INSPECTION PREPARATION
The inspection should be conducted by some
department or facility outside the span of control of the
AIS technical manager. One of the main principles in
selecting an inspection team is that members should not
be responsible for AIS operations. Team members
should have some knowledge of data processing and, if
possible, basic inspection principles. A programming
or AIS operations background is desirable but not
essential. An experienced military or civil service user
of AIS services might have the necessary qualifications.
The role of the team is not to develop security controls,
but to evaluate established controls and procedures.
Also, the team should not be responsible for enforcing
control procedures, which is clearly an AIS
management responsibility.
The character of each of the inspection team
members is extremely important. Judgment, objectivity,
maturity, ability, and a probing nature will all affect
the success of the inspection. The leader of the inspection
team must be able to organize the efforts, prepare
a good written report, and communicate findings
effectively. The leader should be an officer, warrant
officer, chief petty officer, or U.S. civilian employee
who is GS-7 or above. If not technically oriented, the
team leader should be assisted by someone whose
technical judgment and knowledge of AIS is reliable.
The size of the team depends upon the size of the
facility and the scope of the inspection. A large facility
should consider including personnel from the following
areas on the inspection team:
Internal inspection. The knowledge and
discipline to conduct an inspection can be
provided through internal inspection specialists.
Inquisitiveness, a probing nature, and attention
to detail are typical characteristics desired for
inspection board members. Even though an
inspection team member generally is not trained
in data processing technology, it should not be
difficult to appoint team members with some
data processing knowledge.
Security. A security officer is a welcome
addition to an inspection team.
Computer operations. Technical expertise in
data processing is required. Both programming
knowledge and operations experience are helpful.
Perhaps the data processing internal security
officer has these skills and, if so, should be a
prime candidate for the team. Using someone
from the AIS facility being evaluated need not
significantly affect the objectivity of the
inspection process.
Users. Users have the most to gain from an
effective inspection because of their dependence
on the AIS facility, yet too often they have little
or no interest in AIS controls or security
measures. To encourage participation in the AIS
security program, one or more users who are
concerned about sensitive data being
compromised, disclosed, or destroyed should be
motivated to join or should be appointed to the
inspection team.
Building management. Many of the physical
security controls to be inspected (fire prevention
and detection, air conditioning, electric power,
access controls, and disaster prevention) relate
to building management and engineering.
Outside specialists. Independent, experienced
viewpoints provided by outside consultants can
be very helpful.
The composition of the team can be flexible. One
of the prime requirements is that it consist of people
who are objective. If only one AIS facility is to be
inspected, the members of the team can be assigned for
the term of the inspection and then returned to their
normal jobs. If there are many AIS facilities under the
jurisdiction of the command, it might be advisable to
establish a permanent inspection team to review all
facilities on a recurring basis. In any event, the
composition of the team should be changed periodically
to bring in fresh viewpoints and new and different
inspection techniques.
THE INSPECTION PLAN
A comprehensive inspection plan must be
developed to properly conduct an internal inspection of
security. It should be action-oriented, listing actions to
be performed. The plan must be tailored to the
particular facility. It should include the report and
report formatting requirements and the distribution of
the final report. This means quite a bit of work is
required in its development.
The first step is to examine the security policy for
the AIS facility. This policy may apply to an entire
naval district, a command, a ship, a department, or a
single AIS facility. In any case, the security policy
should be reviewed and pertinent security objectives
extracted for subsequent investigation. The next step is
to review the risk analysis plan, identifying those