How FSOs Are Using Security Metrics in a Department of Defense Contractor Cleared Facility

Metrics are tools leaders use to assess the effectiveness of their programs. These metrics indicate success, failures or areas where significant improvement is needed. Metrics data is found in surveys, inspections, and reports and are pulled for the specific purpose of understanding where the program is. The other part is to understand where the organization should be and comparing it to the results.

FSOs should make metrics development and use a top priority. Chief security officers, chief information officers and other executive level security managers understand how to read metrics and use them to focus with pinpoint intensity on directing their security programs within their companies. Security managers in lower positions can use the same skills to gain influence in their companies. Because of the nature of compliance with government regulations, the task may be easier for FSOs to accomplish.

An FSO has readily available data to determine and communicate the effectiveness of the security program. Gathering available information, creating a detailed database and performing solid analysis will determine the program’s success. Whether or not a security program is where it needs to be can be determined from information found in the following actions:

* Incidents, infractions, violations reports with compromise or

suspected compromise

* Annual DSS reviews

* Annual self-inspections

* Professional and organizational certification

* Self-reporting statistics

* Security Awareness Training

* Security budget

* Contractual requirements

The above list is not all inclusive, but is readily available information directly affected by security or influences security decisions.

Incidents, infractions, violations and reports of compromise or suspected compromise as Metrics – These should be made at each occurrence and analyzed regularly. Reports indicating that compromise or suspected compromise has occurred are taken seriously and forwarded to the CSA. Many other reports of minor consequences are not required to be sent outside of the organization, but are extremely helpful as indicators of the organization’s security health.

Annual DSS Reviews as Metrics – According to the NISPOM DSS is responsible for determining the frequency of annual inspections.

Inspections are typically conducted every 12 months, but circumstances can require more or less frequent visits 2. DSS inspects the facilities security program for the primary purposes of ensuring their programs provide the proper protection of classified information they are charged with protecting. Additionally, the inspection programs are designed to improve the effectiveness of the contractor’s security program. At the conclusion of the inspections, the contractor is given a rating ranging from unsatisfactory to superior

Annual self-inspections as Metrics – The self-inspections offer other exceptional opportunities for FSOs to improve the security program as well as measure results from the previous DSS annual audit. The self-inspection is conducted by security personnel organic to the company. It is a requirement that affords the opportunity to look into procedures, review documentation, review incidents and conduct classified holding inventories among a few of the tasks. These self-inspections are typically conducted midway between the annual audits and help keep the security team focused on improvement and compliance.

Professional and Organizational Certification as Metrics – Quality and or other outside agency reviews are performed to qualify a company for a rating. These reviews are purposefully strenuous and thorough in an effort to discover the enterprise’s business functions, policies and procedures. Depending on the inspection, each outside agency is invited to bring in experts to analyze a company’s performance. The inspector visits every aspect of the organization, measuring the company’s compliance, record keeping, improvements and other performance issues and makes a determination of whether or not they are worthy of the certification.

Security Awareness Training as Metrics – Attitudes toward security awareness programs are great indicators of the FSO’s program. Comments that reflect a desire for or loathing of continuing security awareness education speaks volumes. Those who are conscious for the need to protect national security assets and classified information understand the need for training. Refresher training is a requirement identified in the executive orders, DoD and federal agency regulations including the NISPOM 4.

Security Budget as Metrics – Security budget support or lack of support can either demonstrate a well received or unappreciated security program. In a functional security manager role, the intuitive FSO understands business, the company mission and how the role of protecting classified material fits. The FSO can provide risk assessment and speak intelligently of the procedures, equipment and costs associated with protecting classified information. They understand how to contract outsourced security resources to install alarms, access control and other protection measures. The FSO is also able to demonstrate a return on investment.

Contractual Requirements as Metrics – An FSO who has developed rapport, a reputation for integrity and considerable influence is instrumental in helping the company achieve its goals. Classified work is identified on the DD Form 254 and the statement of work. The FSO should understand associated costs inherent to the classified work identified in the contract and the DD Form 254.

Results of Metrics Data

A security manager can use such metrics or data and write a white paper, report, or provide a picture graph to employees, managers and executives for several purposes. Regardless of the report media, the objective should be to improve the state of security and communicate the results to the executives and share holders. Employees can be trained on recognizing proper procedures and preventing future occurrences by changing behavior. Managers can use the information to direct change in their employees to provide better security. Executives can use the information to identify programs or projects with probable risks and use the data for strategic planning. Finally, the shareholder; tax payers, board of director members, customers, and employees have a good understanding of their return on investment.