goal of the entire U.S. personnel security system.

More Related