(SANITIZED)
Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST):
CIA-RDP87B01034R000500060017-7
Release Decision:
RIPPUB
Original Classification:
K
Document Page Count:
2
Document Creation Date:
December 21, 2016
Document Release Date:
March 6, 2008
Sequence Number:
17
Case Number:
Publication Date:
November 10, 1982
Content Type:
LETTER
File:
Attachment | Size |
---|---|
![]() | 116.19 KB |
Body:
Approved For Release 2008/03/06: CIA-RDP87BO1034R000500060017-7
Department of Energy
Washington, D.C. 205:45
NOV101982
Chairman
DCI Security Committee
CIA Headquarters
Washington, DC 20505
We have reviewed the UDIS proposal relating to a National Policy on Damage
Assessments and have found it to be useful and constructive. This Department
tends to agree with the proposal for National level guidance, with an emphasis
on guidance rather than control. Such guidance should set out broad minimum
requirements in the assessment process, while giving agencies reasonable
parameters in which to operate.
The policy should recognize, however, that such latitude may tend to encourage
some agencies_to apply only the minimum required procedures. In the formula-
tion of policy details, it should be recognized that the information security
practices of different agencies are widely varied, often being influenced by
manpower resources and the volumes and levels of classified processed. For
example, while a cabinet level department may currently have a damage assess-
ment data base of its own, most small agencies have never even considered
establishment of such a data base.
Nevertheless,' the Department of Energy concurs with, and supports the UDIS
proposal on Damage Assessments.
Sincerely,.
?Membe'it
DCI Security Committee
DOE review completed.
Approved For Release 2008/03/06: CIA-RDP87BO1034R000500060017-7
Approved For Release 2008/03/06: CIA-RDP87B01034R000500060017-7
SECRET
7. The report also notes, as a final point, that agencies
which have not yet issued regulations implementing ISOO Directive
No. 1 ought to do so. (U)
8. I certainly share the concerns of the UDIS. At CIA, we
already have in place mechanisms to conduct damage assessments
both internally and at our industrial contractor facilities.
Security infractions are investigated and appropriate administra-
tive actions are taken. Punishments range from verbal reprimands
through termination from employment, depending on the gravity of
the infraction. We have found our Reinvestigation Program-and
our Agency's use of the polygraph to be exceptionally helpful
tools in such matters. More'recently, we have drafted a new
Agency regulation directed specifically at the conduct of damage
assessments. (U)
9. CIA is now heavily involved in security reeducation,
both in-house and among our industrial contractor population.
I believe that this progam will go a long way toward sensitizing
our people to the need for protecting the classified data with
which they are entrusted. I would like to see information on the
weaknesses of U. S. Government classified information control
systems receive judicious dissemination. We can all learn from
our mistakes to improve our security posture. Within that
context, I-consider it useful.to pursue development of an
unauthorized disclosure database, as suggested by UDIS, pro-
vided that proper dissemination controls can.be developed and
exercised. I would suggest that SECOM is the appropriate forum
in which to pursue such an initiative. (U) .00t'- r?
Approved For Release 2008/03/06: CIA-RDP87B01034R000500060017-7