Defense Security Service

5.17 USE OF EXTERNAL INFORMATION SYSTEMS


Instructions: Describe how the Company will establish terms and conditions for authorized individuals to: (i) access the information system from an external information system; and (ii) process, store, and/or transmit Company-controlled information using an external information system.

You may describe, for example, the following:

  • Whether any of the Company’s external information systems will be information systems or components of information systems for which the Company has no direct control over the application of required security controls or the assessment of security control effectiveness.

  • Whether any of the Company’s external information systems will include, without limitation, personally owned information systems (e.g., computers, cellular telephones, or personal digital assistants); privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, convention centers, or airports); information systems owned or controlled by nonfederal governmental contractors; and federal information systems that are not owned by, operated by, or under the direct control of the Company.

  • Whether any of the Company’s authorized individuals will include Contractor personnel, contractors, or any other individuals with authorized access to the Contractor’s information system and information that is not intended for public access.

  • Whether the Company will establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. The Company should establish terms and conditions that will address as a minimum the types of applications that can be accessed on the organizational information system from the external information system.

Explain how the Company will use the following control element to manage use of external information systems:

  • A prohibition on authorized individuals using an external information system to access the information system or to process, store, or transmit Company-controlled information except in situations where the Company: (i) can verify the employment of required security controls on the external system as specified in the Company’s information security policy and system security plan; or (ii) has approved information system connection or processing agreements with the Company entity hosting the external information system.

XYZ, Inc. does not allow any external IT system to join the PGKserver domain or to access any of our servers or resources. If an individual brings an external system into our office, we have a wireless network that they can use if given the log-in credentials. Without a user account on our PGKserver domain, they have no local user access to any of our computers or servers, only access to the Internet and the printer(s).

6. SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES


Instructions: Describe how the Company will develop, disseminate, and periodically review/update: (i) a formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among Contractor entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls. You may describe, for example, how the Company’s security awareness and training policy and procedures will be consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.

Everyone at XYZ Inc. understands that participating in the NISP allows us to access classified information and that makes our company and our personnel a potential target for hostile intelligence interests. In order to ensure that we protect and limit the access to classified information, export controlled information, company proprietary information, and sensitive but unclassified information, XYZ has established a formal, documented security awareness and training policy in accordance with NISPOM 3-100.

Our training program applies to all XYZ personnel, including management, corporate staff, and employees performing work on contracts, including those working overseas. Upon employment with XYZ, each cleared employee receives an initial security briefing that includes at a minimum the following:


  • A threat awareness briefing;

  • A defensive security briefing;

  • An overview of the security classification system;

  • Employee reporting obligations and requirements;

  • Security procedures and duties applicable to the employee’s job;

  • The Special Security Agreement (SSA) for XYZ; and

  • Execution of the SF-312, “Classified Information Nondisclosure Agreement.”

All employees will be made aware of the protections for classified information and the three levels of classification: Top Secret, Secret, and Confidential. In addition, storage and data transfer procedures will also be reviewed. XYZ, Inc. does not have any storage capabilities or cleared facilities at which to discuss classified information; however, in the event our status changes to that of a holding facility, this ECP will be updated accordingly, and XYZ, Inc. will provide an annual briefing in compliance with NISPOM 3-107 that covers any changes in security regulations and in our SSA and reinforces our initial security briefing. To supplement this training, the FSO will also provide monthly security training on selected topics to reinforce our security program as a whole. These monthly security briefings are provided to all employees of XYZ, regardless of clearance status, to ensure that all employees are aware of their duty to protect the information they are entrusted with.

Our specific security awareness and training policy and procedures, and detailed descriptions of the briefings provided to our employees, are outlined in more detail in our Standard Practices and Procedures (SPP).
