February 12, 2013

Creating Real Security Awareness: STEP 3

This is the fourth installment in our Create Real Security Awareness series.

Step 3: Research. 

For me, this step sparks my creative side. When I go into this mode, it looks like a whirlwind of activity, but there is some structure to my madness. My research breaks down into two categories: 1) Communication methods, and 2) Material.

1) Communication methods. This category is primarily researching what communication platforms you have available. Below are some sample questions you may want to answer during your research. 

- Do I have a budget, and how much?
- What are my imposed constraints (e.g., no mandatory briefings, no budget)?
- What are some platforms I could use to disseminate my message?
- What resources do I have available?

2) Material. This category is to find information that you will use in your awareness campaign. Three main questions you want to answer for this category are:

- Where does the requirement come from? Determine if it is a legal or local requirement. If I am having problems with people following a security rule, I like to show how it stems from a legal requirement. By doing this, I show them I didn't make this crap up!

- Why does the audience need to know this information? I call this the "so what" factor. People are not going to listen if they do not think the information is relevant to them, regardless of how interesting you think it is.

- What are some examples demonstrating the requirement and why it is important? Try to use real-life examples. People have a tendency to view security officials as a paranoid bunch that thinks the sky is falling. My typical response is "Just because you don't think they're after you, doesn't mean it's true." Seriously, try to use real-life examples to demonstrate that it is not your paranoia.

Some other research tips
Ensure you use credible sources and corroborate the information from different ones. You are basing your credibility on the sources you use. Try to summarize the information as much as possible. Typically your audience will not be interested in the minute details.

 When possible, get a dead guy quote from a historical figure. The audience will find it more inspirational than you. Don't believe me? Let's conduct a little experiment.

What is more inspirational?
A. "Information is the currency of democracy."
   - President Thomas Jefferson

B. "Our information is important."
   - Security Officer

For some reason, an American Founding Father seems far more interesting than a security officer. Sorry, but you are no match. To further drive my point home, here is another set. What is more inspirational?

A. "The opportunity to secure ourselves against defeat lies in our own hands..."
   - Sun Tzu, Art of War

B. "We hold the keys to security."
   - Security Officer

Regardless of how smart you are, you are not famous, so what you say does not really matter. No offense, but famous dead guys come across as more insightful than you do. Nobody quotes the security officer; however, you quoting a famous dead guy makes you a genius!


February 10, 2013

Data Aggregation vs. Election Financial Disclosure

In a highly interconnected and information-driven world, data aggregators pose a risk to individual privacy. The aggregators quickly scour the Internet, collecting innocuous bits of information, and build an individual's composite. This dossier may or may not be 100 percent updated and accurate. Typically data aggregators do not list their sources, so the information’s credibility is questionable. Additionally, individuals are not aware of the information within their profile. How is the data verified for accuracy? If it could be verified, how could the person correct false or outdated information? Unfortunately, the information could be used for other purposes.

Donor information of a controversial measure overlaid on a Google map.

In a recent California election, one ballot measure, Proposition 8, asked voters a question on marriage. Donors to the Prop 8 campaign found that their names, addresses, and amount of contribution were matched up with Google Maps and thus rendered into a format showing the world a map image of donors’ names, street addresses, and dollar contributions. The data came from public records under the election financial disclosure laws, but were still quite inconvenient to access.

Data aggregators create the potential for hostile political environments, particularly with controversial issues. In our example, the opposition used voter intimidation tactics to scare supporters, which ultimately undermines our democratic processes. How do we maintain election financial disclosure to ensure our process is not corrupted, while protecting people from voter intimidation?

Associated Press. (2009, Jan 10) Prop 8 supporters file suit after threats. Retrieved from http://www.cbn.com/cbnnews/us/2009/January/Prop-8-Supporters-File-Suit-After-Threats-/

Stone, B. (2009, Feb 7) Prop 8 donor web site shows disclosure law is 2-edged sword. Retrieved from http://www.nytimes.com/2009/02/08/business/08stream.html?_r=0

February 2, 2013

Basic User Info: Protecting Classified Documents

Today’s post is a short overview of the importance and the requirements of protecting classified information. This refresher will remind you about simple steps to protect our classified material.

Classified information is information sensitive to our national defense. If it fell into the wrong hands, the compromise would cause damage to our collective national security. Due to the high sensitivity of classified material, we have various legal security requirements to protect it. Our local security policies, procedures and practices implement these requirements. Despite popular belief, they are not created to be an annoyance, or a hindrance to you. They are focused on protecting our national defense information.

Protecting classified information from unauthorized disclosure is everybody’s responsibility, and you readily accepted this when you signed your nondisclosure agreement. Fortunately, you do not need a security degree to carry out your responsibility. Here, I will list some simple security procedures to protect classified material.

Before spinning the lock dial to open the security container, make sure you have a secure environment. This incorporates:
  • Locking entry points to prevent unauthorized individuals from walking in and visually seeing the information;
  • Covering windows by lowering blinds or closing curtains to prevent people from outside seeing the material; and
  • Ensuring unauthorized individuals are not in the secure area.

Magnetic "OPEN/CLOSED" sign

SF 702 Security Container Check Sheet
Learn how to fill one out in our SF 702 post.

When opening the security container, fill out the SF 702, Security Container Check Sheet, as pictured to the right; and flip the magnetic "OPEN/CLOSED" sign, such as the one shown here, to "OPEN." The SF 702 assists security officials with assessing container maintenance requirements based on usage, and helps with security incident investigations.

The “OPEN/CLOSED” magnetic sign visually reminds you, the user, that the container is unsecured. Classified material not in locked security containers must be under continual visual surveillance by a cleared individual. Don’t let it out of your sight. By using cover sheets on the classified documents taken out of the security container, you make it easier to visually track the documents. These vibrantly colored cover sheets are designed to help you quickly identify classified documents, make it difficult to misplace them, and help prevent you from causing a security violation.
Classified Cover Sheets

 When you are done with the material, promptly return it to the security container. Before locking the container, thoroughly inspect the workspace to ensure you did not inadvertently misplace any classified material. Only lock the container when you are confident all documents were returned. Take the extra two seconds to confirm the container is secure by firmly pressing down on the handle. Do not forget to fill out the SF 702, and flip the “OPEN/CLOSED” sign back to “CLOSED.”  If possible, have another cleared individual double check your process.

The daily end-of-day checks are another security procedure to ensure classified material is secure. Before leaving the office, the last person will:

  • Check the security containers are locked;
  • Visually inspect copiers, waste bins, printers, and workspaces for classified documents; and
  • Check all major entry points, such as doors and windows, are locked.

The SF 701, Activity Security Checklist, posted at the main entrance, serves as a visual reminder of this requirement and provides a checklist of the items the last person is supposed to do.

In conclusion, we each have a responsibility to protect our sensitive national defense information. Our security policies and procedures were designed to provide simple steps to prevent unauthorized disclosure. If at any time you are unsure how to properly handle classified material, don’t guess; contact your Security Office. They are here to support you. When it comes to security, the only dumb question is the one never asked.