
Sam DeSante Manager, Security Administration Lockheed Martin Aeronautics


Presentation Transcript


  1. Security Incidents Sam DeSante Manager, Security Administration Lockheed Martin Aeronautics

  2. Categories Of Security Incidents • Security Violations • Security Infractions • Inadvertent Disclosure

  3. Security Violation • Any Loss, Compromise or Suspected Compromise of Classified Information Foreign or Domestic • Any Knowing, Willful, or Negligent Action • That Could Reasonably be Expected to Result in an Unauthorized Disclosure of Classified Information

  4. Examples Of Loss, Compromise, Or Suspected Compromise Of Classified Information • Unclassified Information Sent or Received Across the Internet That is Determined to be Classified at a Later Time • A Closed Area That is Not Attended and the Alarm is Not Activated • Classified Documents Left in a Non-secure Area • Classified Material Hand Carried Off the Facility Complex Without Being Properly Packaged and/or Controlled • Closed a Security Container or Closed Area, But Failed to Spin the Spin Dial Lock • Processing Classified Information on a Non-accredited Information System • Weekly Audits Not Conducted on an Accredited Information System

  5. Infraction • Incidents That Do Not Involve the Loss, Compromise, or Suspected Compromise of Classified Information • These Are Also Known as Administrative Deficiencies or Practices Dangerous to Security

  6. Examples Of Infractions • Not Using Cover Sheets • Not Applying Media Stickers • Not Utilizing the Open/Close Logs • Not Applying Warning Notice on the Inner Envelope • Not Marking Paragraphs • Note That Incidents May Very Well Start as Infractions and Result in Violations, I.E., Not Applying a Media Sticker on a Classified Disk and Inserting it Into an Unclassified System

  7. Inadvertent Disclosure • Involuntary Unauthorized Access to Classified Information • This is Still a Violation and Requires All Applicable Reports

  8. Examples Of Inadvertent Disclosure • Fire Department/EMT Personnel in an Area That is Not Sanitized • Repair/Janitorial Personnel in Area That is Not Sanitized • The Individual Gains Involuntary Unauthorized Access to Classified Information

  9. Compromise • An Unauthorized Disclosure of Classified Information “A Communication or Physical Transfer of Classified Information to an Unauthorized Recipient”

  10. Examples • Information is Found and Returned From an Unauthorized Recipient • Information is Transmitted Over Unsecured Communications, I.E., Fax, Email, Voice • Information is Published in the Media (Note: do Not Assume the Information is Unclassified)

  11. Reporting • Violations • Report “Through CSA Channels” Defense Security Service (DSS) Representative • Infractions • Document & Make Available for Review by the DSS Rep During Visits/Reviews • Inadvertent Disclosure • Interview, I.E. Emergency Response Situations, Guard Personnel or Local Emergency Authorities • Inadvertent Disclosure Statement • Report Refusal to Sign

  12. What Is The Most Serious Security Incident? Known or Unknown Play

  13. Cause • Classified Assets Are Protected By Many Policies and Procedures • The Cause of the Incidents is Simple • Breakdown or Disregard For Security Requirements

  14. Policy & Procedures • OPSEC Plan • Component Guidance • NISPOM • Standard Security Procedures • Security Classification Guide • Transportation Plan

  15. Reasons For Failure • Unaware • Carelessness • Accident • Deliberate • Disaster • Resources

  16. Damage…National Security • When We Talk About Damage, We Are Talking About the Damage to National Security • National Security is Information Relevant to Our Foreign Relations and National Defense • We Don’t Live in a Bubble… What We do, Not Only Affects Us, it Normally Affects at Least One Other Person, and What Happens if That One Other Person is the War Fighter Losing His/Her Life

  17. Impact • What is the Impact of a Security Incident? • Program Integrity: • What is the Integrity of the Assets Protected Within Your Programs? • Is the Information Totally Compromised or Just a Portion Thereof? • Cost: • Dollars For Development, Design, and Testing • Dollars to Conduct Investigations and Damage Assessments • Loss of Production Time • Loss of Life

  18. Discoverer’s Responsibilities • Immediate Action • The Individual Who Discovers the Incident Must Take Immediate Action to Take Control, Protect, and Report Through Official Channels • One Must Consider OPSEC Indicators Through the Reporting Process • A Weakness Such as a Security Violation Could Uncover a Vulnerability Within and to Your Program

  19. Discoverer’s Responsibilities • An Incident May Appear Minor at First; However, Each Incident Must be Documented to Ensure Future Investigations and/or Damage Assessment. The Discoverer is the First Line of Reporting the Details. Don’t Assume You Will “Remember” All the Fine Details - Document! • Who, What, Where, When, How, and Why • Do Not Destroy or Interrupt Anything That May Support an Investigation • An Example May be Receipt of a Classified Document Over Unsecured Communications. The Recipient Would Immediately Obtain Guidance From Their Information System Security Manager (ISSM) or Information System Security Officer (ISSO). The Recipient Does Not Want to Simply Just Delete

  20. Facility Security Officer’s Responsibilities • Train Employees to Know What Constitutes a Security Incident • Train Employees to Report All Security Incidents (Classified or Unclassified) to the FSO

  21. Facility Security Officer’s Responsibilities • Once the FSO Receives the Report of an Incident He/She Will Take Control of the Situation and Safeguard the Information • Immediate Assessment is Warranted for Each Incident. Of Course if Classified Information is Not in Control (I.E., Someone Has Lost Possession or Information is Transmitted Over Unsecured Communication) Time is of the Essence • Do You Have a “Blazing Fire” (Lost Control) or a Small “Camp Fire” (Probability of Compromise is Remote)

  22. Facility Security Officer’s Responsibilities • The FSO Will Conduct a Classification Review of the Information. Is the Information Still Classified? Has the Security Class Guide (SCG) Declassified the Information? • Notify Defense Security Service (DSS) • Review Available Details of the Incident • Identify Investigative Requirements

  23. Investigating Official • The FSO Appoints the Investigating Official Based on Internal Policies. However, the Person is Always a Disinterested Person That: • Is Competent to Conduct a Solid Inquiry Into the Incident • Has the Proper Security Clearance Level

  24. Preliminary Inquiry What is a Preliminary Inquiry? • It’s an Examination Into a Reported Security Incident • A Preliminary Inquiry is a Review of the Details of an Incident That is Not Complex or Serious

  25. Preliminary Inquiry…When??? • Immediately on Receipt of a Report of Loss, Compromise or Suspected Compromise to Determine the Facts

  26. Facts • Meet With All Parties Involved and Request Written Statements • When Required, Request “Alarm Activity Report” from Alarm Company • When Required, Retrieve a Copy of Visitor Sign-In Logs, Safe Open/Close Log, Document Control Logs, and Facility Access Control Records for all Information Involved • When Required, the ISSM should become Involved to Determine Proper Procedures to follow Regarding Computer Equipment, Printers, Servers, Internet, Audit Logs, Etc. • Review DD Form 254 to Determine if the Contract Requires Notification of Security Incidents Over and Above NISPOM Requirements

  27. Initial Report…When?? • The Initial Report Occurs Immediately if the Preliminary Inquiry Confirms That a Loss, Compromise, or Suspected Compromise of Any Classified Information Occurred • It’s Submitted to the Defense Security Service (DSS) • You do Not Want to Defer Pending Completion of the Entire Investigation • An Initial Report May Be a Telephone Call or E-mail With the Immediate Details • You Do Not Want DSS to Learn of a Reportable Incident Through Other Means

  28. Initial Report Criteria • Authority: Cite The Reason for the Investigation Including: When, Where and by Whom it was Reported and Conducted • Essential Facts: Arrange Facts, not Opinions or Assumptions, in Chronological Order • Nature of the Violation: What Happened and When and Where Did it Take Place

  29. Initial Report Criteria • When, By Whom, and to Whom Was the Violation Reported • What Actions Were Taken to Secure the Classified Information and/or Limit the Damage Before the Inquiry Began • Examples: Inventories, Securing of Materials, Changing Combinations of Locks, Etc. • Identify the Classified Information • User Agency • Its Location • Contract Number & Contracting Officer

  30. Initial Report Criteria • Classification of the Information Involved • When and How Long, and Under What Circumstances Was the Classified Information Vulnerable to Unauthorized Disclosure? Determine Identity of Unauthorized Disclosures. Identify Unauthorized Persons Likely to Have Had Access to the Classified Information. Obtain All Necessary Records: • Access Control Records • Open/Close Records • Witness Statements

  31. Final Report Your Final Report Will Include Any New Information Not Previously Reported Plus the Remainder of the Bulleted Details: • Primary Responsible Person • Name • Position • SSN • Date/Place of Birth • Date of Clearance • Prior Incidents

  32. Final Report The Final Report Will State: • Statement of The Corrective Actions • How Can You Prevent the Incident From Reoccurring? • Is Disciplinary Action Warranted? • Hold People Accountable, Based on the Facts and Regulatory Guidance • Did a Loss, Compromise, or Suspected Compromise Occur?

  33. Individual Culpability Report The Culpability Report Will State: • The Administrative Actions Taken Against the Individual(s) Responsible For the Incident When One or More of the Following Factors Are Evident: • Violation Involved a Deliberate Disregard of Security Requirements • Violation Involved Gross Negligence in Handling Classified Material • Violation Was Not Deliberate in Nature, But Involves a Pattern of Negligence or Carelessness • Normally, a Company’s Standard Practices And Procedures Will Identify a Graduated Scale of Disciplinary Actions to be Followed

  34. Disciplinary Actions/Sanctions • Warning • Reprimand • Suspension Without Pay • Forfeiture of Pay • Removal • Termination • Loss or Denial of Access to Classified Information • Removal of Classification Authority

  35. Countermeasures • An Action Taken or a Physical Entity Used to Reduce or Eliminate One or More Vulnerabilities • Procedures • Equipment • Manpower

  36. Procedures • Procedure Changes Are the Most Cost Effective to Implement • Standard Operating Procedures • Security, Education & Awareness • Conduct Oversight For Compliance • Administer Sanctions

  37. Equipment Equipment as a Countermeasure Could Be Costly From Procurement to Maintenance on the System • Transportation Equipment • Locks • Fences • Safes • Access Control • Closed-circuit TV • Doors

  38. Manpower: Civilian, Military, Contractors, Guards, Police Force • Is Your Program Vulnerability Due to Limited Manpower? • Is an Increase in Manpower Warranted? • Are All Individuals Trained Properly? • Are All Individuals Alert to Their Responsibilities?

  39. Example Written Preliminary Inquiry, Synopsis INCIDENT: Improper marking and safeguarding of classified material PERSON(s) RESPONSIBLE: Joe Doe, Sr. Member Engineering Staff SSN: 123-45-6789, D/POB 02 May 1956, Philadelphia, PA Clearance: SECRET, granted 01 July 2004 LOCATION: Building 123/106 FINDING: On Monday, January 6, 2009, Mr. Tom Thumb, Manager, Project Engineer, advised the writer that Mr. Joe Doe, a Lockheed Martin employee under his supervision, had been storing classified information in an inappropriate manner. Mr. Thumb and Ms. Jane Day, a co-worker, were interviewed. Ms. Day notified Mr. Thumb that she had noticed that Mr. Doe had been keeping notes in an unauthorized file cabinet and thought that the notes contained classified information. Therefore, Ms. Day removed the notes from the unauthorized file cabinet and reviewed them. As she suspected, the notes contained SECRET information. Ms. Day turned the notes over to Mr. Thumb.

  40. Example Written Preliminary Inquiry, Synopsis Mr. Thumb turned the notes over to the writer. The notes were safeguarded in the Information Master Control Center until a complete classification review was conducted by Mr. Sam Smart. On January 7, 2009 Mr. Smart reviewed the notes for classification determination. Mr. Smart found SECRET information on six pages. Mr. Doe was interviewed by the writer and questioned about the notes (see attached statement. This is where you write your interview with the subject and all witnesses. Note: Make sure you obtain a written statement from each person interviewed bearing the date and their signature.)

  41. Example Written Preliminary Inquiry, Synopsis If AIS systems are involved, make sure that you include the ISSO and his/her findings and actions. Identify all contract numbers (Government and subcontracts to Document Control.) In accordance with paragraph 1-303 of the National Industrial Security Program Operating Manual, Mr. Doe is found culpable of the following security violations. List the security violation(s). Failure to safeguard SECRET information. Improper markings, etc.

  42. Example Written Preliminary Inquiry, Synopsis Due to the circumstances and extended period of time, the compromise of classified information cannot be ruled out. This statement is your determination of compromise, suspected compromise, and/or loss of classified information. Report submitted by: Don’t forget to sign and date it. Your Name Today’s Date:

  43. Initial Report, Example of Letter to DSS (Date) (DSS Reps Name) (DSS Reps Address) Subject: Initial Report – Suspected Compromise of Classified Material Dear (DSS Reps Name): In accordance with paragraph 1-303 of the National Industrial Security Program Operating Manual, the following written report is submitted (verbally submitted 01/20/09). Lockheed Martin employee Mr. Jo T. Doe, SSN 123-45-6789, cleared SECRET, 01 Jul 04, D/POB 02 May 1956, Philadelphia, PA was found responsible for the following Security violation. List the violation(s) ///////////////////////////////////////////// /////////////////////////////////////////////

  44. Initial Report, Example of Letter to DSS On January 5, 2009, it was reported to the LM Aero Security Department that Mr. Doe had been storing classified notes in an unapproved container. The attached synopsis describes the events and their circumstances in our conclusion. Due to the circumstances and the extended period of time, the compromise of classified information cannot be ruled out. Mr. Doe worked on the following contracts, ////////////////////////////////, //////////////////////////////// during this period of time. I will advise your office of the disciplinary action taken. Should you have any questions, please contact the undersigned at (your phone number). Sincerely, Your Name Your Title Attachments: As Stated

  45. Final Report, Example of Final Report Letter (Date) (DSS Reps Name) (DSS Reps Address) Subject: Final Report – Joe Doe (01/06/07), suspected compromise Dear (DSS Reps Name): In accordance with paragraph 1-303 of the National Industrial Security Program Operating Manual, the following Final Report is submitted. Mr. Joe Doe received the following disciplinary action for the subject security violation. Mr. Doe was suspended without pay from work for five days beginning April 1 through April 6, 2009. Mr. Doe has received remedial training in his responsibilities as a cleared individual, to include proper handling, safeguarding, storage and destruction of classified media and information.

  46. Final Report, Example of Final Report Letter He will be monitored on a random recurring basis by his supervisor and by a member of the LM Aero Security Staff. Should you have any questions, please contact the undersigned at (your phone number). Sincerely, Your Name Your Title

  47. Culpability Report, Example Letter (Date) Defense Security Service – Columbus Operations PO Box 2499 Columbus, Ohio 43216-5006 Attn: Special Programs Branch Subject: Culpability Report – NISPOM paragraph 1-304 Reference: January 5, 2009 Violation Responsible Individual: DOE, Joseph SSN: 123/45/6789 D/POB: 02 May 1956, Philadelphia, PA Clearance Level/Date: SECRET, 24 JUL 2004 Facility Code: 02769

  48. Culpability Report, Example Letter Gentlemen: In accordance with paragraph 1-304 of the National Industrial Security Program Operating Manual, the following report is submitted. This is where you explain why this individual is culpable. Don’t forget to explain that you have already submitted a report to DSS. Make sure you state if this is a first security violation or what number. Should you have any questions, please contact the undersigned at (your phone number). Sincerely, Your Name Your Title

  49. Keep in Mind! • Security Incidents Cannot Always be Prevented • Don’t be That Proverbial Ostrich and Stick Your Head in the Sand! • The Key is When an Incident Occurs, Take Immediate Control of the Information and Conduct an Assessment to Minimize the Impact of the Incident. • Conduct Reviews & Take Corrective Action to Prevent or Minimize Future Incidents • Remember, an Unreported Security Incident Could Jeopardize the Safety of Our Men and Women Who Defend Our Great Country
