A PROPOSED
TECHNICAL SURVEILLANCE COUNTERMEASURES (TSCM) PROGRAM
FOR THE CORPORATE SECURITY DIVISION
Background
A comprehensive review of the Corporate TSCM program was conducted, with emphasis upon the following points:
- Policy and Program Review
- The Present Conduct of TSCM Services
- Alternatives for the Conduct of TSCM Services
- Recommendations for the Establishment of a Comprehensive TSCM Program
- Policy and Program Review:
- The highlights of the TSCM Policy and Program Review are as follows:
- There are no current policies or procedures governing the conduct of TSCM Services within the Corporation.
- A valid need exists for the formulation and distribution of a TSCM policy Guideline.
- Centralized records reflecting the type and number of TSCM Services conducted do not exist.
- No meaningful centralized data exists reflecting costs incurred by requesters as a result of TSCM Services provided to them.
- No projections have been made as to the number and types of TSCM Services that will be required during the present CY and beyond.
- No approved TSCM Contractor List has been established.
- No TSCM Standards have been formulated and no quality control review procedures have been developed.
- Criteria for identifying facilities eligible for one-time recurring TSCM Services have been established.
- No procedures for requesting TSCM Services have been published.
- Payment procedures for TSCM services have not been formalized.
- A recommended TSCM Program Guideline, addressing the above factors, is attached hereto as Enclosure 1.
The Conduct of TSCM Services:
- A. The following alternatives and options were reviewed in arriving at a recommendation as to how TSCM Services should be conducted on the most cost-effective basis within the corporation:
- Employ a trained, experienced TSCM Technician and acquire the countermeasures equipment necessary for the accomplishment of the Corporate Security Division's TSCM Mission.
- Train all current Security Representatives in TSCM procedures and acquire the countermeasures equipment necessary for the accomplishment of the Corporate Security Division's TSCM Mission.
- Train two or more Telecommunications personnel in TSCM procedures. Familiarize all current Security Representatives with TSCM Procedures. Acquire the countermeasures equipment necessary for the accomplishment of the Corporate Security Division's TSCM Mission.
- Establish a National Account Agreement with one qualified TSCM Contractor for the conduct of the Corporate TSCM requirements.
- Establish two or more account agreements with several regional TSCM Contractors for the conduct of the Corporate TSCM requirements.
- Discussion of the advantages and disadvantages of each of the above options is contained in Enclosure 2.
Recommendations:
- The proposed Corporate Technical Surveillance Countermeasures (TSCM) Program Guideline be approved and published.
- That option 3A(5) above (Establishment of two or more account agreements with approved TSCM contractors) be adopted.
Signature Element
This Guideline describes the Corporate TSCM Program. It assigns responsibilities to the Corporate Security division for the technical security of Corporate installations and facilities. It provides direction for requesting TSCM Surveys and provides the criteria to be met before a TSCM Survey is conducted. It defines the threat posed by technical surveillance devices and the countermeasures required to nullify that threat; and specifies actions to be taken in the event that technical surveillance devices are discovered.
1. Explanation of Terms:
- Conference Monitor: A limited TSCM survey that may be provided at sensitive conferences, briefings, or seminars.
- Find: The discovery of a technical surveillance device.
- Secure Area: An area where appropriate physical security measures are in place and Corporate CONFIDENTIAL Business Information is originated, used, and routinely discussed in the course of daily business operations.
- Security Hazard: An insecure condition that could permit the physical or technical penetration of an area wherein sensitive Corporate Proprietary business information might be compromised.
- Suspect Device: A Device that appears to be, but has not yet been shown to be, a technical surveillance device.
- Technical Security: Those security measures taken to prevent the installation of technical surveillance devices and the exploitation of security hazards.
- Technical Surveillance Device: A device installed to covertly monitor or record activities in a target area.
- Technical Surveillance Countermeasures (TSCM) Program: Those security measures taken to find or prevent technical penetration of Corporate installations and facilities.
Those measures include:
- Physical security that precludes unauthorized access to the area.
- Technical security.
- TSCM Surveys.
- TSCM threat briefings to selected Corporate personnel regarding the technical surveillance threat and the Corporate Security Division TSCM Program to counter that threat.
- TSCM Survey: A security service provided by qualified personnel to detect the presence of technical surveillance devices and hazards and to identify technical security weaknesses that could aid in the conduct of a technical penetration of the surveyed facility. A TSCM Survey will provide a professional evaluation of the facility's technical security posture and normally will consist of a thorough visual, electronic, and physical examination in and about the surveyed facility.
2. The Need for TSCM Surveys:
Sensitive business information is collected using a number of covert and clandestine techniques. One such technique is the utilization of technical surveillance devices. Finds of such devices document the scope and potential continuing nature of the technical security threat.
Security hazards exist in some communications equipment in use throughout the Company. These weaknesses may be exploited and thus impair the security of sensitive business information.
Current electronic technology makes finding and neutralizing technical surveillance devices a specialized function requiring the costly utilization of highly trained personnel using advanced techniques and state-of-the-art equipment.
3. Limitations of TSCM Surveys
Upon the completion of a TSCM Survey, the requester will be furnished with reasonable assurance that the surveyed area is free of working technical surveillance devices. The requester will also be informed regarding all security hazards in that area, together with reasonable, cost-effective recommendations regarding the correction or elimination of such hazards. The requester should know that it is impossible to give positive assurance that there are no devices in the surveyed area, and that standards of physical security and access control must be maintained if the survey is to be of continuing value.
Each TSCM Survey Report will contain the following disclaimer:
"Technical services of the type conducted indicate the technical security status of the area and equipment examined at the conclusion of the survey, within the capabilities of the equipment utilized and the operational techniques employed. The security afforded by this current service will be immediately nullified by:
- Admission to the serviced area of persons who do not have the proper access and who are not escorted.
- Failure to maintain continuous and effective surveillance and control of the serviced area.
- Allowing repairs or alterations to, or within, the serviced area without the supervision of qualified and responsible personnel.
- The introduction of new furnishings or equipment into the serviced area prior to a thorough technical inspection of such items."
4. Responsibilities of Corporate Security Division:
- General: Corporate Security Division is responsible for the selective conduct of TSCM Surveys; providing TSCM services in such selected areas to ensure that they are devoid of technical surveillance devices; identifying hazardous conditions that could facilitate technical surveillance; and identifying technical security weaknesses. TSCM Surveys are highly specialized security services and as such are particularly vulnerable to any breach in operations security. Accordingly, all Corporate facilities or installations receiving TSCM services are required to use all reasonable means to continually protect the operational security of the TSCM program. TSCM Services shall be conducted only by personnel who meet the criteria established by Corporate Security Division, using the most effective equipment available. Because TSCM Services are expensive and qualified technical personnel are limited, a high degree of selectivity will be exercised in approving areas to be surveyed.
- Specific:
- Establish Corporate TSCM policy and manage the Corporate TSCM Program.
- Provide information and conduct briefings regarding the technical surveillance threat and security hazards to Corporate personnel.
- Establish and maintain standards for the performance of TSCM Surveys.
- Evaluate and select contractors capable of performing TSCM Surveys in accordance with established Corporate TSCM policy.
- Direct the conduct of TSCM Surveys.
- Provide the requester with a non-technical written report detailing the findings of the TSCM Survey.
- Investigate findings and coordinate the results of such investigations with appropriate local, state, and federal law enforcement agencies.
5. Responsibilities of the Requesters
- Request TSCM Surveys only of those secure areas meeting the criteria set forth in paragraph 1c above.
- Ensure that requests for TSCM Surveys are submitted and justified in accordance with paragraph 7 below.
- Ensure telephone security within the area to be surveyed. At a minimum, this means that any and all telephones within the surveyed area should be installed and in an operational configuration. Disconnects, secure telephones, ringer isolators, etc., should be installed if required.
- Apply necessary physical security safeguards to prevent surreptitious access to the secure area and to prevent entry by unauthorized personnel during and after the survey.
- Remove all nonessential telephone, radio, television, computer, and recording equipment from the secure area.
- Ensure that all construction, interior decorations, and furnishings are complete and in place prior to the initiation of the TSCM Survey.
- Establish appropriate internal controls to ensure that the number of people who know that a TSCM Survey has been requested or planned, or is in progress, is kept to a minimum, on a strict need-to-know basis. This means maintaining a routine business atmosphere in the area before and during the conduct of the TSCM Survey, and precluding any talk in the area that would reveal that TSCM Survey is planned, in progress, or has been completed.
- Ensure that the survey team has complete access to the survey area, that they are escorted by the individual having security responsibility for the area, and that site plans and blueprints are available upon arrival of the survey team at the facility/installation.
6. TSCM Surveys of Common and Uncontrolled Areas:
- Common and uncontrolled areas to which access is generally unrestricted, such as hotel rooms, convention centers, cafeterias, conference and seminar rooms, etc., do not normally qualify for TSCM Surveys. Surveys conducted under such conditions and circumstances are of little value and have proven counterproductive by having given the occupant or occupants a false sense of security, and by having used limited TSCM assets that could be used more productively in other, more sensitive facilities.
- However, on an individual exception basis, TSCM Surveys may be conducted on such areas provided that:
- Unrestricted access can be reasonably controlled through the addition of physical security devices and/or the deployment of guards.
- In addition to a TSCM Survey, a Conference Monitor (paragraph 1a above) is performed.
- Corporate Security concurrence has been obtained by the conference/meeting sponsor.
- Requesters should be aware that whenever possible, meetings and conferences that require discussion of sensitive business information should be held in facilities in which security is commensurate with the sensitivity of the information to be discussed.
7. Procedures for Requesting TSCM Services:
Requests for a TSCM Survey should be sent by Restricted correspondence or electrical message to the Corporate Security Division Regional office that supports the requester. Do not make telephonic contact with Corporate Security Division or the designated TSCM Contractor when requesting a TSCM Survey, unless a secure telephone is used. Do not make secure telephone requests from the area to be surveyed. If possible, the request should be submitted at least 60 days in advance of the desired survey date. Periodic TSCM Surveys of areas required by Corporate TSCM procedures need not be requested under this Guideline, as they will have already been approved, in consultation with the responsible business group or staff element, for recurring surveys at irregularly scheduled intervals by Corporate Security Division.
Requests for TSCM Services must include:
- The address, building, and room number for the specific area to be surveyed.
- The name of the organization or business activity responsible for the area.
- The size of the area in square meters or feet.
- The name of the individual who has security responsibility for the area.
- The Corporate Security classification of the information to be protected in the area, to include a statement to the effect that Corporate CONFIDENTIAL business information is/is not originated, used or discussed on a daily, continuing basis.
- A statement that:
- All construction is, or will be, complete at the time the TSCM Survey is to be conducted.
- All equipment is, or will be, in place at the time the TSCM Survey is to be conducted.
- Adequate physical security measures are, or will be, in effect to preclude the entry of unauthorized personnel during and after the completion of the survey.
- The date by which the survey must be completed. State if conferences, relocations or other scheduled events are involved.
- A floor plan of the surveyed area will be available.
- If the request is for an area previously surveyed, identify actions taken to correct any previously noted security hazards and state the reason for the necessity of a resurvey. Once an area has received a TSCM Survey, another will not be performed unless:
- (1) Construction modifications have been made in the area.
- (2) Unauthorized personnel have had uncontrolled or unescorted access to the area.
- (3) Action has been taken to correct previously identified security hazards.
- (4) Corporate Security Division has approved the area for recurring TSCM Surveys.
8. Action Upon Discovery of Suspect Devices:
The individual having security responsibility for the security of the area will:
- Leave the suspect device in place and limit access to the area, to preclude tampering or removal.
- Continue, in so far as possible, normal work in the area.
- Brief only those persons who need to know of the device's presence.
- Avoid such acts as discussing the suspect device in the same area in which it is located.
- Inform Corporate Security Division immediately by secure means. Notification should be made via voice or facsimile, or from a telephone outside the system servicing the facility.
The following alternatives and options were reviewed in arriving at a recommendation as to how TSCM Services should be conducted on the most cost-effective basis within the Corporation:
Option 1: Employ a trained, experienced TSCM Technician and acquire the countermeasures equipment necessary for the accomplishment of the Corporate Security Division's TSCM Mission.
- Advantages:
- Provides Corporate Security Division with a fully trained, experienced TSCM Technician dedicated to the conduct of TSCM Services.
- Ensures in-house expertise and uniformity of services conducted throughout the Company.
- No training costs would be incurred other than those associated with periodic updates and new equipment/development familiarization.
- Disadvantages:
- Envisions an estimated $65,000.00 annually in salary and benefits.
- Envisions an undetermined increase in current travel expenditures.
- Not practical in terms of current manpower and funding constraints. Operational requirements cannot support a Security Representative dedicated solely to TSCM Services.
- Envisions a capital expenditure of $10,000-$60,000 to minimally equip a Central TSCM Facility. Minimal equipment requirements, together with reasonable acquisition cost estimates, are provided in Enclosure 3A.
Option 2: Train all current Security Representatives in TSCM procedures and acquire the countermeasures equipment necessary for the accomplishment of the Corporate Security Division's TSCM Mission.
- Advantages:
- Provides Corporate Security with four minimally trained TSCM Technicians.
- Ensures in-house expertise and some degree of uniformity of TSCM Services conducted within the Company.
- Disadvantages:
- Envisions an undetermined increase in annual travel expenditures.
- Envisions an initial capital expenditure of $37,000-$118,200 to equip two Regional TSCM facilities. Minimal equipment requirements, together with reasonable acquisition cost estimates, are provided in Enclosure 3B.
- Envisions an initial expenditure of $10,000.00 to minimally train current staff members.
- The majority of current staff members have neither the requisite background nor the desire to become involved in TSCM activities.
- Current operational requirements, customers serviced, and geographic areas of responsibility are such that even partial dedication to the conduct of TSCM Services would have a detrimental effect on Corporate Security Division's ability to satisfactorily perform its mission.
Option 3: Train two or more Corporate Telecommunications personnel in TSCM procedures. Familiarize all current Security Representatives with TSCM Procedures. Acquire the countermeasures equipment necessary for the accomplishment of the Corporate Security Division's TSCM Mission.
- Advantages:
- Provides two or more individuals having the requisite skills, education, and electronic/communications background appropriate to TSCM Services.
- Provides Telecommunications with two or more minimally qualified TSCM Technicians.
- Provides Corporate Security Division with four staff members familiar with TSCM procedures and terminology.
- Provides in-house expertise and some degree of uniformity throughout the Company in the conduct of TSCM Services.
- Provides for joint responsibility regarding TSCM and COMSEC activities within the Company.
- Disadvantages:
- Presents potential conflicts in terms of control, direction, funding, and program management.
- Envisions an initial capital expenditure of $18,500-$59,100 to equip a Central TSCM facility; or $37,000-$118,200 to equip two regional facilities (Enclosures 3A and 3B).
- Envisions an initial training expenditure of approximately $10,000.00 to minimally train two TSCM Technicians and four Security Representatives.
- Envisions an undetermined annual expenditure for refresher training.
- Envisions an undetermined increase in funding based on TSCM exclusive travel requirements.
- Personnel reductions, funding limitations, and work-load constraints may preclude the participation of telecommunications personnel.
Option 4: Establish a National Account Agreement with one qualified TSCM Contractor for the conduct of all Corporate TSCM requirements.
- Advantages:
- Provides Corporate Security Division with one contractor for the conduct of all TSCM Services.
- Provides for uniformity of services and reports throughout the Company.
- Provides for centralized program control, scheduling and billing.
- Requires no capital expenditures for TSCM equipment.
- Requires no expenditure for TSCM Training.
- Does not significantly increase Corporate Security Division travel expenditures.
- Disadvantages:
- Location of a single contractor may result in significant travel and/or per diem charges.
- Potential exists that single contractor may not be able to react in a timely fashion to unscheduled or emergency requirements.
- No valid data exists upon which to base a meaningful estimation as to what costs would be incurred through the use of a single TSCM contractor.
Option 5: Establish two or more account agreements with several regional TSCM Contractors for the conduct of Corporate TSCM requirements.
- Advantages:
- Provides Corporate Security Division with several contractors for the conduct of TSCM Services.
- Provides for contingency backup services in the event that one contractor cannot respond in a timely fashion to unscheduled or contingency requirements.
- Provides for centralized scheduling, reporting and billing.
- Requires no capital expenditures for TSCM Equipment.
- Requires no expenditures for TSCM Training.
- Does not significantly increase Corporate Security Division travel expenditures.
- Provides for uniformity of services and reporting.
- Strategic locations of multiple contractors may result in significant reductions in travel and/or per diem charges.
- Disadvantages:
- No valid data exists upon which to base a meaningful estimation as to what costs would be incurred through the utilization of multiple TSCM contractors.
- It may prove difficult to identify and evaluate multiple TSCM providers strategically located throughout the Company's area of operation.
Enclosure 3A
Centralized TSCM Facility
Equipment Requirements and Cost Estimates
The following minimum equipment requirements and cost estimates represent a one time capital outlay necessary to equip a central TSCM facility. Estimates do not include maintenance, calibration, and/or replacement expenditures.
| Item | Cost |
| Electronic countermeasures Receiver | $9,000-$25,000 |
| Non Linear Junction Detector | $18,000-$30,000 |
| Time Domain Reflectometer | $1,500-$4,500 |
| Miscellaneous Audio Amplifiers, meters, cables, etc. | $2,000-$4,000 |
| TSCM Tool Kit | $100-$600 |
Enclosure 3B
Regional TSCM Facilities (2)
Equipment Requirements and Cost Estimates
The following minimum equipment requirements and cost estimates represent a one time capital outlay necessary to equip two regional TSCM facilities. Estimates do not include maintenance, calibration, and/or replacement expenditures.
| Item | Cost |
| Electronic countermeasures Receiver | $9,000-$25,000 |
| Non Linear Junction Detector | $14,000-$28,000 |
| Time Domain Reflectometer | $1,500-$4,500 |
| Miscellaneous Audio Amplifiers, meters, cables, etc. | $2,000-$4,000 |
| TSCM Tool Kit | $100-$600 |
Vendor Literature
Information Security Associates, Inc., 350 Fairfield Avenue, Stamford, CT 06902, 203-357-8051
Jarvis International Intelligence, Inc., 3212 N. 74th Ave E., Tulsa, OK 74115, 918-835-3130
Kevin D. Murray & Associates, PO Box 5004, Clinton, NJ 08809, 800-635-0811
Tim Johnson, Technical Security Consultants Inc., PO Box 1295, Carrollton, Georgia 30112, 1-770-836-4898
James Calhoun, Delphi Foundation, PO Box 411, San Antonio, TX 78292, 512-223-4363
This information was developed by a member of the security department of a major oil firm in the mid 1980s, at the direction of the Corporate Security Director.
The information is provided to assist in developing information useful in determining whether your organization should utilize in house resources or opt for contract services.
For further information, feel free to contact me.