August 23, 2014

Free resources for tailored security awareness products

Hey security officers, you can create tailored security awareness products for FREE!

Over the years I learned to become crafty in coming up with tailored security awareness material without a budget to rely upon. Considering previous security inspectors routinely applaud  my initiatives and ask to use my material, I think I may have become pretty good at it. Not to toot my own horn or anything.

Lately I have been using publicly available resources to develop new security awareness posters. Below is a great example of what I have been able to freely create.

Before editing
After editing

I legally took a free picture from the creative common domain, meaning I have permission to modify and use for commercial purposes. That's right, no copy right restrictions. Then I modified the photo online in a free photo editor. You can see a significant difference between the before and after.

You can come up with great posters too with just some a little bit of time and some of the sites below.

Free High Quality Photos
As the old cliche goes, a picture is worth a thousand words, and the right one could do wonders for adding an extra pizzazz to your security awareness program. The sites below provide images without any restrictive licenses, so you can freely use them.

 (Psst!...As a side note, the images from these sites also make a great substitute for the cheesy clip art images typically found in security briefings. It's just an idea to freshen up other aspects of your program.)
Great image on Pixabay that could be
used for an Internet security poster

Pixabay. This site let's you search beautiful FREE images using key words. You can also see editors' choice and view the recently uploaded photos. With multiple users continually uploaded their amazing photos, you'll never run out of selection. I frequently use this one site for pictures. Site: 

Unsplash. Free high resolution images you can use. This site doesn't have an easy search function, but they consistently add stunning photos that may inspire a new poster. Site:

Public Domain Archive image.
Let security be your guiding light!
Public Domain Archive. I think the opening statement on the site defines it well, "everything you need for your creative projects, all public domain images!" The ``site is primarily ran by one guy trying to archive all high resolution images in the public domain.You're encouraged to use the photos to create something new, but the selection is currently limited. Site: 

New Old Stock. This site provides vintage images from the public archives, so they are free from copyright restrictions. If you're looking to provide a more historical feel, this site probably has the right photo for you! Site:

SplitShire image.
Great for travel briefing reminder
SplitShire. As the site says, "Made in Italy with Love...Free Stock Photos." A graphic designer and photographer based in Italy shares his personal images for you to freely use for personal or commercial purposes. The only thing he asks in return is to spread the word about his site. It is certainly worth a look. Site: 

I'm certain there are other sites that offer high resolution photos that you can freely use without fear of violating some copyright rule. If you know of one I didn't list, please drop a note in the comments.

Photo Editor
The online photo editor I'm in love with right now is PicMonkey. I've been using this site to edit the photos I find to create one of a kind security posters. It is very user friendly and I love playing with the different features. You can also create overlays and collages in addition to just touching up and editing photos. PicMonkey does have a paid service, but for the example above I purely used the free version. Did I mention that I am NOT a graphic designer? That's right, I'm able to create beautiful security posters that look like I have some type of professional training. Pretty cool, huh?

This goes to show you that you don't need to have a big budget to have tailored security awareness products for your program. Honestly the hardest part in the whole process is deciding what to type on the poster. The only thing limiting you is your time and creativity.

You can check out other Security Checks Matter designed photo in the SCM Designed Poster tab.

August 19, 2014

Football related security posters

I have a little confession.

I LOVE Football!
I am so giddy with excitement over the fact that the official NFL season is almost here. It's been a long off season. The preseason is nice, but we all know it means nothing. Wins in the preseason are like points on the show Who's line is it anyways?. They don't matter.

In celebration for the upcoming kick off, I gathered up our football related security posters from our collection including a couple of new ones made by Security Checks Matter . Mix in one or two of these into your security awareness program to catch the eye of the football fans and give them a little security reminder.

practice your security process and procedures

Like the winning touchdown in a football game security is a team effort
Delivery is risky business get a courier briefing
Protect your signals practice OPSEC

protect your signals

Safeguard valuable assets

August 15, 2014

SPeD Certification: General

These questions are intended to be used as a study guide for security professionals going for their SPeD certification. These are NOT actual questions from the test.

Identify the three core components of the risk assessment process.
  • Asset criticality
  • Threat assessment
  • Vulnerability assessment
List the five steps in the DoD risk management model.
  • Assess assets
  • Assess threats
  • Assess vulnerabilities
  • Assess risks
  • Determine countermeasures
What elements should a security professional consider when assessing and managing risks to DoD assets?
  • Asset
  • Threat
  • Vulnerability
  • Risk
  • Countermeasure
What are four principle incidents/events required to be reported to DoD CI organizations?
  • Espionage
  • Sabotage
  • Terrorism
  • Cyber
What are the different types of assets?

  • People
  • Information
  • Equipment
  • Facilities
  • Activities
  • Operations

What are indicators of insider threat?
  • Failure to report overseas travel or contact with foreign nationals
  • Seeking to expand access outside scope of job
  • Engaging in classified conversations without need to know
  • Working hours inconsistent with job assignment or insistence on working in private
  • Exploitable behavior traits 
  • Repeated security violations
  • Attempting to enter areas not granted access to
  • Unexplainable affluence/living above one's means
  • Anomalies
  • Illegal downloads of information/files
What are the different types of security briefings used to help manage risk to DoD assets?
  • Initial orientation
  • Annual refresher
  • Threat awareness
  • Foreign travel
  • Special training requirements
  • Derivative classification
  • Original classification authority (OCA)
  • Declassification authority
  • Debriefings
  • Termination briefings
What are some elements that should be considered in identifying critical program information?
  • Cause significant degradation in mission effectiveness
  • Shorten the expected combat-effective life of the system
  • Reduce technological advantage
  • Significantly alter program direction
  • Enable an adversary to defeat, counter, copy, or reverse-engineer the technology or capability
Describe the security professional's role in handling a security incident.
  • Secure
  • Safeguard
  • Report
  • Inquire
  • Investigate
  • Recommend
Define the difference between a security infraction and a security violation.
An infraction cannot reasonably be expected to and does not result in the loss, compromise, or suspected compromise of classified information; whereas a violation does result in a or could be expected to result in the loss or compromise of classified information.

Describe how the roles of the security professional and the information assurance (IA) professional differ in regard to protecting DoD classified information on information technology (IT) systems.
The IA professional must ensure that all DoD information systems maintain appropriate, confidentiality, and non-repudiation in order to protect and defend DoD information and networks. They must also ensure the systems are certified and accredited. The security professional coordinates with the IA professional during the C&A process. The security professional must be aware of the nature, scope, and schedule of ongoing C&A activities within a given organization, in order to provide timely and relevant classification management direction and to ensure the physical environment is properly secured and accredited for the operations planned and that users are properly cleared and have all requisite access in time to support the mission.

What is the definition of critical program information in DoD?
US capability elements that contribute to the warfighter's advantage throughout the life cycle, which, if compromised or subject to unauthorized disclosure, decrease the advantage. Elements or components of a Research, Development, and Acquisition (RDA) program that, if compromised, could cause significant degradation in mission effectiveness; shorten the expected combat-effective life of the system; reduce technological advantage; significantly alter program direction; or enable an adversary to defeat, counter, copy, or reverse engineer the technology or capability. Includes information about applications, capabilities, processes and end-items. Includes elements or components critical to a military system or network mission effectiveness. Includes technology that would reduce the US technological advantage if it came under foreign control.

August 11, 2014

SPeD Certification: Information Security

These questions are intended to be a study guide for security professionals going for their SPeD certification. These are NOT actual questions from the test.

List the three main policies that govern the DoD Information Security Program.
  • EO 13526
  • ISOO 32 CFR Parts 2001 and 2003
  • DoD Manual 5200.01, Volumes 1-4
List the different types of threats to classified information.
  • Insider threat
  • Foreign intelligence entities
  • Cybersecurity threat
What must an "authorized person" have before being granted access to classified information?
  • Favorable determination of eligibility for access
  • Need to know
  • Signed SF 312, Nondisclosure Agreement
What is the purpose of marking documents?
To quickly alert holders of information requiring safeguarding.

What is original classification information?
Original classification is an initial determination made by an original classification authority that information requires, in the interest of national security, protection against unauthorized disclosure.

What are the classification duration options for original classified information?
  • Less than 10 years
  • 10 years
  • 25 years
  • 50x1-HUM
  • 50x2-WMD
  • 25x
Define derivative classification.
Incorporating, paraphrasing, restating, or generating in a new form, information that is already classified and marking the newly developed material consistent with the markings that apply to the source information.

List three authorized sources of security classification guidance that could be used in the derivative classification process.
  • Security classification guide (preferred source)
  • Properly marked source document
  • Contract security classification specification
How does the lack of attention to the concept of compilation introduce risks to DoD assets?
A lack of attention could cause:

  • accidental unauthorized disclosure
  • misclassification
  • security violation
  • improper safeguarding
  • improper dissemination
  • improper handling
  • improper destruction

What is "For Official Use Only" (FOUO) information?
Unclassified information protected from public disclosure since it falls within one of the nine Freedom of Information Act (FOIA) exemptions.

List the different types of approved classified material storage areas.
  • GSA-approved storage containers
  • Vaults
  • Open Storage area
What labels must be displayed on a GSA-approved security container to store classified
  • GSA-approved label
    • Indicates GSA tested and certified the container
    • Containers manufactured after October 1990, label is silver with red lettering
    • Containers manufactured before October 1990, label is either silver with black lettering or black with silver lettering
    • Displayed on face container 
  • Test certification label
    • Displayed on control door's external side
    • Identifies the container class, as well as the amount of time the container protects against forced, covert, and surreptitious entry
  • Cabinet identification label
    • Displayed on control door's external side or inside face of vault door
  • Number label
    • Container serial number
    • Displayed on container front face
  • Warning label
    • Warns against unapproved container modification
    • Displayed on control drawer internal top or vault door internal side
    • On containers manufactured in April 2007 or later

What forms are required for every storage container and what are their purposes?

  • Standard Form (SF) 700: Security Container Information. Contains pertinent security container information, especially the contact information of individuals who should be contacted if the container is found unsecured.
  • SF 701: Activity Security Checklist. Records and reminds of the required end-of-day security checks. If multiple containers are located in one area, a single SF 701 may be used for the area.
  • SF 702: Security Container Check Sheet. Records the opening and closing; tracks usage; and assists security officials into security inquiries.

Besides the labels and forms, what other sign do security containers require?
 An open and close sign. The free DoD Lock magnetic "open/close" signs are preferred.

What are the supplemental controls required for Top Secret material stored in an approved secure room?

  • Room protected by an intrusion detection system (IDS)
  • If there is security-in-depth, response time requirement to an IDS alarm is within 15 minutes
  • If the room is not protected using security-in-depth, the response time requirement to an IDS alarm is within 5 minutes

What are the supplemental controls required for the protection of Top Secret material stored in security containers?

  • Continuous protection by a cleared guard or duty personnel
  • Inspection of the container by a cleared guard or duty personnel every 2 hours
  • IDS with a 15 minute response
  • Security-in-depth using a GSA-approved container equipped with a GSA-approved lock

What are the supplemental controls required for the protection of Top Secret material stored in vaults?

  • If protected using security-in-depth, required response time to an IDS alarm is within 15 minutes
  • If not protected using security-in-depth, required response time to an IDS alarm is within five minutes

What are the supplemental controls required for the protection of Secret material stored in a secure room?

  • Continuous protection by a cleared guard or duty personnel
  • Inspection of the container by a cleared guard or duty personnel every four hours
  • IDS with a 30 minute response time

 List transmission and transportation requirements that help manage risks to DoD assets.
  • Safeguarding
  • Briefings
  • Documentation
  • Personal control
  • Utilizing proper methods of transmission/transportation based on classification level 
  • Intended recipient(s) have proper clearance/eligibility, need to know (or access), and capability to properly store classified information
List types of safeguarding procedures for classified information.
  • Proper storage
  • Proper handling
  • Approved disposition
  • Proper transmission/transportation methods
  • Receipt use, when required
  • Forced entry protection
  • dissemination
  • physical security measures
  • technical, administrative, and personnel control measures
  • Develop emergency plan
Define unauthorized disclosure.
Communication or physical transfer of classified or controlled unclassified information to an unauthorized recipient.

List approved disposal and destruction methods used for DoD classified information.
  • Cross-cut shredding
  • Burning/incinerating
  • Pulverizing
  • Disintegrating
  • Mutilating
  • Degaussing
  • Chemical decomposition
  • Special burn
  • Wet pulping
  • Overwriting
  • Sanding
  • Physical destruction

August 8, 2014

SPeD Certification: Special Access Program (SAP)

English: At sea aboard USS Kitty Hawk (CV 63) ...
Photo credit: Wikipedia
These questions are intended to be a study guide for security professionals going for their SPeD certification. These are NOT actual questions from the test.

What is a Special Access Program (SAP)?
A program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level.

List some responsibilities of the Government SAP Security Officer/Contractor Program Security Officer (GSSO/CPSO).

  • Possess a personal clearance and program access at least equal to the highest level of program classified information involved.
  • Provide security administration and management for his/her organization.
  • Ensure personnel processed for access to a SAP meet the prerequisite personnel clearance and/or investigative requirements specified.
  • Ensure strict adherence to the NISPOM, supplement, and the Overprint
  • Establish and oversee a classified material control program for each SAP
  • Conduct an annual inventory of accountable classified material
  • Establish and oversee a visitor control program
  • Monitor reproduction and/or duplication and destruction capability of SAP information
  • Ensure adherence to special communications capabilities within the SAP Facilities (SAPF)
  • Provide for initial program indoctrination of employees after their access is approved, rebrief, and debrief personnel as required
  • Establish and oversee specialized procedures for the transmission of SAP material to and from program elements
  • Establish security training and briefings specifically tailored to the unique requirements of the SAP
  • Ensure contractual specific security requirements such as TEMPEST and OPSEC are accomplished.
List three categories of SAPS.
  • Acquisition
  • Intelligence
  • Operations and support
What are some enhanced security requirements for protecting SAP information?
  • Access rosters
  • Billet structures
  • Indoctrination agreement
  • Clearance based on an appropriate investigation completed within the last 5 years
  • Individual must materially contribute to the program in addition to having the need to kno
  • All individuals with access to SAP are subject to a randcom CI-scope polygraph examination
  • Polygraph examination, if approved by the DepSecDefm may be used as a mandatory access determination
  • Tier review process
  • Personnel must have a secret or top secret clearance
  • SF 86 must be current within one year
  • Limited access
  • Waivers required for foreign cohabitants, spouses, and immediate family members
  • Access control
  • Maintain a SAPF
  • Have unclassified nickname/codeword

August 6, 2014

SPeD Certification: Physical Security

These questions are intended to be a study guide for security professionals going for their SPeD certification. These are NOT actual questions from the test.

What regulation(s) cover the DoD Physical Security Program?
DoD 5200.08-R

Describe the security-in-depth concept.
Layered and complementary security controls sufficient to deter, detect, and document unauthorized entry and movement within an installation or facility.

What are some physical security threats?
  • Foreign intelligence services
  • Foreign military and paramilitary forces
  • Terrorists and saboteurs
  • Criminals
  • Protest groups
  • Disaffected persons
What is the purpose of perimeter barriers?
They define the physical limits of an installation, activity, or area, restrict, channel, impede access, or shield activities within the installation from immediate and direct observation.

Explain how visitor identification control methods are used to effectively control access to facilities.
Visitor control ensures that only authorized personnel and materials enter and exit from an installation or facility by identifying, verifying, and authenticating.

Explain why access control measures are contingent on threat levels.
Based upon threat levels, commanders or directors are responsible for enhancing access control measures to their installation and facilities.

What is the difference between physical security surveys and physical security inspections?
A physical security survey is a formal, recorded assessment of an installation's overall security program; whereas a physical security inspection is a formal, recorded compliance of physical procedures and measures implemented by a unit or activity to protect its assets.

Who makes the determination of when physical security surveys and inspections are required?
DoD Component Commanders

What are some physical security measures?
  • Barriers
  • Fencing
  • Clear zones
  • Signage
  • Lighting
  • CCTV
  • IDS
  • Access control
  • Screening equipment
  • Security forces/guards
  • Security containers
What are different category types of barriers?

  • Active
  • Passive
  • Manmade
  • Nature

What are the DoD requirements for chainlink fences?

  • 9 gauge galvanized steel
  • 6 feet tall
  • 2 inches diamond mesh
  • No more than 2 inch gap between the ground and the bottom of the fence

What is the purpose of intrusion detection systems?
To detect unauthorized penetration into a secured area

What are some things that security lighting should do?
  • Discourage/deter entry attempts
  • Make detection likely
  • Prevent glare for guards
  • Not interfere with CCTV or other monitoring systems
What's the purpose of security lighting?

  • deters unauthorized entry
  • detects intruder
  • incapacitates intruders (glare lighting)

What are four categories of lighting?

  • Continuous
  • Emergency
  • Standby
  • Movable 

What are some vault door construction requirements?
  • Constructed of metal
  • Hung on non-removable hinge pins or interlocking leaves
  • Equipped with a GSA-approved three position combination lock
  • Emergency egress hardware

August 5, 2014

SPeD Certification: Personnel Security Questions

These questions are intended to be a study guide for security professionals going for their SPeD certification. These are NOT actual questions from the test.

What regulation(s) cover the Personnel Security Program (PSP)?
What are the types of initial personnel security investigations and to whom do they apply?
  • SSBI: For military, DoD civilian, and contractor applying for a top secret clearance.
  • ANACI: DoD civilian applying for a secret clearance.
  • NACLC: For military and contractors applying for a secret clearance.
  • NACI: DoD civilian and contractor in a position of trust or general access to installations.

List three DoD position sensitivity types and their investigative requirements.
  • Special Sensitive: SSBI, SSBI-PR, PPR
  • Critical sensitive: SSBI, SSBI-PR, PPR
  • Non-critical sensitive: ANACI, NACLC
  • Nonsensitive: NACI
List three factors that should be considered when determining position sensitivity.
  • Level of access to classified information
  • IT level needed
  • Duties associated with position
When should a position be categorized as Special Sensitive?
A position should be considered Special Sensitive if it involves:
  • Access to SCI information
  • Access to unique or uniquely productive intelligence sources or methods vital to the US security
  • Positions that could cause grave damage and/or compromise technologies, plans, or procedures vital to the strategic advantage of the US
(Source: DSS CDSE Supervisor Role in Personnel Security job aid)

When should a position be categorized as Critical Sensitive?
The position should be designated as Critical Sensitive when the job involves:
  • access to Top Secret information
  • duties under special access programs
  • Information Technology
(Source: DSS CDSE Supervisor Role in Personnel Security job aid)

What is the purpose of due process in the Personnel Security Program (PSP)?
Ensures fairness by providing the subject the opportunity to appeal an unfavorable adjudicative determination.

List the key procedures for initiating Personnel Security Investigations (PSI).
  • Validate the need for an investigation
  • Initiate in e-QIP
  • Review personnel security questionnaire )PSQ) for completeness
  • Submit electronically to OPM
Explain how the adjudication process contributes to effective risk management of DoD assets.
It ensures that, based upon all available information, an individual's loyalty, reliability, and trustworthiness are such that entrusting assigned persons with eligibility to classified information or sensitive duties is in the best interest of national security.

Explain how effective implementation of the continuous evaluation process contributes to management of risks to DoD assets.
It ensures that individuals with national security eligibility and access are continuously assessed through utilization of accessible databases and other lawfully available information; continue to meet adjudicative standards; and that any issues that may arise are promptly reported.

Describe the difference between revocation and denial in personnel security program
Revocation: A current security eligibility determination is rescinded.
Denial: An initial request for security eligibility is not granted.

Describe the purpose of a Statement of Reason (SOR).
The purpose of the SOR is to provide a comprehensive and detailed written explanation of why a preliminary unfavorable adjudicative determination was made.

List the adjudicative guidelines.

List  individuals in the PSI process and describe their role.
  • Security manager: initiates, reviews, forwards investigation to investigation service provider (ISP)
  • Subject: completes forms and provides additional information
  • Investigator: conducts PSI
  • Adjudicator: determines eligibility for National Security access
Describe the function of e-QIP in the PSP.
  • Initiate investigations
  • Complete forms
  • Forward forms to ISP

List indicators of insider threat.
  • Failure to report overseas travel or contact with foreign nationals
  • Seeking to expand access outside scope of job
  • Engaging in classified conversations without need to know
  • Working hours inconsistent with job assignment or insistence on working in private
  • Exploitable behavior traits (something they could be blackmailed for)
  • Repeated security violations
  • Unexplainable affluence/living above one's means
  • Illegal downloads of information/files
Briefly describe the concept of insider threat.
An employee who may represent a threat to national security. These threats encompass potential espionage, violent acts against the government or the nation, and unauthorized disclosure of classified information, including the bast amounts of classified data available on interconnected US government computer networks and systems.