570 likes | 905 Views
NCMS & the Industrial Security Professional (ISP) Certification Preparation. William L. Uttenweiler, ISP Lead Mentor, ISP Exam Prep Program Florida Space Coast Chapter, Cape Canaveral AFS, FL. Three Topics. What is NCMS & why should you belong?
E N D
NCMS & the Industrial Security Professional (ISP) Certification Preparation William L. Uttenweiler, ISP Lead Mentor, ISP Exam Prep Program Florida Space Coast Chapter, Cape Canaveral AFS, FL
Three Topics • What is NCMS & why should you belong? • What is the Industrial Security Professional certification program & why you should be one? • How can you best prepare for the ISP exam?
Question: What is NCMS & why should you belong?
Organization • Society of Information Security Professionals • Founded in 1964 • Headquartered in Wayne, PA • 37 chapters in USA & 1 “virtual” chapter • ~ 4,000 members
Official Scope – #1 • Develop & promote education & training of members in the application of requirements of industrial security in support of the security of the United States and its allies as described in the National Industrial Security Program (NISP). • Classified information (mostly DOD, DOE, CIA & NRC but 23 other agencies included)
Official Scope – #2 • Develop and promote education and training of members in the application of classification management principles, practices, procedures, & techniques in protecting government designated unclassified information & intellectual property in all forms. • Government FOUO • Company Proprietary/Competition Sensitive, etc. • Operations Security (OPSEC)
How NCMS Meets Scope #1 & #2 • Web site, especially the Members Only section • Annual National Training Seminar • CM Bulletin • Chapter level activities and communications
NCMS Web Site www.classmgmt.com • New news you can use • Resource library • Counterintelligence information; security education/awareness training tools, security briefings • Government reports (NISPOM, Industrial Security Letters, Executive Orders, Presidential Decision Directives, PERSEREC Reports) • Classification management, physical security, COMSEC, OPSEC, information security, information assurance • Protecting FOUO, sensitive-but-unclassified information, proprietary information • Homeland Security, Emergency Preparedness • JPAS, e-QIP • International security, NATO, Export Control • Facility Security Officer Training • And much, much more
NCMS Web Sitewww.classmgmt.com • Membership Assistance Publication Series (MAPS) – tied to sections of NISPOM • Self-Inspection guide for collateral facilities • Administrative inquiry checklist • Handbook on DD 254 preparation (subcontracting) • Sample resolution for exclusion of certain directors or officers • Briefing “The Foreign Intelligence Threat” • Sample annual security refreshers • Instructions for changing safe & lock combinations • Where to get clips for false/drop ceilings in closed areas • Writing a master systems security plan for classified AIS • And much, much more
Annual National Training Seminar • 46th was held June 2010 in Reno NV included • General and break-out sessions on topics like • Security Awareness Training for SAPs & Collateral Programs • The A to Z on How to Get a Clearance • DD Forms 254 for SAPs & Collateral Programs • Preempting Personnel Clearance Issues • Mitigating Foreign Ownership, Control & Influence (FOCI) • Prime Contractor Responsibilities • International Program Security Review Requirements • Setting Up a Corporate Import/Export Program • Summaries of sessions published in CM Bulletin; when available, slides posted on-line • Proctored ISP certification exam
CM Bulletin • Bi-monthly NCMS newsletter • Official means of communication between leadership & members • Articles by members on topics of interest, for example • Results of polygraph survey • Perils of the Internet • How to build a better security team • Verbal attestations • US port deal highlights foreign investments • Data spills – cleanup & prevention • Effective speaking tips
Chapter level activities & communications • Chapter-sponsored seminars • Chapter meetings with speakers • E-mail from chapter chair with news, updates, etc. • Association with government audit/ inspection personnel in a professional, non-adversarial environment • Networking – you are never alone
Official Scope – #3 • Advance the professionalism of Members through a formal certification program recognized by government & industry. • Industrial Security Professional (ISP) certification • http://www.ncms-isp.org/ • More in a moment
Official Scope – #4 • Advance its purpose by representation & participation on U.S. government & professional security councils, committees, boards & forums & through formal comment, proposal, petition, & coordination. • Memorandum of Understanding (MOU) Group • NISP Policy Advisory Committee (NISPPAC) • Close rapport with ISOO, DSS, etc.
The MOU Group • MOU Group • Membership includes: NCMS & 5 other groups • NISP Policy Advisory Committee • By invitation but usually includes NCMS members • Both represent industry’s voice to top-level government security policy makers
Information Flowing Up • Example: High Security Lock Legislation • Pushed by Sen. Jim Bunning (R-KY) in FY 2002 Defense Authorization Bill • Would have accelerated requirement X0-8/9 locks (replacement kits cost $1,200 each; cabinets cost $1,570 - $5,679 each) • Industry surveyed costs ($231 million) and concluded they were not justified by risk • Bunning’s district includes headquarters of MAS-Hamilton, the only manufacturer of compliant locks
Information Flowing Up • Example: personnel security investigation backlog • Explained the costs in unaccomplished work while PSIs languish uncompleted • DSS agreed to allowing facilities to each prioritize a small number of if cases and to accelerate their completion • Early notification of DSS plans and requests for future PSI needs
Special Relationships • Special relationships with ISOO, DSS, etc. • High level staff frequently with Board of Directors on issues of mutual interest • High level staff regular present at NCMS National Training Center • Permanent host for presentation of DSS’s James S. Cogswell Award for outstanding industrial security programs
Evaluating the Value of Memberships • DSS James S. Cogswell Award for Outstanding Industrial Security Program • 2006: NCMS members for 13 of the 28 selected firms • 2007: NCMS members for 20 of the 30 selected firms An NCMS member was one of the firm’s representatives at the awards ceremony.
Management Support Is Critical • Security professionals need enthusiastic support from their management • More than signing the occasional policy or giving the intro at annual company refresher • Reimbursement for dues and expenses • Permission to attend functions and work on NCMS business (both for training and good PR within the DOD contractor community) • Demonstrates to other employees that security is important to the company
Question: What is NCMS & why should you belong? Answer: NCMS is the Society of Information Security Professionals. If you belong to NCMS, you & your company are never “hanging out there” alone. You have access to local & national level resources & experts when a question or a problem occurs.
Question: What is the Industrial Security Professional certification program & why should you be one?
ISP Certification • The security certification universe in 2003 • Some of existing ones were too broad • Certified Protection Professional (CPP) • Others were narrowly focused but on other disciplines • Physical Security Professional (PSP) • Certified Fraud Examiner (CFE) • Certified Information Systems Security Professional (CISSP) • Global Information Assurance Certificate (GIAC) • Certified in Homeland Security (CHS)
ISP Certification • Security certification universe in 2003 • None focused on the National Industrial Security Program (NISP) or the NISPOM • None included areas like Counterintelligence (CI) and Communications Security/TEMPEST • NCMS grassroots wanted a certification would closely match what a Facility Security Officer (FSO) and his/her staff actually do
Industrial Security Professional • Industrial Security Professional (ISP) certification • For individuals involved in classified government contracts • Introduced in 2004 • Aimed at “journeyman” level professionals • ~ 300 currently certified world-wide
ISP Certification • ISP Certification requirements • 5 years’ experience (can be part-time if >10% of duties) • Pass a proctored exam • 110 questions (100 “core” plus 5 each on 2 electives chosen from 4 available – counterintelligence, COMSEC/TEMPEST, intellectual property, OPSEC) • 2 hours long; open book • Recommended by supervisor or NCMS National Director • Subscribe to high ethical standards
ISP Certification • Recertification required every 3 years • Shows continued professional development • Demonstrates that person has kept current on both threats and defenses • Can be accomplished by • Training/seminar attendance • Leadership in security activities • Authoring articles/classes on security topics • Etc.
ISP Certification • “Accreditation” • Only recently provided for the ASIS-sponsored CPP; ISP isn’t far behind • However, can be a valuable assurance in the case of a new program like the ISP • NCMS is working with the American National Standards Institute (ANSI) to get formal “accreditation” for the ISP
ISP Certification • Accreditation process has driven the requirement to have on-line test takers proctored • Proctors insure that the candidate is the person who takes the exam • Chapter Chairs help locate current ISPs to serve as proctors • For those not near an ISP, NCMS Headquarters will approve qualified proctors (including Government Industrial Security Representatives, College/ University teachers, etc.)
ISP On-Line http://www.ncms-isp.org/ • Separate ISP web site to consolidate resources • Certification Booklet • Application Form • ISP Code of Ethics • Test References & Sources • Frequently Asked Questions • List of Current ISPs • ISP Exam Preparation Program
ISP Certification: Why Certify? • The ISP program provides a high-level baseline for the knowledge required of an Industrial Security FSO with at least five years of experience; • It certifies that the holder of the ISP has the requisite knowledge of the NISPOM and other related directives used by the average FSO on a daily basis; • It demonstrates on the part of the ISP a degree of professionalism and willingness to go the extra yard to develop professionally;
ISP Certification: Why Certify? • It demonstrates self-confidence & willingness to take a risk (of flunking the certification exam in this case); • It demonstrates that the ISP has the academic and intellectual skills to not only perform as an FSO but also to develop further as a security professional; • It puts a company that has ISP's on their staff in a stronger position for contract bids and re-bids in the area of security; and • It provides a FSO with an ISP added credibility when dealing with DSS representatives
A couple of testimonials • Crystal Chambers, ISP, CENTRA Technology Inc., Arlington, VA. Having ISP after my name MEANS something! When I applied for a new position, not only did my new boss know what it meant, he was impressed! I have an ability now to confidently use, refer to and quote the NISPOM! This class made me open up the book and LOOK at chapters I hadn’t needed previously, like Chapter 8. Did I mention I got a perfect score on that section? • Leonard Moss Jr., ISP, CHS-V, AAI Corporation, Hunt Valley, MD. In October 2006 I moved cross-country for a promotion to the Director of Corporate Security at AAI Corporation. It's a great opportunity and it's the promotion I had been seeking. You will be happy to know that when I applied for this position one of the things the job called for was "ISP preferred.” I thought that was great and worth sharing. It shows the value of our credential.
Question: What is the Industrial Security Professional certification program & why should you be one? Answer: The only professional certification aimed at staff working to protect classified information. It pays dividends both in knowledge & reputation.
Next Question: How can you best prepare for the ISP exam?
ISP Exam Preparation • Barrier to testing – The Fear Factor • Overcoming The Fear Factor through preparation
The Fear Factor • Applicants are apprehensive about taking the exam • I’m not good enough (or experienced enough) • I’ve been out of school for a long time, I don’t test well & I might fail. • I’m too busy (workload, personal problems, etc.) • If I fail, I’ll look bad in the eyes of supervisors, coworkers & colleagues. • If I fail, I’ll be out several hundred dollars. (Some companies don’t fund the exam until employee passes.)
Overcoming the Fear Factor • The two keys are networking & preparation • Networking • “I’m not good enough” dispelled by contact with colleagues (difference between test takers in Reno NV in 2004 & Seattle WA in 2005) • Preparation • Knowledge provides self-confidence • Some nervousness always remains for any “high stakes” test, but the adrenalin helps
Main methods of preparation • Self-study • ISP Examination Preparation Program • Company or NCMS Chapter Based Study Groups • ISPCERT.COM
Self-Studyhttp://www.ncms-isp.org/StudyReferences.html • Self-study was the only study method available before 2006 • All of the source documents for the ISP exam are unclassified and widely on-line • Anxiety was high because candidates didn’t know if their preparation was “adequate” • Now – the ISP Exam Prep Program workbook can be used for self-study
ISP Exam Preparation Program • Arose during 2005 ramp-up • Candidates met telephonically to discuss “hard” chapters (Chap 8 on AIS, Chap 10 on international) • Expanded & formalized at 41st Annual National Training Seminar in Seattle WA • Sponsored by Education & Training Committee (Chair: Joseph Jessop)
ISP Exam Preparation Program • Prep Program purpose • Develop better security professionals conducting comprehensive training on fundamentals like the NISPOM, ISLs, OPSEC, CI, etc. • Assist those who do not have local ISPs to be their “mentors” • Encourage “unsure” candidates that they can complete appropriate preparation for the exam • “Cooperate & Graduate”
ISP Exam Preparation Program • Overview • Students will obtain materials & study in advance of the telecons • Telecons with mentors & other candidates to answer questions, help pace the preparation, etc. • About 1 hour long each • Once a week • All but electives occur 3x weekly so candidates can pick the most convenient one
ISP Exam Preparation Program • Materials • Electronic copies of key references • Workbook to help candidates’ review of NISPOM & other materials (cost $50.00 for NCMS members, $100.00 for non-members) • The Annotated NISPOM, a great tool for all security professionals, is available at: http://www.ncms-isp.org/NISPOM_200602_with_ISLs.pdf • Will be updated when “new NISPOM” is released
ISP Exam Preparation Program • Mentors • All are current ISPs • 3-person Mentor teams will provide a variety of experiences/viewpoints • Timeline • Current “Round” in the program started in February 2011, ~180 participants • Timed so that candidates finish in time to test before the Annual NCMS National Training Seminar and summer vacations • To sign up or get more information, contact the ISP Lead Mentor Team by e-mail ISP_Mentor@hotmail.com
ISP Exam Preparation Program • Lesson strategy • Call #1A - get started, go over "Test Tips" article for information/techniques/tips, evaluate class size, etc. • #Call #1B - look up practice (5 questions w/paper NISPOM, 5 questions w/electronic search of The Annotated NISPOM in PDF) • Lesson #2 - #10 - cover about 10% of the NISPOM in each session • Lesson #11 - last minute questions, wrap-up
ISP Exam Preparation Program • Lesson Strategy (continued) • Four optional calls; 1 for each of the four electives • COMSEC/TEMPEST • Counterintelligence • Intellectual Property • Operations Security • Special Access Programs (a fifth will be offered once elective is approved)
Company or NCMS Chapter Based Study Groups • Newest Development (Companies) • SAIC • Study group in National Capital Region • Offered exam during last 2 security officer conferences • Honeywell Global Security Solutions • Goal of having all qualified security compliance staff certified by end of FY 2012 • Raytheon Corporation • Over a dozen in 2010 study group in Tucson AZ area