Defense and Intelligence Council Newsletter - December 2014


Upload: daniel-mcgarvey

Post on 15-Aug-2015


Defense and Intelligence Council Members

COUNCIL CHAIR

James A. Shamess, CPP

COUNCIL VICE CHAIR

Daniel A. McGarvey

2nd COUNCIL VICE CHAIR

Karl C. Glasbrenner, CPP, PCI

MEMBERS

List included

Defense and Intelligence Council

December 2014

A QUICK LOOK

The Defense and Intelligence Council (D&IC) successfully closes out the year with several accomplishments. The establishment of issue-specific focus groups and continued collaboration with the security community led to positive participation and presentations at the annual seminar. The council met the goals and objectives outlined in its business plan and looks forward to similar achievements in 2015.

In this Issue:

DOD Insider Threat Program

2014 At-A-Glance

Policies & Issues Survey

National Counterintelligence & Security Center

Meet Our Members

2014 Annual Seminar - D&IC Sponsored Sessions

Defense & Intelligence Council Members

DOD INSIDER THREAT PROGRAM

The National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs evolved from a presidential memorandum in 2012 to provide guidance for developing effective insider threat programs within agencies. The goal was to identify actions and behaviors of employees who may pose a threat to national security. The Department of Defense issued a new Insider Threat Directive on September 30, 2014 to further explain the requirements of the program. The key components in the directive are:

The program will monitor and audit information from sources including counterintelligence, security, cybersecurity, civilian and military personnel management, workplace violence, antiterrorism risk management, law enforcement, user monitoring and other sources as necessary.

The program will provide training, education, and awareness to military and civilian personnel, contractors and volunteers who have access to DOD resources.


2014 AT-A-GLANCE

The D&IC restructured the council to address the needs of the members and ASIS. An executive committee emerged to manage the council infrastructure and relationships to the ASIS membership. Several working groups were created to identify issues within industry, find ways to leverage the council expertise and create partnerships with government and industry members. The working groups manifested many accomplishments in 2014.

Group / Accomplishment

Policy and Issues Working Group

Developed the first comprehensive security policy issues matrix for government and industry.

Issues matrix accepted as the standard document at many industry and government events.

A special team was formed at the request of the NISPPAC to address the potential degradation of the NISP.

Insider Threat Working Group

Reorganized the ITWG into four functional subgroups (Operations, Analytics, Collaboration and Education) staffed by government and industry SMEs to develop an Insider Threat Program Model.

Coordinated with NCMS Board of Directors the completion of an Insider Threat survey of small and medium-sized organization programs.

Provided Insider Threat Program Model presentations during the Annual CAISSWG Conference (5/6), DIB SCC Quarterly Meeting (6/11) and AIA/NDIA conference (9/24).

Developed a presentation for the ASIS 2014 Seminar outlining how to create an effective scalable model framework for a corporate Insider Threat Program.

Supported the development and certification of Insider Threat Program and Analytical Workshops for ASIS International.

Develop a section in the ASIS O.P. Norton Library for an Insider Threat Information Repository to hold reference/training materials. (In progress)

Trusted Information Provider Working Group

Chaired Pre-employment Background Screening Supplement (PBSS) Technical Committee of the Commission of Standards & Guidelines:

o 20 hours of internal comment review/revision so far; another 20 hours expected after public comment period.

o Hope to approve supplement by early 2015.

Enlisted GWU PhD candidate in Systems Engineering to analyze TIP clearinghouse/database management concern (ongoing).

Security Metrics

Supported the completion of the ASIS Foundation-funded project, which involved researching and summarizing literature on the use of security metrics, conducting surveys, performing interviews and collecting data associated with current practices, developing a Security Metrics Evaluation Tool (SMET) to evaluate specific metrics, and publishing a 207-page report which has received broad circulation.

Created and delivered a training module for the Insider Threat Workshop.

Drafted and submitted for publication an article on Security Metrics for ASIS Security Management (scheduled for publication in October 2014).

Presenting on Security Metrics at the 2014 ASIS Annual Seminar.


POLICIES & ISSUES SURVEY

The D&IC conducted a policies and issues survey as a topic area for discussion with government and industry partners. Several noteworthy items, including changes in the National Industrial Security Operating Manual, were prevalent. The following chart depicts the issues identified by members around the Defense Industrial Base and the government.

NATIONAL COUNTERINTELLIGENCE & SECURITY CENTER

The National Counterintelligence and Security Center (NCSC) launched on Monday, December 1, 2014 as the parent organization to the Office of the National Counterintelligence Executive (ONCIX). The increase in cyber-attacks on U.S. businesses and agencies led to the establishment of the NCSC. Hackers are targeting personally identifiable information (PII) on U.S. citizens and are using the information to affect the U.S. economy. The center brings security and counterintelligence under one umbrella, to be led by William Evanina. The security component will continue to focus on government security clearances and conducting background investigations. The counterintelligence mission is to continue monitoring foreign intelligence service activities and counterspy programs. Combining security and counterintelligence has proved a successful practice in other organizations.


MEET OUR MEMBERS

Kerrie L. Kavulic

Security Education, Training and Awareness Program Manager

Amazon Web Services

1. Briefly describe how you first started in the defense/intelligence business?

I always thought I would end up as a lobbyist on Capitol Hill. Majoring in government and history I wanted to make a difference in national security through legislative means. Fortunately, I stumbled on the security profession because my uncle worked in the business and highly encouraged everyone to do their best to protect national security. I began my security career at Northrop Grumman and quickly became engrossed in the security profession. I was given the opportunity to influence employees to become force multipliers and protect the nation.

2. What are your major challenges in the defense/intelligence community?

Money has always been my major challenge although not a complete road block. My passion in security became security training, awareness and education and I was fortunate to find the right opportunity and right managers to allow me to flourish. Money continued to be a challenge in producing quality products on virtually no budget. I quickly learned to become my own design studio, print shop, video production studio and web based training operation. The challenges presented me with the opportunity to learn to do it myself and produce quality products at very low cost.

3. What are your most prevalent opportunities in the defense/intelligence community?

My most prevalent opportunities have been the ability to work with employees and external organizations to figure out the right products and messages to protect information. I have always had great managers that allowed me to use my creative and strategic skills to launch corporate wide security programs. I was able to apply the knowledge and dissemination strategies of protecting classified information and projecting that to other equally important programs.

4. What types of changes have you personally developed and implemented?

One of my greatest accomplishments has been creating and instituting a corporate wide protecting information campaign. The intent was to categorize information into six focus areas and develop marketing materials, posters, videos, training and awareness around those areas. Employees were informed on the definitions of the areas and then given the tools to protect the information. The areas consisted of protecting classified information, company proprietary information, export controlled/ITAR information, controlled unclassified information, personally identifiable information, and protected health information. The campaign blast around each topic was comprehensive and disseminated in several forms to allow a blended learning approach. The campaign was extremely successful which resulted in me receiving company and industry awards. The most important part for me was discussing the topics with employees and repeatedly seeing the ‘brand’ around the company. There was a heightened awareness by employees to protect all types of information which ultimately protects our country and our trade secrets.

5. What is your vision for the company/agency?

My challenge continues to be finding a balance in educating those that understand the classified environment and those who do not. The uncleared employee is just as important in recognizing the insider threat and external threats, and must be vigilant. The HR person working for a defense contractor has sensitive information and can be targeted just because of the nature of their employer. My vision is to continue to bring awareness to all employees in understanding the importance of protecting national security information.

6. What keeps you enthused about your career?

Creativity keeps me enthused about my career. I have been able to use processes, procedures, and new ways to bring forth messages appropriate to the audiences in different ways.

7. What is your leadership style?

I am a democratic leader. I am diplomatic in my approach to effectively leading and managing projects and people. Being democratic allows buy in from different audiences and makes them a stakeholder in the process. Creating a first rate product is ineffective if I don’t have the buy in from management or employees.

8. What lessons have you learned throughout your career that still inspire you today?

Listening to people has been one of the most important lessons I have learned. Stakeholders are all different depending on what you are trying to sell, whether products or programs. The more engagement I provide the better the programs are received. I have often thought of myself as a marketing and advertising security professional because I feel as though I am constantly ‘selling’ security to someone. The key has been to be able to sell it in a way best received by that audience. Security comes in all shapes and sizes and being creative in the way it is disseminated has been a lesson that continues to inspire me every day.


Heightened Awareness Protects our Secrets

2014 ANNUAL SEMINAR – D&IC SPONSORED SESSIONS

The D&IC sponsored 7 sessions at the annual seminar. The sessions covered a variety of topic areas with prominent speakers and were well received. The D&IC also met with several members from the defense and intelligence industry as well as other industry partners.

Session Title Speaker(s) Abstract

Insider Threat Program Model, Part 1: Best Security Practices from Government and Industry  

George Quin, Lockheed Martin Aeronautics; Dave Drab, Insider Threat Mitigation Group; Daniel McGarvey, Global Skills X-change

Every business has its own “crown jewels” which provide an edge in a highly competitive global market. What would happen if your company lost its edge through internal theft or sabotage? Learn how to safeguard your company’s proprietary, sensitive, and government-provided information from unauthorized disclosure by deterring, detecting, and defeating employee insider threats. This two-part session presents a scalable program derived from government and industry best practices to counter the insider threats. Part 1 introduces the Insider Threat Program Model and describes its operational and analytical components.

Insider Threat Program Model, Part 2: Best Security Practices from Government and Industry

George Quin, Lockheed Martin Aeronautics; Michael McCall, Raytheon Company; Mark Dargis, FBI Headquarters

Part 2 describes the educational and collaborative components of the Insider Threat Program Model.  

Shaping Federal Security Policy

John Fitzpatrick, Director, National Archives and Records Administration; Mike Witt, Director of Security/Chief Security Officer, Ball Aerospace & Technologies Corp.

Discover how ASIS International helps influence National Industrial Security policy as one of seven professional security associations known as the Memorandum of Understanding (MOU) group. Many within the industry are unaware of the MOU and the role it plays in shaping National Industrial Security policy. ASIS was founded in 1955 by industrial security directors collaborating to improve classified information safeguards. Today, the U.S. government still aggressively seeks ASIS expertise. Learn about the National Industrial Security Program Policy Advisory Committee, other MOU signatories, and how the group speaks with one voice. 

Leveraging Security Metrics to Demonstrate Efficiencies and ROI

Peter Ohlhausen, President, Ohlhausen Research, Inc.; Daniel McGarvey, Metrics Research Team, ASIS Foundation

Tracking metrics is the answer to measuring the effectiveness of security. But what are the best ones and best examples? How can a security organization assess and improve a metric and then tailor it to organizational needs? Discover the answers from new ASIS Foundation research. Learn the specifics of a Security Metrics Evaluation Tool, which helps assess, select, and improve metrics. Hear a description of metrics in actual use today by private and public sector organizations, and gain ideas that can be applied to any organization. Discover guidelines for using metrics to inform senior management and demonstrate return on investment.

Sex, Drugs, and Rock n Roll: The 24/7 Online Party

Adam Lurie, Vice President - Government Solutions, Social Intelligence Corp.; Geoffrey Andrews, Chief Operating Officer, Social Intelligence Corp.

Can security departments legally use social media and online data? Case studies help to illuminate the types of deviant behavior that regularly exists online and how to best locate and identify vital information. Online data is a treasure trove of information that has been applied to security operations, insider threat detection, and social network analysis. The result? Individuals have been caught engaging in various types of illegal activity, and lives have been saved.

Defense Security Service: A Report to ASIS

Stanley Sims, Director, Defense Security Service

Learn about the symbiotic relationship between the Defense Security Service (DSS) and ASIS International and current DSS initiatives that affect industry. DSS supports national security and the warfighter, secures the technological base, and oversees the protection of U.S. and foreign classified information in the hands of industry. It provides security and counterintelligence support to approximately 14,000 facilities on behalf of the military services, defense agencies, and 26 other federal agencies in the National Industrial Security Program. Also learn about the role of DSS in the defense of the cyber domain.

Bulletproof Your Thinking: Key Skills for Security Professionals  

Kathy Pherson, CEO, Pherson Associates, LLC

Critical thinking techniques can help frame solutions for a range of security problems, ranging from sensitive facilities, supply chains, counterterrorism analysis, and competitive intelligence pertinent to homeland security or national security issues. Focusing on analytic strategies that improve rigor, avoid mental traps, and communicate clearly with others, security examples will be used to demonstrate the importance of understanding your context, checking key assumptions, considering alternative explanations, seeking inconsistent data, and focusing on key drivers and indicators. These skills will improve the quality of your work by protecting against biased thinking, spurring imagination, and facilitating collaboration with others.


DEFENSE SECURITY SERVICE UPDATE


D&IC MEMBERS

Curt E. Armbruster; J. Michael Harris; Rhonda Peyton

Jeffrey J. Berkin; Klaus Heerwig; Charles S. Phalen, Jr.

Marc Brooks; Matthew Hollandsworth; Katherine Pherson

David P. Brummell; Vincent Jarvie; Michael J. Porturica

Allen Chung; Alvina E. Jones; Steven Rutledge

Michael H. Clancy; Kerrie L. Kavulic; Marc Ryan

Cynthia P. Conlon; Robb Kubiak-Cherkaski; Marshall C. Sanders

Christian Conroy; Michael L. Laverdure; Daniel E. (Dan) Schlehr

Shawn S. Daley; Robert O. Lilje; James Shamess

Carl Davis; Joseph S. Mahaley; Cheryl Stone

Jeffrey C. (JC) Dodson; Jeffrey C. Manzanec; Michelle Sutphin

Jonathan Fitz-Enz; Gregory Marshall; Robert E. Trono

John Fitzpatrick; John McCarthy; Jeff Vish

William F. Flynn; Daniel A. McGarvey; Richard Weaver

Karl C. Glasbrenner; Paul Mellema; Richard F. Williams

Dennis P. Hanratty; Raymond Musser

Robert Harney; Greg Pannoni