ncms & the industrial security professional (isp) certification preparation william l....
TRANSCRIPT
NCMS & the Industrial Security Professional (ISP) Certification Preparation
William L. Uttenweiler, ISP
Lead Mentor, ISP Exam Prep ProgramFlorida Space Coast Chapter, Cape Canaveral AFS, FL
Three Topics
What is NCMS & why should you belong?
What is the Industrial Security Professional certification program & why you should be one?
How can you best prepare for the ISP exam?
Question:
What is NCMS & why should you belong?
Organization
Society of Information Security Professionals
Founded in 1964
Headquartered in Wayne, PA
24 chapters in USA, 1 in Europe, & 1 “virtual”
~ 2,600 members
Official Scope – #1
Develop & promote education & training of members in the application of requirements of industrial security in support of the security of the United States and its allies as described in the National Industrial Security Program (NISP).
- Classified information (mostly DOD, DOE, CIA & NRC but 23 other agencies included)
Develop and promote education and training of members in the application of classification management principles, practices, procedures, & techniques in protecting government designated unclassified information & intellectual property in all forms.- Government FOUO
- Company Proprietary/Competition Sensitive, etc.
- Operations Security (OPSEC)
Official Scope – #2
How NCMS Meets Scope #1 & #2
Web site, especially the Members Only section
Annual National Training Seminar
CM Bulletin
Chapter level activities and communications
NCMS Web Site www.classmgmt.com
New news you can use
Resource library- Counterintelligence information; security education/awareness training
tools, security briefings
- Government reports (NISPOM, Industrial Security Letters, Executive Orders, Presidential Decision Directives, PERSEREC Reports)
- Classification management, physical security, COMSEC, OPSEC, information security, information assurance
- Protecting FOUO, sensitive-but-unclassified information, proprietary information
- Homeland Security, Emergency Preparedness
- JPAS, e-QIP
- International security, NATO, Export Control
- Facility Security Officer Training
- And much, much more
Membership Assistance Publication Series (MAPS) – tied to sections of NISPOM
- Self-Inspection guide for collateral facilities
- Administrative inquiry checklist
- Handbook on DD 254 preparation (subcontracting)
- Sample resolution for exclusion of certain directors or officers
- Briefing “The Foreign Intelligence Threat”
- Sample annual security refreshers
- Instructions for changing safe & lock combinations
- Where to get clips for false/drop ceilings in closed areas
- Writing a master systems security plan for classified AIS
- And much, much more
NCMS Web Site www.classmgmt.com
Annual National Training Seminar
43rd was held June 2007 in Reno NV included- General and break-out sessions on topics like
• DISCO & JPAS behind the scenes; basic/advanced JPAS & e-QIP training
• Threat integration in your security program
• Security clearance adjudication
• SCI overview; special access program training
• FOCI, export control, proxy agreements, special security agreements
• Classified AIS security issues
• OPSEC – “They Really Didn’t Do That, Did They?”
• Ray Semko “Unleashed”
- Summaries of sessions published in CM Bulletin; when available, slides posted on-line
- Facility Security Officer Program Management course offered by DSS Academy
- Proctored ISP certification exam
45th Annual National Training Seminar
CM Bulletin
Bi-monthly NCMS newsletter
- Official means of communication between leadership & members
- Articles by members on topics of interest, for example
• Results of polygraph survey
• Perils of the Internet
• How to build a better security team
• Verbal attestations
• US port deal highlights foreign investments
• Data spills – cleanup & prevention
• Effective speaking tips
Chapter level activities & communications
Chapter-sponsored seminars
Chapter meetings with speakers
E-mail from chapter chair with news, updates, etc.
Association with government audit/ inspection personnel in a professional, non-adversarial environment
Networking – you are never alone
Advance the professionalism of Members through a formal certification program recognized by government & industry.
- Industrial Security Professional (ISP) certification
• http://www.ncms-isp.org/
- More in a moment
Official Scope – #3
Advance its purpose by representation & participation on U.S. government & professional security councils, committees, boards & forums & through formal comment, proposal, petition, & coordination.- Memorandum of Understanding (MOU) Group
- NISP Policy Advisory Committee (NISPPAC)
- Close rapport with ISOO, DSS, etc.
Official Scope – #4
The MOU Group
MOU Group
- Membership includes: NCMS & 5 other groups
NISP Policy Advisory Committee
- By invitation but usually includes NCMS members
Both represent industry’s voice to top-level government security policy makers
Information Flowing Up
Example: High Security Lock Legislation- Pushed by Sen Jim Bunning (R-KY) in FY 2002
Defense Authorization Bill
- Would have accelerated requirement X0-8/9 locks (replacement kits cost $1,200 each; cabinets cost $1,570 - $5,679 each)
- Industry surveyed costs ($231 million) and concluded they were not justified by risk
- Bunning’s district includes headquarters of MAS-Hamilton, the only manufacturer of compliant locks
Example: personnel security investigation backlog
- Explained the costs in unaccomplished work while PSIs languish uncompleted
- DSS agreed to allowing facilities to each prioritize a small number of if cases and to accelerate their completion
- Early notification of DSS plans and requests for future PSI needs
Information Flowing Up
Special Relationships
Special relationships with ISOO, DSS, etc.
- High level staff frequently with Board of Directors on issues of mutual interest
- High level staff regular present at NCMS National Training Center
- Permanent host for presentation of DSS’s James S. Cogswell Award for outstanding industrial security programs
Evaluating the Value of Memberships
DSS James S. Cogswell Award for Outstanding Industrial Security Program- 2006: NCMS members for 13 of the 28
selected firms
- 2007: NCMS members for 20 of the 30 selected firms
An NCMS member was one of the firm’s representatives at the awards ceremony.
Management Support Is Critical
Security professionals need enthusiastic support from their management
- More than signing the occasional policy or giving the intro at annual company refresher
- Reimbursement for dues and expenses
- Permission to attend functions and work on NCMS business (both for training and good PR within the DOD contractor community)
- Demonstrates to other employees that security is important to the company
Question: What is NCMS & why should you
belong?
Answer: NCMS is the Society of Information Security Professionals. If you belong
to NCMS, you & your company are never “hanging out there” alone. You have access to local & national level resources & experts when a question
or a problem occurs.
Question:
What is the Industrial Security Professional
certification program & why should you be
one?
ISP Certification
The security certification universe in 2003- Some of existing ones were too broad
• Certified Protection Professional (CPP)
- Others were narrowly focused but on other disciplines
• Physical Security Professional (PSP)• Certified Fraud Examiner (CFE)• Certified Information Systems Security
Professional (CISSP)• Global Information Assurance Certificate (GIAC)• Certified in Homeland Security (CHS)
ISP Certification
Security certification universe in 2003
- None focused on the National Industrial Security Program (NISP) or the NISPOM
- None included areas like Counterintelligence (CI) and Communications Security/TEMPEST
- NCMS grassroots wanted a certification would closely match what a Facility Security Officer (FSO) and his/her staff actually do
Industrial Security Professional
Industrial Security Professional (ISP) certification
- For individuals involved in classified government contracts
- Introduced in 2004
- Aimed at “journeyman” level professionals
- ~ 190 currently certified world-wide
ISP Certification requirements
- 5 years’ experience (can be part-time if >10% of duties)
- Pass a proctored exam • 110 questions (100 “core” plus 5 each on 2 electives
chosen from 4 available – counterintelligence, COMSEC/TEMPEST, intellectual property, OPSEC)
• 2 hours long; open book
- Recommended by supervisor or NCMS National Director
- Subscribe to high ethical standards
ISP Certification
Recertification required every 3 years
- Shows continued professional development
- Demonstrates that person has kept current on both threats and defenses
- Can be accomplished by
• Training/seminar attendance
• Leadership in security activities
• Authoring articles/classes on security topics
• Etc.
ISP Certification
ISP Certification
“Accreditation”
- Only recently provided for the ASIS-sponsored CPP; ISP isn’t far behind
- However, can be a valuable assurance in the case of a new program like the ISP
- NCMS is working with the American National Standards Institute (ANSI) to get formal “accreditation” for the ISP
ISP Certification
Accreditation process has driven the requirement to have on-line test takers proctored- Proctors insure that the candidate is the person
who takes the exam
- Chapter Chairs help locate current ISPs to serve as proctors
- For those not near an ISP, NCMS Headquarters will approve qualified proctors (including Government Industrial Security Representatives, College/ University teachers, etc.)
ISP On-Line http://www.ncms-isp.org
Separate ISP web site to consolidate resources
- Certification Booklet
- Application Form
- ISP Code of Ethics
- Test References & Sources
- Frequently Asked Questions
- List of Current ISPs
- ISP Exam Preparation Program
ISP Certification: Why Certify?
The ISP program provides a high-level baseline for the knowledge required of an Industrial Security FSO with at least five years of experience;
It certifies that the holder of the ISP has the requisite knowledge of the NISPOM and other related directives used by the average FSO on a daily basis;
It demonstrates on the part of the ISP a degree of professionalism and willingness to go the extra yard to develop professionally;
ISP Certification: Why Certify?
It demonstrates self-confidence & willingness to take a risk (of flunking the certification exam in this case);
It demonstrates that the ISP has the academic and intellectual skills to not only perform as an FSO but also to develop further as a security professional;
It puts a company that has ISP's on their staff in a stronger position for contract bids and re-bids in the area of security; and
It provides a FSO with an ISP added credibility when dealing with DSS representatives
A couple of testimonials
Crystal Chambers, ISP, CENTRA Technology Inc., Arlington, VA. Having ISP after my name MEANS something! When I applied for a new position, not only did my new boss know what it meant, he was impressed! I have an ability now to confidently use, refer to and quote the NISPOM! This class made me open up the book and LOOK at chapters I hadn’t needed previously, like Chapter 8. Did I mention I got a perfect score on that section?
Leonard Moss Jr., ISP, CHS-V, AAI Corporation, Hunt Valley, MD. In October 2006 I moved cross-country for a promotion to the Director of Corporate Security at AAI Corporation. It's a great opportunity and it's the promotion I had been seeking. You will be happy to know that when I applied for this position one of the things the job called for was "ISP preferred.” I thought that was great and worth sharing. It shows the value of our credential.
Question: What is the Industrial Security
Professional certification program & why should you be one?
Answer: The only professional certification
aimed at staff working to protect classified information. It pays
dividends both in knowledge & reputation.
Next Question:How can you best
prepare for theISP exam?
ISP Exam Preparation
Barrier to testing – The Fear Factor
Overcoming The Fear Factor through preparation
The Fear Factor
Applicants are apprehensive about taking the exam- I’m not good enough (or experienced enough)
- I’ve been out of school for a long time, I don’t test well & I might fail.
- I’m too busy (workload, personal problems, etc.)
- If I fail, I’ll look bad in the eyes of supervisors, coworkers & colleagues.
- If I fail, I’ll be out several hundred dollars. (Some companies don’t fund the exam until employee passes.)
Overcoming the Fear Factor
The two keys are networking & preparation
Networking
- “I’m not good enough” dispelled by contact with colleagues (difference between test takers in Reno NV in 2004 & Seattle WA in 2005)
Preparation
- Knowledge provides self-confidence
- Some nervousness always remains for any “high stakes” test, but the adrenalin helps
Main methods of preparation
- Self-study
- ISP Examination Preparation Program
- ISPCERT.COM
Self-Study http://www.ncms-isp.org/StudyReferences.html
Self-study was the only study method available before 2006
All of the source documents for the ISP exam are unclassified and widely on-line
Anxiety was high because candidates didn’t know if their preparation was “adequate”
Now – the ISP Exam Prep Program workbook can be used for self-study
ISP Exam Preparation Program
Arose during 2005 ramp-up
- Candidates met telephonically to discuss “hard” chapters (Chap 8 on AIS, Chap 10 on international)
- Expanded & formalized at 41st Annual National Training Seminar in Seattle WA
- Sponsored by ISP Committee (co-Chairs: Barbara Taylor, ISP & Priscilla Crawford, ISP)
ISP Exam Preparation Program
Prep Program purpose
- Develop better security professionals conducting comprehensive training on fundamentals like the NISPOM, ISLs, OPSEC, CI, etc.
- Assist those who do not have local ISPs to be their “mentors”
- Encourage “unsure” candidates that they can complete appropriate preparation for the exam
- “Cooperate & Graduate”
ISP Exam Preparation Program
Overview- Students will obtain materials & study in advance
of the telecons
- Telecons with mentors & other candidates to answer questions, help pace the preparation, etc.
• About 1 hour long each
• Once a week
• All but electives occur 3x weekly so Candidates can pick the most convenient one
ISP Exam Prep Program
Materials
- Electronic copies of key references
- Workbook to help candidates’ review of NISPOM & other materials (cost $15)
- The Annotated NISPOM, a great tool for all security professionals, is available at: http://www.ncms-isp.org/NISPOM_200602_with_ISLs.pdf
ISP Exam Preparation Program
Mentors
- All are current ISPs
- 2-person Mentor teams will provide a variety of experiences/viewpoints
Timeline
- Next “Round” in the program started in July 2008
- Timed so that Candidates finish in time to test before the Thanksgiving & end-of-year holidays
- To sign up or get more information, contact the ISP Lead Mentor Team by e-mail [email protected]
ISP Exam Preparation Program
Lesson strategy
- Call #1A - get started, go over "Test Tips" article for information/techniques/tips, evaluate class size, etc.
- #Call #1B - look up practice (5 questions w/paper NISPOM, 5 questions w/electronic search of The Annotated NISPOM in PDF)
- Lesson #2 - #10 - cover about 10% of the NISPOM in each session
- Lesson #11 - last minute questions, wrap-up
Lesson Strategy (continued)
- Four optional calls; 1 for each of the four electives
• COMSEC/TEMPEST
• Counterintelligence
• Intellectual Property
• Operations Security
ISP Exam Preparation Program
ISPCERT.COM
Creation of Jeffrey W. Bennett, ISP, ISPCERT.com, Madison AL; Secretary of NCMS Mid-South Chapter
The Complete Guide for Industrial Security Professional (ISP) Exam Preparation
- Practice test with 400+ multiple choice questions (with answer sheets)
- Practical tips for candidates
- Cost is $39.99
Final Comments on ISP Exam
Available on-line 24/7
Available “on paper” at 2009 NCMS Annual National Training Seminar in Anaheim CA next June
Exam isn’t easy but you will pass if you
- Pay attention to test discipline (110 answers in 120 minutes)
- Prepare in advance
Question: How can you best prepare for the
ISP exam? Answer:
There are several methods, from independent study to use of
prepared workbooks to taking the ISP Exam Prep Program.
Choose the one you believe will work best for you.
Final Notes: Security Awareness Posters
http://www.ncms-channelislands.org/posters.html
Speaker Contact Information
William L Uttenweiler, ISP
- Work Phone: 321-853-0803
- Cell Phone: 321-506-7427
- FAX: 310-563-2959
Any More Questions?