Electronic Communications

Over the past five years, agreements with foreign owned firms have included a clause, which set forth a requirement for oversight of electronic communications. Specific details of how this is to be accomplished are not included. Such details are to be formulated by the companies themselves to assure that security goals are met within their operational environment. Tools are available to help accomplish this task.

Books and periodicals are commercially available which outline both technical and procedural steps to control and monitor electronic communications. The Internet offers many resources to help protect information. White papers from vendors, many of which are free to download, offer such software solutions as continuous auditing and monitoring of email, automated tools to identify and correct the new threats and hardware and software solutions for asset protection. Larger computer stores offer a variety of current books on all aspects of cybersecurity. Public libraries may have limited publications in this subject area and college or university libraries may have extensive collections to support their academic programs.

Manuals for communications equipment are also a resource. A look through the manual for a fax machine may disclose features useful for controlling or monitoring communications. There may be PIN code options, which can be used to control users, options for transmission restrictions, and choices of transmission and receipt reports including images.

Phone service automated monitoring tools are limited in comparison to other media. Records of long distance calls can be reviewed for calls to the foreign shareholders or affiliates, however, phone logs kept by employees may provide a better record. Visit records and records of meetings can likewise be employee responsibilities.

Security education is mandatory to assure that procedures used to support the security program and the provisions of the agreement are properly implemented. In addition to the procedures themselves, training needs to cover why controls are being put into place and what the expectations of the employees should be.

Employee privacy expectations need to be addressed when proposing a system to provide oversight to electronic communications. Chapter 1, Section 3 of the National Industrial Security Program Operating Manual sets forth reporting requirements for cleared individuals and organizations and recent security agreements have set standards for oversight of communications with foreign affiliates. Employee expectations of privacy must therefore be limited. Company policy must spell out the limitations of privacy and be communicated to each employee. This will limit employee challenges and help ensure employee cooperation.

There is no "one size fits all" solution to control and monitoring electronic communications. Each environment will require a review of what's on board plus research into products, services, and procedures. Periodic evaluation of systems employed to support oversight electronic communications should also be made to assure effectiveness and efficiency and to take advantage of new technologies.

Your assigned DSS Industrial Security Representative (IS Rep) has a dual, but complementary, role in this. An IS Rep can provide advice and assistance in both the initial and on going phases of control of electronic communications. Constraints that the IS Rep has include the fact that there is no accreditation program for computers used for unclassified work and there is no official product evaluation by the agency for most types of off the shelf hardware and software. Consequently, advice given is just that, and the final decision on what components are used is up to the company.

During the periodic security reviews, the IS Rep will sample records kept of electronic transmissions, conduct interviews with personnel involved and may watch a system in operation. The objective is to determine if communications made with the foreign owned parent and the controls in place meet the agreement standard. These techniques can be employed by the facility as well. At the conclusion of the review, the IS Rep will give an overall evaluation of the system of controls and monitoring. This is an opportunity to discuss methods of improvements in the efficacy and efficiency of the system. Electronic communications continue to change and evolve; consequently, controls can be expected to do likewise. Utilizing the talents and knowledge of employees, management, IS Reps, vendors, and security personnel are essential in maintaining the viability of a system to assure both the company and DSS that electronic communications do not disclose classified information and are not used to improperly influence performance on classified contracts.