Sam DeSante Manager, Security Administration Lockheed Martin Aeronautics Security Incidents

VIOLATIONS AND COMPROMISES - jsac-dfw.org

Dec 31, 2021

Page 1: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Sam DeSante

Manager, Security Administration

Lockheed Martin Aeronautics

Security Incidents

Page 2: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Categories Of Security Incidents

• Security Violations

• Security Infractions

• Inadvertent Disclosure

Page 3: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Security Violation

• Any Loss, Compromise or Suspected Compromise of Classified Information Foreign or Domestic

• Any Knowing, Willful, or Negligent Action

– That Could Reasonably be Expected to Result in an Unauthorized Disclosure of Classified Information

Page 4: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Examples Of Loss, Compromise, Or Suspected

Compromise Of Classified Information

• Unclassified Information Sent or Received Across the Internet That is Determined to be Classified at a Later Time

• A Closed Area That is Not Attended and the Alarm is Not Activated

• Classified Documents Left in a Non-secure Area

• Classified Material Hand Carried Off the Facility Complex Without Being Properly Packaged and/or Controlled

• Closed a Security Container or Closed Area, But Failed to Spin the Spin Dial Lock

• Processing Classified Information on a Non-accredited Information System

• Weekly Audits Not Conducted on an Accredited Information System

Page 5: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Infraction

• Incidents That Do Not Involve the Loss, Compromise, or Suspected Compromise of Classified Information

• These Are Also Known as Administrative Deficiencies or Practices Dangerous to Security

Page 6: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Examples Of Infractions

• Not Using Cover Sheets

• Not Applying Media Stickers

• Not Utilizing the Open/Close Logs

• Not Applying Warning Notice on the Inner Envelope

• Not Marking Paragraphs

• Note That Incidents May Very Well Start as Infractions and Result in Violations, I.E., Not Applying a Media Sticker on a Classified Disk and Inserting it Into an Unclassified System

Page 7: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Inadvertent Disclosure

• Involuntary Unauthorized Access to Classified Information

• This is Still a Violation and Requires All Applicable Reports

Page 8: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Examples Of Inadvertent Disclosure

• Fire Department/EMT Personnel in an Area That is Not Sanitized

• Repair/Janitorial Personnel in Area That is Not Sanitized

• The Individual Gains Involuntary Unauthorized Access to Classified Information

Page 9: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Compromise

• An Unauthorized Disclosure of Classified Information

“A Communication or Physical Transfer of Classified Information to an Unauthorized Recipient”

Page 10: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Examples

• Information is Found and Returned From an Unauthorized Recipient

• Information is Transmitted Over Unsecured Communications, I.E., Fax, Email, Voice

• Information is Published in the Media (Note: Do Not Assume the Information is Unclassified)

Page 11: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Reporting

• Violations

– Report “Through CSA Channels” Defense Security Service (DSS) Representative

• Infractions

– Document & Make Available for Review by the DSS Rep During Visits/Reviews

• Inadvertent Disclosure

– Interview, I.E. Emergency Response Situations, Guard Personnel or Local Emergency Authorities

– Inadvertent Disclosure Statement

– Report Refusal to Sign

Page 12: VIOLATIONS AND COMPROMISES - jsac-dfw.org

What Is The Most Serious Security Incident?

Known or Unknown


Page 13: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Cause

• Classified Assets Are Protected By Many Policies and Procedures

• The Cause of the Incidents is Simple

• Breakdown or Disregard For Security Requirements

Page 14: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Policy & Procedures

• OPSEC Plan

• Component Guidance

• NISPOM

• Standard Security Procedures

• Security Classification Guide

• Transportation Plan

Page 15: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Reasons For Failure

Unaware Carelessness

Deliberate

Disaster

Accident

Resources

Page 16: VIOLATIONS AND COMPROMISES - jsac-dfw.org
Page 17: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Damage…National Security

• When We Talk About Damage, We Are Talking About the Damage to National Security

• National Security is Information Relevant to Our Foreign Relations and National Defense

• We Don’t Live in a Bubble… What We do, Not Only Affects Us, it Normally Affects at Least One Other Person, and What Happens if That One Other Person is the War Fighter Losing His/Her Life

Page 18: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Impact

What is the Impact of a Security Incident?

• Program Integrity:

‒ What is the Integrity of the Assets Protected Within Your Programs?

‒ Is the Information Totally Compromised or Just a Portion Thereof?

• Cost:

‒ Dollars For Development, Design, and Testing

‒ Dollars to Conduct Investigations and Damage Assessments

‒ Loss of Production Time

‒ Loss of Life

Page 19: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Discoverer’s Responsibilities

• Immediate Action

– The Individual Who Discovers the Incident Must Take Immediate Action to Take Control, Protect, and Report Through Official Channels

– One Must Consider OPSEC Indicators Through the Reporting Process

• A Weakness Such as a Security Violation Could Uncover a Vulnerability Within and to Your Program

Page 20: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Discoverer’s Responsibilities

• An Incident May Appear Minor at First; However, Each Incident Must be Documented to Ensure Future Investigations and/or Damage Assessment. The Discoverer is the First Line of Reporting the Details. Don’t Assume You Will “Remember” All the Fine Details - Document!

• Who, What, Where, When, How, and Why

– Do Not Destroy or Interrupt Anything That May Support an Investigation

• An Example May be Receipt of a Classified Document Over Unsecured Communications. The Recipient Would Immediately Obtain Guidance From Their Information System Security Manager (ISSM) or Information System Security Officer (ISSO). The Recipient Does Not Want to Simply Just Delete

Page 21: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Facility Security Officer’s Responsibilities

• Train Employees to Know What Constitutes a Security Incident

• Train Employees to Report All Security Incidents (Classified or Unclassified) to the FSO

Page 22: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Facility Security Officer’s Responsibilities

• Once the FSO Receives the Report of an Incident He/She Will Take Control of the Situation and Safeguard the Information

• Immediate Assessment is Warranted for Each Incident. Of Course if Classified Information is Not in Control (I.E., Someone Has Lost Possession or Information is Transmitted Over Unsecured Communication) Time is of the Essence

• Do You Have a “Blazing Fire” (Lost Control) or a Small “Camp Fire” (Probability of Compromise is Remote)

Page 23: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Facility Security Officer’s Responsibilities

• The FSO Will Conduct a Classification Review of the Information. Is the Information Still Classified? Has the Security Class Guide (SCG) Declassified the Information?

• Notify Defense Security Service (DSS)

• Review Available Details of the Incident

• Identify Investigative Requirements

Page 24: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Investigating Official

• The FSO Appoints the Investigating Official Based on Internal Policies. However, the Person is Always a Disinterested Person That:

– Is Competent to Conduct a Solid Inquiry Into the Incident

– Has the Proper Security Clearance Level

Page 25: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Preliminary Inquiry

What is a Preliminary Inquiry?

• It’s an Examination Into a Reported Security Incident

• A Preliminary Inquiry is a Review of the Details of an Incident That is Not Complex or Serious

Page 26: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Preliminary Inquiry…When???

• Immediately on Receipt of a Report of Loss, Compromise or Suspected Compromise to Determine the Facts

Page 27: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Facts

• Meet With All Parties Involved and Request Written Statements

• When Required, Request “Alarm Activity Report” from Alarm Company

• When Required, Retrieve a Copy of Visitor Sign-In Logs, Safe Open/Close Log, Document Control Logs, and Facility Access Control Records for all Information Involved

• When Required, the ISSM should become Involved to Determine Proper Procedures to follow Regarding Computer Equipment, Printers, Servers, Internet, Audit Logs, Etc.

• Review DD Form 254 to Determine if the Contract Requires Notification of Security Incidents Over and Above NISPOM Requirements

Page 28: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Initial Report…When??

• The Initial Report Occurs Immediately if the Preliminary Inquiry Confirms That a Loss, Compromise, or Suspected Compromise of Any Classified Information Occurred

• It’s Submitted to the Defense Security Service (DSS)

• You do Not Want to Defer Pending Completion of the Entire Investigation

• An Initial Report May Be a Telephone Call or E-mail With the Immediate Details

• You Do Not Want DSS to Learn of a Reportable Incident Through Other Means

Page 29: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Initial Report Criteria

• Authority: Cite the Reason for the Investigation Including: When, Where and by Whom it was Reported and Conducted

• Essential Facts: Arrange Facts, not Opinions or Assumptions, in Chronological Order

• Nature of the Violation: What Happened and When and Where Did it Take Place

Page 30: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Initial Report Criteria

• When, By Whom, and to Whom Was the Violation Reported

• What Actions Were Taken to Secure the Classified Information and/or Limit the Damage Before the Inquiry Began

– Examples: Inventories, Securing of Materials, Changing Combinations of Locks, Etc.

• Identify the Classified Information

– User Agency

– Its Location

– Contract Number & Contracting Officer

Page 31: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Initial Report Criteria

– Classification of the Information Involved

– When and How Long, and Under What Circumstances Was the Classified Information Vulnerable to Unauthorized Disclosure? Determine Identity of Unauthorized Disclosures. Identify Unauthorized Persons Likely to Have Had Access to the Classified Information. Obtain All Necessary Records:

– Access Control Records

– Open/Close Records

– Witness Statements

Page 32: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Final Report

Your Final Report Will Include Any New Information Not Previously Reported Plus the Remainder of the Bulleted Details:

– Primary Responsible Person

• Name

• Position

• SSN

• Date/Place of Birth

• Date of Clearance

• Prior Incidents

Page 33: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Final Report

The Final Report Will State:

• Statement of The Corrective Actions

– How Can You Prevent the Incident From Reoccurring?

• Is Disciplinary Action Warranted?

– Hold People Accountable, Based on the Facts and Regulatory Guidance

• Did a Loss, Compromise, or Suspected Compromise Occur?

Page 34: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Individual Culpability Report

The Culpability Report Will State:

• Includes the Administrative Actions Taken Against the Individual(s) Responsible For the Incident and One or More of the Factors Are Evident:

– Violation Involved a Deliberate Disregard of Security Requirements

– Violation Involved Gross Negligence in Handling Classified Material

– Violation Was Not Deliberate in Nature, But Involves a Pattern of Negligence or Carelessness

• Normally, a Company’s Standard Practices and Procedures Will Identify a Graduated Scale of Disciplinary Actions to be Followed

Page 35: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Disciplinary Actions/Sanctions

• Warning

• Reprimand

• Suspension Without Pay

• Forfeiture of Pay

• Removal

• Termination

• Loss or Denial of Access to Classified Information

• Removal of Classification Authority

Page 36: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Countermeasures

• An Action Taken or a Physical Entity Used to Reduce or Eliminate One or More Vulnerabilities

– Procedures

– Equipment

– Manpower

Page 37: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Procedures

• Procedure Changes Are the Most Cost Effective to Implement

– Standard Operating Procedures

– Security, Education & Awareness

– Conduct Oversight For Compliance

– Administer Sanctions

Page 38: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Equipment

Equipment as a Countermeasure Could Be Costly From Procurement to Maintenance on the System

• Transportation Equipment

• Locks

• Fences

• Safes

• Access Control

• Closed-circuit TV

• Doors

Page 39: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Manpower

Manpower: Civilian, Military, Contractors, Guards, Police Force

• Is Your Program Vulnerability Due to Limited Manpower?

• Is an Increase in Manpower Warranted?

• Are All Individuals Trained Properly?

• Are All Individuals Alert to Their Responsibilities?

Page 40: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Example Written Preliminary Inquiry, Synopsis

INCIDENT: Improper marking and safeguarding of classified material

PERSON(s) RESPONSIBLE: Joe Doe, Sr. Member Engineering Staff

SSN: 123-45-6789, D/POB 02 May 1956, Philadelphia, PA

Clearance: SECRET, granted 01 July 2004

LOCATION: Building 123/106

FINDING: On Monday, January 6, 2009, Mr. Tom Thumb, Manager, Project Engineer advised the writer, that Mr. Joe Doe, a Lockheed Martin employee under his supervision had been storing classified information in an inappropriate manner. Mr. Thumb and Ms. Jane Day, a co-worker were interviewed. Ms. Day notified Mr. Thumb that she had noticed that Mr. Doe has been keeping notes in an unauthorized file cabinet and thought that the notes contained classified information. Therefore, Ms. Day removed the notes from the unauthorized file cabinet and reviewed them. As she suspected, the notes contained SECRET information. Ms. Day turned the notes over to Mr. Thumb.

Page 41: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Example Written Preliminary Inquiry, Synopsis

Mr. Thumb turned the notes over to the writer. The notes were safeguarded in the Information Master Control Center until a complete classification review was conducted by Mr. Sam Smart. On January 7, 2009 Mr. Smart reviewed the notes for classification determination. Mr. Smart found SECRET information on six pages.

Mr. Doe was interviewed by the writer and questioned about the notes (see attached statement. This is where you write your interview with the subject and all witnesses. Note: Make sure you obtain a written statement from each person interviewed bearing the date and their signature.)

Page 42: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Example Written Preliminary Inquiry, Synopsis

If AIS systems are involved, make sure that you include the ISSO and his/her findings and actions. Identify all contract numbers (Government and subcontracts to Document Control.) In accordance with paragraph 1-303 of the National Industrial Security Program Operating Manual, Mr. Doe is found culpable of the following security violations.

List the security violation(s).

Failure to safeguard SECRET information.

Improper markings, etc.

Page 43: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Example Written Preliminary Inquiry, Synopsis

Due to the circumstances and extended period of time, the compromise of classified information cannot be ruled out. This statement is your determination of compromise, suspected compromise and/or loss of classified information.

Report submitted by:

Don’t forget to sign and date it.

Your Name Today’s Date:

Page 44: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Initial Report, Example of Letter to DSS

(Date)

(DSS Reps Name)

(DSS Reps Address)

Subject: Initial Report – Suspected Compromise of Classified Material

Dear (DSS Reps Name):

In accordance with paragraph 1-303 of the National Industrial Security Program Operating Manual, the following written report is submitted (verbally submitted 01/20/09). Lockheed Martin employee Mr. Jo T. Doe, SSN 123-45-6789, cleared SECRET, 01 Jul 04, D/POB 02 May 1956, Philadelphia, PA was found responsible for the following security violation.

List the violation(s)

/////////////////////////////////////////////

/////////////////////////////////////////////

Page 45: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Initial Report, Example of Letter to DSS

On January 5, 2009, it was reported to the LM Aero Security Department that Mr. Doe had been storing classified notes in an unapproved container. The attached synopsis describes the events and their circumstances in our conclusion. Due to the circumstances and the extended period of time, the compromise of classified information cannot be ruled out. Mr. Doe worked on the following contracts, ////////////////////////////////, //////////////////////////////// during this period of time.

I will advise your office of the disciplinary action taken. Should you have any questions,

please contact the undersigned at (your phone number).

Sincerely,

Your Name

Your Title

Attachments: As Stated

Page 46: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Final Report, Example of Final Report Letter

(Date)

(DSS Reps Name)

(DSS Reps Address)

Subject: Final Report – Joe Doe (01/06/07), suspected compromise

Dear (DSS Reps Name):

In accordance with paragraph 1-303 of the National Industrial Security Program Operating Manual, the following Final Report is submitted. Mr. Joe Doe received the following disciplinary action for the subject security violation. Mr. Doe was suspended without pay from work for five days beginning April 1 through April 6, 2009. Mr. Doe has received remedial training in his responsibilities as a cleared individual, to include proper handling, safeguarding, storage and destruction of classified media and information.

Page 47: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Final Report, Example of Final Report Letter

He will be monitored on a random recurring basis by his supervisor and by a member of the LM Aero Security Staff.

Should you have any questions, please contact the undersigned at (your phone number).

Sincerely,

Your Name

Your Title

Page 48: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Culpability Report, Example Letter

(Date)

Defense Security Service – Columbus Operations

PO Box 2499

Columbus, Ohio 43216-5006

Attn: Special Programs Branch

Subject: Culpability Report – NISPOM paragraph 1-304

Reference: January 5, 2009 Violation

Responsible Individual: DOE, Joseph

SSN: 123/45/6789

D/POB: 02 May 1956, Philadelphia, PA

Clearance Level/Date: SECRET, 24 JUL 2004

Facility Code: 02769

Page 49: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Culpability Report, Example Letter

Gentlemen:

In accordance with paragraph 1-304 of the National Industrial Security Program Operating Manual, the following report is submitted.

This is where you explain why this individual is culpable. Don’t forget to explain that you have already submitted a report to DSS. Make sure you state if this is a first security violation or what number.

Should you have any questions, please contact the undersigned at (your phone number).

Sincerely,

Your Name

Your Title

Page 50: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Keep in Mind!

• Security Incidents Cannot Always be Prevented

• Don’t be That Proverbial Ostrich and Stick Your Head in the Sand!

• The Key is When an Incident Occurs, Take Immediate Control of the Information and Conduct an Assessment to Minimize the Impact of the Incident.

• Conduct Reviews & Take Corrective Action to Prevent or Minimize Future Incidents

• Remember, an Unreported Security Incident Could Jeopardize the Safety of Our Men and Women Who Defend Our Great Country

Page 51: VIOLATIONS AND COMPROMISES - jsac-dfw.org

Questions