Becoming an ISP®: Why & How

Becoming an ISP®: Why & How. William L. Uttenweiler, ISP®, Chair, ISP® Certification Subcommittee & Member, Florida Space Coast Chapter, Cape Canaveral AFS, FL. James Massaro, ISP®, Chair, ISP® CEU Subcommittee & Member, Alamo Chapter, San Antonio, TX. ©2014, NCMS – The Society of Industrial Security Professionals. All Rights Reserved.

Transcript of Becoming an ISP®: Why & How

Page 1: Becoming an ISP®: Why & How

Becoming an ISP®: Why & How

William L. Uttenweiler, ISP®
Chair, ISP® Certification Subcommittee & Member, Florida Space Coast Chapter, Cape Canaveral AFS, FL

James Massaro, ISP®
Chair, ISP® CEU Subcommittee & Member, Alamo Chapter, San Antonio, TX

©2014, NCMS – The Society of Industrial Security Professionals. All Rights Reserved.

Page 2: Becoming an ISP®: Why & How

Overview

What is the Industrial Security Professional certification program & why should you be one?

How can you best prepare for the ISP® exam?

What is NCMS & why should you belong?
- Bonus topic: Included for your information.

Page 3: Becoming an ISP®: Why & How

Question: What is the Industrial Security Professional certification program & why should you be one?

Page 4: Becoming an ISP®: Why & How

Past Security Certification Landscape

The security certification universe in 2003
- Some of the existing ones were too broad
• Certified Protection Professional (CPP)
- Others were narrowly focused but on other disciplines
• Physical Security Professional (PSP)
• Certified Fraud Examiner (CFE)
• Certified Information Systems Security Professional (CISSP)
• Global Information Assurance Certificate (GIAC)
• Certified in Homeland Security (CHS)

Page 5: Becoming an ISP®: Why & How

Past Security Certification Landscape

Security certification universe in 2003
- None focused on the National Industrial Security Program (NISP) or the NISPOM
- None included areas like Counterintelligence (CI) and Communications Security/TEMPEST
- NCMS grassroots wanted a certification which would closely match what a Facility Security Officer (FSO), ISSO/ISSM and his/her staff actually do

Page 6: Becoming an ISP®: Why & How

2014 Security Certification Landscape

Changed for contractors in the NISP
- ISP® dominates the landscape
- There are other certifications available

Page 7: Becoming an ISP®: Why & How

2014 Security Certification Landscape

ISP® (Industrial Security Professional). Developed by NCMS to meet the specific needs of contractor personnel who perform Industrial Security for the US government as specified by the National Industrial Security Program (NISP) and other government security-related requirement documents. (All government agencies that deal with classified information must follow the NISP: DOD, DOE, NRC, CIA, DNI, etc.)

SPēD (Security Professional Education Development). The SPēD Certification Program is a new part of the Department of Defense’s (DoD) initiative to professionalize the government security workforce. SPēD has 4 levels: SFPC (Security Fundamentals Professional Certification), SAPPC (Security Asset Protection Professional), SPIPC (Security Program Integration & Professional Certification), and SEPC (Security Enterprise Professional Certification). SPēD Certification is also open to employees of DoD contractors. (It is not based on the NISP Operating Manual like the ISP® is.)

Page 8: Becoming an ISP®: Why & How

2014 Security Certification Landscape

CISSP (Certified Information Systems Security Professional). This certification targets information systems/information technology professionals with five years of full-time experience in at least two of the 10 domains that are part of the “common body of knowledge.” These include Operations Security, Business Continuity and Disaster Recovery, Legal, Regulations, Investigations, and Physical Security. Typically it appeals to Information Systems Security Managers (ISSMs), Officers (ISSOs) and security generalists.

CPP (Certified Protection Professional). The CPP targets professionals who can effectively manage complex security issues for corporations, governments, and public and private institutions. This certification tests an individual’s skills in eight broad subjects – security principles & practices, business principles & practices, legal aspects, personnel security, physical security, information security, crisis management, and investigations.

Page 9: Becoming an ISP®: Why & How

Industrial Security Professional

Industrial Security Professional (ISP®) certification
- For individuals involved in classified government contracts
- Introduced in 2004
- Aimed at “journeyman” level professionals
- ~ 400 currently certified world-wide

Page 10: Becoming an ISP®: Why & How

ISP® Certification

ISP® Certification requirements
- 5 years’ experience in security management (can be part-time if >10% of duties)
- Pass a proctored exam

• 110 questions (100 “core” plus 5 each on 2 electives chosen from 5 available – counterintelligence, COMSEC/TEMPEST, intellectual property, OPSEC, special access programs)

• 2 hours long; open book

- Recommended by supervisor or NCMS National Director

- Subscribe to high ethical standards

Page 11: Becoming an ISP®: Why & How

ISP® Certification: Experience Requirement

Page 12: Becoming an ISP®: Why & How

ISP® Certification: Experience Requirement

Page 13: Becoming an ISP®: Why & How

ISP® Certification: Experience Requirement

Page 14: Becoming an ISP®: Why & How

ISP® Certification

Recertification required every 3 years
- Shows continued professional development
- Demonstrates that person has kept current on both threats and defenses
- Can be accomplished by activities such as
• Membership/leadership in security organizations (NCMS, ASIS, etc.)
• Training class/seminar attendance
• Authoring articles/presenting classes on security topics

Page 15: Becoming an ISP®: Why & How

ISP® Certification

“Accreditation”
- The ISP® was awarded formal “accreditation” by the American National Standards Institute (ANSI) in October 2013
- Rigorous process carefully defining standards, process, etc. Requires extensive documentation

Page 16: Becoming an ISP®: Why & How

ISP® Certification

Accreditation process has driven several changes
- The requirement to have on-line test takers proctored
• Proctors ensure that the candidate is the person who takes the exam
• Chapter Chairs, Chapter ISP® Committees, and ISP® Certification Subcommittee will help locate current ISP®s to serve as proctors
• For those not near an ISP®, NCMS Headquarters will approve qualified proctors (including Government Industrial Security Representatives, College/University teachers, etc.)

Page 17: Becoming an ISP®: Why & How

ISP® Certification

Accreditation process has driven several changes (continued)
- The elimination of the paper exam
• Usually offered only at the National Training Seminar
• Pass/Fail results of paper vs. online were not consistent
• Candidates at NCMS 2012 said they’d prefer to take the test online and know results immediately as opposed to waiting for papers to be hand scored/verified

Page 18: Becoming an ISP®: Why & How

ISP® On-Line http://www.ncms-isp.org/

ISP® web site consolidates resources
- Certification Booklet
- Application Form
- ISP® Code of Ethics
- Test References & Sources
- Frequently Asked Questions
- List of Current ISP®s
- ISP® Exam Preparation Program

Page 19: Becoming an ISP®: Why & How

ISP® Certification: Why Certify?

The ISP® program provides a high-level baseline for the knowledge required of an Industrial Security FSO with at least five years of experience

It certifies that the holder of the ISP® has the requisite knowledge of the NISPOM and other related directives used by the average FSO on a daily basis

It demonstrates on the part of the ISP® a degree of professionalism and willingness to go the extra mile to develop professionally

Page 20: Becoming an ISP®: Why & How

ISP® Certification: Why Certify?

It demonstrates self-confidence & willingness to take a risk (of failing the certification exam in this case)

It demonstrates that the ISP® has the academic and intellectual skills to not only perform as an FSO but also to develop further as a security professional

It puts a company that has ISP®s on their staff in a stronger position for contract bids and re-bids in the area of security

It provides a FSO with an ISP® added credibility when dealing with DSS representatives.

Page 21: Becoming an ISP®: Why & How

ISP® Certification: Why Certify?

The ISP® certification provides enhancement points during the DSS Vulnerability Assessment for “security staff professionalism”

Other enhancement points from NCMS membership/activities derive from:
- Active participation in security organizations (NCMS officer, board member, community member, etc.)

- Membership/attendance in security community events

Page 22: Becoming an ISP®: Why & How

A couple of testimonials

Crystal Chambers, ISP®. Having ISP® after my name MEANS something! When I applied for a new position, not only did my new boss know what it meant, he was impressed! I have an ability now to confidently use, refer to and quote the NISPOM!

Leonard Moss Jr., ISP®, CHS-V. In October 2006 I moved cross-country for a promotion to the Director of Corporate Security. It's a great opportunity and it's the promotion I had been seeking. You will be happy to know that when I applied for this position one of the things the job called for was “ISP® preferred.” I thought that was great and worth sharing. It shows the value of our credential.

Page 23: Becoming an ISP®: Why & How

Question: What is the Industrial Security Professional certification program & why should you be one?

Answer: It is the only professional certification aimed at industrial security staff working for NISP contractors. It pays dividends both in knowledge & reputation.

Page 24: Becoming an ISP®: Why & How

Next Question: How can you best prepare for the ISP® exam?

Page 25: Becoming an ISP®: Why & How

ISP® Exam Preparation

Barrier to testing – The Fear Factor

Overcoming The Fear Factor through preparation

Page 26: Becoming an ISP®: Why & How

The Fear Factor

Applicants are apprehensive about taking the exam
- I’m not good enough (or experienced enough)
- I’ve been out of school for a long time. I don’t test well & I might fail.
- I’m too busy (workload, personal problems, etc.)
- If I fail, I’ll look bad in the eyes of supervisors, coworkers & colleagues
- If I fail, I’ll be out several hundred dollars. (Some companies don’t fund the exam until employee passes.)

Page 27: Becoming an ISP®: Why & How

Overcoming the Fear Factor

The two keys are networking & preparation

Networking
- “I’m not good enough” dispelled by contact with colleagues

Preparation
- Knowledge provides self-confidence
- Some nervousness always remains for any “high stakes” test, but the adrenalin helps

Page 28: Becoming an ISP®: Why & How

Main Methods of Preparation

Self-study

ISP® Examination Preparation Program (EPP)

Company or NCMS Chapter Based Study Groups

Page 29: Becoming an ISP®: Why & How

Self-Study http://www.ncms-ISP.org/StudyReferences.html

Self-study was the only study method available before 2006

All of the source documents for the ISP® exam are unclassified and available on-line

Anxiety was high because candidates didn’t know if their preparation was “adequate”

Now – the ISP® Exam Prep Program (EPP) workbook can be used for self-study

Page 30: Becoming an ISP®: Why & How

ISP® Exam Preparation Program

Arose during 2005 ramp-up
- Candidates met telephonically to discuss “hard” chapters (Chap 8 on AIS, Chap 10 on international)

- Expanded & formalized after the 41st Annual National Training Seminar in Seattle WA

- Current sponsor is Education & Training Committee (Co-Chair: Charles Talley, ISP® & Sheryl Daniels, ISP®)

Page 31: Becoming an ISP®: Why & How

ISP® Exam Preparation Program

Exam Prep Program purpose
- Develop better security professionals by conducting study group sessions led by subject matter experts on fundamentals like the NISPOM, ISLs, OPSEC, CI, etc.
- Assist those who do not have local ISP®s to be their “mentors”
- Encourage “unsure” candidates that they can complete appropriate preparation for the exam

- “Cooperate & Graduate”

Page 32: Becoming an ISP®: Why & How

ISP® Exam Preparation Program

Overview
- Students will obtain materials & study in advance of the telecons
- Telecons with mentors & other candidates to answer questions, help pace the preparation, etc.
• Frequency: Once a week
• Time: About 1 hour long each
• All but electives occur 3 times weekly; candidates can pick the most convenient one

Page 33: Becoming an ISP®: Why & How

ISP® Exam Preparation Program

Materials
- Electronic copies of key references
- Workbook to help candidates’ review of NISPOM & other materials (cost: $50.00 for NCMS members, $100.00 for non-members)
• 1 year free update policy protects you if new NISPOM/EPP Workbook come out shortly after you sign up
- Recordings of past sessions

- The Annotated NISPOM (TAN), a great tool for all security professionals, is available at: http://www.ncms-ISP.org/NISPOM_200602_with_ISLs.pdf

• Updated whenever an ISL or the “new NISPOM” is released

Page 34: Becoming an ISP®: Why & How

ISP® Exam Preparation Program

Mentors
- All are current ISP®s
- 3-person Mentor teams will provide a variety of experiences/viewpoints

Timeline
- One timed so that candidates finish in time to test before the Annual NCMS National Training Seminar and summer vacations
- A second timed to end before end of year holidays like Thanksgiving, Christmas, Hanukah, New Years Day, etc.
- To sign up or get more information, contact the ISP® Lead Mentor Team by e-mail [email protected]

Page 35: Becoming an ISP®: Why & How

ISP® Exam Preparation Program

Lesson strategy
- Call #1A - get started, go over "Test Tips" article for information/techniques/tips, evaluate class size, etc.
- Call #1B - look up practice (5 questions w/paper NISPOM, instructions on Adobe Acrobat search techniques, then 5 questions w/electronic search of The Annotated NISPOM (TAN) in PDF)
- Lesson #2 - #10 - cover about 10% of the NISPOM in each session
- Lesson #11 - last minute questions and wrap-up

Page 36: Becoming an ISP®: Why & How

ISP® Exam Preparation Program

Lesson Strategy (continued)
- Five optional calls; 1 for each of the five electives
• COMSEC/TEMPEST
• Counterintelligence (CI)
• Intellectual Property
• Operations Security (OPSEC)
• Special Access Programs (SAP)

Page 37: Becoming an ISP®: Why & How

Company or NCMS Chapter Based Study Groups

Newest Development (Companies)
- SAIC
• Study group in National Capital Region
• Offered exam during last 2 security officer conferences
- Honeywell Global Security Solutions
• Goal of having all qualified security compliance staff certified by end of FY 2012
- Raytheon Corporation
• Over a dozen in 2010 study group in Tucson AZ area

EF14

Page 38: Becoming an ISP®: Why & How

Slide 37

EF14: need to add the applicable years or make generic statement and list the groups. I do not know what groups have supported it for the past 12 months but surely there are some new ones.
Elizabeth Fant, 3/21/2013

Page 39: Becoming an ISP®: Why & How

Company or NCMS Chapter Based Study Groups

Newest Development (NCMS Chapters)
- Mid-South Chapter (Huntsville, AL area)

• Lunchtime group sessions with a local ISP® as the Mentor

• 7 tested in December 2010; all 7 passed
• Continuing effort

- Chesapeake Bay Chapter (eastern Maryland)

EF15

Page 40: Becoming an ISP®: Why & How

Slide 38

EF15: need to update info since it is now a year old.
Elizabeth Fant, 3/21/2013

Page 41: Becoming an ISP®: Why & How

Sample Test

10 “Sample Test” Questions in NCMS “Survey”
- Provides examples of type of questions and their difficulty
- “Survey” style means all are available at a single link, not a question-by-question format used for on-line exams
- Available 24/7 once you get the link
- Email request to Sharon Tannahill at [email protected]

Page 42: Becoming an ISP®: Why & How

Some Mechanics: Signing Up for the EPP

Question: How do I sign up for the ISP® Exam Preparation Program (EPP)?

Answer: Send an email to [email protected]. The Mentor Team will send you instructions.

Page 43: Becoming an ISP®: Why & How

Some Mechanics: The ISP® Application

The two most straightforward points are:
- The application form is available on-line. Fill it out completely and sign. http://www.ncms-ISP.org/documents/application.pdf

- Be sure to include your payment

Page 44: Becoming an ISP®: Why & How

Some Mechanics: The ISP® Application

Page 45: Becoming an ISP®: Why & How

Some Mechanics: The ISP® Application

If you cannot take the test as originally planned:
- You are within the 1 year approval window: notify NCMS HQS and your proctor of your new date
- You are outside the 1 year approval window: you will have to resubmit the application and supporting documents but you will be credited with the amount you previously paid

Page 46: Becoming an ISP®: Why & How

Some Mechanics: The ISP® Application

The résumé
- Critical for reviewers who verify you meet the 5-year experience requirement
- Is not restricted to 1 page!
- “Functional” format – including start and end dates – might be best since it allows you to combine industrial security experience from multiple jobs in one place
- Explain clearly the work you did, especially when the position was not in a purely industrial security role for a NISP contractor

Page 47: Becoming an ISP®: Why & How

Some Mechanics: The ISP® Application

The letter of reference – Can be very short. One short paragraph is enough.
- Verifies supervisory relationship
- Attests that you meet the 5-year security experience requirement
- Attests that you are a person of good character
- Recommends you for certification as an Industrial Security Professional

Page 48: Becoming an ISP®: Why & How

Some Mechanics: The Proctor

NCMS provides proctor for those who test at the Annual National Training Seminar

For on-line candidates:
- Anyone who is already an ISP® can be a Proctor
- Proctor cannot present a real or apparent conflict of interest (e.g., supervisor or subordinate)
- NCMS Chapter Chairs and ISP® Committee Chairs can help; if those are unhelpful, NCMS National or the ISP® Certification Subcommittee can help

Page 49: Becoming an ISP®: Why & How

Turning 75% to 95%

What can you do to dramatically increase your odds of passing
- Prepare in advance – on your own, independently with the EPP Workbook, or in a group (local, company, EPP/nationally)
- Don’t test on a “really bad day” – bad news, disaster at work, sickness (not just nerves)
- Pay attention to test discipline – don’t use references for any reason until you are done, 1 minute per question, answer all questions the first time (a blank answer is a guaranteed “wrong”)

Page 50: Becoming an ISP®: Why & How

Some Mechanics: Retesting

Should you not pass the exam the first time
- Don’t panic or despair; it happens just like it did in high school when we were all getting our first driver’s licenses.
- You must wait six months to take the test again.
- If you are still within your 1-year approval window and no changes in application or supporting documents, notify NCMS and submit the retest fee.
- If you are outside the 1-year approval window, you must submit a new application to NCMS HQ along with the retest fee.

Page 51: Becoming an ISP®: Why & How

Final Comments on ISP® Exam

Available on-line 24/7

Administered in a group setting in 2014 at seminar in National Harbor, MD; will be offered again at 2015 seminar in Las Vegas, NV.

Exam isn’t easy but you will pass if you
- Prepare in advance
- Don’t test on a “really bad day”
- Pay attention to test discipline (110 answers in 120 minutes)

Page 52: Becoming an ISP®: Why & How

Question: How can you best prepare for the ISP® exam?

Answer: There are several methods, from independent study to use of prepared workbooks to taking the ISP® Exam Prep Program. Choose the one you believe will work best for you.

Page 53: Becoming an ISP®: Why & How

Final Notes: Security Awareness Posters

http://www.ncms-channelislands.org/About/posters.asp

Page 54: Becoming an ISP®: Why & How

Contact Information

William L Uttenweiler, ISP®
- [email protected]
- Work Phone: 321-853-0803
- Cell Phone: 321-506-7427
- FAX: 310-563-2959

Page 55: Becoming an ISP®: Why & How

Any More Questions?

Page 56: Becoming an ISP®: Why & How

Bonus Topic

Page 57: Becoming an ISP®: Why & How

Question: What is NCMS & why should you belong?

Page 58: Becoming an ISP®: Why & How

Organization

Society of Information Security Professionals

Founded in 1964

Headquartered in Wayne, PA

55 chapters with ~ 5,700 members (and growing)

Page 59: Becoming an ISP®: Why & How

Official Scope – #1

Develop & promote education & training of members in the application of requirements of industrial security in support of the security of the United States and its allies as described in the National Industrial Security Program (NISP).
- Classified information (mostly DOD, DOE, CIA & NRC but 20+ other agencies included)

Page 60: Becoming an ISP®: Why & How

Official Scope – #2

Develop and promote education and training of members in the application of classification management principles, practices, procedures, & techniques in protecting government designated unclassified information & intellectual property in all forms.
- Government FOUO
- Company Proprietary/Competition Sensitive, etc.
- Operations Security (OPSEC)

Page 61: Becoming an ISP®: Why & How

How NCMS Meets Scope #1 & #2

Web site, especially the Members Only section

Annual National Training Seminar

NCMS Bulletin

Chapter level activities and communications

Page 62: Becoming an ISP®: Why & How

NCMS Web Site www.classmgmt.com

eNews emails help you stay current

Resource library
- Counterintelligence information; security education/awareness training tools, security briefings
- Government reports (NISPOM, Industrial Security Letters, Executive Orders, Presidential Decision Directives, PERSEREC Reports)
- Classification management, physical security, COMSEC, OPSEC, information security, information assurance
- Protecting FOUO, sensitive-but-unclassified information, proprietary information
- Homeland Security, Emergency Preparedness
- JPAS, e-QIP
- International security, NATO, Export Control
- Facility Security Officer Training
- And much, much more

Page 63: Becoming an ISP®: Why & How

Annual National Training Seminar

49th was held June 2013 in Chicago IL.
- General and break-out sessions on topics included:
• NISPOM Updates
• Cyber Command Readiness Review Inspection (CCRI) Program
• Defending Security Clearances Before & After Issues Arise and the Role of the FSO
• SAP Basics for New CPSOs
• Using Metrics to Support a Superior Security Program
• OPSEC and the FOCI Paradigm
• OPM Update on e-QIP and the Investigation Process
• Social Networking (and OPSEC)
- Summaries of sessions published in NCMS Bulletin; when available, slides posted on-line

- Proctored ISP® certification exam

Page 64: Becoming an ISP®: Why & How

51st Annual National Training Seminar

Page 65: Becoming an ISP®: Why & How

NCMS Bulletin

Bi-monthly NCMS newsletter
- Official means of communication between leadership & members
- Articles by members on topics of interest, for example
• Results of polygraph survey
• Perils of the Internet
• How to build a better security team
• Verbal attestations
• US port deal highlights foreign investments
• Data spills – cleanup & prevention
• Effective speaking tips

Page 66: Becoming an ISP®: Why & How

Chapter level activities & communications

Chapter-sponsored seminars

Chapter meetings with speakers

E-mail from chapter chair with news, updates, etc.

Association with government audit/inspection personnel in a professional, non-adversarial environment

Networking – you are never alone

Page 67: Becoming an ISP®: Why & How

Official Scope – #3

Advance the professionalism of Members through a formal certification program recognized by government & industry.
- Industrial Security Professional (ISP®) certification
• http://www.ncms-ISP.org/

Page 68: Becoming an ISP®: Why & How

Official Scope – #4

Advance its purpose by representation & participation on U.S. government & professional security councils, committees, boards & forums & through formal comment, proposal, petition, & coordination.
- Memorandum of Understanding (MOU) Group
- NISP Policy Advisory Committee (NISPPAC)
- Close rapport with ISOO, DSS, etc.

Page 69: Becoming an ISP®: Why & How

The MOU Group

MOU Group
- Membership includes: NCMS & 5 other groups

NISP Policy Advisory Committee
- By invitation but usually includes NCMS members

Both represent industry’s voice to top-level government security policy makers

Page 70: Becoming an ISP®: Why & How

Information Flowing Up

Example: High Security Lock Legislation
- Pushed by Sen. Jim Bunning (R-KY) in FY 2002 Defense Authorization Bill
- Would have accelerated requirement X0-8/9 locks (replacement kits cost $1,200 each; cabinets cost $1,570 - $5,679 each)
- Industry surveyed costs ($231 million) and concluded they were not justified by risk
- Bunning’s district includes headquarters of MAS-Hamilton, the only manufacturer of compliant locks

Page 71: Becoming an ISP®: Why & How

Information Flowing Up

Example: personnel security investigation backlog
- Explained the costs in unaccomplished work while PSIs languish uncompleted
- DSS agreed to allowing facilities to each prioritize a small number of cases and to accelerate their completion
- Early notification of DSS plans and requests for future PSI needs

Page 72: Becoming an ISP®: Why & How

Special Relationships

Special relationships with ISOO, DSS, etc.
- High level staff members meet frequently with Board of Directors on issues of mutual interest
- High level staff regularly present at NCMS National Training Center
- Permanent host for presentation of DSS’s James S. Cogswell Award for outstanding industrial security programs

Page 73: Becoming an ISP®: Why & How

Management Support Is Critical

Security professionals need enthusiastic support from their management
- More than signing the occasional policy or giving the intro at annual company refresher
- Reimbursement for dues and expenses
- Permission to attend functions and work on NCMS business (both for training and good PR within the DOD contractor community)

- Demonstrates to other employees that security is important to the company

Page 74: Becoming an ISP®: Why & How

Question: What is NCMS & why should you belong?

Answer: NCMS is the Society of Information Security Professionals. If you belong to NCMS, you & your company are never “hanging out there” alone. You have access to local & national level resources & experts when a question or a problem occurs.

Page 75: Becoming an ISP®: Why & How

Contact Information for NCMS

Web site: http://www.classmgmt.com/

Email: Sharon Tannahill, NCMS Executive Director at [email protected]