Developing a Technical Security Program
Once a client has gone through the process of locating a legitimate professional TSCM service provider, the next step is to develop a technical security program that addresses the requirements of the individual or organization.
Many customers will contract TSCM services as a one time event due to a particular issue or circumstance that has arisen. While
it is important to have services performed, if any possibility of compromise exists, they are performed as a reaction to a situation rather than trying to prevent it before it happens. Other clients will contract TSCM services during high risk events such as confidential meetings, during times of labour negotiations, legal matters, personal circumstances or business deals and acquisitions. Still, others will conduct periodic inspections as a matter of due diligence. Businesses should also consider TSCM services after building modifications, new construction or any activity that provides relatively unsupervised access to a target location.
The most beneficial strategy is to develop an ongoing program as a preventative measure combined with inspections during higher risk events or situations. This allows information to be compared from each service, which will better enable the operator to detect changes or differences in both the electronic and physical environment that may indicate possible compromise. It also
places an organization in a better position to intercept an attempt by an eavesdropper or someone trying to acquire confidential information in the gathering stage before the information can be abused.
Of course more frequent TSCM services will provide better protection, but even bi-annual or annual inspections as part of an
overall technical security program will go a long way in helping protect a customer's privacy and information. It is the responsibility
of businesses and organizations of all sizes to take reasonable steps, including TSCM services, to protect their information.
When scheduling TSCM services, many if not most are organized to be performed at night. While this is more covert and enables the work to be completed without employees or other individuals being aware and provides better and far less intrusive access to all areas, it is not always the best time to be performing TSCM services. Considering that the majority of business is done during the day, surveillance attempts or electronic devices that may be utilized are more likely to be in place and active during the daytime hours.
While it is not always practical to perform TSCM services during the daytime, a silent walk through during daytime business hours combined with an RF spectrum sweep to collect data for comparison should be performed with the more intrusive testing performed in the evening. In-place monitoring should be performed periodically or during sensitive events or meetings.
TSCM sweeps performed during the evening hours require extra attention to the physical portion of the service due to the greater possibility of devices being inoperable during this time as well as providing more complete non-disruptive access to all areas.
For larger businesses, corporations and organizations that have several offices or locations, depending on the distance between these locations, they may require more than one service provider. In this case, each inspection can be scheduled independently.
If a single TSCM company is to be used for all locations then a schedule will have to be developed according to both company needs and operator availability. The ability for a TSCM service provider to perform the required or normal scope of work when traveling, along with the added expense must also be considered. For international locations, legal issues, equipment restrictions and time limitations are also important factors.
The frequency of regular TSCM sweeps will be dependent on the perceived threat level and the budget approved and should be decided between the TSCM operator and the client. Services should be performed at random intervals so a set discernible pattern
is not detected. The individuals aware of TSCM services being performed should be kept to an absolute minimum and informed
on a need to know basis only. This might include waiting until cleaners, maintenance or repair personnel have completed their responsibilities and have left the premises. The less visible the entire process is, the more effective it will become.
It will be of vital importance that TSCM personnel have access to all areas involved including telephone and computer or data rooms/centers, mail rooms, all required offices, boardrooms, telephone cabinets, closets and stairwells etc. It is also important that any adjoining offices or rooms in close proximity of the surveyed area are accessible, as quite often they are implicated in surveillance or eavesdropping activities.
The client representative who is responsible for contracting and scheduling should always develop a working plan with the TSCM provider rather than issuing one themselves. The TSCM provider will be able to offer opinions and recommendations as to what areas should be included in the service schedule. Also the client representative should be onsite at all times during any services to answer questions, provide access to additional areas if required as well as to monitor the inspection/survey process itself.
It should be noted that while TSCM services will often include computer/network or cyber security analysis and assessments, computer forensic services should be considered when the protection of sensitive, confidential or proprietary information is concerned. Computers and their networks have become common targets for attack from both external and internal sources. For
the purposes of due diligence, random audits are often utilized as part of a complete protection or security policy as well as when
employee dismissals, resignations or disciplinary actions are involved. Computer Forensics should only be performed by trained
and qualified individuals.
TSCM services provide customers with a snapshot of conditions at a particular time and their effectiveness is directly related to the successful implementation of other security measures. While there can be considerable value in a one time inspection, TSCM services should be implemented as part of an ongoing security program to provide the best level of protection.