
The service of surveys.

AT 8:15 ONE MONDAY MORNING, facility security officer (FSO) John Holiday's phone rang. Holiday works for defense contractor ABC Inc. When he picked up the phone, the receptionist announced that two industrial security (IS) representatives from the local Defense Investigative Service (DIS) field office were in the lobby to see him. As Holiday went to greet them, he wondered why they had come to his facility that day.

Thoughts of the status of his security program raced through Holiday's mind as he walked down the hall. Suddenly his heart started to pound. He realized that this could be an unannounced security inspection.

Holiday had not completed the self-inspection he began two months ago. Since he was manager of administration as well as FSO, other tasks took priority. Holiday knew he was about to be embarrassed because his security program was in disarray, and he regretted not implementing a more formalized self-inspection plan.

Although this scenario is fictitious, Holiday's dilemma is real. Shrinking budgets and staffs place more responsibilities on fewer people. Frequently, when people are required to wear a number of hats, some area under their domain suffers.

Nevertheless, as a member of the defense contractor community, ABC Inc. signed a security agreement with the government to comply with the requirements of the Department of Defense (DoD) security program. The company agreed to implement a self-inspection program that conforms to guidelines set forth in the Industrial Security Manual (ISM).

The ISM establishes the minimum requirements of the government's information security program. These security measures are necessary to safeguard the classified information that is entrusted to contractors.

The requirements of the ISM also apply to safeguarding classified foreign government information that is furnished to US contractors. The US government is obliged to protect this information in the interest of national defense. Besides establishing these requirements, the ISM also incorporates the provisions of applicable federal statutes, executive orders, international treaties, and certain government-to-government agreements.

CHAPTER ONE, SECTION TWO, PARAGRAPH (1-206B) OF THE ISM states the requirements for self-inspections and reads as follows:

Contractors shall establish a self-inspection program for the purpose of evaluating all security procedures applicable to the facility's operations. Contractors shall review their security system on a continuous basis and shall also conduct a formal self-inspection to occur between inspections conducted by the Defense Investigative Service (DIS), Cognizant Security Office (CSO). At the discretion of management, the inspection may be conducted by a security representative(s) from the facility or by a home office facility, principal management facility, or cleared parent representative(s). In any event, management shall establish, at an appropriate organizational level, a procedure for evaluating the effectiveness of the self-inspection program. Self-inspection shall consist of an audit of all the facility's operations in light of its Standard Practice Procedures and the requirements of the ISM. Deficiencies identified as a result of self-inspections shall be corrected promptly. If difficulty is encountered in resolving a deficiency, the DIS will provide assistance on request. A record of the date(s) of the self-inspection shall be maintained until the next formal inspection by the DIS.

In addition to self-inspection, formal inspections--either announced or unannounced--are conducted to ensure that the operations, responsibilities, procedures, methods, and physical safeguards used by defense contractors are adequate for protecting classified information that has been entrusted to them. In conducting these inspections, representatives of DIS review security records, perform area and automated information system (AIS) checks, interview employees, assess the adequacy of the system of security controls, and ensure compliance with all applicable terms of the ISM. The frequency of general inspections by DIS representatives is determined by the level of classified material possessed by the facility.

John Holiday did not make self-inspection a top priority. So he did not develop a program to assist him in identifying potential problems before they occurred, thus preventing costly deficiencies. The unannounced inspection could have been a satisfying and challenging experience if only he had implemented a sound, self-inspection, preventive maintenance program.

Preventive maintenance is defined in Webster's dictionary basically as the act devoted to an undertaking to forestall anticipated conflicting action by the upkeep of programs, systems, property, etc., to be preserved from failure or decline.

A quality preventive maintenance program includes, but is not limited to, completing a self-inspection guide. The guide serves as an outline for the inspection process.

Since an inspection must be a complete audit of all aspects of the ISM, the guide leads the examiner through the chapters of the ISM. The ISM covers 24 elements that are addressed by IS representatives and therefore should be addressed by the self-inspection program.

1. facility clearance

2. access authorizations

3. security education

4. standard practice procedures (SPP)

5. subcontracting

6. visit control

7. classification

8. employee identification

9. foreign travel

10. public releases

11. classified storage

12. markings

13. transmission

14. classified material controls

15. controlled areas

16. disposition

17. reproduction

18. classified meetings

19. consultants

20. automated information systems (AIS)

21. communications security/cryptography

22. international operations

23. operations security

24. special access programs

The number of elements requiring self-inspection is determined by the facility's involvement with the concerned areas of the security program. As the inspection is conducted, it is up to the user to determine the depth of the inspection effort within each element.

The guide has a clean, concise, instructional format and is a unique stand-alone package providing the tools to perform a self-inspection. Exhibits 1 and 2 are examples of questions that are found in the guide for elements 1 and 4, respectively.

Each question must be answered and the results documented on the lines found directly below the question. If a "yes" or "no" answer needs clarification, this space can be used to support the answer.

At the end of each set of elements, there are three areas to record observations, deficiencies and corrective action, and date completed.

In the observations section, the user includes positive or negative observations. A positive observation might be "Accountability records are up-to-date and accurate--receipts correctly reflect each transaction." A negative observation might be "Employees interviewed had not been briefed on security awareness since the last formal inspection."

In the deficiencies and corrective action section, the user must state any deficiencies uncovered and what corrective action is being taken. All actions must conform with the ISM requirements. If the user's overall security program is based on the desire for security excellence, all uncovered deficiencies will be corrected, and feedback will be provided to those individuals or areas affected.

In the date completed section, the user fills in the date that the element was inspected. The whole inspection does not have to be completed at once. The remaining areas to be inspected then can be completed according to the user's work load. The self-inspection, however, must be completed in a reasonable period of time.

INSPECTION AND COMPLETION OF THE guide must be performed honestly, sincerely, and completely. An honest self-inspection is free from fraud and deception. The user's integrity is being upheld with each issue reviewed and evaluated. Honest results are documented in the form of written deficiencies or positive accomplishments.

Throughout the inspection, the user must get involved with the nuts and bolts of the program, reviewing and addressing all issues.

The inspection must include a thorough review of records and visit requests; account for all classified materials; and include a physical inspection of internal and external markings of AIS diskettes, an examination of reproduction records and procedures, and interviews with employees. Examination of AIS equipment and procedures will be supported by hands-on demonstrations by the users of how they operate the system.

A sincere self-inspection is performed with earnest devotion, without reservations or misgivings, and is absent of pretense. The inspection must have a set of known objectives, and those conducting the inspection must have a clearly defined path to follow to complete the objectives.

A complete self-inspection is an exhaustive examination of a facility's security program, followed by prompt correction of all deficiencies. Minor deficiencies that are uncovered can be handled during the inspection. Serious deficiencies that are uncovered must be immediately addressed and all actions taken must be documented and included in the postinspection debriefing to management.

The debriefing should include a review of the self-inspection guide and a line-by-line review of the self-inspection program evaluation form. In addition, all supporting documentation and notes used during the inspection should become part of the self-inspection package. When all reviews, inquiries, and deficiencies have been taken care of and the evaluation form signed, the self-inspection then represents the present status of a facility's security program.

On completion of the self-inspection, employees should be informed of the results. This is a motivational tool. It makes employees feel they are part of a team effort.

The old philosophy of not hanging out the dirty linen to view has no place in a sound, self-inspection security program. Security awareness doesn't only include the do's and don'ts of quality security practices. It must go beyond compliance to include a well-organized, informative, honest, sincere, and complete security program.

GOVERNMENT INCENTIVES FOR INDUSTRY to implement quality self-inspection programs would not only benefit the government but also benefit the industry and the taxpayer. Possible incentives and benefits follow.

Government

* Extend inspection periods from six to nine months or longer for those firms whose deficiency-free track record is a result of the implementation of a sound self-inspection program. DIS staff and travel expenditures that are allotted to handle these inspections could then be used to support other DIS-related efforts (for example, education and training, and investigations).

* Increase recognition efforts for those firms whose innovation and leadership roles through the implementation of sound self-inspection programs consistently provide quality programs internally and promote security awareness throughout the security community.

Industry

* Peace of mind (incorporating values such as quality service, respect, integrity, teamwork, and commitment to excellence).

* Decrease in lost work hours otherwise used to correct deficiencies.

* Increase in competitiveness. At present, the defense contract budget is being decreased. That, in turn, is resulting in a smaller slice of the pie for business. For each company to be more competitive, more will be demanded of FSOs and they, in turn, must reach beyond simple compliance.

Security officers must ensure that their programs are exceeding normal security requirements by using all the available tools that could help their company's security program rise above its competitors'.

Government and the security community are being challenged to remain competitive right now. Sound, quality, self-inspection security programs can be the present and future tool for reaching the ultimate goal of security excellence in all programs.

Michael H. Skurecki is senior administrator and FSO for PRC Inc., in Bala Cynwyd, PA. He is a member of ASIS.

Note: Questions incorporated into the self-inspection program/guide were extracted from "A Contractor's Handbook to Conducting the Self-inspection," which appeared in the February 1992 Security Awareness Bulletin, published by DoD Security Institute, Educational Programs Department, Defense General Supply Center, Richmond, VA 23297-5091; 804/275-5309.
COPYRIGHT 1992 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1992 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:Security Survey; self-inspection guidelines for internal security
Author:Skurecki, Michael H.
Publication:Security Management
Date:Aug 1, 1992
Words:1831