vulnerabilities that are significant for the particular
facility. Third, the AIS Facility Security Manual, the
Operations Manual, and other appropriate documents
should be reviewed to determine what the specified
security operating procedures are. And last, the AIS
facility organization chart and job descriptions should
be examined to identify positions with specific security
or internal control responsibilities. This background
material forms the basis for the development of the
inspection plan. A number of general questions should
be considered when formulating the inspection
program. The following are examples:
What are the critical issues with regard to
security? Does the AIS facility process
classified or otherwise sensitive data? Does the
processing duplicate that of other data centers,
thereby providing some sort of backup or
contingency capability? Or is it a stand-alone
activity processing unique applications? What
are the critical applications in terms of the
inspection emphasis?
What measures are least tested in day-to-day
operations? For example, if the computer fails
every day at 1615 because of power switchovers,
the immediate backup and recovery
requirements are likely to be well formulated and
tested. However, the complete disaster recovery
plan probably has not been tested, unless there is
a specific policy to do so. This is a key point.
Security measures of this type are often
inadequately exercised.
What inspection activities produce the
maximum results for least effort? A test of fire
detection sensors under surprise conditions tests
not only the response to alarms but also the
reaction of the fire party and the effectiveness of
evacuation plans. In interviewing personnel, the
team should design questions to elicit
comprehensive answers. For example, the
question "How would you process an
unauthorized job?" is likely to elicit more
information than "Are job authorization controls
effective?" The most likely answer to the second
question is a simple and uninformative "Yes."
What are the security priorities? Because of
particular policy, a request for an investigation,
or an incident of loss, interruption, or
compromise, the testing of a particular security
measure probably should receive more emphasis
than other equally important but noncurrent
topics. One must, however, avoid irrational
concentration on any one aspect of the program.
Management overemphasis as a result of a recent
security breach should be tempered with a
rational approach toward investigating all
aspects of computer security.
Another step in the process of developing an
inspection plan is the review of previous inspection
reports. Many times these identify weaknesses or
concerns that should have been corrected, and so should
be an item of special attention in the current inspection.
CONDUCTING INSPECTIONS
Advantages can be gained from using both
scheduled and surprise inspections. A scheduled
inspection should meet the general policy requirements
of the particular facility and should occur at least
annually. This could be a major inspection conducted
by an outside command, an internal inspection, or a spot
check inspection to review specialized items of interest,
perhaps as a result of previous inspection reports of
findings. The distinguishing characteristic is that it is
scheduled in advance, with a resultant flurry of
preparation by the AIS facilities. It motivates cleaning
up loose ends, but limits what can really be learned from
the inspection.
A surprise inspection is designed to test on a
no-notice basis certain elements of security and control.
It should be approved by the commanding officer of the
command in charge of the AIS facility. It can be
accomplished by the command or an external
inspection team. It can be used to test those elements
best reviewed on a surprise basis, such as fire response,
access control, and personnel complacency.
When a scheduled inspection is conducted, the first
step normally is to interview AIS personnel. Generally,
the first walk-through includes interviews with the AIS
technical manager. Searching questions, rather than
leading questions, should be the rule, and the best
approach is to allow the interviewee to talk as freely as
possible. If you are the interviewer, ask questions to put
the interviewees in the position of probing for their
answers. For example, "What is your biggest access
control problem?" not "Do your people wear badges?"
Ask how illegal entry or sabotage would be
accomplished. Do not hesitate to ask the same
questions of more than one person. It is interesting how
varied the responses can be.
The conduct of the interviewer is important. Strive
to be open in dealing with interviewees. Avoid
allusions to private information and obscure references