to other people or events or in any other way cultivating
an air of mystery or superiority. It goes without saying
that the use of good human relations techniques is essential
to a successful interview. Nothing can be gained by
being belligerent and antagonizing the interviewee.
Your conduct should be firm and inquisitive, but also
calm, sincere, and open. Probe in some detail any
answer that appears evasive or defensive.
Taking notes is a matter of individual preference.
Some people take very adequate notes at listening
speed. Others must devote all their attention to
listening. If note taking is a problem, the interview
could be conducted by two-person teams. Another
alternative is to use a portable tape recorder, making
certain the interviewee knows in advance that the
interview is being taped. If a two-person team or a tape
recorder is not available, attempt to listen and absorb as
much as possible, then record notes and impressions
directly after the conclusion of the interview.
The evaluation tests can be scheduled or come as a
surprise. Most security inspections include testing the
emergency, fire, evacuation, and disaster recovery
activities. Access controls should also be tested on a
no-notice basis. Tests are best scheduled or conducted
early in the inspection rather than after everyone is
alerted to the presence of the inspection team. Special
concern, guidance, and instructions must be taken into
consideration when the AIS facility has armed guards.
It is possible to test the adequacy of programmed
controls and data authorization by submitting jobs that
attempt to bypass these controls. Take care not to
destroy live data. However, if AIS upper management
believes error detection and correction controls really
work, then there should be no objection to the
introduction of deliberate errors to test these controls.
The inspection team should convene periodically,
preferably at the end of each day's activity, to review
progress and to compare notes. Areas of weakness or
concern should be highlighted, and additional tests or
interviews scheduled to investigate further any
particular areas of concern. Copies of the inspection
working paper should be classified, numbered, dated,
and organized for ease of understanding, review, and
comparison.
At the completion of the inspection, a written report
is to be prepared immediately, while impressions are
still fresh. As a rule, the inspection report includes:
An executive summary;
A description of the inspection: dates,
locations, scope, objectives, and so forth;
A detailed report of observations made;
Conclusions drawn from the observations; and
Recommendations for corrective actions, as
appropriate.
The degree of cooperation received should be noted and
favorable conclusions should be given the same
prominence as deficiencies. Tables, charts, and
matrices of results, statistical tests, and conclusions may
be very helpful. Distribute the final report to the AIS
facility and the command upper management as
prescribed in the planning phase.
INSPECTION FOLLOW-UP
An inspection is of little use unless it is the basis for
improvement, correction, and management follow-up.
The responsibility for implementation of such activity
normally resides with the commanding officer (CO) of
the command. The CO must, in turn, assign
responsibilities for corrective action. The best
approach is to summarize each major deficiency on a
control sheet, outlining requirements, problem
definition, responsibility, action taken or required, and
follow-up action. In addition, an indication should be
made of the date that action should be completed, or if
it is to continue. Some of the corrective action may
require additional funds; this should be noted.
Corrective action, follow-up, and disposition of the
deficiencies should follow a recurring reporting cycle
to upper management. Quarterly reports are
recommended for any inspection control items still
open.
The final step is a frank and honest evaluation of
the inspection itself by AIS facility management and the
inspection team. A group discussion should be held
with the expressed purpose of improving future
inspection procedures and processes. The inspection
plan may need to be amended or the team composition
may need to be changed. The emphasis of the
inspection should always be positive, one of helping
AIS management at all levels to improve the security
and control of the AIS facility.
DATA PRIVACY
The Privacy Act of 1974 (Public Law 93-579)
imposes numerous requirements upon naval commands
to prevent the misuse or compromise of data concerning
individuals. Navy AIS facilities that process personal
data must provide a reasonable degree of protection
against unauthorized disclosure, destruction, or