Section Five: Security Inspections and Reviews Note: All classified markings contained within this presentation are for training purposes only.
{Company} is a cleared defense contractor with {Confidential, Secret, or Top Secret} facility security clearance (FCL) – As such, we are subject to both scheduled and un-scheduled inspections by various government agencies and other entities to include: Defense Security Service Various Intelligence Community Agencies Department of Justice Corporate Security Audit Team Other special customers Inspections ensure that security procedures, methods, and physical safeguards are adequate and in compliance with government and/or {Company} security regulations Security Inspections and Reviews Purpose
Government Inspections – The Security Department continuously works with personnel to prepare for Government inspections Review security container holdings Review end-of-day checks Closed Area documentation Self Inspections – Go above and beyond Government Inspections to ensure we are meeting all requirements Information Systems Security Reviews (Included in Government and Self reviews) ‒All Classified Information Systems inspected annually Note: PII review is a component of all security inspections Security Inspections and Reviews Types
Security Inspections and Reviews What should you expect? Government inspections include a review of: – Public Release Reviews – Subcontractor DD254s – Consultant Purchase Orders – Visit Requests – Courier letters – Security Containers and Holdings – System Security Plans – Audits and Logs Interviews with personnel – Security Container Assessment (if applicable)
Have you been involved in a security violation? When was the last time you have had security education? What level security clearance do you have? How do you use your security clearance? What is adverse information? What are some things that must be reported? Who do you report adverse information to? Are you part of an end-of-day security check? If yes, do you know what it consists of? Have you traveled locally or abroad for {Company}? If yes, did it include hand-carrying classified material? Do you know what the classified hand-carrying process is? Security Inspections and Reviews Types of questions that will be asked
Security Inspections and Reviews Information everyone should know You are required to obtain and maintain a DoD security clearance while employed at the {Company} Know your security clearance level – In process, Interim Secret, Secret, and Top Secret Know how you use or can use your security clearance – Classified activities and work (i.e., Classified meetings or presentations, hand-carrying, classified projects, etc.) – Never say “I do not have a need for my clearance” Education is provided daily, weekly, and annually through different means – Publications, posters, s, presentations, courses, etc.
Ensure relevant portions of System Security Plan (SSP) are available – Have documentation for the following on hand Profile System Requirements Specification ( SRS) Hardware and software listing (Current and Past) Up-to-date, signed and relevant U ser Briefing Statements and accounts Configuration Management Record Audit Log Review Hardware sanitization records Records of degaussed hard drives Seal log – Copies of the most current accreditation letter and system additions Security Inspections and Reviews Records to maintain and have available
Auditing ‒Know procedures for log file review and retention requirements ‒Unless specified and approved in the SSP, weekly audits are required Security Seals, Seal Log, and Sign-out Sheet –Seals must be placed over –Laptops hard drive to prevent tampering and to assist visual inspection –IR ports and unused network ports –The Security Seal Log should record location and serial number of the seal –Sign-out sheet used to maintain accountability and must be used for systems with more than one user Periods Processing –Proper start-up and shut-down procedures must be documented and accounted for Trusted Downloading –Users trained and approved for trusted downloading must be identified on the User Briefing statement Listed users may be asked to demonstrate Trusted Downloading –Specific approved procedures and file types used during Trusted Downloading must be identified within the SSP Security Inspections and Reviews Records to maintain and have available (cont.)
Ensure system is configured as documented in SSP – User Accounts Delete unnecessary accounts Ensure User Briefing Statements are signed by the users of all active accounts Verify that no Users have passwords set to ‘Never Expire’ – Antivirus Definitions must be updated weekly or monthly at minimum Document updates in configuration record – BIOS Settings Password protect Boot sequence should be set to only boot from the internal hard drive Wireless, Bluetooth, IR and unnecessary ports disabled – Screensaver All systems should have a password protected screensaver set to automatically engage after 15 minutes of inactivity Security Inspections and Reviews System Configurations
The Security Department centrally oversees and supports the Self Security Review Program for all {Company} facility activities ‒Assess the overall security posture for unclassified and collateral classified programs ‒The scope exceeds and offsets government assessment Methodology ‒Visit and discrepancies recorded and corrective action documented ‒Examples: Self Security Review (industrial and information systems) Information System (IS) Review Dumpster and Recycle Program Audit After Hours Review Package Checks and Compliance Personally Identifiable Information (PII) Review Security Inspections and Reviews Self Inspections
Scope: ‒Interviews are conducted with personnel to discuss their understanding of security responsibilities ‒Refresher briefings provided annually ‒Reviews consist of: 100% classified holding review Administrative documentation Closed/Restricted Areas documentation and compliance IT Compliance ITAR Workplace Violence EOD checks Classified and Unclassified systems Audit records Personally Identifiable Information (PII) Security Inspections and Reviews Self Inspections (cont.)