Section Five: Security Inspections and Reviews Note: All classified markings contained within this presentation are for training purposes only.

Upload: osborn-webb

Post on 12-Jan-2016


Page 1: Section Five: Security Inspections and Reviews

Note: All classified markings contained within this presentation are for training purposes only.

Page 2: Security Inspections and Reviews: Purpose

• {Company} is a cleared defense contractor with a {Confidential, Secret, or Top Secret} facility security clearance (FCL)

– As such, we are subject to both scheduled and unscheduled inspections by various government agencies and other entities, including:

    Defense Security Service
    Various Intelligence Community agencies
    Department of Justice
    Corporate Security Audit Team
    Other special customers

• Inspections ensure that security procedures, methods, and physical safeguards are adequate and in compliance with government and/or {Company} security regulations

Page 3: Security Inspections and Reviews: Types

• Government Inspections

– The Security Department continuously works with personnel to prepare for Government inspections:

    Review security container holdings
    Review end-of-day checks
    Closed Area documentation

• Self Inspections

– Go above and beyond Government Inspections to ensure we are meeting all requirements

• Information Systems Security Reviews (included in Government and Self reviews)

– All Classified Information Systems are inspected annually

Note: PII review is a component of all security inspections

Page 4: Security Inspections and Reviews: What should you expect?

• Government inspections include a review of:

– Public Release Reviews
– Subcontractor DD254s
– Consultant Purchase Orders
– Visit Requests
– Courier letters
– Security Containers and Holdings
– System Security Plans
– Audits and Logs

• Interviews with personnel

– Security Container Assessment (if applicable)

Page 5: Security Inspections and Reviews: Types of questions that will be asked

• Have you been involved in a security violation?

• When was the last time you had security education?

• What level of security clearance do you have?

• How do you use your security clearance?

• What is adverse information?

• What are some things that must be reported?

• Who do you report adverse information to?

• Are you part of an end-of-day security check? If yes, do you know what it consists of?

• Have you traveled locally or abroad for {Company}? If yes, did it include hand-carrying classified material?

• Do you know what the classified hand-carrying process is?

Page 6: Security Inspections and Reviews: Information everyone should know

• You are required to obtain and maintain a DoD security clearance while employed at {Company}

• Know your security clearance level

– In process, Interim Secret, Secret, and Top Secret

• Know how you use or can use your security clearance

– Classified activities and work (e.g., classified meetings or presentations, hand-carrying, classified projects, etc.)

– Never say “I do not have a need for my clearance”

• Education is provided daily, weekly, and annually through different means

– Publications, posters, emails, presentations, courses, etc.

Page 7: Security Inspections and Reviews: Records to maintain and have available

• Ensure relevant portions of the System Security Plan (SSP) are available

– Have documentation for the following on hand:

    Profile
    System Requirements Specification (SRS)
    Hardware and software listing (current and past)
    Up-to-date, signed and relevant User Briefing Statements and accounts
    Configuration Management Record
    Audit Log Review
    Hardware sanitization records
    Records of degaussed hard drives
    Seal log

– Copies of the most current accreditation letter and system additions

Page 8: Security Inspections and Reviews: Records to maintain and have available (cont.)

• Auditing

– Know the procedures for log file review and the retention requirements

– Unless otherwise specified and approved in the SSP, weekly audits are required

• Security Seals, Seal Log, and Sign-out Sheet

– Seals must be placed over:

    Laptop hard drives, to prevent tampering and to assist visual inspection
    IR ports and unused network ports

– The Security Seal Log should record the location and serial number of each seal

– A sign-out sheet is used to maintain accountability and must be used for systems with more than one user

• Periods Processing

– Proper start-up and shut-down procedures must be documented and accounted for

• Trusted Downloading

– Users trained and approved for trusted downloading must be identified on the User Briefing Statement

    Listed users may be asked to demonstrate Trusted Downloading

– The specific approved procedures and file types used during Trusted Downloading must be identified within the SSP

Page 9: Security Inspections and Reviews: System Configurations

• Ensure the system is configured as documented in the SSP

– User Accounts

    Delete unnecessary accounts
    Ensure User Briefing Statements are signed by the users of all active accounts
    Verify that no users have passwords set to ‘Never Expire’

– Antivirus

    Definitions must be updated weekly, or monthly at minimum
    Document updates in the configuration record

– BIOS Settings

    Password protect the BIOS
    Boot sequence should be set to boot only from the internal hard drive
    Wireless, Bluetooth, IR and unnecessary ports disabled

– Screensaver

    All systems should have a password-protected screensaver set to automatically engage after 15 minutes of inactivity
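A self-inspection checker for the records and configuration items on pages 8 and 9, added here as an example and not part of the presentation. The inventory dict and its field names are a constructed, hypothetical export format (a real review would pull them from the system's account and configuration records), and the SSP intervals are assumed values, weekly being the slide's stated default.

```python
from datetime import date, timedelta

# Constructed inventory snapshot for one accredited system (hypothetical format).
INVENTORY = {
    "inspection_date": date(2016, 1, 12),
    "accounts": [
        {"user": "jdoe", "active": True, "never_expires": False, "briefing_signed": True},
        {"user": "svc_old", "active": False, "never_expires": True, "briefing_signed": False},
        {"user": "asmith", "active": True, "never_expires": True, "briefing_signed": False},
    ],
    "av_definitions_date": date(2015, 12, 20),
    "last_audit_review": date(2016, 1, 3),
    "screensaver": {"password_protected": True, "timeout_minutes": 20},
    "bios": {"password_set": True, "boot_order": ["internal_hdd"],
             "wireless": False, "bluetooth": False, "ir": False},
    "seals": [{"serial": "S-0001", "location": "laptop HDD bay"},
              {"serial": "S-0002", "location": ""}],
}

# Assumed intervals the SSP states for this system (weekly is the slide's default).
SSP = {"av_update_days": 7, "audit_review_days": 7, "screensaver_minutes": 15}


def check_system(inv, ssp):
    """Return discrepancy strings for the page 8/9 items; an empty list means clean."""
    findings = []
    today = inv["inspection_date"]
    for acct in inv["accounts"]:
        if not acct["active"]:
            findings.append(f"{acct['user']}: inactive account, delete it")
            continue
        if acct["never_expires"]:
            findings.append(f"{acct['user']}: password set to Never Expire")
        if not acct["briefing_signed"]:
            findings.append(f"{acct['user']}: no signed User Briefing Statement")
    if today - inv["av_definitions_date"] > timedelta(days=ssp["av_update_days"]):
        findings.append("antivirus definitions older than the SSP update interval")
    if today - inv["last_audit_review"] > timedelta(days=ssp["audit_review_days"]):
        findings.append("audit log review overdue")
    ss = inv["screensaver"]
    if not ss["password_protected"] or ss["timeout_minutes"] > ssp["screensaver_minutes"]:
        findings.append("screensaver not password protected within the required timeout")
    bios = inv["bios"]
    if (not bios["password_set"] or bios["boot_order"] != ["internal_hdd"]
            or any(bios[p] for p in ("wireless", "bluetooth", "ir"))):
        findings.append("BIOS not locked down as documented in the SSP")
    for seal in inv["seals"]:  # every seal needs both a serial number and a location
        if not seal["serial"] or not seal["location"]:
            findings.append(f"seal log entry incomplete: {seal['serial'] or '?'}")
    return findings
```

Each finding maps to one slide item, so the list doubles as the corrective-action record the self-review methodology on the next page asks for.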

Page 10: Security Inspections and Reviews: Self Inspections

• The Security Department centrally oversees and supports the Self Security Review Program for all {Company} facility activities

– Assess the overall security posture for unclassified and collateral classified programs

– The scope exceeds and offsets government assessment

• Methodology

– Visits and discrepancies are recorded and corrective action is documented

– Examples:

    Self Security Review (industrial and information systems)
    Information System (IS) Review
    Dumpster and Recycle Program Audit
    After Hours Review
    Package Checks and Compliance
    Personally Identifiable Information (PII) Review

Page 11: Security Inspections and Reviews: Self Inspections (cont.)

• Scope:

– Interviews are conducted with personnel to discuss their understanding of security responsibilities

– Refresher briefings provided annually

– Reviews consist of:

    100% classified holding review
    Administrative documentation
    Closed/Restricted Areas documentation and compliance
    IT Compliance
    ITAR
    Workplace Violence
    EOD checks
    Classified and Unclassified systems
    Audit records
    Personally Identifiable Information (PII)