Customizing the Guide To Fit Your Needs
You are free to add, delete,
or change any information in this Guide to ensure that it reflects your
organization's specific policies, procedures, and security needs. You may
change the Guide as much or as little as you wish.
Many users of the Guide have started with
minimum customizing, so they can get the Guide up and running quickly.
They then customize it further as time permits. Before using the program
for mandatory awareness briefings, you will want to check to ensure that
it covers all the things you want your personnel to learn from the
briefing.
Be aware that once you install the Guide on your network, you become responsible for
the content. It is up to you to determine that this content is
appropriate for your organization and reflects your particular policies and
procedures. U.S. Government security regulations apply
to all government agencies and companies with classified contracts, but they are sometimes
written in broad terms to permit flexibility in implementation. They may be implemented in
different ways that reflect the different
circumstances and needs of individual agencies and companies.
All information in the Guide, as it now
stands, has been approved for public release by the Department of Defense.
If you add substantive information to this Guide, it is up to you to
obtain any approval for public release that may be required.
Technical Issues
You do not need to be a
computer programmer to customize this Guide. The only technical skill
required is a basic knowledge of how to use an HTML editor. This
skill is rather broadly available. Changing the wording in an existing file is
simple.
Adding files or changing hyperlinks becomes a bit more complicated. To add reporting forms
that an employee can fill out and return to you electronically, consult with
your webmaster.
The Employees' Guide is written in HTML using
the Microsoft FrontPage software program. The Guide may be edited directly in HTML or
by using an HTML editor such as FrontPage. Any HTML editor may be used to make the changes as long as it is capable of
keeping track of a large number of files.
Keeping Records
You will find it useful to keep
a record of changes you make in the program. This
record will come in handy when there is an updated version of a file.
Updates will be posted on the Defense Security Service website at
www.dss.mil/training/SecurityAwareness.htm. Before installing an updated file, you will want to
determine if this is a file you changed and whether those same changes
should be incorporated into the update.
What to Customize
You may, if you so
desire, use the Guide virtually as is with only three simple changes as noted
below.
- At the bottom left of the Home page, delete the link that says Back to
Opening Screen. See below for discussion of other links that might be
added here.
- In the About this Guide file, the description of the Guide
should be edited to identify who to contact with comments
or questions and whether or not you have customized the original Guide.
If your organization has its own legal counsel, he or she may wish to review
the statements here about the Guide. Please do not
delete the Credits section on this page. The people who created these
cartoons, animations, and page backgrounds and made them available to
the public should be given credit for their work.
- Follow the directions for separating the Guide from the Implementation Package
and the CBT Module. These directions are at the bottom of the page on Tips for HTML
Editors. Separating the Guide breaks all links from the
Implementation Package to the Guide. Therefore, it is advisable to wait
until after finishing the customization before doing this.
The following parts of this
program should be reviewed and considered for customization. If you see
something you want to change, print out the page or pages and mark up the
changes to be made. The headings
below are links to the pages being discussed.
Feedback: The Guide is intended to lower the threshold
of what prompts people to contact the security office. You can make it
easier for them
by adding a link that allows a user to send an e-mail message back
to your office. (See the draft feedback page.)
An appropriate place for this link would be on the Home page, under the
animation. To prepare an e-mail feedback
link to your office, you will need the professional assistance of your
webmaster.
Gray Navigation Bar: If
the Guide is installed within a larger Security Office web site, the gray bar at the bottom of the Home page is a
good spot for the link back to your Security Office Home Page. If you do not have any other
security office site, this bar can be left blank.
Additional Links: On the
left side of the Home page, under Help for First-Time Users, it is possible to make room for a couple
of additional links. If you have an automated library of security regulations, for example,
you could add a link to it here.
The quizzes are intended to summarize the
most important messages in the Guide. Add, delete, or edit questions as necessary to
emphasize those points that are most important to your organization. IMPORTANT: To
avoid technical problems, see Tips for HTML Editors
BEFORE MAKING ANY CHANGES IN THE QUIZZES.
In Quiz I, Question 5, check
whether you wish to specify more rigorous procedures for protecting the
STU-III key.
Protecting Classified Information: Consider the following:
- Look at the topics on Using
the STU-III, and Appropriate Use of Computers to see if
you want to elaborate on or change anything there.
- Organizations that receive
foreign visitors should consider adding a topic on visitor control.
The threat is described under Foreign Threats to Protected Information
in the topics on Short-Term
Visitors to Sensitive Installations and Long-Term
Foreign Visitors, but it may be appropriate to cover your
organization's specific procedures for controlling visitors here under
Protecting Classified Information.
- Some defense contractors
may wish to elaborate on the discussion in the Classification
Guidelines and Distribution Controls file. Additional text that can be
added to this file may be found in the Classif.htm
file in the Altrnats directory in the Implementation Package.
- Some defense
contractors may wish to elaborate on the discussion in Handling
Classified Information. The file Handling.htm
in the Altrnats directory was developed by one defense contractor to
incorporate material from its own security procedures handbook. It may be substituted for the existing Handling
Classified Information file to provide more specific guidance on
generating, controlling, reproducing, retaining, and releasing classified
information.
Protecting Sensitive Unclassified Information: Defense contractors may wish to customize and
give a more prominent place to the topics on Proprietary Information and Trade
Secrets and Export-Controlled
Information. Look at the topic on Use
of Computer Systems. Do you have an organizational policy on carrying laptop computers
with sensitive information? If so, it would be well to mention it here as well as in Theft of Laptops under Computer
Vulnerabilities.
Pre-Publication Review of Web Site Content
should be checked to see if your own organization's policy on web site content should be
discussed here.
Self-Reporting on Your Personal Activities: This entire module deals with specific responsibilities
for reporting things to the security office. Tailor it to reflect the specific policies of
your organization concerning, for example, reporting foreign contacts or foreign travel.
Consider adding forms and specific procedures for reporting the information.
Reporting Unreliable, Improper, or Suspicious Behavior: This is an obviously important but sensitive area, and the
applicable regulations are not very specific. Review the wording here to ensure there is
nothing that you find objectionable or inappropriate for your particular organization. Do
you have experiences from your own organization that could be substituted in the topic on
People Who Made a Difference?
If you are aware of specific foreign
intelligence activities against your organization that you would like to share with your
employees, this element of the Guide is an appropriate place to do it. In doing so,
however, please be aware that you may need to obtain approval for public
release of such information in a U.S. Government product. The following
policy considerations may apply.
It is the policy of the Defense Security
Service, as well as several other government agencies, that Unclassified foreign
threat awareness materials should not focus attention on any specific foreign entity
(i.e., government, company, association, agency, etc.) as being particularly active in
intelligence operations against the United States. As a result, this Guide discusses foreign threats in general terms -- the methods that are used rather than the
countries that are using them.
There are three reasons for this policy:
- Identifying specific foreign countries as
counterintelligence problems focuses awareness and resulting security measures too
narrowly. Intelligence operations in general, and particularly operations against
economic, scientific and technical, and industrial targets, are now conducted against the
United States by many of our allies as well as our adversaries. Focusing attention on a
few key countries tends to imply that other countries are not a significant threat, which
is not the case.
- Directing an awareness message at a specific
foreign country can create an appearance of U.S. Government-sponsored discrimination
against nationals, émigrés, and those with ancestry from that nation and the region
where it is located. This appearance of discrimination can go beyond national origin to
the appearance of religious or racial discrimination.
- Awareness messages that concentrate on
specific foreign countries can generate unnecessary problems in foreign policy and in the
unclassified world of international business.
There are exceptions to this policy against
identifying specific countries as threats in any Unclassified product. 1) The sponsoring
country may be identified when describing the cases of Americans arrested
and prosecuted for espionage.
2) Formal, unclassified U.S. Government threat assessments may be cited, such as State
Department identification of countries that engage in state-sponsored terrorism.
If this program is used on a classified
network, the limitations on citing specific countries do not apply. You may wish to
customize the Guide to include threat information about specific countries, although it is
still wise to avoid focusing security attention too narrowly and to avoid any appearance
of discrimination against any particular national, ethnic, or religious group.
Long-Term Foreign Visitors discusses risks posed by long-term foreign visitors and
foreign-national employees, and countermeasures to protect against these risks.
Does your organization have long-term
foreign visitors who have access to your organizational intranet and who might see this
discussion? From a security perspective, it may be desirable that they do see it, as it
advises them of rules they are expected to follow. However, you need to judge whether this
is appropriate for your particular situation.
The first topic in this module is written for
organizations that have a formal Employee Assistance Program (EAP). If your
organization does not have an Employee Assistance Program, you will want to change this first
topic. The Implementation Package has an alternate topic to insert in its place. It is
the Eap.htm file in the Altrnats
directory in the Implementation Package. For guidance on changing files, see Tips for
HTML Editors.
If your organization does have an EAP, you
will want to coordinate with the office responsible for that program. The EAP plays an
important role in helping to resolve personal problems before they become security
problems. What is the best way for your security office to encourage EAP usage while also
reinforcing the confidentiality and independence of the EAP program? Ideally, the Guide
should help reduce the common employee fear that confiding in the EAP may affect one's
security clearance or future assignments.
Does your EAP program have a web site? If so,
one option may be to transfer all but the introductory page of the EAP module to
the EAP
site, and then provide a link to it in this program. Some organizations may wish to delete
the EAP module, and perhaps modify those pages for inclusion in a separate program on a
Human Resources or Medical site. If you delete the EAP module, remember that you have to
delete all the links and references to it. This can be considerable work, as the
navigation bar at the bottom of every page has an EAP link and there are quite a few
references in the text. If you plan to do this, see the discussion of Search and Orphan
Links in Tips for HTML Editors.
There are many places under Computer Vulnerabilities, Intercepting Your Communications,
and Bugs and Other Eavesdropping Devices where it
may be appropriate to discuss your organization's specific policies regarding use of passwords, unauthorized modems, discussion of sensitive
company business in e-mail or on cellular phones, encryption, and other
countermeasures against technical vulnerabilities.
Do you want to elaborate on policies
regarding the use and protection of laptop computers in Security
of Laptops, or discuss specific products that are available and should
be used to enhance the protection of laptops and the information on
them?
Each of the spy stories is
designed to communicate a lesson, not just tell a story. If you have lessons to be learned
from specific intelligence activities against your organization, it would be appropriate
to add them here.
No changes should be needed in
this module.
If you have added or deleted
topics, don't forget to make the appropriate changes in the List of Contents as well as in
the Contents section of the specific module in which the change was made.