Becoming an ISP®: Why & How

William L. Uttenweiler, ISP®, Chair, ISP® Certification Subcommittee & Member & Chapter Chair, Florida Space Coast Chapter, Cape Canaveral AFS, FL
James Massaro, ISP®, Chair, ISP® CEU Subcommittee & Member, Alamo Chapter, San Antonio, TX

©2014, NCMS – The Society of Industrial Security Professionals. All Rights Reserved.

Overview
What is the Industrial Security Professional certification program & why you should be one?
How can you best prepare for the ISP® exam?
What is NCMS & why should you belong?
- Bonus topic: Included for your information.

Question: What is the Industrial Security Professional certification program & why should you be one?

Past Security Certification Landscape
The security certification universe in 2003
- Some of existing ones were too broad
  • Certified Protection Professional (CPP)
- Others were narrowly focused but on other disciplines
  • Physical Security Professional (PSP)
  • Certified Fraud Examiner (CFE)
  • Certified Information Systems Security Professional (CISSP)
  • Global Information Assurance Certificate (GIAC)
  • Certified in Homeland Security (CHS)

Past Security Certification Landscape
Security certification universe in 2003
- None focused on the National Industrial Security Program (NISP) or the NISPOM
- None included areas like Counterintelligence (CI) and Communications Security/TEMPEST
- NCMS grassroots wanted a certification which would closely match what a Facility Security Officer (FSO), ISSO/ISSM and his/her staff actually do

2014 Security Certification Landscape
Changed for contractors in the NISP
- ISP® dominates the landscape
- There are other certifications available

2014 Security Certification Landscape
ISP® (Industrial Security Professional).
Developed by NCMS to meet the specific needs of contractor personnel who perform Industrial Security for the US government as specified by the National Industrial Security Program (NISP) and other government security-related requirement documents. (All government agencies that deal with classified information must follow the NISP: DOD, DOE, NRC, CIA, DNI, etc.)
SPēD (Security Professional Education Development). The SPēD Certification Program is a new part of the Department of Defense’s (DoD) initiative to professionalize the government security workforce. SPēD has 4 levels: SFPC (Security Fundamentals Professional Certification), SPPPC (Security Asset Protection Professional), SPIPC (Security Program Integration & Professional Certification), and SEPC (Security Enterprise Professional Certification). SPēD Certification is also open to employees of DoD contractors. (It is not based on the NISP Operating Manual like the ISP® is.)

2014 Security Certification Landscape
CISSP (Certified Information Systems Security Professional). This certification targets information systems/information technology professionals with five years of full-time experience in at least two of the 10 domains that are part of the “common body of knowledge.” These include the Operations Security, Business Continuity and Disaster Recovery, Legal, Regulations, Investigations, and Physical Security. Typically it appeals to Information Systems Security Managers (ISSMs), Officers (ISSOs) and security generalists.
CPP (Certified Protection Professional). The CPP targets professionals who can effectively manage complex security issues for corporations, governments, and public and private institutions.
This certification tests an individual’s skills in eight broad subjects – security principles & practices, business principles & practices, legal aspects, personnel security, physical security, information security, crisis management, and investigations.

Industrial Security Professional
Industrial Security Professional (ISP®) certification
- For individuals involved in classified government contracts
- Introduced in 2004
- Aimed at “journeyman” level professionals
- ~ 400 currently certified world-wide

ISP® Certification
ISP® Certification requirements
- 5 years’ experience in security management (can be part-time if >10% of duties)
- Pass a proctored exam
  • 110 questions (100 “core” plus 5 each on 2 electives chosen from 5 available – counterintelligence, COMSEC/TEMPEST, intellectual property, OPSEC, special access programs)
  • 2 hours long; open book
- Recommended by supervisor or NCMS National Director
- Subscribe to high ethical standards

ISP® Certification: Experience Requirement

ISP® Certification
Recertification required every 3 years
- Shows continued professional development
- Demonstrates that person has kept current on both threats and defenses
- Can be accomplished by activities such as
  • Membership/leadership in security organizations (NCMS, ASIS, etc.)
  • Training class/seminar attendance
  • Authoring articles/presenting classes on security topics

ISP® Certification
“Accreditation”
- The ISP® was awarded formal “accreditation” by the American National Standards Institute (ANSI) in October 2013
- Rigorous process carefully defining standards, process, etc.
Requires extensive documentation

ISP® Certification
Accreditation process has driven several changes
- The requirement to have on-line test takers proctored
  • Proctors ensure that the candidate is the person who takes the exam
  • Chapter Chairs, Chapter ISP® Committees, and ISP® Certification Subcommittee will help locate current ISP®s to serve as proctors
  • For those not near an ISP®, NCMS Headquarters will approve qualified proctors (including Government Industrial Security Representatives, College/University teachers, etc.)

ISP® Certification
Accreditation process has driven several changes (continued)
- The elimination of the paper exam
  • Usually offered only at the National Training Seminar
  • Pass/Fail results of paper vs. online were not consistent
  • Candidates at NCMS 2012 said they’d prefer to take the test online and know results immediately as opposed to waiting for papers to be hand scored/verified

ISP® On-Line
http://www.ncms-isp.org/
ISP® web site consolidates resources
- Certification Booklet
- Application Form
- ISP® Code of Ethics
- Test References & Sources
- Frequently Asked Questions
- List of Current ISP®s
- ISP® Exam Preparation Program

ISP® Certification: Why Certify?
The ISP® program provides a high-level baseline for the knowledge required of an Industrial Security FSO with at least five years of experience
It certifies that the holder of the ISP® has the requisite knowledge of the NISPOM and other related directives used by the average FSO on a daily basis
It demonstrates on the part of the ISP® a degree of professionalism and willingness to go the extra mile to develop professionally

ISP® Certification: Why Certify?
It demonstrates self-confidence & willingness to take a risk (of failing the certification exam in this case)
It demonstrates that the ISP® has the academic and intellectual skills to not only perform as an FSO but also to develop further as a security professional
It puts a company that has ISP®'s on their staff in a stronger position for contract bids and re-bids in the area of security
It provides an FSO with an ISP® added credibility when dealing with DSS representatives.

ISP® Certification: Why Certify?
The ISP® certification provides enhancement points during the DSS Vulnerability Assessment for “security staff professionalism”
Other enhancement points from NCMS membership/activities derive from:
- Active participation in security organizations (NCMS officer, board member, community member, etc.)
- Membership/attendance in security community events

A couple of testimonials
Crystal Chambers, ISP®. Having ISP® after my name MEANS something! When I applied for a new position, not only did my new boss know what it meant, he was impressed! I have an ability now to confidently use, refer to and quote the NISPOM!
Leonard Moss Jr., ISP®, CHS-V. In October 2006 I moved cross-country for a promotion to the Director of Corporate Security. It's a great opportunity and it's the promotion I had been seeking. You will be happy to know that when I applied for this position one of the things the job called for was “ISP® preferred.” I thought that was great and worth sharing. It shows the value of our credential.

Question: What is the Industrial Security Professional certification program & why should you be one?
Answer: It is the only professional certification aimed at industrial security staff working for NISP contractors. It pays dividends both in knowledge & reputation.

Next Question: How can you best prepare for the ISP® exam?
ISP® Exam Preparation
Barrier to testing – The Fear Factor
Overcoming The Fear Factor through preparation

The Fear Factor
Applicants are apprehensive about taking the exam
- I’m not good enough (or experienced enough)
- I’ve been out of school for a long time. I don’t test well & I might fail.
- I’m too busy (workload, personal problems, etc.)
- If I fail, I’ll look bad in the eyes of supervisors, coworkers & colleagues
- If I fail, I’ll be out several hundred dollars. (Some companies don’t fund the exam until employee passes.)

Overcoming the Fear Factor
The two keys are networking & preparation
Networking
- “I’m not good enough” dispelled by contact with colleagues
Preparation
- Knowledge provides self-confidence
- Some nervousness always remains for any “high stakes” test, but the adrenalin helps

Main Methods of Preparation
Self-study
ISP® Examination Preparation Program (EPP)
Company or NCMS Chapter Based Study Groups

Self-Study
http://www.ncms-ISP.org/StudyReferences.html
Self-study was the only study method available before 2006
All of the source documents for the ISP® exam are unclassified and available on-line
Anxiety was high because candidates didn’t know if their preparation was “adequate”
Now – the ISP® Exam Prep Program (EPP) workbook can be used for self-study

ISP® Exam Preparation Program
Arose during 2005 ramp-up
- Candidates met telephonically to discuss “hard” chapters (Chap 8 on AIS, Chap 10 on international)
- Expanded & formalized after the 41st Annual National Training Seminar in Seattle WA
- Current sponsor is Education & Training Committee (Co-Chair: Charles Talley, ISP® & Sheryl Daniels, ISP®)

ISP® Exam Preparation Program
Exam Prep Program purpose
- Develop better security professionals by conducting study group sessions led by
subject matter experts on fundamentals like the NISPOM, ISLs, OPSEC, CI, etc.
- Assist those who do not have local ISP®s to be their “mentors”
- Encourage “unsure” candidates that they can complete appropriate preparation for the exam
- “Cooperate & Graduate”

ISP® Exam Preparation Program
Overview
- Students will obtain materials & study in advance of the telecons
- Telecons with mentors & other candidates to answer questions, help pace the preparation, etc.
  • Frequency: Once a week
  • Time: About 1 hour long each
  • All but electives occur 3 times weekly; candidates can pick the most convenient one

ISP® Exam Preparation Program
Materials
- Electronic copies of key references
- Workbook to help candidates’ review of NISPOM & other materials (cost: $50.00 for NCMS members, $100.00 for non-members)
  • 1 year free update policy protects you if new NISPOM/EPP Workbook come out shortly after you sign up
- Recordings of past sessions
- The Annotated NISPOM (TAN), a great tool for all security professionals, is available at: http://www.ncmsISP.org/NISPOM_200602_with_ISLs.pdf
  • Updated whenever an ISL or the “new NISPOM” is released

ISP® Exam Preparation Program
Mentors
- All are current ISP®s
- 3-person Mentor teams will provide a variety of experiences/viewpoints
Timeline
- One timed so that candidates finish in time to test before the Annual NCMS National Training Seminar and summer vacations
- A second timed to end before end of year holidays like Thanksgiving, Christmas, Hanukkah, New Year's Day, etc.
- To sign up or get more information, contact the ISP® Lead Mentor Team by e-mail [email protected]

ISP® Exam Preparation Program
Lesson strategy
- Call #1A - get started, go over "Test Tips" article for information/techniques/tips, evaluate class size, etc.
- Call #1B - look up practice (5 questions w/paper NISPOM, instructions of Adobe Acrobat search techniques, then 5 questions w/electronic search of The Annotated NISPOM (TAN) in PDF)
- Lesson #2 - #10 - cover about 10% of the NISPOM in each session
- Lesson #11 - last minute questions and wrap-up

ISP® Exam Preparation Program
Lesson Strategy (continued)
- Five optional calls; 1 for each of the five electives
  • COMSEC/TEMPEST
  • Counterintelligence (CI)
  • Intellectual Property
  • Operations Security (OPSEC)
  • Special Access Programs (SAP)

Company or NCMS Chapter Based Study Groups
Newest Development (Companies)
- SAIC
  • Study group in National Capital Region
  • Offered exam during last 2 security officer conferences
- Honeywell Global Security Solutions
  • Goal of having all qualified security compliance staff certified by end of FY 2012
- Raytheon Corporation
  • Over a dozen in 2010 study group in Tucson AZ area

Slide 37 EF14: need to add the applicable years or make generic statement and list the groups. I do not know what groups have supported it for the past 12 months but surely there are some new ones. Elizabeth Fant, 3/21/2013

Company or NCMS Chapter Based Study Groups
Newest Development (NCMS Chapters)
- Mid-South Chapter (Huntsville, AL area)
  • Lunchtime group sessions with a local ISP® as the Mentor
  • 7 tested in December 2010; all 7 passed
  • Continuing effort
- Chesapeake Bay Chapter (eastern Maryland)

Slide 38 EF15: need to update info since it is now a year old.
Elizabeth Fant, 3/21/2013

Sample Test
10 “Sample Test” Questions in NCMS “Survey”
- Provides examples of type of questions and their difficulty
- “Survey” style means all are available at a single link, not a question-by-question format used for on-line exams
- Available 24/7 once you get the link
- Email request to Sharon Tannahill at [email protected]

Some Mechanics: Signing Up for the EPP
Question: How do I sign up for the ISP® Exam Preparation Program (EPP)?
Answer: Send an email to [email protected]. The Mentor Team will send you instructions.

Some Mechanics: The ISP® Application
The two most straightforward points are:
- The application form is available on-line. Fill it out completely and sign. http://www.ncmsISP.org/documents/application.pdf
- Be sure to include your payment

Some Mechanics: The ISP® Application
If you cannot take the test as originally planned:
- You are within the 1 year approval window: notify NCMS HQS and your proctor of your new date
- You are outside the 1 year approval window: you will have to resubmit the application and supporting documents but you will be credited with the amount you previously paid

Some Mechanics: The ISP® Application
The résumé
- Critical for reviewers who verify you meet the 5-year experience requirement
- Is not restricted to 1 page!
- “Functional” format – including start and end dates – might be best since it allows you to combine industrial security experience from multiple jobs in one place
- Explain clearly the work you did, especially when the position was not in a purely industrial security role for a NISP contractor

Some Mechanics: The ISP® Application
The letter of reference – Can be very short. One short paragraph is enough.
- Verifies supervisory relationship
- Attests that you meet the 5-year security experience requirement
- Attests that you are a person of good character
- Recommends you for certification as an Industrial Security Professional

Some Mechanics: The Proctor
NCMS provides proctor for those who test at the Annual National Training Seminar
For on-line candidates:
- Anyone who is already an ISP® can be a Proctor
- Proctor cannot present a real or apparent conflict of interest (e.g., supervisor or subordinate)
- NCMS Chapter Chairs and ISP® Committee can help; if those are unhelpful, NCMS National or the ISP® Certification Subcommittee can help

Turning 75% to 95%
What can you do to dramatically increase your odds of passing
- Prepare in advance – on your own, independently with the EPP Workbook, or in a group (local, company, EPP/nationally)
- Don’t test on a “really bad day” – bad news, disaster at work, sickness (not just nerves)
- Pay attention to test discipline – don’t use references for any reason until you are done, 1 minute per question, answer all questions the first time (a blank answer is a guaranteed “wrong”)

Some Mechanics: Retesting
Should you not pass the exam the first time
- Don’t panic or despair; it happens just like it did in high school when we were all getting our first driver’s licenses.
- You must wait six months to take the test again.
- If you are still within your 1-year approval window and no changes in application or supporting documents, notify NCMS and submit the retest fee.
- If you are outside the 1-year approval window, you must submit a new application to NCMS HQ along with the retest fee.

Final Comments on ISP® Exam
Available on-line 24/7
Administered in a group setting in 2014 at seminar in National Harbor, MD; will be offered again at 2015 seminar in Las Vegas, NV.
Exam isn’t easy but you will pass if you
- Prepare in advance
- Don’t test on a “really bad day”
- Pay attention to test discipline (110 answers in 120 minutes)

Question: How can you best prepare for the ISP® exam?
Answer: There are several methods, from independent study to use of prepared workbooks to taking the ISP® Exam Prep Program. Choose the one you believe will work best for you.

Final Notes: Security Awareness Posters
http://www.ncms-channelislands.org/About/posters.asp

Contact Information
William L Uttenweiler, ISP®
- [email protected]
- Work Phone: 321-853-0803
- Cell Phone: 321-506-7427
- FAX: 310-563-2959

Any More Questions?

Bonus Topic
Question: What is NCMS & why should you belong?

Organization
Society of Information Security Professionals
Founded in 1964
Headquartered in Wayne, PA
55 chapters with ~ 5,700 members (and growing)

Official Scope – #1
Develop & promote education & training of members in the application of requirements of industrial security in support of the security of the United States and its allies as described in the National Industrial Security Program (NISP).
- Classified information (mostly DOD, DOE, CIA & NRC but 20+ other agencies included)

Official Scope – #2
Develop and promote education and training of members in the application of classification management principles, practices, procedures, & techniques in protecting government designated unclassified information & intellectual property in all forms.
- Government FOUO
- Company Proprietary/Competition Sensitive, etc.
- Operations Security (OPSEC)

How NCMS Meets Scope #1 & #2
Web site, especially the Members Only section
Annual National Training Seminar
NCMS Bulletin
Chapter level activities and communications

NCMS Web Site
www.classmgmt.com
eNews emails help you stay current
Resource library
- Counterintelligence information; security education/awareness training tools, security briefings
- Government reports (NISPOM, Industrial Security Letters, Executive Orders, Presidential Decision Directives, PERSEREC Reports)
- Classification management, physical security, COMSEC, OPSEC, information security, information assurance
- Protecting FOUO, sensitive-but-unclassified information, proprietary information
- Homeland Security, Emergency Preparedness
- JPAS, e-QIP
- International security, NATO, Export Control
- Facility Security Officer Training
- And much, much more

Annual National Training Seminar
49th was held June 2013 in Chicago IL.
- General and break-out sessions on topics included:
  • NISPOM Updates
  • Cyber Command Readiness Review Inspection (CCRI) Program
  • Defending Security Clearances Before & After Issues Arise and the Role of the FSO
  • SAP Basics for New CPSOs
  • Using Metrics to Support a Superior Security Program
  • OPSEC and the FOCI Paradigm
  • OPM Update on e-QIP and the Investigation Process
  • Social Networking (and OPSEC)
- Summaries of sessions published in NCMS Bulletin; when available, slides posted on-line
- Proctored ISP® certification exam

51st Annual National Training Seminar

NCMS Bulletin
Bi-monthly NCMS newsletter
- Official means of communication between leadership & members
- Articles by members on topics of interest, for example
  • Results of polygraph survey
  • Perils of the Internet
  • How to build a better security team
  • Verbal attestations
  • US port deal highlights foreign investments
  • Data spills – cleanup & prevention
  • Effective speaking tips

Chapter level activities & communications
Chapter-sponsored seminars
Chapter meetings with speakers
E-mail from chapter chair with news, updates, etc.
Association with government audit/inspection personnel in a professional, non-adversarial environment
Networking – you are never alone

Official Scope – #3
Advance the professionalism of Members through a formal certification program recognized by government & industry.
- Industrial Security Professional (ISP®) certification
  • http://www.ncms-ISP.org/

Official Scope – #4
Advance its purpose by representation & participation on U.S. government & professional security councils, committees, boards & forums & through formal comment, proposal, petition, & coordination.
- Memorandum of Understanding (MOU) Group
- NISP Policy Advisory Committee (NISPPAC)
- Close rapport with ISOO, DSS, etc.

The MOU Group
MOU Group
- Membership includes: NCMS & 5 other groups
NISP Policy Advisory Committee
- By invitation but usually includes NCMS members
Both represent industry’s voice to top-level government security policy makers

Information Flowing Up
Example: High Security Lock Legislation
- Pushed by Sen.
Jim Bunning (R-KY) in FY 2002 Defense Authorization Bill
- Would have accelerated requirement X0-8/9 locks (replacement kits cost $1,200 each; cabinets cost $1,570 - $5,679 each)
- Industry surveyed costs ($231 million) and concluded they were not justified by risk
- Bunning’s district includes headquarters of MAS-Hamilton, the only manufacturer of compliant locks

Information Flowing Up
Example: personnel security investigation backlog
- Explained the costs in unaccomplished work while PSIs languish uncompleted
- DSS agreed to allowing facilities to each prioritize a small number of cases and to accelerate their completion
- Early notification of DSS plans and requests for future PSI needs

Special Relationships
Special relationships with ISOO, DSS, etc.
- High level staff members meet frequently with Board of Directors on issues of mutual interest
- High level staff regularly present at NCMS National Training Center
- Permanent host for presentation of DSS’s James S. Cogswell Award for outstanding industrial security programs

Management Support Is Critical
Security professionals need enthusiastic support from their management
- More than signing the occasional policy or giving the intro at annual company refresher
- Reimbursement for dues and expenses
- Permission to attend functions and work on NCMS business (both for training and good PR within the DOD contractor community)
- Demonstrates to other employees that security is important to the company

Question: What is NCMS & why should you belong?
Answer: NCMS is the Society of Information Security Professionals. If you belong to NCMS, you & your company are never “hanging out there” alone. You have access to local & national level resources & experts when a question or a problem occurs.
Contact Information for NCMS
Web site: http://www.classmgmt.com/
Email: Sharon Tannahill, NCMS Executive Director at [email protected]