250 likes | 506 Views
THE ART OF SELF INSPECTION (and how to have fun conducting it!). Jennifer L. Rossignol Lockheed Martin GTL Security. Carnak …. “Who is …. “me ”’?. Who is: Who doesn’t like to do self inspections? Who is: Who looks at self inspections as a necessary evil? Who is: Who just “checks the box”?.
E N D
THE ART OF SELF INSPECTION (and how to have fun conducting it!) Jennifer L. Rossignol Lockheed Martin GTL Security
Carnak …. “Who is …. “me”’? • Who is: Who doesn’t like to do self inspections? • Who is: Who looks at self inspections as a necessary evil? • Who is: Who just “checks the box”?
Fun? How can that be?!? • Don’t do it alone • Make it a team effort – conduct it with another employee, a team, another FSO • Do it differently • Start at the end of the checklist and work to the front …. • Pretend you’re a detective! CSI: Orlando! • It really requires you to THINK … which is good for your health
It’s much more than checking off items on a checklist! Philosophy … Self inspection is an art ….
Purpose of Self Inspection • An effective self inspection program is the key to any successful security organization • Serves many purposes: • Assesses the health of your organization • Provides training opportunities and employee development • Promotes your product • Meets a requirement • Prepares you for your DSS audit • The value and importance of self-inspections has increased in the eyes of DSS
What is a Self Inspection? • It’s more than following and completing the DSS Self-Inspection Checklist • It must be a “total review” of the security program • It must be an honest examination of the program and an indicator to senior leadership that you can safeguard classified material • It provides a “snapshot” picture of current security operations and allows you to determine shortcomings and resolve them before your DSS audit • It is a continuing review of the methods used to safeguard classified…. are they adequate? compliant?
Self-Inspections Ideas • There is no one way to do self inspections - Be creative! • No need to wait for 6 months after your last audit • Can audit year-round • Can audit more than once (sounds like an “enhancement” to me!) • Remember to review your security incident reports, adverse information reports, etc. … • Review past audit findings - AVOID repeats! • Share your findings and corrective actions with your DSS representative • Enhance with a “Security Day”
What to do • Do interview employees (not just yourself!) • Do GET UP FROM YOUR DESK • Do emulate the DSS audit process • How will you feel when your DSS representative talks to your employees? Will you be worried about how they will respond? Not if you have prepared them! What not to do • Don’t stick to the checklist • Don’t talk to only cleared employees • What about the receptionist? • What about the employees who receive packages?
Self-Inspection Process 3 Key Components • Preparation • Inspection • Follow-up
Step 1 - Preparation • 1st step to success is developing a good Self-Inspection plan • Doesn’t have to be written • It should be simple and not complex • The plan is a mechanism that helps ensure that you cover “all the bases” and complete the entire Self-Inspection within a specified time • The plan helps you assign personnel • Based upon experience and expertise • Can be used as an opportunity for mentoring • Pairing less experienced with experienced security professionals
Step 1 - Preparation • Gather your materials, such as: • Audit checklist • Standard Operating Procedures • Reports – incidents, adverse, etc. • Checklists • DD 254’s • Previous audit results/findings • IS equipment lists • Receipt and dispatch records • FCL documentation • JPAS listing • NISPOM and ISL’s • Allows you to examine your operation “piece by piece” • Brief your senior leadership
Step 1 Continued: Team Selection • If you are a FSO at a one-person facility … • Larger facilities can employ more people to help • May not be faster but can cover more • Have an experienced “Team Leader” • Well-versed in the NISPOM • Capable of keeping a team enthused - Believe it or not: Self-Inspections can become laborious
Step 2: Conducting Self-Inspection • Be professional • Review currency of policies and procedures and/or SSP • Remember to interview receptionist, Shipping, Receiving, guards • Always be prepared to correct issues on-the-spot and explain what is being corrected to the employee • If possible involve the employee so they can learn • Bring a box of “tools” with you – stickers, markers, cover sheets
Step 2: Conducting Self-Inspection • Remember, employees may be defense -Don’t condemn or make it personal – educate! • Use the same methods or techniques used by DSS • Allows the employee to get familiar with their inspection methods and feel comfortable with DSS when they do their review • Keep an eye out for “best practices” or items that are “above and beyond” the requirements in the NISPOM • Watch for trends
Tools for Self-Inspections • Document Review Marking Forms • Makes assessment of marking problems easy • Helps determine what marking requirements are not familiar to employees, allowing you to focus your training efforts • Security Knowledge Questionnaires • Derived from DSS checklist questions • Allows you to focus training efforts on specific areas • Interviews • Use the DSS Self-Inspection Checklist interview questions • Determine who has conducted foreign travel or hosted a foreign national visit • Provide employees with a Q&A sheet • DSS • Ask DSS if there are any Special Interest Items for this inspection cycle
Step 2: Self-Inspection Ideas Develop checklists CLOSED AREA CHECKLIST
Self Inspection Methods Example: A review of the company’s receipt and dispatch records • Is incoming or outgoing media a different classification level than the majority of approved equipment at the facility? • How and where was the Confidential CD created? Was the trusted download procedure approved? Is trusted downloading approved for that system? Is the person who performed the trusted download authorized to do so? • How is the Missile Control Unit (MCU) protected against contamination? Are there procedures in place to properly sanitize the unit if contamination occurs? Is the procedure approved by the customer? • Do we have a contractual relationship (i.e. DD 254) with the sender/receiver? This is just an example of how a little analysis and creativity can provide a more comprehensive review of the existing processes and procedures
Self Inspection Methods Example: Review of Closed Area visitor logs • Pay close attention to the visitor’s company name. • Did someone visit from an HVAC service? If so, ask the area custodian what they did. Did they put a hole in the wall or make a change affecting the area integrity or the 147? If so, is it greater than 96 square inches? • Did someone visit from Xerox? If so, what did they do while they were there? Did they install a new copy machine with a hard drive? Did this get connected to the classified IS? • Did someone visit from a computer service vendor? If so, what did they do? Did they bring diagnostic equipment with them? If so, did they connect it to the AS? • Did any visitors have “keyboard” access? If so, was that authorized? • Remember to dispose of visitor logs from before the last DSS audit
Step 3 – Follow-upWriting the Self-Inspection Report • Reports documenting your Self-Inspection can be done in any format you would like • Should identify the following: • Areas inspected • Commendable areas • Findings/ Deficiencies/Corrective Actions • Findings/ Deficiencies that need long-term monitoring • Normally done where there are significant problems where it will take a long time to close out. • Status report every 30 days • Reference applicable compliance document
Step 3 – Follow-upWriting the Self-Inspection Report • Include corrective action • Correct the process – DSS will validate • Update your procedures • A well-written report seldom generates more questions
Conclusion • Self-Inspections are a tool that allows Security Department to ensure they are compliant with the NISPOM • A good Self-Inspection should emulate the DSS Security Review process • Be aggressive and not afraid to have findings • Write honest and accurate Self-Inspection Reports • Remember a “bad” finding is the one that DSS finds during their Security Review • There are “good” findings… the ones you catch during your Self-Inspection
Conclusion • Have a strong self-inspection program and use it as a tool rather than just another “block to check” for the DSS Review • Make DSS an effective member of your security team! • Consider sharing your inspection results with other sites of your company or with your local NCMS Chapter members • Using all these tools cannot guarantee higher DSS audit ratings, but it will make the process more organized and less stressful NOW … GO HAVE SOME FUN!