Defense Security Service National Industrial Security Program. Guidelines for Trustees, Proxy Holders and Outside Directors


Defense Security Service National Industrial Security Program Guidelines for Trustees, Proxy Holders and Outside Directors July 2009

Guidelines for Trustees, Proxy Holders, and Outside Directors
(TO BE REVIEWED BY NOMINEES)

General Requirements

You are being considered by the Defense Security Service (DSS) to serve as a Trustee, Proxy Holder, or Outside Director (collectively referred to in this document as an Outside Director or "OD") to a Facility participating in the National Industrial Security Program (NISP). Outside Directors are expected to represent the national security interests of the United States. The primary responsibility of the OD position is to help ensure that the Facility implements all needed procedures and organizational changes pertaining to the security and safeguarding of classified and export controlled information. The OD's primary point of contact at DSS is the Industrial Security Representative (IS Rep), who serves on behalf of the U.S. Government in matters of industrial security covered by the NISP.

The main responsibilities of the OD include the following:
- Abide by and enforce the mitigation agreement in place
- Ensure the Facility's officers, directors, and employees comply with the provisions of the Facility's mitigation agreement
- Ensure that DSS (through the IS Rep) is advised of any known attempts to violate any provision of the Facility's mitigation agreement or relevant U.S. Government contract provisions related to security, U.S. export control laws, or the NISP
- Communicate any material changes to the IS Rep

The OD role requires a significant time commitment and constant supervision of the Facility's efforts to comply with the NISP. The OD must remain a disinterested party and have no intention of taking an internal position within the Facility. If you are not prepared to meet these expectations, please contact the Facility Security Officer (FSO) and notify DSS as soon as possible.

How the Facility Can Provide Support

In order to meet the responsibilities of the OD position, the Facility should provide the OD with appropriate resources and information, including the following:
- Access to the Technology Control Officer (TCO) and Facility Security Officer (FSO)
- Access to the Technology Control Plan (TCP) and Electronic Communications Plan (ECP), as well as other critical security information, such as visitor logs
- Timely information on breaches, violations, and/or any other potentially significant issues related to the Facility's compliance with its mitigation plan

If the Facility does not provide the appropriate resources and information, the OD should contact the IS Rep.

Guidelines

The following sections provide general expectations, specific responsibilities, and suggested actions for the position of Outside Director. In addition to the responsibilities outlined below, ODs are required to fulfill all specific duties outlined in the Facility's mitigation agreement.

Initial Meeting

General Expectations: This is the first time the OD will meet representatives from DSS after the mitigation instrument is determined. During this meeting, DSS will provide a briefing to the OD that outlines the specific roles and responsibilities expected of an OD of the Facility.

Specific Responsibilities: During the Initial Meeting, the OD is responsible for gaining a full understanding of his/her role. After this role has been properly outlined and defined by DSS, the OD will also be required to sign off on the mitigation agreement.

Suggested Actions: At the Initial Meeting, the OD should fully engage DSS and the Facility's KMPs to gain a complete understanding of the roles and responsibilities of the OD position. To achieve the requisite knowledge to fulfill the demands of his/her position, it is recommended that the OD ask clarifying questions about the role and what it entails. It is recommended that the Facility's KMPs and/or FSO provide the OD(s) with background information on the Facility prior to the annual meeting. This summary of information should identify the parent entity, major stockholders, rules governing the appointment of foreigners to the board, the organizational structure of the Facility, technology produced by the Facility, dual use or export controlled technology, a description of the Facility's classified program(s), and the identification of any companies/affiliates that have a vested interest in the program(s).

Initial Inspection

General Expectations: Outside Directors are not required to be at the initial inspection of a Facility, but it is highly recommended that they help facilitate the inspection, if possible. Other attendees at the initial inspection usually include one IS Rep, one KMP, and the FSO.

Specific Responsibilities: If s/he attends the initial inspection, the Outside Director should assist in examining the Facility's security measures, program sensitivity, and FOCI issues during the inspection. ODs should specifically:
- look at the Facility's visitation policy;
- determine whether the mitigation instrument has been executed in the appropriate manner;
- identify acts of noncompliance with the mitigation instrument, the NISP rules, or other relevant laws and regulations;
- examine any issues or impediments associated with the practical application or utility of the mitigation tool(s); and
- determine whether security controls, practices, or procedures warrant adjustment.

Suggested Actions: It is recommended that the Chairman of the Government Security Committee (GSC) or at least one Outside Director attend the Initial Inspection. During the inspection process, it is recommended that ODs ask questions about the mitigation instrument(s) and security policies, take some time to walk around the Facility, and meet with security officers to examine operations, IT security, storage facilities, and records.

Annual Meeting

General Expectations: Representatives of DSS and the GSC shall meet annually (on or near the anniversary date of DoD's execution of the mitigation instrument) to review the purpose and effectiveness of the mitigation instrument and to establish a common understanding of the operating requirements and implementation arrangements. The meeting shall discuss the following:
- Whether the mitigation instrument is working in a satisfactory manner
- Compliance or acts of noncompliance with the mitigation instrument in place, NISP rules, and other applicable laws and regulations
- Any necessary guidance or assistance regarding problems or impediments associated with the practical application or utility of the mitigation instrument in place
- Whether security controls, practices, or procedures warrant adjustment

Specific Responsibilities: In advance of the annual meeting, the Outside Director serving as the Chairman of the GSC shall jointly submit to DSS an Annual Implementation & Compliance Report. This report shall include the following information:
- Detailed description of the manner in which the Corporation is carrying out its obligations under the mitigation instrument
- Detailed description of changes to security procedures, implemented or proposed, and the reasons for the changes
- Detailed description of any acts of noncompliance, whether inadvertent or intentional, with a discussion of what steps have been taken to prevent such acts from occurring in the future
- A description of any changes or impending changes to any of the Corporation's top management, including the reason for such changes
- A statement, as appropriate, that a review of the records concerning all visits and communications between representatives of the Corporation's entities and affiliates has been conducted and the records are in order
- A chronological summary of all transfers of classified or export controlled information, if any, from the Corporation's entities to the affiliates
- A discussion of any other issues that could have a bearing on the effectiveness or implementation of the mitigation instrument in place

Suggested Actions: The Outside Director should be fully versed on the Annual Implementation & Compliance Report as well as key findings from the inspection. The OD should also be prepared with specific questions and recommendations for the Facility's KMPs, as appropriate.

Board Meetings

General Expectations: An Outside Director is required to be appointed as a Board Member and should attempt to attend all Board Meetings.

Specific Responsibilities: The OD should vote and act on all matters before the Board in accordance with his/her best efforts and in the manner believed to be in the best interests of the Corporation. Additionally, the OD should act in a manner consistent with the national security concerns of the United States, and with such care, including reasonable inquiry, as an ordinarily prudent person in a like position would use under similar circumstances. At least one of the Outside Directors shall attend all of the Facility's Board of Directors meetings and Board of Directors committee meetings in order for there to be a quorum. [1]

Suggested Actions: It is recommended that Outside Directors sit on a maximum of three Facility Boards. There are currently no requirements that limit the number of Boards on which an OD can sit. However, holding more than three Board seats is highly discouraged due to the extensive workload and oversight this would entail.

Outside Director All Hands Meeting

General Expectations: During this conference, which generally takes place every year in October or November, DSS meets face to face with all Outside Directors to read through agreements and entertain questions. DSS typically discusses a range of security issues and topics, such as export controls, and provides Counterintelligence threat briefings.

Specific Responsibilities: The OD is required to keep up to date on all FOCI issues and recent developments, to the best of his/her ability.

Suggested Actions: Outside Directors are encouraged to attend the All Hands Meeting. During the conference, it is recommended that ODs engage other ODs about their roles and experiences in order to facilitate knowledge transfer.

Shareholder Meeting

General Expectations: The OD shall meet with shareholders at the Facility level on a quarterly to annual basis and provide feedback to the DSS IS Rep if any significant issues arise pertaining to the Facility's compliance with the mitigation agreement, the NISP rules, or other relevant laws and regulations.

Specific Responsibilities: It is the OD's responsibility to ensure that shareholders are not intruding upon any classified information. The Outside Director is accountable for providing a detailed and comprehensive evaluation of the situation to DSS.
Serve on the Government Security Committee (GSC)

General Expectations: The GSC is a permanent committee of the Corporation Board, consisting of the Outside Director and no less than two other Directors who are also officers of the Corporation and who have personnel security clearances. [2] The FSO and an Export Control Officer are not members of the GSC, but attend meetings and serve as advisors. The members of the GSC shall exercise their best efforts to ensure the implementation within the Corporation of all procedures, organizational matters, and other aspects pertaining to the security and safeguarding of classified and export controlled information called for in the agreement. This includes the exercise of appropriate oversight and monitoring of the Corporation's operations to ensure that the protective measures contained in the agreement are effectively maintained and implemented throughout its duration. The GSC must ensure implementation and compliance with all terms of the applicable mitigation tool put in place. The GSC must also ensure that the Corporation establishes and maintains policies and procedures to safeguard classified and export controlled information.

Specific Responsibilities: The OD is in charge of reviewing the visit, meeting, and communication documentation during GSC meetings. One Outside Director will serve as Chairman of the GSC. The Chairman must designate a member to serve as the Secretary of the GSC and must also advise and consent to the selection of the Facility's FSO.

Suggested Actions: It is essential that the OD fully understands his/her role on the GSC and that all GSC members work with one another to clearly define each position.

[1] Security Control Agreement
[2] Security Control Agreement

Serve on the Compensation Committee

General Expectations: The Compensation Committee, a permanent committee of the Board, consists of at least one Outside Director and one Inside Director. The Committee shall be responsible for reviewing and approving the Corporation Board recommendations for the annual compensation of the Corporation's key management personnel. [3]

Specific Responsibilities: At least one Outside Director must be part of the Compensation Committee.

Establish Visitation Policy and Approve Visits to Parent Companies

General Expectations: When a U.S. Facility's KMPs or other personnel plan to visit a foreign parent, the Outside Director should be notified. The Facility should state who the individual(s) are visiting and the purpose of the visit. Except for certain Routine Business Visits, all visits must be approved in advance by one of the Outside Directors designated by the GSC Chairman to act on such matters. All requests for visits shall be submitted or communicated to the FSO for routing to the designated Outside Director. Although strictly social visits at other locations between the Corporation personnel and personnel representing the Affiliates are not prohibited, written reports of such visits must be submitted after the fact to the FSO for filing with, and review by, the designated Outside Director and the GSC.

Specific Responsibilities: The Chairman of the GSC shall designate at least one Outside Director who shall have the authority to review, approve, and disapprove requests for incoming and outgoing visits by all personnel who represent the Corporation, the foreign shareholder, and any of its affiliates. The role of the Outside Director is as follows:
- Review, approve, or disapprove requests for visits
- Review the visit, meeting, and communication documentation during GSC meetings
- Designate specific categories of Routine Business Visits, if necessary, and require that certain Routine Business Visits be approved in advance by an Outside Director
- Maintain visit and contact records for a period of twelve months for review by DSS

[3] Special Security Agreement

Implement and Monitor ECPs and TCPs

General Expectations: Outside Directors and the FSO are responsible for implementing and monitoring the Facility's ECP and TCP. An OD should maintain oversight of electronic communications to provide assurance to the GSC and DSS that such communications between the Corporation and the foreign shareholders and/or any of the other affiliates do not disclose classified or export controlled information without proper authorization. "Electronic communications" refers to the transfer of information via telephone conversations, facsimiles, teleconferences, video conferences, or electronic mail.

Specific Responsibilities: While monitoring the ECP, the OD is responsible for reviewing other information, including phone logs, electronic mail, video teleconferencing, and facsimile. A summary log of all electronic communications should be kept by the OD. The OD should establish the policy for the Facility's ECP/TCP and ensure that the Corporation establishes/implements the ECP/TCP within 45 days of the effective date of the Agreement and submits the ECP/TCP to the local DSS Industrial Security Field Office for approval.

Suggested Actions: Outside Directors should work with Facilities to ensure that a proper tracking mechanism is in place in order to sufficiently track all forms of electronic communication. The FSO and Outside Director need to work together to discuss and define their individual roles regarding the TCP and ECP. It is recommended that Outside Directors be provided with quarterly reports from the TCO and FSO including, but not limited to: visitation logs, attempted intrusions (firewall), database security, anti-virus and firewall updates, password protection, and security supporting records including information on Supply Chain, Human Resources, Finance/Tax, and IT.