January 31, 2013

Awareness Resource: Customizable Security Guide

Need to provide your workforce a comprehensive online security resource? Don't build from scratch when you could get a fairly extensive version for free. The Defense Personnel Security Research Center (PERSEC) developed a detailed "Online Guide to Security Responsibilities," which is updated to reflect major security policy changes within the Department of Defense. Click on the link to preview it.

A modifiable version is available to download here if you want to tailor it to your specific organization. That's what Wright University did, and you can view their expanded version here.

January 27, 2013

Army Security Incident Process

I had a simple assignment to write about the security incident process for classified material. The teacher was expecting three paragraphs. I found that out after I finalized a 12-page (double-spaced) paper. I ended up redoing my assignment to meet the teacher's expectations, but I couldn't let my lengthy masterpiece go to waste. Oh no! I am bringing it here for YOU!
 
I would like to point out the fact that all information I used for my report is in the public domain.

"Prompt reporting of security incidents ensure that such incidents are properly investigated and the necessary actions are taken to negate or minimize the adverse effects of an actual loss or unauthorized disclosure of classified information..."

We all play a vital role in protecting our national defense information. Sometimes an unfortunate security lapse happens, leaving our nation's sensitive information vulnerable. If you stumble upon a security lapse, what should you do? What happens next? This paper answers these questions by walking through the process from three different perspectives.

 
The individual.
If you suspect a security incident, your first responsibility is to secure the information and limit the potential for further compromise. Compromise is the disclosure of classified information to individuals without the appropriate security clearance, access level, or need to know. The second step is to report. If the incident is on a computer, immediately contact the local help desk. They will ask you basic questions, such as whether the information was e-mailed, downloaded, saved, or printed. This information helps them limit further compromise and network contamination. Ultimately, the incident must be reported to the command security office. From there, the security office will conduct a precursory inquiry, which focuses on ensuring the sensitive information is secured, reviewing the material, and capturing pertinent documents that may assist with potential investigations. This is to occur within the first 24 hours. Based upon the type of information, the Security Office may report the incident to other officials as required. If the information is classified, the Security Office will initiate a preliminary inquiry (PI), which incorporates interviews and analysis of supporting documents. Through this process, the PI investigator will try to determine:

- What happened;

- Whether classified information was disclosed to individuals without valid clearance, access, and need to know (this is a compromise);

- Whether a violation occurred; and

- The root cause of the incident.

To clarify, violations are security incidents that indicate knowing, willful, or negligent disregard of security rules and that result in, or would be expected by a reasonable person to result in, the compromise of classified information.

If the investigator determines there was a possible compromise, a security violation, and/or that an in-depth examination is required, then the command will initiate a formal investigation. This step requires the appointment of a disinterested third-party investigator, who will expand upon what was done during the inquiry. Based on the findings of the inquiry and/or investigation, the security office will work with the chain of command to take appropriate action to prevent future security incidents. This may include changes in security policies, practices, training, or a combination thereof. Any personnel actions resulting from the incident, such as disciplinary actions or central adjudication facility reports, are handled through the appropriate channels.

The Supervisor/Manager.
If your personnel report a security incident to you, ensure they take appropriate steps to secure the information and report it to security. Within the first 24 hours, the security office will conduct a precursory inquiry to capture pertinent documentation and ensure the information is secured while a review is conducted. The review is to determine what type of information was involved, e.g., classified, communications security (COMSEC), For Official Use Only (FOUO), Personally Identifiable Information (PII), or Sensitive Compartmented Information (SCI). Based upon the type of information involved, the Security Office will contact the appropriate office to conduct further inquiries.

- COMSEC incidents are reported to and handled by the COMSEC custodian.

- PII incidents are reported to and handled by the PII Officer.

- Incidents involving FOUO and other restricted unclassified information are reported to and handled by the Operations Security (OPSEC) Officer.

- SCI incidents are reported to and handled by the Special Security Office (SSO).

- Incidents involving NATO information are reported to and handled by the NATO Control Officer.

- Classified information that does not carry any of the above special markings (commonly referred to as collateral classified) is handled by the Security Office.

If the incident falls under the jurisdiction of multiple offices, the Security Office will serve as the coordinator. For classified material, the command will initiate a preliminary inquiry to report:

- What happened;

- Whether classified information was disclosed to individuals without proper clearance, access, and need to know;

- Whether a violation occurred;

- The root cause of the incident; and

- What could prevent a repeat of this incident.

During the preliminary inquiry, an investigator will review the area, access control records, and closed-circuit television footage (if applicable). Additionally, the inquiry requires one-on-one interviews with employees to piece together the details of the incident. While it can be inconvenient, every attempt will be made to limit the potential impact this process may have on mission requirements; however, the investigator needs to complete the inquiry within 10 calendar days. Please encourage your employees to support the process as appropriate. If the inquiry requires interviews of on-site contractors, the investigator will notify the appropriate contracting officer's representative (COR). The inquiry report will be provided to you, the command leadership, and the higher headquarters' security office.

The command will initiate a formal investigation if it is determined during the inquiry that classified information was possibly compromised, a security violation occurred, or an in-depth examination is needed. At this point, the command will appoint in writing a disinterested third party as an investigator to expand on the information obtained during the inquiry. Additional interviews may be required. Based upon the findings and recommendations from the investigation and/or inquiry, the security office, in conjunction with management, will take appropriate action to prevent future security incidents. This could include changes to current security policies, practices, training, or a combination thereof. Any changes will take into consideration the organization's mission and business practices. If warranted, the command, in consultation with security and the personnel office, will decide on appropriate disciplinary personnel actions.

If at any time during the process the security incident is suspected to involve criminal activity or foreign intelligence services, the investigation will be stopped immediately. The incident is immediately reported to the appropriate authority, such as the supporting counterintelligence field office or the Criminal Investigation Command (CID). When this occurs, do not expect to receive regular updates on the investigation. Due to the sensitivity and legal requirements of these types of investigations, updates are on a strict need-to-know basis.

The Security Officer.
When you receive a report of a security incident, you will start a precursory inquiry. This is to determine whether a preliminary inquiry is required and who else needs to know about the incident. Of utmost importance is to limit damage by ensuring the information is secured and accounted for. Ask questions to find out what steps were already taken; gain an overall understanding of what occurred to see if a reasonable person would suspect a compromise; and determine whether outside organizations were involved. If the incident involves computers, you will need to work closely with the help desk and the local Information Assurance Manager (IAM). Gather all pertinent records that may support potential investigations into the security incident to ensure they are not inadvertently destroyed. Review the potentially compromised material to assess what type of information is involved. Based upon the results of the review, report the incident to the appropriate office, since each has additional requirements.

- COMSEC incidents are reported to and handled by the COMSEC custodian.

- PII incidents are reported to and handled by the PII Officer.

- Incidents involving FOUO and other restricted unclassified information are reported to and handled by the Operations Security (OPSEC) Officer.

- SCI incidents are reported to and handled by the Special Security Office (SSO).

- Incidents involving NATO information are reported to and handled by the NATO Control Officer.

In the event the incident includes multiple types of information (e.g., SCI and COMSEC), the Security Office will serve as the command's lead investigation coordinator. The Security Office handles incidents involving collateral classified information. If the information is classified, and you reasonably suspect there is a potential for compromise, you must do the following:

- Inform the original classification authority (OCA) of the potential compromise, and ask them to verify that the information is appropriately classified. If it is appropriately marked, the OCA will need to reassess the sensitivity of the information to determine whether it could be declassified.

- Inform the command about the incident. The process of resolving a security incident can be resource intensive and may hinder mission success.

- If applicable, inform the security office of any outside organization involved in the incident.

- Inform the supervisor or manager of the department that reported the incident.

- Initiate a preliminary inquiry within 24 hours of the incident.

Chapter 10 of Army Regulation (AR) 380-5, Department of the Army Information Security, details the preliminary inquiry process and contains a sample report template. Use this as a guide for conducting the inquiry. While this AR is dated, it remains in effect until the Army issues newer guidance. Also review enclosure 6 of the recent DoDM 5200.01 Volume 3, which references requirements from current legal statutes and executive orders. The general principles of the two references are the same. In the event of discrepancies between them, the general rule of thumb is to apply the most stringent requirement. If in doubt, consult your higher headquarters' security section for clarification. The person appointed to conduct the preliminary inquiry will:

- Hold the appropriate security clearance level.

- Not be involved in the incident.

- Preferably have a security background.

- Preferably not be the command security manager; however, this may occur when other security-trained personnel are not available to conduct the inquiry in a timely manner. (Army, Page 105)

The Security Office provides all necessary support and resources for this person to conduct, within 10 calendar days, a fact-finding inquiry to report:

- What happened;

- What conditions contributed to the incident;

- Who was involved;

- Whether a compromise occurred;

- What information was compromised;

- Whether a violation occurred;

- The root cause of the incident; and

- What practice and procedure changes could prevent a repeat of this incident.

Resources may include, but are not limited to, the documentation you gathered; work space to conduct interviews privately; copies of the appropriate security regulations and policies for reference; and access to the area where the incident occurred. Encourage all involved personnel to work with the investigator by willingly providing information. The investigator will conduct interviews and analyze pertinent documentation to corroborate information and piece together what happened. If interviews with on-site contractors are required, you must inform the appropriate contracting officer's representative (COR). The COR must be informed of all changes to the contractors' work.

The investigator will use the report template in AR 380-5. At a minimum, the report will carry the dissemination restriction "For Official Use Only." In the report, he or she is to provide only facts and may not recommend disciplinary actions. When finished, the investigator will provide the final report to the Security Office for proper dissemination. The results must go to:

- The Command Leadership.

- Higher Headquarters' Security.

- The OCA. This office needs to know whether a compromise happened, so it can conduct a damage assessment.

If the inquiry does not provide adequate results, the command may initiate a formal investigation, for which it will appoint in writing a disinterested third party. The formal investigation requirements come from DoDM 5200.01 Volume 3. This process will expand upon the work done during the inquiry. "As an investigation may lead to administrative or disciplinary action, the evidence developed should be comprehensive in nature and gathered in such a manner that it would be admissible in a legal or administrative proceeding." (DoD, Page 92) The legal office will provide guidance on the proper procedures for conducting an investigation. The Security Office will assume a supporting role.

Based upon the results of the investigation and/or inquiry, you may need to change local security practices, update procedures, develop new awareness material, or a combination thereof. If the information was compromised, you may need to conduct debriefings. The Commander will decide the appropriate disciplinary personnel actions with input from the personnel office, legal, and security. If a compromise or violation occurred, the Commander must decide whether to locally suspend the access of the individual(s) responsible. Regardless of whether access is suspended, you must submit a derogatory report on the individual to the proper central adjudication facility (CAF). Any actions taken by the CAF, such as revoking a clearance, are separate from any personnel disciplinary actions.

If at any time during the entire process criminal or foreign intelligence service (FIS) activity is suspected, stop all investigations. Report and turn over the case to the appropriate authorities. The Criminal Investigation Command (CID) handles criminal cases. The local counterintelligence field office handles FIS cases. Once one of these agencies takes over the case, you will receive limited updates, if any. Information about ongoing investigations is strictly limited due to legal ramifications and the potential for compromising the investigation.