
Running Head: Security Plan

Security Plan
SEC/480 Capstone Course
Omari H. Broussard
14 May 2013
Darren Gil, Faculty
University of Phoenix

Security Plan

This paper designs a physical, personal, and information systems security plan. Security measures are supplied to address the threats and vulnerabilities identified in the previous risk and threat assessment. The rationale for each security measure is explained based on NIMS. A preliminary budget for implementing the security plan is also provided.

Purpose

The security plan for Naval Special Operations Group ONE (NOSG1) is designed to implement and enforce security measures relating to physical, information, and personal security. This document is an overview of the security program authorized by the Commanding Officer and enforced by the Command Security Manager. NOSG1 personnel shall be familiar with the contents and procedures contained in the security plan.

Objectives

The objectives of this security plan are to establish NOSG1's general security policy for facilities, personnel, and information systems; to establish guidelines set by the Commanding Officer for the protection of command assets; and to reduce the loss of valuable command assets, theft of critical information, and damage to command facilities. This security plan does not reduce the Commanding Officer's ability to use more stringent standards in order to protect facilities, personnel, or information from loss.

Physical Security Measures

Physical security measures are designed to establish and maintain a proactive physical security posture. Security measures are based on an integrated approach and combine active and passive systems, security personnel, and devices to protect command assets from possible threats. Perimeter controls, facility exterior controls, and facility interior controls make up the components of physical security measures.

Perimeter Controls

NOSG1 facilities are protected by host base security assets. The base main gate provides adequate access control to facilities. Main gate security personnel are responsible for verifying the status of base visitors. Mandatory ID checks and random vehicle inspections conducted by base security personnel ensure only authorized personnel gain access to base assets.

Base security also provides mobile security patrols to NOSG1 facilities. Mobile security patrols conduct security rounds of NOSG1 facilities every four hours during the standard work day (0700-1600) and after hours. In the event of an incident, base security patrols will make contact with the Command Duty Officer for further action. Command Duty Officer (CDO) incident procedures are contained in the Command Incident Binder (CIB).

NOSG1 facilities are within a fenced barrier and require personnel to use a Common Access Card (CAC) and a four- to six-digit PIN to gain access to buildings. Fences are equipped with barbed wire to deter and delay threats from gaining access. Command security personnel inspect fences once a day for signs of wear or tampering. Vehicle parking lots are located at least 100 ft from the perimeter of buildings to protect facilities from vehicle threats. Protective lighting is used around buildings and in parking lots to expose intruders and for personnel safety. Camera systems are located on fence lines and in parking lots to monitor for intruders and other criminal acts.

Facility Exterior Controls

Facility exterior controls are designed to deter and delay threats from gaining entry into the NOSG1 facility interior. Controls include doors, windows, walls, intrusion detection systems, and sensors. Security personnel are also included in exterior controls: if electronic systems are down, command personnel can man facility entries and exits.

NOSG1 facility doors are designed to provide maximum security at entries and exits. Doors are equipped with at least three different security systems to protect personnel from manmade or natural threats. Doors are constructed to high-level security standards. Each door requires an X-09 combination lock or cypher lock, an electronic keypad, and a standard key lock. X-09 combination locks are standard spin-dial security locks that can be configured to accept one or two combinations. Cypher locks are 6-button locks attached to the actual door handle. Doors will be connected to the building Intrusion Detection System (IDS) to alert base security personnel. Electronic keypads are designed to scan a security badge and accept a four-digit PIN. The CDO will have access to master keys, a master security badge, and combinations if access is needed.

Windows to facilities will be covered with steel grating and a reflective film to prevent intruders from accessing the facility. Steel grating protects the windows from intruders and from debris from natural disasters or explosions. Reflective window film prevents persons outside from obtaining visual information on the inside of the facility. Windows located in classified spaces must be locked at all times and be fitted with tamper indicator devices.

Alarms (audible and silent) are installed in every facility to alert security personnel of an intruder. Fire alarms are also installed in every building and connected to base security and the fire department. Alarm systems are tested monthly by security personnel to ensure proper operation. If command personnel find an alarm that is not operational, the facilities department should be contacted for immediate assistance.

Facility Internal Controls

Facility internal controls include door and window locks, access controls, and security systems. Interior doors are made with the same material as external doors. All spaces within the building that contain classified information must meet the following standards: X-09 combination or cypher lock, electronic keypad, and high security deadbolt lock. Unclassified spaces only require a high security deadbolt lock. Intelligence spaces and spaces where communications security material is stored or used require a vault-type door to be installed. Walls, floors, and roofs within facilities are to be made with permanent material that is resistant to, and shows evidence of, unauthorized entry into the area.

Areas within the facility require more or less stringent standards based on the space classification. Space classifications include controlled access area, restricted access area, and secure rooms. A controlled access area is a physical area under physical control and to which only personnel cleared to the level of information being processed are authorized unrestricted access (USN/USMC, 2003). Personnel not cleared for access to controlled access areas must be escorted by authorized personnel or constantly kept under surveillance. Escorted personnel must have official business to conduct within the facility to gain access. Visiting personnel will be issued a temporary escort badge if not cleared. Visiting personnel who are not attached to NOSG1 but have proper clearance will be issued a Non-Escort security badge. Other areas include: Unrestricted, Secure Rooms, and Restricted.

Facility areas require an access list of authorized personnel to be generated. Access lists are verified by the command security manager and signed by the commanding officer. Access lists must be posted on doors along with a standard open and closure log.

Personal Security

Secure Workplace

It is critical that personnel attached to NOSG1 abide by security instructions, policies, safety notices, and verbal orders that apply to security practices. Command staffs are held accountable for ensuring security policies are followed and personnel are educated on best security practices in accordance with this security plan. Personnel security includes security badge use, CAC use, safety policies, and emergency action plans.

Security badges are designed to give personnel access to facility entries and space entries. Personnel must carry their security badge on their person at all times while within facilities. Proper placement of the security badge is above the waist and in plain visibility. Security badges are issued per individual with a picture of the badge owner. Badges are coded with the user's space access and color coded based on the security clearance of the user. If badges are lost or stolen, personnel are responsible for notifying the security office for re-issue.

Personnel are also issued a CAC as a Department of Defense (DoD) ID. CACs are used to gain access to military bases and DoD computer systems. CACs are only issued to Active Duty Personnel. NOSG1 personnel use the CAC to access facility computer systems. Personnel are responsible for maintaining a valid CAC at all times. If a CAC is lost or stolen, an incident report and voluntary statement will be required to receive a new CAC. CACs are equipped with a four- to six-digit PIN. PINs can be reset at the base Personnel Support Detachment.

Incident Reporting

Personnel safety is paramount at NOSG1; this includes protection from workplace violence. Incident reporting procedures are designed to assist personnel in reporting various violations of security and the Uniform Code of Military Justice (UCMJ). Resources for incident reporting include the NOSG1 Security Department, Chaplain's office, Medical, Legal Department, and local chain of command.

Incidents such as sexual assault and sexual harassment can be reported to the command Sexual Assault Response Coordinator (SARC). Incidents involving equal opportunity issues are to be reported to the Command Managed Equal Opportunity (CMEO) officer. Discrimination or unfair treatment based on sex, color, creed, or sexual orientation is to be directed to the CMEO for reporting. The chain of command will conduct an investigation to determine case findings and outcome.

Criminal acts such as theft, pilferage, fraud, waste, and abuse are to be reported to the NOSG Security Department. Security personnel are responsible for conducting preliminary investigations. If an incident is outside the scope of responsibility of security personnel, the Naval Criminal Investigative Service (NCIS) will take over the investigation. NOSG1 has an NCIS representative assigned to the command who must be informed when incidents are reported.

Background Investigation

Prior to being attached to NOSG1, all personnel must undergo a security clearance background check. The Department of the Navy, Central Adjudication Facility (DONCAF) has the sole responsibility for issuing final security clearance for civilian and military personnel at the request of Department of the Navy (DON) commands and activities (upon affirmation that granting the clearance is clearly consistent with the interests of national security). A security clearance remains valid as long as the individual continues compliance with DONCAF personnel security standards and has no break in service over 24 months. Eligibility to maintain a clearance transfers with the individual from command to command, but access to classified material does not.

The NOSG1 Security Manager will activate clearance investigations on interviewing personnel and clearance access. Security clearance re-investigations are conducted based on the clearance level of the individual. Temporary clearances can be authorized by the Commanding Officer for special circumstances while reinvestigations are in process.

Continuous assessments and evaluations are required to ensure everyone who has access to classified information remains eligible. Personnel are encouraged to inform their supervisor or security department staff of any incident or situation that could affect their eligibility. Coworkers have an obligation to report any potential security risks as they apply to security clearances.

Emergency Action Plans

NOSG1 personnel are required to participate in workplace emergency action plan training and assessment. Emergency action plans are developed to provide personnel with specific actions during times of emergencies (e.g., fire, natural disasters, attacks). The NOSG1 Safety and Security departments are responsible for planning, executing, and assessing emergency action plan procedures.

NOSG1 facilities are equipped with fire safety equipment in accordance with base safety standards. Evacuation plans are posted in all office spaces and high traffic areas. Emergency exits are clearly labeled. Facilities are equipped with emergency lighting and audible alarms to assist personnel with emergency evacuations.

Office spaces with sensitive material or equipment are equipped with emergency destruction equipment. Personnel who work in sensitive areas must receive emergency destruction training to ensure material is properly destroyed. Semi-annual assessments will be conducted to ensure all personnel with access to sensitive material are properly trained in emergency destruction procedures.

Information Systems Security

Information systems security applies to the protection of NOSG1 information systems and data from various threats to ensure operational readiness and minimize risks. Information security is achieved by integrating policies, procedures, safeguards, and controls. The NSOG1 Information Systems department is responsible for ensuring information security policies, procedures, and controls are in working order.

Information Systems Asset Management

The NSOG1 Information Systems department maintains an inventory of key computer assets, including routers, switches, desktops, printers, laptops, and thin clients. Monthly inventories are conducted to ensure accountability of all systems and components. Computer equipment containing storage media must be checked by IS personnel prior to destruction. Destruction procedures are to be conducted in accordance with National Security Agency standards.

Facility Access and Security


Office spaces containing information systems hold sensitive information vital to operations and must only be accessed by authorized personnel. Network operating centers and automated information systems spaces are considered sensitive areas. Access to office spaces must be protected by secure electronic or mechanical entry systems (cypher locks or electronic keypads). Network operating centers are only to be accessed by personnel who maintain or support command information systems. The NSOG1 Information Systems department head is authorized to grant access to information systems spaces to contractors or third party vendors on official business.

Incident Management

Upon discovery of a possible or actual information systems security incident, personnel are to immediately notify information systems personnel or the security department. Information systems personnel will initiate preliminary corrective action and report to higher authority. The Information Systems department head will maintain documentation on information systems security incidents. Incidents include attempts to gain unauthorized access to systems, denial of service, unauthorized use of systems or storage of data, changes to hardware or software without authorization, and unauthorized disclosure of classified material.

Disaster Recovery and Continuity

In the event of a natural or manmade disaster, the NSOG1 Information Systems department will initiate the disaster recovery plan. The disaster recovery plan is designed to protect information resources, safeguard records, and provide an outline for recovery of vital systems. The information systems disaster recovery team responds to external disasters and system operation failures.


The information systems Continuity of Operations (CoOp) plan is designed to counteract interruptions to operations, protect command operations from major system failures, and ensure a timely recovery of critical systems. Information systems personnel are responsible for maintaining redundant systems to minimize the loss of information necessary for operations. NSOG1 maintains off-site network operating centers and data centers for emergency incidents involving information systems.

Budget

To maintain protection of personnel, facilities, and information systems, a budget of 10% of the NSOG1 operating budget is recommended. The host base maintains physical security of NSOG1 facilities, but NSOG1 is responsible for minor maintenance (alarm maintenance, light bulbs, etc.). The host base facilities department is responsible for ensuring perimeter security, parking lots, and traffic flow equipment are maintained. Contracts specifically for NSOG1 will be handled by the Facilities Department in conjunction with the security department and security manager to ensure facilities meet physical security requirements.

The information systems security budget is covered by the NSOG1 parent command. However, personnel training and research and development are the responsibility of NSOG1. As information security threats evolve, it is important for information security personnel to be trained on network security and vulnerability technologies. NSOG1 can save money by hosting third party instructors locally vice sending personnel on travel. Most of NSOG1's security systems are initially paid for by Special Operation Command.

Physical, personal, and information security requires a minor portion of the overall operations budget. Major budget requirements are mainly allocated for operations support, equipment, travel, and maintenance of installed systems. As newer security programs and systems become available, NSOG1 must go through a testing, assessment, and evaluation period prior to submitting a budget package to higher authority.

