Customizing the Guide To Fit Your Needs
You are free to add, delete, or change any
information in this Guide to ensure that it reflects your organization's
specific policies, procedures, and security needs. You may change the Guide as much or as
little as you wish.
Many users of the Guide have started with
minimum customizing, so they can get the Guide up and running quickly. They then customize it further as time
permits. Before using the program
for mandatory awareness briefings, you will want to check to ensure that it
covers all the things you want your personnel to learn from the
briefing.
Be aware that once you install the Guide
on your network, you become responsible for the content. It is up to you to determine that this
content is appropriate for your organization and reflects your particular
policies and procedures. U.S.
Government security regulations apply to all government agencies and
companies with classified contracts, but they are sometimes written in broad
terms to permit flexibility in implementation. They may be implemented in different
ways that reflect the different circumstances and needs of individual
agencies and companies.
All information in the Guide, as it now
stands, has been approved for public release by the Department of Defense. If you add substantive information to
this Guide, it is up to you to obtain any approval for public release that
may be required.
Technical Issues
You do not need to be a computer
programmer to customize this Guide.
The only technical skill required is a basic knowledge of how to use
an HTML editor. This skill is
rather broadly available. Changing
the wording in an existing file is simple. Adding files or changing hyperlinks
becomes a bit more complicated. To
add reporting forms that an employee can fill out and return to you
electronically, consult with your webmaster.
The Employees' Guide is written in HTML
using the Microsoft FrontPage software program. The Guide may be edited directly in
HTML or by using an HTML editor such as FrontPage. Any HTML editor may
be used to make the changes as long as it is capable of keeping track of a
large number of files.
Keeping Records
You will find it useful to keep a record
of changes you make in the program.
This record will come in handy when there is an updated version of a
file. Updates will be posted on
the Defense Security Service website at
http://www.dss.mil/training/csg/csg1.htm. Before installing an updated file, you
will want to determine if this is a file you changed and whether those same
changes should be incorporated into the update.
What to Customize
You may, if you so desire, use the Guide
virtually as is with only three simple changes as noted below.
- At the bottom left of the Home page, delete the link that says Back to
Opening Screen. See below for discussion of other
links that might be added here.
- In the About this Guide file, the description of the
Guide should be edited to identify who to contact with comments or questions
and whether or not you have customized the original Guide. If your organization has its own legal
counsel, he or she may wish to review the statements here about the Guide. Please do not delete the
Credits section on the About page.
The people who created these cartoons, animations, and page
backgrounds and made them available to the public should be given credit for
their work.
- Follow the directions for separating the Guide from the Implementation
Package and the CBT Module. These directions are
at the bottom of the page on Tips for HTML Editors. Separating the Guide
breaks all links from the Implementation Package to the Guide. Therefore, it is advisable to wait
until after finishing the customization before doing this.
The following parts of this program should
be reviewed and considered for customization. If you see something you want to
change, print out the page or pages and mark up the changes to be made. The headings below are links to the
pages being discussed.
Feedback: The Guide is intended to lower the threshold of
what prompts people to contact the security office. You can make it easier for them to
contact you by adding a link that allows a user to send an e-mail message
back to your office. (See the
draft feedback page.) An appropriate place for this link
would be on the Home page, under the animation. To prepare an e-mail feedback link to
your office, you will need the professional assistance of your
webmaster.
Gray Navigation Bar: If the Guide is installed within a larger Security
Office web site, the gray bar at the bottom of the Home page is a good spot
for the link back to your Security Office Home Page. If you do not have any other security
office site, this bar can be left blank.
Additional Links: On the left side of the Home page, under Help for
First-Time Users, it is possible to make room for a couple of additional links. If you have an automated library of
security regulations, for example, you could add a link to it here.
The quizzes are intended to summarize the
most important messages in the Guide.
Add, delete, or edit questions as necessary to emphasize those points
that are most important to your organization. IMPORTANT: To avoid technical
problems, see Tips for HTML Editors
BEFORE MAKING ANY CHANGES IN THE QUIZZES.
In Quiz I, Question 5, check whether you
wish to specify more rigorous procedures for protecting the STU-III key.
Protecting Classified Information: Consider the following:
- Look at the topics on Using the STU-III, and Appropriate Use of
Computers to see if you want to elaborate on or change anything
there.
- If your organization receives foreign
visitors, you should consider adding a topic on your specific
organization's visitor control procedures. The threat is described under
Foreign Threats to Protected Information in the topics on Short-Term Visitors to
Sensitive Installations and Long-Term Foreign Visitors,
but it may be appropriate to cover your organization's specific
procedures for controlling visitors here under Protecting Classified
Information.
- Some contractors, especially DoD contractors,
may wish to elaborate on the discussion in Handling Classified
Information. The file Handling.htm in the
Altrnats folder was developed by one defense contractor to incorporate
material from its own security procedures handbook into the Guide. You may wish to edit it and
substitute it for the existing Handling Classified
Information file to provide more specific guidance on generating,
controlling, reproducing, retaining, and releasing classified
information.
Protecting Sensitive Unclassified Information: Government contractors may wish to
customize and give a more prominent place to the topics on Proprietary
Information and Trade Secrets and Export-Controlled Information. Look at the topic on Use of Computer Systems. Do you have an organizational policy
on carrying laptop computers with sensitive information? If so, it would be well to mention it
here as well as in Theft
of Laptops under Computer Vulnerabilities.
Pre-Publication Review of Web
Site Content should be checked to see if your own organization's policy
on web site content should be discussed here.
What Is Expected of Me: This entire module deals with specific responsibilities
for reporting things to the security office. Tailor it to reflect the specific
policies of your organization concerning, for example, reporting foreign
contacts or foreign travel. Consider
adding forms and specific procedures for reporting the information.
Reporting Unreliable, Improper, or Suspicious Behavior: This is an obviously important but
sensitive area, and the applicable regulations are not very specific. Review the wording here to ensure
there is nothing that you find objectionable or inappropriate for your
particular organization. Do you
have experiences from your own organization that could be substituted in the
topic on People Who Made a Difference?
If you are aware of specific foreign
intelligence activities against your organization that you would like to
share with your employees, this element of the Guide is an appropriate place
to do it. In doing so, however,
please be aware that you may need to obtain approval for public release of
such information in a U.S. Government product. The following policy considerations
may apply.
It is the policy of the Defense Security
Service, as well as several other government agencies, that Unclassified foreign threat awareness
materials should not focus attention on any specific foreign entity (i.e.,
government, company, association, agency, etc.) as being particularly active
in intelligence operations against the United States. As a result, this Guide discusses
foreign threats in general terms -- the methods that are used rather than the
countries that are using them.
There are three reasons for this policy:
- Identifying specific foreign countries as
counterintelligence problems focuses awareness and resulting security
measures too narrowly. Intelligence
operations in general, and particularly operations against economic,
scientific and technical, and industrial targets, are now conducted
against the United
States by many of our allies as well
as our adversaries. Focusing
attention on a few key countries tends to imply that other countries are
not a significant threat, which is not the case.
- Directing an awareness message at a specific
foreign country can create an appearance of U.S. Government-sponsored
discrimination against nationals, immigrants, and those with ancestry
from that nation and the region where it is located. This appearance of discrimination
can go beyond national origin to the appearance of religious or racial
discrimination.
- Awareness messages that concentrate on specific
foreign countries can generate unnecessary problems in foreign policy
and in the unclassified world of international business.
There are exceptions to this policy
against identifying specific countries as threats in any Unclassified product. 1) The sponsoring country may be
identified when describing the cases of Americans arrested and prosecuted for
espionage. 2) Formal,
unclassified U.S. Government threat assessments may be cited, such as State
Department identification of countries that engage in state-sponsored
terrorism.
If this program is used on a classified
network, the limitations on citing specific countries do not apply. You may wish to customize the Guide to
include threat information about specific countries, although it is still
wise to avoid focusing security attention too narrowly and to avoid any
appearance of discrimination against any particular national, ethnic, or
religious group.
Long-Term Foreign Visitors discusses
risks posed by long-term foreign visitors and foreign-national employees, and
countermeasures to protect against these risks. Does your organization have long-term
foreign visitors who have access to your organizational intranet and who
might see this discussion? From a
security perspective, it may be desirable that they do see it, as it advises
them of rules they are expected to follow. However, you need to judge whether
this is appropriate for your particular situation.
The first topic in this module is written
for organizations that have a formal Employee Assistance Program (EAP). If your organization does not have an
Employee Assistance Program, you will very likely want to change this first
topic. The Implementation Package
has an alternate topic to insert in its place. It is the Eap.htm file in the
Altrnats folder in the Implementation Package. For guidance on changing files, see Tips for HTML Editors.
If your organization does have an EAP, you
will want to coordinate with the office responsible for that program. The EAP plays an important role in
helping to resolve personal problems before they become security problems. What is the best way for your security
office to encourage EAP usage while also reinforcing the confidentiality and
independence of the EAP program? Ideally,
the Guide should help reduce the common employee fear that confiding in the
EAP may affect one's security clearance or future assignments.
Does your EAP program have a web site? If so, one option may be to transfer
all but the introductory page of the EAP module to the EAP site, and then
provide a link to it in this program.
Some organizations may wish to delete the EAP module, and perhaps
modify those pages for inclusion in a separate program on a Human Resources
or Medical site. If you delete
the EAP module, remember that you have to delete all the links and references
to it. This can be considerable
work, as the navigation bar at the bottom of every page has an EAP link and
there are quite a few references in the text. If you plan to do this, see the discussion
of Search and Orphan Links in Tips for
HTML Editors.
There are many places under Computer
Vulnerabilities, Intercepting Your
Communications, and Bugs and Other
Eavesdropping Devices where it may be appropriate to discuss your
organization's specific policies regarding use of passwords, unauthorized modems,
discussion of sensitive company business in e-mail or on cellular phones,
encryption, and other countermeasures against technical vulnerabilities.
Do you want to elaborate on policies
regarding the use and protection of laptop computers in Security of Laptops,
or discuss specific products that are available and should be used to enhance
the protection of laptops and the information on them?
Each of the spy stories is designed to
communicate a lesson, not just tell a story. If you have lessons to be learned from
specific intelligence activities against your organization, it would be
appropriate to add them here.
No changes should be needed in this
module.
If you have added or deleted topics, don't
forget to make the appropriate changes in the List of Contents as well as in
the Contents section of the specific module in which the change was made.