Describe a time when your proposed course of action was met with great resistance. Who resisted the measures and how did you resolve the conflict?
Shortly after the approval of my company's FOCI Mitigation agreement, an event occurred where an employee decided to operate in a manner that violated the terms of the company's FOCI mitigation agreement. The infraction involved the employee performing work on his former employer's laptop. When the IT team identified the foreign Parent system showing up on the corporate office network, I was immediately notified by the IT Director. I then initiated and led a preliminary investigation, gathered facts and then drafted a proposed response to submit to the Defense Security Service (DSS), which I then presented to the company President. The security issues at hand were:
The employee had been performing work supporting government accounts (no classified and no export) on the foreign Parent laptop for six months after transitioning from being an employee of the foreign Parent to being our employee.
The information on the device was backing up to the foreign Parent network.
When the device was directly connected to the corporate office network, it put HVF's network and systems at risk.
The operational issue was that the employee stated that the highly specialized programs he was running required the highly customized and configured Apple laptop, and that taking the device would mean he could no longer continue supporting mission-critical efforts while waiting for IT to have a replacement device ordered and delivered.
The President, being new to FOCI mitigation, expressed to me that he was extremely concerned about the potential optics and impact a security infraction would have on the company's current agreement, current contracts and future business. He was also concerned that taking the laptop out of service, and the downtime while the employee lacked a capable device until IT provided a replacement, would jeopardize current contractual obligations. His initial response was to go to the legal department and attempt to silence me. I responded to this action by scheduling an in-person meeting with the President, listened to his concerns and then took the time to explain to him the worst-case and best-case scenarios of specific outcomes. I explained the requirement to report noncompliance and the negative impacts of not doing so. I advised the following:
The company had solid security policies and procedures in place, and those capabilities proved their effectiveness in identifying the device showing up on our network.
The IT team properly initiated the Incident Response Policy and Procedures spelled out in the company's ECP by immediately contacting me in my role as the Facility Security Officer (FSO).
I then explained that this was a great opportunity to further strengthen our processes and procedures for the transfer of foreign Parent personnel to the Federal business unit.
Once I alleviated the President's fears, he agreed and approved my proposed course of action. Upon hearing his response, I reached out to the Government Security Committee (GSC), advised them of the planned course of action, and received their concurrence to move forward with reporting the infraction to the Defense Security Service (DSS).
In the report to DSS, I explained the circumstances of the event and the mitigation/get-well strategy. The plan I devised and executed involved working with the foreign Parent IT team to develop and deploy an IT asset tracking process that is activated upon transfer of a foreign Parent employee to the company. The automated process tracks the status of the employee's foreign Parent IT asset and sends notifications of the status of the device to the IT staff, the employee's new manager and the security team. The goal is to keep the company apprised of any potential foreign Parent mobile device still listed as in the possession of a foreign Parent transfer. To enable the employee to continue to support the contracts he was working on, the laptop was reimaged by the IT department and reissued to the employee to use while waiting for an equal-level system to be custom ordered and delivered. Once the replacement device was received, the foreign Parent device was reimaged and sent back to the foreign Parent. In addition, I took action to update our new employee onboarding training to educate both managers and foreign Parent transfers on the foreign Parent tracking process. The messaging explained that employees are never to do any work on a foreign Parent computing system.
DSS was pleased with the company's response and did not issue any type of violation. After hearing the response from DSS, the President developed a level of comfort and understanding moving forward regarding reporting when necessary.
Identifying the infraction, strengthening the company's policies, procedures and training, and notifying DSS of the situation ultimately built goodwill with the agency, showing that we view them as a partner and have transparent operations, resulting in further strengthening of the relationship.
Doing the right thing is never the wrong choice.