Describe a time when your proposed course of action was met with great resistance. Who resisted the measures and how did you resolve the conflict?

Shortly after the approval of my company’s FOCI Mitigation agreement, an event occurred where an employee decided to operate in a manner that violated the terms of the company’s FOCI mitigation agreement. The infraction involved the employee performing work on his former employer’s laptop.
Upon the IT team identifying the foreign Parent system showing up on the corporate office network, I was immediately notified by the IT Director. I then initiated and led a preliminary investigation, gathered facts and then drafted a proposed response to submit to the Defense Security Service (DSS) that I then presented to the company President. The security issues at hand were:

· The employee was performing work supporting government accounts (no classified and no export) on the foreign Parent laptop for six months post transitioning from being an employee of the foreign Parent to transitioning to become our employee.
· The information on the device was backing up to the foreign Parent network.
· When the device was directly connected to the corporate office it put at risk HVF’s network and systems.

The operational issue was the employee stated that the highly specialized programs he was running required the highly customized and configured Apple laptop and taking the device would mean that he could no longer continue supporting mission critical efforts while waiting for IT to have a replacement device ordered and delivered.

The President being new to FOCI mitigation expressed to me that they were extremely concerned about the potential optics and impact a security infraction would have on the company’s current agreement, current contracts and future business. They were also concerned that taking the laptop out of service and the time down for the employee not having a capable device to perform work until a replacement device provided by IT would jeopardize current contractual obligations.
Their initial response was to go to the legal department and attempt to silence me. I responded to this action by scheduling an in-person meeting with the President, listened to their concerns and then took the time to explain to him the worst-case scenarios and best-case scenarios of specific outcomes, explaining the requirement to report noncompliance and the negative impacts of not doing so. I advised the following:

· The company had solid security policies and procedures in place and those capabilities proved their effectiveness in identifying the device showing on our network.
· The IT team properly initiated the Incident Response Policy and Procedures spelled out in the company’s ECP by immediately contacting me in my role as the Facility Security Officer (FSO).

I then explained that this was a great opportunity to further strengthen our processes and procedures for the transfer of foreign Parent personnel to the Federal business unit. Once I alleviated the President’s fears, he agreed and approved my proposed course of action.
Upon hearing his response, I reached out to the Government Security Committee (GSC), advised them of the planned course of action, and received their concurrence to move forward with reporting the infraction to the Defense Security Service (DSS). In the report to DSS, I explained the circumstance of the event and the mitigation / get well strategy. The plan I devised and executed involved working with the foreign Parent IT team having developed and deployed an IT asset tracking process that is activated upon transfer of a foreign Parent employee to the company. The automated process tracks the status of the employee’s foreign Parent IT asset and sends notifications of the status of the device to the IT staff, the employee’s new manager and to the security team.
The goal is to keep the company apprised of any potential foreign Parent mobile device still listed as in the possession of a foreign Parent transfer. To enable the employee to continue to support the contracts he was working, the laptop was reimaged by the IT department and reissued to the employee to use while waiting for an equal level system to be custom ordered and delivered. Once the replacement device was received, the foreign Parent device was reimaged and sent back to the foreign Parent. In addition, I took action to update our new employee onboarding training to educate both managers and foreign Parent transfers of the foreign Parent tracking process.
The messaging explained that employees are never to do any work on a foreign Parent computing system.

DSS was pleased with the company’s response and did not issue any type of violation. After hearing the response from DSS, the President developed a level of comfort and understanding moving forward regarding reporting when necessary. Identifying the infraction, strengthening the company’s policies, procedures, training and notifying DSS of the situation ultimately built goodwill with the agency showing that we view them as a partner, have transparent operations resulting in further strengthening the relationship. Doing the right thing is never the wrong choice.