Initial and Refresher Briefings deedee collins

1
Initial and Refresher Briefingsdeedee
collins John WallerNCMS Atlanta 2006
2
Workshop Overview

• Why is Security Education and Training so
  important
• Speaking Security for Success tips on effective
  presentation skills
• Requirements for Initial and Refresher Briefings
• Q A Session

3
Why is Security Education and Training Important?

• When we properly protect classified information
  our sons and daughters and brothers and sisters
  return from Iraq and Afghanistan
• 99.9 of your employees want to do the right
  thing
• If you educate them, your infractions and
  violations will be minimized!!!

• The ability of your employees to meet their
  security responsibilities is directly
  proportional to your effectiveness in helping
  them to understand the requirements!!!

4
The Goal of Security Education

• An educated workforce
• We have the technical knowledge to administer our
  security programs
• What do we do to enlist the support of our
  greatest resource our cleared employees?
• Establish acceptance of security as an individual
  responsibility
• Cause a change of behavior security attitude as
  a part of daily life

5
Speaking Security For Success

• Attitude about security is based on daily contact
  you are the message!
• Be the conduit for the message ? you are not the
  focus!
• A good briefing is where the
• speaker has a message
• A great briefing is where the
• message has a speaker

6
Communication Motivation

• Our job is first to inform, then motivate
• Motivation is the why rationale
• Communication is the what requirements
• Answer what is in this for me?
• Guide them to success in their security
  responsibilities
• Use the building blocks approach

7
First Impressions are Lasting Impressions

• Be disciplined in delivery
• Make them your best give your best
• Listening intently encourage questions
• Whenever possible, include exercises and media
  for variety!
• Involve your management and technical staff in
  design delivery!
• Give them something to walk away with!

8
Variety in Delivery

• Quizzes Contests
• Again, management involvement
• Beyond in-person briefings
• Using web pages, e-mail
• Paper still has value!
• Computer Based Training (CBT)

9
Security Education Requirements

• EO 12958
• ISOO Directive 1
• NISPOM Chapter 3
• Your Agencys directives

10
Executive Order 12958 (Sect 5.4)

• -Include remarks in performance evaluations
  addressing management of classified information
  for
• OCAs
• Security Managers and Specialists
• All others who are significantly involved with
  classified information

Agency Heads shall

• Demonstrate a personal commitment to EO 12958
• Dedicate the necessary resources to their
  Security Program
• Optimize safeguarding and facilitate
  declassification
• ESTABLISH SECURITY EDUCATION AND TRAINING
  PROGRAMS
• Establish and maintain an effective
  self-inspection program
• Prevent unnecessary access to classified
  information

11
ISOO DIrective 1(Sect 2001.70)

• These (education and training) standards are
  binding on all executive branch departments and
  agencies that create or handle classified
  information
• Each agency shall provide some form of refresher
  security education and training AT LEAST ANNUALLY

• Agencies shall maintain records about the
  programs it has offered and employee
  participation in them

12
NISPOM(Para 3-106/107)

• Employees will receive a security briefing PRIOR
  TO ACCESS
• The initial security briefing will include
• Threat awareness briefing
• Defensive security briefing
• Overview of the classification system
• Employee reporting obligations
• Security procedures and duties applicable to the
  employees job

• The refresher briefing shall
• Reinforce the initial security briefing
  information
• Inform the employees of changes in security
  procedures/requirements

I would also talk about problems seen over the
last year
13
Your Agencys Directives

• DoD 5200.1-R Chap 9
• AR 380-5 Chap 9
• SECNAVINST 5510.36 Chap 3
• AFI 31-401 Chap 8
• Department of Commerce Security Manual Chap 3
• Etc..

Your organization may have additional
requirements relevant to your security education
and training program
14
Document, Document , Document

• Regardless of the method you use, always ensure
  that the training is documented in writing to
  include the date, subjects covered, instructor,
  list of attendees, and attendees signature
• Should you decide to complete the training via
  e-mail, ensure you have a read receipt for
  documentation

15
Its Your TurnWhat Makes An Effective
Initial Briefing Refresher Briefing
16
The Initial Briefing
The most important briefing you will ever give
17
Key Topics

• Threat awareness
• Defensive security
• Overview of the classification system
• Employee reporting obligations
• Security procedures and duties applicable to the
  employees job

Remember your goal is understanding and
convincing the employee to take ownership of the
security program
Do not give each newly-cleared employee the same
generic briefing
18
The Refresher Briefing
19
Key Topics

• Refresher training should address
• the policies, principles and procedures covered
  in initial and specialized training
• the threat and the techniques employed by foreign
  intelligence activities attempting to obtain
  classified information
• penalties for engaging in espionage activities
• issues or concerns identified during agency
  self-inspections
• ISOO Directive 1

The NISPOM also wants us to talk about changes in
security regulations
20
Frequency

• The frequency of agency security education and
  training will vary in accordance with the needs
  of the agency's security classification program
• Each agency shall provide some form of refresher
  security education and training at least
  annually
• ISOO Directive 1

21
OPSEC Training

• "Even minutiae should have a place in our
  collection, for things of a seemingly trifling
  nature, when enjoined with others of a more
  serious cast, may lead to a valuable conclusion.
• ..George Washington

• Information may be collected from
• telephone and public conversations
• telephone directories
• financial or purchasing documents
• position or "job" announcements
• travel documents, blueprints or drawings
• distribution lists
• shipping and receiving documents
• contents of your web page
• personal information or items found in the trash

• The OPSEC Process
• Critical Information
• Indicators
• Adversaries
• Vulnerabilities
• Protective Measures

22
Dont Forget Employees at Remote Sites

• Even though one or more of your cleared employees
  are assigned at a location other than one of your
  facilities, YOU are still responsible for
  ensuring they get the required security education
  and training briefings!!

23
Dont Forget Senior Management Officials

• Ensure that the security manager and other senior
  command personnel receive training as required,
  and support the command security education
  program
• Commanding Officers/senior officials must
  understand dictates of EO 12958/ISOO Directive 1

• Senior management in Industry needs to know
  about
• FOCI
• the Security Agreement they signed
• the NISP and the NISPOM requirements
• threat associated with RFI
• the Threat at conferences and seminars
• the challenges associated with mergers
  especially with a foreign company

24
Some Final Thoughts

• Employee education is an investment not an
  expense
• Security awareness will save your organization
  money, embarrassment, and time

• Always tailor your briefings to the audience
  dont waste their time with stuff they dont need
  to know

It is not good enough to just put the word out
you should strive for understanding on the part
of your troops until this happens, your work is
not done!!
25
Questions Discussion
26
Initial and Refresher Briefingsdeedee
collins www.nstii.org703-690-2015 John
WallerJPW Security Solutions