NCMS & the Industrial Security Professional (ISP) Certification Preparation

1
NCMS the Industrial Security Professional (ISP)
Certification Preparation

• William L. Uttenweiler, ISP
• Lead Mentor, ISP Exam Prep Program
• Florida Space Coast Chapter, Cape Canaveral AFS,
  FL

2
Three Topics

• What is NCMS why should you belong?
• What is the Industrial Security Professional
  certification program why you should be one?
• How can you best prepare for the ISP exam?

3

• Question
• What is NCMS why should you belong?

4
Organization

• Society of Information Security Professionals
• Founded in 1964
• Headquartered in Wayne, PA
• 24 chapters in USA, 1 in Europe, 1 virtual
• 2,600 members

5
Official Scope 1

• Develop promote education training of members
  in the application of requirements of industrial
  security in support of the security of the United
  States and its allies as described in the
  National Industrial Security Program (NISP).
• Classified information (mostly DOD, DOE, CIA
  NRC but 23 other agencies included)

6
Official Scope 2

• Develop and promote education and training of
  members in the application of classification
  management principles, practices, procedures,
  techniques in protecting government designated
  unclassified information intellectual property
  in all forms.
• Government FOUO
• Company Proprietary/Competition Sensitive, etc.
• Operations Security (OPSEC)

7
How NCMS Meets Scope 1 2

• Web site, especially the Members Only section
• Annual National Training Seminar
• CM Bulletin
• Chapter level activities and communications

8
NCMS Web Site www.classmgmt.com

• New news you can use
• Resource library
• Counterintelligence information security
  education/awareness training tools, security
  briefings
• Government reports (NISPOM, Industrial Security
  Letters, Executive Orders, Presidential Decision
  Directives, PERSEREC Reports)
• Classification management, physical security,
  COMSEC, OPSEC, information security, information
  assurance
• Protecting FOUO, sensitive-but-unclassified
  information, proprietary information
• Homeland Security, Emergency Preparedness
• JPAS, e-QIP
• International security, NATO, Export Control
• Facility Security Officer Training
• And much, much more

9
NCMS Web Site www.classmgmt.com

• Membership Assistance Publication Series (MAPS)
  tied to sections of NISPOM
• Self-Inspection guide for collateral facilities
• Administrative inquiry checklist
• Handbook on DD 254 preparation (subcontracting)
• Sample resolution for exclusion of certain
  directors or officers
• Briefing The Foreign Intelligence Threat
• Sample annual security refreshers
• Instructions for changing safe lock
  combinations
• Where to get clips for false/drop ceilings in
  closed areas
• Writing a master systems security plan for
  classified AIS
• And much, much more

10
Annual National Training Seminar

• 43rd was held June 2007 in Reno NV included
• General and break-out sessions on topics like
• DISCO JPAS behind the scenes basic/advanced
  JPAS e-QIP training
• Threat integration in your security program
• Security clearance adjudication
• SCI overview special access program training
• FOCI, export control, proxy agreements, special
  security agreements
• Classified AIS security issues
• OPSEC They Really Didnt Do That, Did They?
• Ray Semko Unleashed
• Summaries of sessions published in CM Bulletin
  when available, slides posted on-line
• Facility Security Officer Program Management
  course offered by DSS Academy
• Proctored ISP certification exam

11
45th Annual National Training Seminar
12
CM Bulletin

• Bi-monthly NCMS newsletter
• Official means of communication between
  leadership members
• Articles by members on topics of interest, for
  example
• Results of polygraph survey
• Perils of the Internet
• How to build a better security team
• Verbal attestations
• US port deal highlights foreign investments
• Data spills cleanup prevention
• Effective speaking tips

13
Chapter level activities communications

• Chapter-sponsored seminars
• Chapter meetings with speakers
• E-mail from chapter chair with news, updates,
  etc.
• Association with government audit/ inspection
  personnel in a professional, non-adversarial
  environment
• Networking you are never alone

14
Official Scope 3

• Advance the professionalism of Members through a
  formal certification program recognized by
  government industry.
• Industrial Security Professional (ISP)
  certification
• http//www.ncms-isp.org/
• More in a moment

15
Official Scope 4

• Advance its purpose by representation
  participation on U.S. government professional
  security councils, committees, boards forums
  through formal comment, proposal, petition,
  coordination.
• Memorandum of Understanding (MOU) Group
• NISP Policy Advisory Committee (NISPPAC)
• Close rapport with ISOO, DSS, etc.

16
The MOU Group

• MOU Group
• Membership includes NCMS 5 other groups
• NISP Policy Advisory Committee
• By invitation but usually includes NCMS members
• Both represent industrys voice to top-level
  government security policy makers

17
Information Flowing Up

• Example High Security Lock Legislation
• Pushed by Sen Jim Bunning (R-KY) in FY 2002
  Defense Authorization Bill
• Would have accelerated requirement X0-8/9 locks
  (replacement kits cost 1,200 each cabinets cost
  1,570 - 5,679 each)
• Industry surveyed costs (231 million) and
  concluded they were not justified by risk
• Bunnings district includes headquarters of
  MAS-Hamilton, the only manufacturer of compliant
  locks

18
Information Flowing Up

• Example personnel security investigation backlog
• Explained the costs in unaccomplished work while
  PSIs languish uncompleted
• DSS agreed to allowing facilities to each
  prioritize a small number of if cases and to
  accelerate their completion
• Early notification of DSS plans and requests for
  future PSI needs

19
Special Relationships

• Special relationships with ISOO, DSS, etc.
• High level staff frequently with Board of
  Directors on issues of mutual interest
• High level staff regular present at NCMS National
  Training Center
• Permanent host for presentation of DSSs James S.
  Cogswell Award for outstanding industrial
  security programs

20
Evaluating the Value of Memberships

• DSS James S. Cogswell Award for Outstanding
  Industrial Security Program
• 2006 NCMS members for 13 of the 28 selected
  firms
• 2007 NCMS members for 20 of the 30 selected
  firms
• An NCMS member was one of the firms
  representatives at the awards ceremony.

21
Management Support Is Critical

• Security professionals need enthusiastic support
  from their management
• More than signing the occasional policy or giving
  the intro at annual company refresher
• Reimbursement for dues and expenses
• Permission to attend functions and work on NCMS
  business (both for training and good PR within
  the DOD contractor community)
• Demonstrates to other employees that security is
  important to the company

22

• Question
• What is NCMS why should you belong?
• Answer
• NCMS is the Society of Information Security
  Professionals. If you belong to NCMS, you your
  company are never hanging out there alone. You
  have access to local national level resources
  experts when a question or a problem occurs.

23
Question What is the Industrial Security
Professional certification program why should
you be one?
24
ISP Certification

• The security certification universe in 2003
• Some of existing ones were too broad
• Certified Protection Professional (CPP)
• Others were narrowly focused but on other
  disciplines
• Physical Security Professional (PSP)
• Certified Fraud Examiner (CFE)
• Certified Information Systems Security
  Professional (CISSP)
• Global Information Assurance Certificate (GIAC)
• Certified in Homeland Security (CHS)

25
ISP Certification

• Security certification universe in 2003
• None focused on the National Industrial Security
  Program (NISP) or the NISPOM
• None included areas like Counterintelligence (CI)
  and Communications Security/TEMPEST
• NCMS grassroots wanted a certification would
  closely match what a Facility Security Officer
  (FSO) and his/her staff actually do

26
Industrial Security Professional

• Industrial Security Professional (ISP)
  certification
• For individuals involved in classified government
  contracts
• Introduced in 2004
• Aimed at journeyman level professionals
• 190 currently certified world-wide

27
ISP Certification

• ISP Certification requirements
• 5 years experience (can be part-time if gt10 of
  duties)
• Pass a proctored exam
• 110 questions (100 core plus 5 each on 2
  electives chosen from 4 available
  counterintelligence, COMSEC/TEMPEST, intellectual
  property, OPSEC)
• 2 hours long open book
• Recommended by supervisor or NCMS National
  Director
• Subscribe to high ethical standards

28
ISP Certification

• Recertification required every 3 years
• Shows continued professional development
• Demonstrates that person has kept current on both
  threats and defenses
• Can be accomplished by
• Training/seminar attendance
• Leadership in security activities
• Authoring articles/classes on security topics
• Etc.

29
ISP Certification

• Accreditation
• Only recently provided for the ASIS-sponsored
  CPP ISP isnt far behind
• However, can be a valuable assurance in the case
  of a new program like the ISP
• NCMS is working with the American National
  Standards Institute (ANSI) to get formal
  accreditation for the ISP

30
ISP Certification

• Accreditation process has driven the requirement
  to have on-line test takers proctored
• Proctors insure that the candidate is the person
  who takes the exam
• Chapter Chairs help locate current ISPs to serve
  as proctors
• For those not near an ISP, NCMS Headquarters will
  approve qualified proctors (including Government
  Industrial Security Representatives, College/
  University teachers, etc.)

31
ISP On-Line http//www.ncms-isp.or
g

• Separate ISP web site to consolidate resources
• Certification Booklet
• Application Form
• ISP Code of Ethics
• Test References Sources
• Frequently Asked Questions
• List of Current ISPs
• ISP Exam Preparation Program

32
ISP Certification Why Certify?

• The ISP program provides a high-level baseline
  for the knowledge required of an Industrial
  Security FSO with at least five years of
  experience
• It certifies that the holder of the ISP has the
  requisite knowledge of the NISPOM and other
  related directives used by the average FSO on a
  daily basis
• It demonstrates on the part of the ISP a degree
  of professionalism and willingness to go the
  extra yard to develop professionally

33
ISP Certification Why Certify?

• It demonstrates self-confidence willingness to
  take a risk (of flunking the certification exam
  in this case)
• It demonstrates that the ISP has the academic and
  intellectual skills to not only perform as an FSO
  but also to develop further as a security
  professional
• It puts a company that has ISP's on their staff
  in a stronger position for contract bids and
  re-bids in the area of security and
• It provides a FSO with an ISP added credibility
  when dealing with DSS representatives

34
A couple of testimonials

• Crystal Chambers, ISP, CENTRA Technology Inc.,
  Arlington, VA.  Having ISP after my name MEANS
  something! When I applied for a new position, not
  only did my new boss know what it meant, he was
  impressed!  I have an ability now to confidently
  use, refer to and quote the NISPOM! This class
  made me open up the book and LOOK at chapters I
  hadnt needed previously, like Chapter 8. Did I
  mention I got a perfect score on that
  section?    
• Leonard Moss Jr., ISP, CHS-V, AAI Corporation,
  Hunt Valley, MD.  In October 2006 I moved
  cross-country for a promotion to the Director of
  Corporate Security at AAI Corporation.  It's a
  great opportunity and it's the promotion I had
  been seeking.  You will be happy to know that
  when I applied for this position one of the
  things the job called for was "ISP preferred. I
  thought that was great and worth sharing. It
  shows the value of our credential.

35

• Question
• What is the Industrial Security Professional
  certification program why should you be one?
• Answer
• The only professional certification aimed at
  staff working to protect classified information.
  It pays dividends both in knowledge reputation.

36
Next Question How can you best prepare for
the ISP exam?
37
ISP Exam Preparation

• Barrier to testing The Fear Factor
• Overcoming The Fear Factor through preparation

38
The Fear Factor

• Applicants are apprehensive about taking the exam
• Im not good enough (or experienced enough)
• Ive been out of school for a long time, I dont
  test well I might fail.
• Im too busy (workload, personal problems, etc.)
• If I fail, Ill look bad in the eyes of
  supervisors, coworkers colleagues.
• If I fail, Ill be out several hundred dollars.
  (Some companies dont fund the exam until
  employee passes.)

39
Overcoming the Fear Factor

• The two keys are networking preparation
• Networking
• Im not good enough dispelled by contact with
  colleagues (difference between test takers in
  Reno NV in 2004 Seattle WA in 2005)
• Preparation
• Knowledge provides self-confidence
• Some nervousness always remains for any high
  stakes test, but the adrenalin helps

40

• Main methods of preparation
• Self-study
• ISP Examination Preparation Program
• ISPCERT.COM

41
Self-Study http//www.ncms-isp.org/StudyRefer
ences.html

• Self-study was the only study method available
  before 2006
• All of the source documents for the ISP exam are
  unclassified and widely on-line
• Anxiety was high because candidates didnt know
  if their preparation was adequate
• Now the ISP Exam Prep Program workbook can be
  used for self-study

42
ISP Exam Preparation Program

• Arose during 2005 ramp-up
• Candidates met telephonically to discuss hard
  chapters (Chap 8 on AIS, Chap 10 on
  international)
• Expanded formalized at 41st Annual National
  Training Seminar in Seattle WA
• Sponsored by ISP Committee (co-Chairs Barbara
  Taylor, ISP Priscilla Crawford, ISP)

43
ISP Exam Preparation Program

• Prep Program purpose
• Develop better security professionals conducting
  comprehensive training on fundamentals like the
  NISPOM, ISLs, OPSEC, CI, etc.
• Assist those who do not have local ISPs to be
  their mentors
• Encourage unsure candidates that they can
  complete appropriate preparation for the exam
• Cooperate Graduate

44
ISP Exam Preparation Program

• Overview
• Students will obtain materials study in advance
  of the telecons
• Telecons with mentors other candidates to
  answer questions, help pace the preparation, etc.
• About 1 hour long each
• Once a week
• All but electives occur 3x weekly so Candidates
  can pick the most convenient one

45
ISP Exam Prep Program

• Materials
• Electronic copies of key references
• Workbook to help candidates review of NISPOM
  other materials (cost 15)
• The Annotated NISPOM, a great tool for all
  security professionals, is available at
  http//www.ncms-isp.org/NISPOM_200602_with_ISLs.pd
  f

46
ISP Exam Preparation Program

• Mentors
• All are current ISPs
• 2-person Mentor teams will provide a variety of
  experiences/viewpoints
• Timeline
• Next Round in the program started in July 2008
• Timed so that Candidates finish in time to test
  before the Thanksgiving end-of-year holidays
• To sign up or get more information, contact the
  ISP Lead Mentor Team by e-mail ISP_Mentor_at_hotmail.
  com

47
ISP Exam Preparation Program

• Lesson strategy
• Call 1A - get started, go over "Test Tips"
  article for information/techniques/tips, evaluate
  class size, etc.
• Call 1B - look up practice (5 questions w/paper
  NISPOM, 5 questions w/electronic search of The
  Annotated NISPOM in PDF)
• Lesson 2 - 10 - cover about 10 of the NISPOM
  in each session
• Lesson 11 - last minute questions, wrap-up

48
ISP Exam Preparation Program

• Lesson Strategy (continued)
• Four optional calls 1 for each of the four
  electives
• COMSEC/TEMPEST
• Counterintelligence
• Intellectual Property
• Operations Security

49
ISPCERT.COM

• Creation of Jeffrey W. Bennett, ISP, ISPCERT.com,
  Madison AL Secretary of NCMS Mid-South Chapter
• The Complete Guide for Industrial Security
  Professional (ISP) Exam Preparation
• Practice test with 400 multiple choice questions
  (with answer sheets)
• Practical tips for candidates
• Cost is 39.99

50
Final Comments on ISP Exam

• Available on-line 24/7
• Available on paper at 2009 NCMS Annual National
  Training Seminar in Anaheim CA next June
• Exam isnt easy but you will pass if you
• Pay attention to test discipline (110 answers in
  120 minutes)
• Prepare in advance

51

• Question
• How can you best prepare for the ISP exam?
• Answer
• There are several methods, from independent
  study to use of prepared workbooks to taking the
  ISP Exam Prep Program. Choose the one you believe
  will work best for you.

52
Final Notes Security Awareness Posters

• http//www.ncms-channelislands.org/posters.html

53
Speaker Contact Information

• William L Uttenweiler, ISP
• William.L.Uttenweiler_at_aero.org
• Work Phone 321-853-0803
• Cell Phone 321-506-7427
• FAX 310-563-2959

54
Any More Questions?