101.1 Discuss the concept of ORM
- - A decision-making tool used by personnel at all levels to increase effectiveness by identifying, assessing, and managing risks.
- - Increases Navy's ability to make informed decision by providing a standardized ORM process.
- - Minimizes risks to acceptable levels to accomplish the mission.
- - Applies on/off duty, 24/7/365.
101.1 What are the 3 levels of ORM?
- 1. In-depth - ample time to apply the ORM process to the fullest; thorough research and analysis, testing, etc. available
- 2. Deliberate - ample time to apply ORM process to obtain the "best" answer for mission or task
- 3. Time critical - used on daily basis; lack of time for analysis
101.1 What are the 4 principles of ORM?
- 1. Accept risk when benefits outweigh the cost
- 2. Accept no unnecessary risk
- 3. Anticipate and Manage risk by planning
- 4. Make risk decisions at the right level (who can make decision on the risk)
101.2 What are the 5 steps of ORM?
- 1. Identify the hazards
- 2. Assess the hazards
- 3. Make risk decision
- 4. Implement controls
- 5. Supervise (and refine)
101.2 Explain Step 1 of ORM
- 1. Identify the hazards
- - a hazard is any condition with the potential to negatively impact mission accomplishment or cause injury, death, or property damage.
- - Should have the larger portion of the time allotted (can't manage if unknown).
101.2 Explain Step 2 of ORM
- Assess the Hazards
- - determine the associated degree of risk in terms of probability and severity
| Severity || Description |
| Catastrophic I || Loss of ability to accomplish mission; death or disability |
| Critical II || Significantly degraded mission capability, partial disability or severe injury |
| Moderate III || Degraded mission capability, minor injuries |
| Negligible IV|| Little to no advers effect |
| Probability || Description |
| A || Frequent to occur |
| B || Likely |
| C || Occasionally |
| D || Seldom |
| E || Unlikely |
101.2 Explain Step 3 of ORM
- Make Risk Decisions
- Three basic actions to lead to making informed decision:
- - Identify Control Options - develope 1 or more control options (engineering, administrative, or physical)
- -Determine control effects
- - Make risk Decision - are the controls enough to continue
101.2 Explain Step 4 of ORM
- Implement Controls
- -Communicate plan clearly, act on what has been decided, and continue
101.2 Explain Step 5 of ORM
- -Supervise the controls in order to determine effectiveness. Review as necessary.
- Three actions required:
- 1. Monitor effectiveness
- 2. determine the need for further assessment
- 3. capture lessons learned
101.3 Explain the risk assessment matrix and how Risk assessment codes are assigned
101.4 Discuss the fundamentals of Personnel Security
- Relates to the personnel, and need to know regarding classified information.
- Does the person have a clearance? Do they have a need to know? etc.
- Personnel undergo background investigation to determine if eligible to hold a clearance, and are adjudicated following a favorable result.
101.4 Discuss the fundamentals of Information Security
Ensure the information is classified and shared at the appropriate levels
- Information is classified per 4 levels:
- 1. Unclassified
- 2. Confidential - cause damage to the national security.
- 3. Secret - serious damage to the national security.
- 4. Top Secret - exceptionally grave damage to the national security
Information can be further restricted into SCI
101.4 Discuss the fundamentals of Physical Security
Ensure the information/space is properly secured, meets security standards, prevents access of unauthorized personnel, etc.
101.4 Discuss the fundamentals of Communications Security
Utilizing appropriate channels to discuss classified information
101..5 Define and discuss security classification levels, receipt, custody, document
markings and handling requirements for the following:
a. TOP SECRET, SECRET, CONFIDENTIAL
f. Allied Information/NATO Control Documents
.6 Discuss the difference between a classification marking, releaseability and handling
.7 Define and discuss how to find authorized document markings and explain the
b. REL TO USA, (eg. FVEY, ACGU)
j. Downgrading and declassification instructions
.8 Discuss Original Classification Authority and what organizations have this authority.
- SecNav and officials delegated the authority.
- For TS - SECNAV personally designates certain officials
- For S - SECNAV authorizes the CNO to designate certain officials
.9 Discuss derivative classification authorities and downgrade/declassification
Individual who do not have OCA and must base their classification based on the highest classification the sources used.
.10 Explain the process for determining declassification dates and how these are
marked in the overall classification line.
- Automatic declassification:
- all classified records auto declass on 31 December of the year that is 25 years from date of the original classification
Systematic - review for declassification of classified info contained in records that have been determined by the archivist of the US to have permanent historical value.
Mandatory - review in response to a request that meets the requirement.
Downgrade - information may be requested to be downgraded if certain conditions are met, or if the relevant event/info has passed.
.11 Describe classified destruction procedures to include classified documents and
Shredding (NSA approved shredders), wet pulping, mutilation, burn, chemical reduction, etc.
.12 Explain the purpose of your Command Emergency Action/Destruction Plan.
Emergency action plan in event of event that may result in likely loss or compromise of classified information. I.e. natural disaster, enemy overrun, civil unrestStart with highest classification first - Crypto/SAP, TS / SI, S, C
.13 Define and discuss the following:
- Access - personnel shall be investigated and adjudicated eligibility. HICE or designees may grant SCI access after:
- -Pre-nomination interview
- -validation of need to know
- -favorable determination of eligibility
- -signing non disclosure
- -complete SCI indoc
- -US citizen
- -of sound character and unquestionably loyal to US
- -person or close relatives be free from any potential coercion from family members with ties to foreign nationals
- Need to know:
- does person have a legit reason and need to know for the success of a mission
.13 Define and discuss the following:
d. Transmission security
e. Working papers
f. Unauthorized SCI Disclosures
g. Protection of sources and methods
- Transmission security
- are the channels and methods used to transmit classified information appropriate for the classification level (no TS on GENSER)
- Working papers
- notes, working paragraphs, other items used in creating final intel products but not meant for dissemination itself.
- Unauthorized SCI disclosure
- sharign SCI information with individuals that do not have access. Report immediately to chain of command
- Protection of source/methods
- main reason things are classified as such. Vital to intel; burned source is a dead source
.14 Describe proper classified transportation and transmission modes to include
procedures for using Defense Courier Service.
| Method || TS || S || C |
| Def Courier || Y || Y || Y |
| State Dep Courier || Y || Y || Y |
| Clr Mil, Civ, Comm Air/ship || Y || Y || Y |
| Crypto System || Y || Y || Y |
| Protected Distro Sys ||Y || Y || Y |
| DoD Approved contractor || N || Y || Y |
| USPS register/express main || N || Y || Y |
| USPS Certified/first class || N ||N || Y |
.15 Discuss the difference between the SSO and Security Manager.
SSO deals with SCI
Security manager deals with GENSER
.16 Define both a loss and a compromise of classified material, and the steps taken in
the event you discover either has occurred.
loss - can not physically account for the information. It may or may not be compromised
Compromise - unauthorized disclosure to person(s) who does not have authorized access, valid clearance, or need to know.
Report to chain of command and Security manager/SSO. GO up one step if CoC is suspected to be involved.
.17 Discuss the duties of a command Information Assurance Manager, to include
responsible for the information assurance program
Spillage - report to CoC, Security Manager/SSO. GO up one on CoC if CoC is involved.
.18 Discuss the various functions of a STE to include establishing secure
communications, proper clearance levels, key control and custodian
- newest voice/video comms.
- it's for use on the Integrated Services Digital Network.
- Consist of host terminal and security core.
- Host terminal provides hardware and software
- Security core is KSV-21 crypto card that provides the security aspects.