Florida Industrial Security Workgroup

Self-Inspections

• What are Self-Inspections
• Why should Self-Inspections be conducted
• When should Self-Inspections be conducted
• What does the NISPOM say about Self-Inspections
• What are some tips for conducting Self-Inspections
• What are some Common Issues
• What qualifies as an enhancement for Self-Inspections

What Are Self-Inspections?

Self-inspections are security reviews of your program.

Self-inspections should be tailored to your program.

The Self-Inspection Handbook was designed to be used as a job aid and to help in complying with this requirement. The handbook was also developed to assist in developing a viable self-inspection program tailored to the classified needs of your company.

Why Should Self-Inspections Be Conducted?

• To be in compliance with NISPOM requirements
• To assess your company’s security program
• Improve the overall quality of your program
• Help identify any issues/vulnerabilities you may not otherwise be aware of
• To prepare for Audits
• Opportunity to talk to employees one on one if possible

When Should Self-Inspections be Conducted?

Generally, a formal self-inspection should be conducted midway between security reviews/Audits

There is no rule on how often self-inspections should be conducted; however, this should be a continuous process

Self-Inspections can be conducted as often as the FSO feels necessary

What Does the NISPOM Say About Self-Inspections?

NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING MANUAL

February 2006 Incorporating Change 1 March 28, 2013

DoD 5220.22-M

1-206b: Contractors shall review their security system on a continuing basis and shall also conduct a formal self-inspection at intervals consistent with risk management principles

Risk management principles –

The process should create value

It should be an integral part of the organizational process

It should factor into the overall decision making process

It must explicitly address uncertainty

It should be systematic and structured

It should be based on the best available information

It should be tailored to the project

It must take into account human factors

It should be transparent and all-inclusive

It should be dynamic and adaptable to change

It should be continuously monitored and improved upon as the project moves forward

What are Some Tips for Conducting Self-Inspections?

• Make notes on the inspection checklist
• Interview cleared and uncleared employees
• Be sure to include your AFSO and ISSO
• Be sure to verify all documentation
• Having all materials centrally located helps during Audit time
• Conduct self-inspections as necessary, at a minimum two per year.
• Get employees involved
• Be sure to address any vulnerabilities that were found
• Share your review with your DSS Rep; if there were any issues found, work with your rep to find solutions before the audit

What are the Most Common Issues?

Company claims to have conducted multiple self-inspections but vulnerabilities are still found during Audit

ISSM has failed to conduct a comprehensive self-inspection of the accredited information systems

Local employees receive great security training but off-site employees rarely receive guidance

When interviewed for Audit it is clearly evident that employees are not provided with adequate training and education

Company does not keep DSS apprised of reportable information (i.e. company name change, KMP changes)

Not following updated NISP requirements

What Qualifies As An Enhancement?

Yeah we got an enhancement!!

Category 5: Self Inspection - Effective documented self inspections designed to provide an on-going, continuous evaluation of the security program and promptly sharing the self inspection results with DSS, which encourages open dialogue of identified issues and possible resolutions prior to the DSS scheduled inspection.

Provide DSS with a detailed report of their self-inspections to include identifying threats or vulnerabilities

Collaborate with DSS to correct any issues prior to annual assessment

Proof of on-going and continuous evaluation of security program through multiple self-reviews

Self-review conducted by a cleared contractor outside of the corporate structure, i.e. prime contractor assisting a sub or a consultant with an applicable need-to-know (DD 254)

Establish an internal corporate review program conducted by another facility within the organization/corporate structure in addition to the required self-review

QUESTIONS????