When viewing controlled goods on a computer screen, assessed personnel must take measures to guard the screen from the sight of non-assessed persons.
In a cubicle or room, the screen must be positioned such that no one entering the area can view it. This can be easily achieved by positioning the screen so it faces away from the entrance. If a non-assessed person needs to step around the desk, turn the monitor off or blank the screen. If an operator must leave a cubicle or room, they need to check any controlled goods back in and log out. Of course, everyone must keep their password secure and only reveal it to an assessed supervisor or the designated official.
When traveling, assessed personnel must only use a laptop or mobile device when alone in a hotel room, using a secure virtual private network (VPN) that was set up by an assessed person in the IT department. Using a device in public could allow non-assessed people to see the screen. This includes hotel lobbies, restaurants, parks, beaches, subways, aircraft or any other place where there is a danger of someone viewing controlled goods.
Guarding controlled goods and technologies extends beyond the obvious. A small detail that seems unimportant can lead to serious compromises.
Imagine that you are in charge of shipping a controlled item to a decommissioned military base. If the designated official has drawn up an effective security plan and you have been trained to use it, you will know not to discuss the item in emails, when speaking with non-assessed persons or at conferences. You might think this is all that's required to protect the controlled goods.
But safeguarding controlled items and technology extends beyond physical considerations. You might be out in public when someone mentions an old decommissioned military base outside of town and you say, “Oddly enough, we just shipped some items up there.” You haven’t said anything directly about controlled goods; still, agents of an unfriendly power who learn about the shipment might be able to deduce several things. They may know what types of products your company manufactures and be able to produce a short list of the likely controlled goods in question. Knowing that the item is being shipped to an abandoned base indicates that activity might be restarting there. If, for instance, your company produces military grade inertial movement units (IMU) and the agents have learned that a company that manufactures high resolution cameras is shipping some kind of item to the same base, they could deduce that the base is being reactivated to support or conduct aerial espionage and bears observation. Even a single piece of information can add to a foreign power’s knowledge, such as the size of a food order being sent to the base, which could indicate the number of persons who will shortly be assigned there.
Security clearances and assessments cannot be the only deciding factor when sharing information, even within a company, within a government department or between departments. The person receiving the item or technology must have a need to know it. Those who do not need to use the goods or technology to do their job cannot be allowed to possess them. The more people who become exposed to controlled goods, the greater the possibility of a breach. The designated official must keep a list of who needs to possess each controlled good and make that clear to everyone involved.
Before anyone can possess controlled goods or technologies, he or she must undergo security training or a security briefing. This is so important that the Controlled Goods Regulations stipulate that training and briefing programs must be included in the security plan for an organization to register with the Controlled Goods Directorate.
The designated official is responsible for providing training programs and security briefings. Training programs will be delivered to persons who will possess, examine or transfer controlled goods on an ongoing basis. This can include board members, officers, employees, contractual workers and temporary workers, whether they have been assessed by the designated official or have been exempted by the Controlled Goods Directorate. Visitors who have been exempted by the Controlled Goods Directorate and are authorized to access controlled goods and/or controlled technologies will receive a security briefing prior to the visit. Assessed and exempt persons will not be allowed to access controlled goods until they have completed a training program or security briefing.
Security training includes general regulations as well as items specific to an organization. It covers such areas as the processes of becoming assessed, threats and risks, physical security, IT security, receiving controlled goods, sending controlled goods, reporting and handling security breaches, access to printed and electronic material, storing controlled goods, using controlled goods and escorting visitors. The training program will also discuss specific locations and situations where controlled goods are kept at a site.
Security briefings will inform the visitor of the importance of safeguarding controlled goods, restrictions on discussing controlled goods accessed during the visit and fines and penalties for compromising controlled goods. Security briefings also cover the unique location and controlled goods involved, the degree of access and any conditions placed on the visit.
The training program and security briefing are subject to inspection at any time by the Controlled Goods Directorate.
The designated official will review the training and security briefing programs periodically to ensure they continue to meet the security needs for safeguarding controlled goods and/or controlled technologies and reflect any regulatory or legislative changes.
The designated official will maintain a log containing the date, names and signatures of the authorized person(s) who have received training and of the security official who conducted the training. This log will be kept in a secure container such as a locked filing cabinet or a password protected electronic volume or file. Likewise, the designated official will maintain a log that contains the date, names and signatures of visitors who have received a security briefing and of the security official who conducted the briefing. As with training records, this log will be kept in a secure container such as a locked filing cabinet or a password protected electronic volume or file. Access to these records will be restricted to the designated official and authorized persons.
Training is ongoing. It will be delivered both to new employees and temporary workers who require access to controlled goods and periodically to those persons authorized to examine or possess controlled goods and/or controlled technologies, in order to reinforce the information provided during the initial training and to advise of any changes in the security plan or the Controlled Goods Regulations. The period between refresher training sessions should not exceed six months.
Personnel who understand how to properly possess, examine or transfer controlled goods and/or technologies will be able to make informed decisions to protect these items and preserve security.
You’ve done your threat and risk assessment, identified the controlled goods in your organization, written your security plan and registered with the Controlled Goods Directorate. Some designated officials might think their jobs are finished and all they have to do is assess new personnel. That might be the case if we lived in a world where nothing changed, but we don’t.
Your organization’s controlled goods program is fluid. To deal with this, internal audits need to be conducted. Not only are they mandated by the Controlled Goods Regulations, they are a valuable tool that allows the designated official (DO) to verify the state of the local program.
In addition, audits offer a chance to evaluate the effectiveness of the current security plan and make recommendations for corrective action as required. Such corrections may be necessary when the regulations change, when the environment changes, when it is evident that the security plan no longer meets the needs of the organization or if a part of the security plan is found to be flawed.
Audits begin with an examination of the records the DO is required to keep. These include records pertaining to assessments and exemptions, checked to make certain all relevant information has been gathered, such as biographical data, background history, reference contacts, criminal background checks and credit reports. Other records include verification of contractor registration with the Controlled Goods Directorate, records of visitors, training and security briefing records, records of transfers in and out of the facility, the current physical location of each controlled good, records of the destruction of controlled goods and records of security breaches with the initial report, contact with the Controlled Goods Directorate, the corrective actions and their follow-ups.
The DO then needs to go into the field and cross-reference the documents with the actual state of personnel and controlled goods. Security measures, physical and electronic, need to match the security plan. Those measures must also be evaluated for their effectiveness. Records of assessed or exempt personnel need to be checked against the actual personnel possessing controlled goods, to make certain these people are still with the organization and to detect whether any non-assessed or non-exempt persons are working with controlled goods. The DO must make certain the physical location of controlled goods matches the documentation and that they have not been moved to a different location, shipped out of the facility or destroyed without proper records. The audit can also reveal controlled goods that have been introduced without the proper documentation. This can occur when someone orders an item without informing the DO or without realizing it is controlled. The DO must become familiar with the purpose and requirements of all manufacturing and research projects to anticipate where controlled goods might be introduced.
Whenever a discrepancy is detected, a corrective action must be initiated, assigned for repair, and followed up to make certain it was accomplished and that it had the intended effect. If a security breach is discovered, such as non-assessed persons handling controlled goods, it must be recorded and the Controlled Goods Directorate notified immediately.
Audits need to be conducted on a periodic basis. This might be yearly, biyearly or some other period, depending on the needs of the organization. The DO might want to conduct a full audit each time, or break up the audit by type of information (personnel vs. material), department, project or facility and stagger these throughout the year.
Audits are the most important tool a designated official has to monitor and adjust the health of a controlled goods program.