CEO-FSO: A Case Study in Challenges
July 2014

Oh Sensei, Why Are There No Simple Security Solutions?
• NISPOM Madness
• STEPP Training
• JPAS Usability
• Outsider Threats
• Insider Threats

“The Industrial Security Process is like a martial art. One can create the chi by devoting oneself to practice, patience, dedication, discipline and respect to the ‘wise’ ones.” Sensei Gerardi, 2010
Story Arc
CEO forms CPG. As its CEO, he visualizes opportunities and lays an azimuth that will result in great success. One day, a “work fairy” arrives at his door with a contract award and a DD254 that changes life as he knew it. He is now the FSO. The FSO takes actions to implement the NISPOM in his company and encounters numerous challenges. Along the way, the FSO makes friends and identifies resources that make his job doable.
(Story arc diagram labels: Attacks, JPAS, NISPOM, Inspection Tools, DD254, Application, Founding Resolutions)
I Am Illiterate
Perception: NISPOM is about the rules. It is infeasible to learn all the rules if you are not fully devoted to security. NISPOM is written in the language of bureaucrats, with ambiguous language that must be interpreted.

Lessons Learned
• Use a graduated approach to digesting the NISPOM. Start with the chapters that matter:
Chapter 1: General Requirements
Chapter 2: Security Clearances
Chapter 3: Security Training & Briefings
Chapter 6: Visits and Meetings
• Don’t re-invent; re-purpose instead.
FISWG is a resource.
Mentoring relationships (e.g., FBI).
DSS website.
I Am Untrainable
Perception: Security training can’t be that difficult. The foundations of all effective training are learning requirements, instructional design and assessment tools. Too much time is spent figuring out STEPP and not learning. STEPP is not a good example of adult learning.

Lessons Learned
• Spend time with the STEPP tutorial; it explains the mechanics.
• STEPP training should not be “check the box”. Don’t make it a crash course if you want to learn.
• Help desk personnel are helpful (e.g., Ft. Knox).
I Am Not a Single-Trial JPAS Learner
Perception: Without practice, you won’t get it. JPAS seems designed to be counter-intuitive and requires tribal knowledge to use efficiently. The only tool it provides is a hammer. It is always better to have more than one set of eyes and hands on the problem. (Diagram label: AFSO)

Lessons Learned
• Make logging on weekly a best practice.
• Sit down with individual members to review their information quarterly.
• The only time I have called the help desk was to renew an expired password.
• For an infrequent user, using JPAS is about power and not finesse.
• Invest in a highly competent AFSO.
I Am Paranoid for a Reason
Perception: OPSEC requires continuous risk assessment of insider and external threats. Risks take the form of competitors as well as foreigners. “Game of Pawns” represents a small part of the OPSEC threat we must defeat. There are no good measures for assessing the return on investment for OPSEC.

Lessons Learned
• Social media presence represents a significant breach in our OPSEC.
• The OPSEC threat is multi-dimensional: competitors as well as adversaries. DSS has us focus on foreign adversaries.
• OPSEC measures fail for two reasons:
• we don’t take the perspective of the threat when doing our risk assessment.
• we don’t identify what needs to be protected.
• The OPSEC Plan is a “living” document that needs periodic revision.
I Am My Worst Enemy
Perception: Security is about discipline, practices and quality assurance. Take the time to be creative. Being an FSO is about observing, recognizing and perceiving what’s going on in your organization. Security is an imperative, not a tradeoff. Too little time, too much to do. (Diagram labels: FSO, CEO)

Lessons Learned
Biggest FSO surprises include:
• international travel
• international relationships
• DD254s with added requirements
• suspicious behaviors aren’t everywhere
Biggest CEO surprises include:
• security budget
• emerging cyber and information security requirements
• impact of social media presence on security
• get involved, stay involved
Solution Set
Administration
• JCAVS/JPAS
• Record Keeping
• Budget Resources
Security Enablers
• Apply Risk Management
• Use Guided Practice and Activity
• Contact DSS Representative
• Seek Mentoring and Networking
• Conduct Self-inspections
• Prepare for Periodic Formal Inspections
• Make Security a “Team” Sport
Training
• FSO STEPP
• Collective Annual
• FISWG / Continual Learning
Best Practices
• SPP
• Cyber Security Plan
• Knowledge Management
Awareness
• OPSEC Awareness
• Insider Threats
• Travel

CPG Security System
(Diagram labels: Threat Awareness, Cyber Awareness, OPSEC, Risk Management, JPAS/JCAVS, Cognitive Performance Group, FSO/AFSO, DSS Representative, Active Community of Practice, Security Practices & Procedures, Formal Staff Training & Checks on Learning, Performance Metric for Each Employee)
www.cognitiveperformancegroup.com
3662 Avalon Park Blvd E., Orlando, FL
407.282.4433 (O)