Security Solutions Group
Security Solutions Group COMSEC Awareness Training

Why Are You Here? You are here because your current position has a bearing on the safeguarding of Communications Security (COMSEC) Equipment, Systems, or Materials.

Elements of COMSEC

Transmission Security Transmission Security or TRANSEC is the part of COMSEC that includes all measures taken to protect information from interception and exploitation while being electronically transmitted.

Types of Transmissions Radio: The most widely used form of electronic transmission. No matter the type of end equipment in use, in most cases radio signals are used for delivery at some point between transmittal and receipt. Because radio signals are sent out through the open air, they are one of the least secure forms of transmission.

Types of Transmissions Telephone: One of the most widely used and most convenient forms of communication. Telephone lines carry not only voice communications but data as well. Telephone lines are easily tapped, making the phone a very insecure form of communication.

Types of Transmissions Cell Phones: Very popular and widely used today. However, they are even less secure than regular phones because their transmissions can be picked up just like radio signals.

Types of Transmissions Email: This has become one of the most widely used forms of communication, and one of the greatest risks to the security of classified and sensitive information.

Types of Transmissions Messages sent via email can be easily intercepted or can be found stored on servers and copied. There are some methods for protecting emails but currently none are approved for protecting classified data.

Types of Transmissions Face to Face: This is when two or more parties meet and talk with each other. Hand Delivery: This is when data in written or hardcopy form is hand carried from the point of transmission to the point of receipt. NOTE: The security of face-to-face and hand-delivery transmissions depends entirely on the parties communicating.

Types of Transmissions US Postal & Courier Services: This is when data or materials are transferred through certified mail or hand delivered by bonded couriers. In most cases this is a very secure means of communication, but it is not useful when time constraints exist.

Cryptographic Security Cryptographic Security, or Cryptosecurity, is the part of COMSEC that includes the design, implementation, protection and use of technically sound cryptographic systems.

Cryptographic Security Cryptographic Security includes correctly applying encryption equipment to protect voice and data communications. When properly applied, encryption can secure all electronic transmission.

Cryptographic Security Includes the development of Key Management Plans and Procedures that provide instructions for the operation and protection of cryptographic devices and their key material.

Cryptographic Security Includes all measures taken to ensure only authorized personnel install, operate and perform maintenance on cryptographic devices.

Physical Security Physical security is the part of COMSEC that results from taking all measures necessary to physically safeguard all COMSEC classified and sensitive materials and information.

Physical Security Includes Storage Facilities And Security Containers

Physical Security Storage of Classified Materials: The preferred storage for items classified as Secret and Confidential is a Class B vault. When necessary, such items can be stored in a GSA approved security container.

Physical Security Storage of FOUO and SBU: These items may be stored using the same methods as classified materials. When those methods are not available, a filing cabinet equipped with a locking bar and a GSA changeable combination lock is the most preferable. However, in most cases it is acceptable to use any lockable container or room, but you should check with your RCO.

Physical Security Badges, Guards and Alarm Systems: It includes applying methods to ensure only authorized persons have access to classified, sensitive and COMSEC materials and information. These methods include, but are not limited to, badges, guards and alarm systems.

Physical Security It includes the proper handling and accounting for all classified, sensitive or COMSEC information/materials on a continuous basis. Inventories of these materials must be taken once per shift whenever the storage container is opened, or, when the container remains closed, at a minimum of once a week.

Physical Security Whenever classified, sensitive or COMSEC materials are removed from storage, the person removing these materials or information must maintain constant control or surveillance over them.

Physical Security No matter how important a task may be, if it involves classified, sensitive or COMSEC materials or information, you may NEVER take it home or away from its secure area to be completed.

Physical Security Includes the proper disposal of classified and sensitive materials and information no longer needed. Some approved methods of destruction are:

Physical Security The proper disposal of classified and sensitive materials and information in electronic form is somewhat different. Two methods are:

Physical Security Most of you will not be performing the destruction of the materials. Most of you will place them in either a Burn Bag or a Classified/Sensitive Trash Receptacle.

Physical Security The destruction of COMSEC materials is even stricter than that of other classified materials. For this reason, there are even fewer personnel authorized to perform this destruction. For more information contact your RCO.

Emissions Security Emissions Security is the part of COMSEC that denies unauthorized persons the ability to derive classified/sensitive information from the interception of unintentional emanations.

Emissions Security All electronic equipment produces and radiates RF signals.

Emissions Security How do we prevent these radiated RF signals from being intercepted by unauthorized parties?
1. We use TEMPEST rated equipment.
2. We use Red/Black separation.
3. We shield and filter our facilities and sensitive areas.

Information Classifications Information is classified based on the amount of damage it could cause if disclosed to the wrong parties.

Information Classifications
Top Secret: This classification is given to information when its loss or compromise would cause exceptionally grave damage to the security of the United States.
Secret: This classification is given to information when its loss or compromise would cause serious damage to the security of the United States.
Confidential: This classification is given to information when its loss or compromise would cause damage to the security of the United States.

Information Classifications
For Official Use Only: This classification is given to information when its loss or compromise would pose a threat to the operations or missions of the classifying agency.
Sensitive But Unclassified COMSEC: This classification is given to COMSEC information that is not classified but whose loss or compromise would pose a threat to the operations or missions of the holding agency.

Disclosure of Information Disclosure of information, quite simply, is when information passes from one party to another. When dealing with classified, sensitive or COMSEC information, it is the responsibility of the party possessing the information to ensure it is not disclosed to parties who do not have a need for, or a right to, the information.

Authorized Disclosure Disclosure of classified, sensitive or COMSEC information is authorized only when the party receiving the information has the proper clearance or background check, can be properly identified, and has a need to know. Need to know does not mean that because a person holds a high management position, he or she automatically needs access to the information.

Unauthorized Disclosure Unauthorized disclosure of classified, sensitive or COMSEC information is when the party receiving the information does not have the proper clearance or, in most cases, a need to know. In most cases, unauthorized disclosures are unintentional and due to poor planning or a failure to think on the part of the possessing party.

Unaware of Surroundings One of the leading causes of unintentional disclosures is simply people not being aware of what is happening around them. Discussing classified, sensitive or COMSEC information when you are unsure or unaware of your surroundings can quickly lead to this information being disclosed to the wrong people.

Awe Of Position We all want to please our management, and work very hard each day to do so. We must remember that just because they are our supervisors, we can't always give them the information they request. If a higher-up requests anything that is classified, sensitive or COMSEC in nature, we must make sure they meet all the requirements for access to this information, just like everyone else.

Trapped by Time Whenever we feel rushed, or have a deadline that we can't see ourselves making, we tend to cut corners. When we are in this type of situation and working with classified, sensitive or COMSEC information, the corners we cut could very likely lead to an unintentional disclosure. We must remember that when working with classified, sensitive or COMSEC information, the job must be done by the book, no matter how long it takes.

Emotional Hazard Emotions play a very big part in our lives and affect each of us on a daily basis. When we let emotions cloud our thinking, the classified, sensitive or COMSEC information we are working with is at risk of an unintentional disclosure. Note: Emotions are one of the most difficult of all the unintentional disclosure risks to control.

Security Incidents Security Incidents are events or incidents that may jeopardize the security of any of the COMSEC Elements, classified or sensitive information or materials.

Security Incidents Security incidents can be broken into three categories: Personnel, Physical and Cryptographic.

Personnel Security Incidents Personnel security incidents are events or incidents that involve acts of espionage and sabotage, or the willful or unintentional disclosure of information to hostile or foreign agents by personnel having authorized access to the information.

Physical Security Incidents Physical security incidents occur when the control over classified, sensitive, and/or COMSEC equipment, materials or information is lost.

Cryptographic Security Incidents Cryptographic security incidents are willful or unintentional actions or inactions that place any element of a cryptosystem in jeopardy of compromise.

Security Incidents Also includes:
Reporting the incident
Correcting the problem
Investigating the cause
Performing preventive measures

Reporting the Incident Any event or incident that jeopardizes any of the COMSEC Elements, classified or sensitive information or materials must be reported immediately.

Reporting the Incident We must be careful when reporting an incident, because on most occasions the initial report will be made over some type of unsecure means of communication.
Don't Report in This Manner: "I left the safe open and now I can't find the Crypto Keys!"
Do Report in This Manner: "I have an issue, could you come see me!"

Correcting the Problem The first priority is to correct the problem. This could mean anything from securing an unsecure area or container to taking the affected equipment or system out of service.

Incident Investigation The RCO and CAM will perform an investigation into the cause of the incident. All involved persons are expected to cooperate fully with the investigation.

Incident Investigation The investigation determines the severity of the incident. There are four levels of severity:
Compromise
Compromise Not Ruled Out
Compromise Improbable
Dangerous Practice

Preventive Measures Preventive measures are anything performed to help stop a recurrence of the same type of incident. Examples include:
Changing Procedures
Personnel Changes
Arrest and Conviction

Conclusion This concludes the COMSEC Awareness Training. If you have any further questions with regard to the protection of COMSEC, classified and sensitive information and materials, contact your Responsible COMSEC Officer.