Three Topics. What is NCMS
1. NCMS & the Industrial Security Professional (ISP) Certification Preparation William L. Uttenweiler, ISP
Lead Mentor, ISP Exam Prep Program
Florida Space Coast Chapter, Cape Canaveral AFS, FL
3. Question:
What is NCMS & why should you belong? See also article “Why Should Management Support Membership in NCMS – The Society of Industrial Security Professionals,” CM Bulletin, November/December 2006, page 9
4. Organization Society of Information Security Professionals
Founded in 1964
Headquartered in Wayne, PA
24 chapters in USA, 1 in Europe, & 1 “virtual”
~ 2,600 members
5. Official Scope – #1 Develop & promote education & training of members in the application of requirements of industrial security in support of the security of the United States and its allies as described in the National Industrial Security Program (NISP).
Classified information (mostly DOD, DOE, CIA & NRC but 23 other agencies included)
6. Official Scope – #2 Develop and promote education and training of members in the application of classification management principles, practices, procedures, & techniques in protecting government designated unclassified information & intellectual property in all forms.
Government FOUO
Company Proprietary/Competition Sensitive, etc.
Operations Security (OPSEC)
7. How NCMS Meets Scope #1 & #2 Web site, especially the Members Only section
Annual National Training Seminar
CM Bulletin
Chapter level activities and communications
8. NCMS Web Site www.classmgmt.com New news you can use
Resource library
Counterintelligence information; security education/awareness training tools, security briefings
Government reports (NISPOM, Industrial Security Letters, Executive Orders, Presidential Decision Directives, PERSEREC Reports)
Classification management, physical security, COMSEC, OPSEC, information security, information assurance
Protecting FOUO, sensitive-but-unclassified information, proprietary information
Homeland Security, Emergency Preparedness
JPAS, e-QIP
International security, NATO, Export Control
Facility Security Officer Training
And much, much more
9. NCMS Web Site www.classmgmt.com Membership Assistance Publication Series (MAPS) – tied to sections of NISPOM
Self-Inspection guide for collateral facilities
Administrative inquiry checklist
Handbook on DD 254 preparation (subcontracting)
Sample resolution for exclusion of certain directors or officers
Briefing “The Foreign Intelligence Threat”
Sample annual security refreshers
Instructions for changing safe & lock combinations
Where to get clips for false/drop ceilings in closed areas
Writing a master systems security plan for classified AIS
And much, much more
10. Annual National Training Seminar 43rd was held June 2007 in Reno NV and included
General and break-out sessions on topics like
DISCO & JPAS behind the scenes; basic/advanced JPAS & e-QIP training
Threat integration in your security program
Security clearance adjudication
SCI overview; special access program training
FOCI, export control, proxy agreements, special security agreements
Classified AIS security issues
OPSEC – “They Really Didn’t Do That, Did They?”
Ray Semko “Unleashed”
Summaries of sessions published in CM Bulletin; when available, slides posted on-line
Facility Security Officer Program Management course offered by DSS Academy
Proctored ISP certification exam
11. 44th Annual National Training Seminar
12. CM Bulletin Bi-monthly NCMS newsletter
Official means of communication between leadership & members
Articles by members on topics of interest, for example
Results of polygraph survey
Perils of the Internet
How to build a better security team
Verbal attestations
US port deal highlights foreign investments
Data spills – cleanup & prevention
Effective speaking tips
13. Chapter level activities & communications Chapter-sponsored seminars
Chapter meetings with speakers
E-mail from chapter chair with news, updates, etc.
Association with government audit/ inspection personnel in a professional, non-adversarial environment
Networking – you are never alone
14. Official Scope – #3 Advance the professionalism of Members through a formal certification program recognized by government & industry.
Industrial Security Professional (ISP) certification
http://www.ncms-isp.org/
More in a moment
15. Official Scope – #4 Advance its purpose by representation & participation on U.S. government & professional security councils, committees, boards & forums & through formal comment, proposal, petition, & coordination.
Memorandum of Understanding (MOU) Group
NISP Policy Advisory Committee (NISPPAC)
Close rapport with ISOO, DSS, etc.
16. The MOU Group MOU Group
Membership includes: NCMS & 5 other groups
NISP Policy Advisory Committee
By invitation but usually includes NCMS members
Both represent industry’s voice to top-level government security policy makers
17. Information Flowing Up Example: High Security Lock Legislation
Pushed by Sen Jim Bunning (R-KY) in FY 2002 Defense Authorization Bill
Would have accelerated the requirement for X0-8/9 locks (replacement kits cost $1,200 each; cabinets cost $1,570 - $5,679 each)
Industry surveyed costs ($231 million) and concluded they were not justified by risk
Bunning’s district includes headquarters of MAS-Hamilton, the only manufacturer of compliant locks
18. Information Flowing Up Example: personnel security investigation backlog
Explained the costs in unaccomplished work while PSIs languish uncompleted
DSS agreed to allow each facility to prioritize a small number of cases and to accelerate their completion
Early notification of DSS plans and requests for future PSI needs
19. Special Relationships Special relationships with ISOO, DSS, etc.
High level staff frequently meet with Board of Directors on issues of mutual interest
High level staff regularly present at NCMS National Training Center
Permanent host for presentation of DSS’s James S. Cogswell Award for outstanding industrial security programs
20. Evaluating the Value of Memberships DSS James S. Cogswell Award for Outstanding Industrial Security Program
2006: NCMS members for 13 of the 28 selected firms
2007: NCMS members for 20 of the 30 selected firms
An NCMS member was one of the firm’s representatives at the awards ceremony.
2006 – data is from CM Bulletin, November-December 2006, pages 10-11
Diane Jackson, University of AL in Huntsville
2007 – data is from pictures in CM Bulletin, Special Seminar Issue 2007, and my look-up of winners’ last names
Jackie Rudolph, SCI Technology Inc, Huntsville AL
21. Management Support Is Critical Security professionals need enthusiastic support from their management
More than signing the occasional policy or giving the intro at annual company refresher
Reimbursement for dues and expenses
Permission to attend functions and work on NCMS business (both for training and good PR within the DOD contractor community)
Demonstrates to other employees that security is important to the company
22. Question:
What is NCMS & why should you belong?
Answer:
NCMS is the Society of Information Security Professionals. If you belong to NCMS, you & your company are never “hanging out there” alone. You have access to local & national level resources & experts when a question or a problem occurs.
24. ISP Certification The security certification universe in 2003
Some of the existing ones were too broad
Certified Protection Professional (CPP)
Others were narrowly focused but on other disciplines
Physical Security Professional (PSP)
Certified Fraud Examiner (CFE)
Certified Information Systems Security Professional (CISSP)
Global Information Assurance Certificate (GIAC)
Certified in Homeland Security (CHS)
25. ISP Certification Security certification universe in 2003
None focused on the National Industrial Security Program (NISP) or the NISPOM
None included areas like Counterintelligence (CI) and Communications Security/TEMPEST
NCMS grassroots wanted a certification that would closely match what a Facility Security Officer (FSO) and his/her staff actually do
See Ray Bernard, PSP, “Security Certifications: Designations tell you who you’re working with and who you’re hiring, and they’re the next step in your own security education,” Security Technology & Design, September 2005, pp. 36ff
26. Industrial Security Professional Industrial Security Professional (ISP) certification
For individuals involved in classified government contracts
Introduced in 2004
Aimed at “journeyman” level professionals
~ 160 currently certified world-wide
27. ISP Certification requirements
5 years’ experience (can be part-time if >10% of duties)
Pass a proctored exam
110 questions (100 “core” plus 5 each on 2 electives chosen from 4 available – counterintelligence, COMSEC/TEMPEST, intellectual property, OPSEC)
2 hours long; open book
Recommended by supervisor or NCMS National Director
Subscribe to high ethical standards
28. ISP Certification Recertification required every 3 years
Shows continued professional development
Demonstrates that person has kept current on both threats and defenses
Can be accomplished by
Training/seminar attendance
Leadership in security activities
Authoring articles/classes on security topics
Etc.
29. ISP Certification “Accreditation”
Not provided by most existing certifications such as the ASIS-sponsored CPP
However, can be a valuable assurance in the case of a new program like the ISP
NCMS is working with the American National Standards Institute (ANSI) to get formal “accreditation” for the ISP
30. ISP Certification Accreditation process has driven the requirement to have on-line test takers proctored
Proctors ensure that the candidate is the person who takes the exam
Chapter Chairs help locate current ISPs to serve as proctors
For those not near an ISP, NCMS Headquarters will approve qualified proctors (including Government Industrial Security Representatives, College/ University teachers, etc.)
31. ISP On-Line http://www.ncms-isp.org Separate ISP web site to consolidate resources
Certification Booklet
Application Form
ISP Code of Ethics
Test References & Sources
Frequently Asked Questions
List of Current ISPs
ISP Exam Preparation Program
32. ISP Certification: Why Certify? The ISP program provides a high-level baseline for the knowledge required of an Industrial Security FSO with at least five years of experience;
It certifies that the holder of the ISP has the requisite knowledge of the NISPOM and other related directives used by the average FSO on a daily basis;
It demonstrates on the part of the ISP a degree of professionalism and willingness to go the extra yard to develop professionally;
33. ISP Certification: Why Certify? It demonstrates self-confidence & willingness to take a risk (of flunking the certification exam in this case);
It demonstrates that the ISP has the academic and intellectual skills to not only perform as an FSO but also to develop further as a security professional;
It puts a company that has ISPs on their staff in a stronger position for contract bids and re-bids in the area of security; and
It provides an FSO with an ISP added credibility when dealing with DSS representatives.
34. A couple of testimonials Crystal Chambers, ISP, CENTRA Technology Inc., Arlington, VA. Having ISP after my name MEANS something! When I applied for a new position, not only did my new boss know what it meant, he was impressed! I have an ability now to confidently use, refer to and quote the NISPOM! This class made me open up the book and LOOK at chapters I hadn’t needed previously, like Chapter 8. Did I mention I got a perfect score on that section?
Leonard Moss Jr., ISP, CHS-V, AAI Corporation, Hunt Valley, MD. In October 2006 I moved cross-country for a promotion to the Director of Corporate Security at AAI Corporation. It's a great opportunity and it's the promotion I had been seeking. You will be happy to know that when I applied for this position one of the things the job called for was "ISP preferred.” I thought that was great and worth sharing. It shows the value of our credential.
35. Question:
What is the Industrial Security Professional certification program & why should you be one?
Answer:
The only professional certification aimed at staff working to protect classified information. It pays dividends both in knowledge & reputation.
37. ISP Exam Preparation Barrier to testing – The Fear Factor
Overcoming The Fear Factor through preparation
38. The Fear Factor Applicants are apprehensive about taking the exam
I’m not good enough (or experienced enough)
I’ve been out of school for a long time, I don’t test well & I might fail.
I’m too busy (workload, personal problems, etc.)
If I fail, I’ll look bad in the eyes of supervisors, coworkers & colleagues.
If I fail, I’ll be out several hundred dollars. (Some companies don’t fund the exam until employee passes.)
39. Overcoming the Fear Factor The two keys are networking & preparation
Networking
“I’m not good enough” dispelled by contact with colleagues (difference between test takers in Reno NV in 2004 & Seattle WA in 2005)
Preparation
Knowledge provides self-confidence
Some nervousness always remains for any “high stakes” test, but the adrenalin helps
40. Main methods of preparation
Self-study
ISP Examination Preparation Program
ISPCERT.COM
41. Self-Study http://www.ncms-isp.org/StudyReferences.html Self-study was the only study method available before 2006
All of the source documents for the ISP exam are unclassified and widely available on-line
Anxiety was high because candidates didn’t know if their preparation was “adequate”
Now – the ISP Exam Prep Program workbook can be used for self-study
42. ISP Exam Preparation Program Arose during 2005 ramp-up
Candidates met telephonically to discuss “hard” chapters (Chap 8 on AIS, Chap 10 on international)
Expanded & formalized at 41st Annual National Training Seminar in Seattle WA
Sponsored by ISP Committee (co-Chairs: Barbara Taylor, ISP & Priscilla Crawford, ISP)
43. ISP Exam Preparation Program Prep Program purpose
Develop better security professionals by conducting comprehensive training on fundamentals like the NISPOM, ISLs, OPSEC, CI, etc.
Assist those who do not have local ISPs to be their “mentors”
Encourage “unsure” candidates that they can complete appropriate preparation for the exam
“Cooperate & Graduate”
44. ISP Exam Preparation Program Overview
Students will obtain materials & study in advance of the telecons
Telecons with mentors & other candidates to answer questions, help pace the preparation, etc.
About 1 hour long each
12 calls over an 18-week period
45. ISP Exam Prep Program Materials
Electronic copies of key references
Workbook to help candidates’ review of NISPOM & other materials (cost $15)
The Annotated NISPOM, a great tool for all security professionals, is available at: http://www.ncms-isp.org/NISPOM_200602_with_ISLs.pdf
46. ISP Exam Preparation Program Mentors
All are current ISPs
2-person Mentor teams will provide a variety of experiences/viewpoints
Timeline
Next “Round” in the program starts again in February 2008
Timed so that Candidates finish in time to test in CT or on-line during the summer
To sign up or get more information, contact the ISP Lead Mentor Team by e-mail ISP_Mentor@hotmail.com
47. ISP Exam Preparation Program Lesson strategy
Lesson #1 - get started, go over "Test Tips" article for information/techniques/tips, evaluate class size, etc.
Lesson #2 - #10 - cover about 10% of the NISPOM in each session
Lesson #11 - look up practice (5 questions w/paper NISPOM, 5 questions w/electronic search of the NISPOM in PDF), last minute questions, wrap-up
48. ISPCERT.COM Creation of Jeffrey W. Bennett, ISP, ISPCERT.com, Madison AL; Secretary of NCMS Mid-South Chapter
The Complete Guide for Industrial Security Professional (ISP) Exam Preparation
Practice test with 400+ multiple choice questions (with answer sheets)
Practical tips for candidates
Cost is $39.99
49. Final Comments on ISP Exam Available “on paper” at 2008 NCMS Annual National Training Seminar in Mashantucket, CT next June
Available on-line 24/7
Exam isn’t easy but you will pass if you
Pay attention to test discipline (110 answers in 120 minutes)
Prepare well in advance
50. Question:
How can you best prepare for the ISP exam?
Answer:
There are several methods, from independent study to use of prepared workbooks to taking the ISP Exam Prep Program. Choose the one you believe will work best for you.
51. Final Notes: Security Awareness Posters http://www.ncms-channelislands.org/posters.html
52. Speaker Contact Information William L Uttenweiler, ISP
William.L.Uttenweiler@aero.org
Work Phone: 321-853-0803
Cell Phone: 321-506-7427
FAX: 310-563-2959