CEO's Guide to the Care and Feeding of Your Sweeper

From: James M. Atkinson <jm..._at_tscm.com>
Date: Fri, 09 Mar 2007 10:48:57 -0500

 From a confidentiality basis it is desirable to have as few
people/vendors involved in a sweep as possible, and to run your TSCM
operations in as low key a manner as you can manage. If you are the
CEO of a major company in Chicago it is ill advised to try to find a
sweeper in the Windy City, because there just ain't any within
several hundred miles. Don't start asking your security department to
get bids and quotes from every firm within 50 miles because you will
be wasting their time, but instead hand pick and pre-screen a half
dozen national firms, and contract with them so that each firm gets
in the building once or twice a year.

Never rely on any single firm to provide you with sweep services, but
have several firms that you trust which you can bring to any of the
facilities the company may have. In the case of a corporate sweep in
Chicago you may need to engage a firm that is one or two days' drive
away, but you will be happier by doing that than you will be with
engaging an under skilled, and under equipped "low bidder" in your
local area who is just doing sweep work for divorce cases.

It is also (and this may be blasphemy to some of you) ill advised for
the CEO to involve his security department in engaging a sweep firm
at the last minute. Instead, the CEO needs to set up a relationship
with a sweep firm far in advance of actually needing to have a sweep
done. In fact it is good for a sweep firm to be brought in, give them
a tour of the location (without the assistance of the security
department), and then pay them to write up the site security as they
see it from the technical intelligence angle. The CEO then calls in
his head of security and presents the TSCM'er's report to them (minus
anything that mentions who the sweeper is), and asks the security
department to explain and resolve these weaknesses. Up to this point,
no actual sweep has been performed, and the sweep specialist can fly
in with little more than a briefcase and a notebook for a couple of
days. The actual sweep takes place at some future time, but not at
the time of the first visit.

While this may put the sweep firm at odds with the security
department, if the TSCM'er is able to shake weaknesses out of the
security posture of the building then the project was a success, the
security manager gets his departmental budget increased, and although
they may get some ruffled feathers they will fear the CEO bringing in
"specialists" from time to time for a secret audit.

Along these same lines the C-Suiter with overall responsibility for
the company needs to bring in a locksmith who is not local to the
area, and with whom the security department has no connections, to
independently examine all locks, doors, and jambs to ensure they
are as secure as the security department thinks they are. Ditto with
other specialized areas of the security professions like access
control, lighting, cameras, and so on.

The dicey part of this is that the CEO needs to perform some sort of
due diligence on the firm they are engaging, and there are a variety
of ways to do this without involving their own security department,
or tipping their hand to the wrong folks.

Hints:

Most convicted felons who offer sweep services can bullshit their way
past most corporate security people, but will get stopped dead in
their tracks by the CEO asking 10 basic questions, and 95% of all ill
equipped or ill skilled/trained (but non-criminal) sweepers can be
stopped dead with only 15 additional questions. This gives a CEO only
25 questions that they can ask and which can be used to very
quickly determine just how legitimate, honest, and properly equipped
a sweep firm really is.

CEOs may also find it beneficial (and far more successful) to
involve their IT department (one senior person only) in sweeps
instead of the security department. However, it is important that this
person know how to absolutely keep their mouth completely shut.

A sweeper or sweep firm will have allegiance to only one person in
the building at a time, so if the security department brings them in,
then they work for, and answer to the security department only. On
the other hand, if the CEO brings them in then they work for, and
answer to the CEO, and not the security department. My rule of thumb
is that if a C-Suiter brings me in, I will only work for the
C-Suiter for one year after the date of my last engagement by the
firm. If the C-Suiter leaves for another firm then my relationship
with the company can be transferred to his replacement, or to the
security or IS departments.

Sometimes a CEO will bring in an outside sweep firm, have them scour
the facility, present their report to the executive suite and then
bring their security folks in for an old-fashioned revival meeting
in which they find religion. The CEO then tells the security
department to work with the outside firm until both the inside and
the outside people are satisfied that all the issues have been
suitably addressed. After this the TSCM firm can be handed off to the
security department for future sweeps, or the CEO can keep the sweep
firm to work only directly for him.

A little career survival advice to the corporate security people on
the list... your CEO is likely already having sweep work done... you
may not know about it, and may never find out about it... ask your
boss about this, but be sure to be sitting down when you get the
answer... you may not like what he tells you.

A little more career advice is that you should propose bringing in an
outside firm to perform sweeps for your C-suiters, and watch the
smile on your boss's face when he/she realizes that you're asking the
right questions and looking out for them proactively, which is what
you should be doing all the time anyway. Sure, you can do some sweep
functions in house, but one of the ways to find yourself exploring
the local job market is to try to perform your own sweeps.

Buy a few pieces of basic sweep gear to keep on hand for use between
periodic visits by an outside firm (a budget of 50k is reasonable),
but rely on an outside firm to bring 10-20 times this amount of
equipment when they do sweeps. Sure, you may know the building and
the company better than they do, but they know sweeps better than you do.

-jma


----------------------------------------------------------------------------------------------------
   World Class, Professional, Ethical, and Competent Bug Sweeps, and
Wiretap Detection using Sophisticated Laboratory Grade Test Equipment.
----------------------------------------------------------------------------------------------------
  James M. Atkinson Phone: (978) 546-3803
  Granite Island Group Fax: (978) 546-9467
  127 Eastern Avenue #291 Web: http://www.tscm.com/
  Gloucester, MA 01931-8008 E-mail: mailto:jm..._at_tscm.com
----------------------------------------------------------------------------------------------------
  We perform bug sweeps like it's a full contact sport, we take no prisoners,
and we give no quarter. Our goal is to simply, and completely stop the spy.
----------------------------------------------------------------------------------------------------