Friday, December 1, 2017

Operations Security (OPSEC)

 
Operations security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by an adversary, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly information. In a more general sense, OPSEC is the process of protecting individual pieces of data that could be grouped together to give the bigger picture (called aggregation).
 
OPSEC is most effective when fully integrated into all planning and operational processes.  OPSEC should also be a part of your personal daily routines and activities. An adversary won’t just target you during duty hours, or through official channels, but will look for any weakness or vulnerability that he or she can exploit.
 
OPSEC is a continuous process.
 
The OPSEC process involves five steps:
 

 
1. Identification of Critical Information: Critical information is information about friendly intentions, capabilities and activities that allows an adversary to plan effectively to disrupt friendly operations.
 
2. Analysis of Threats: A Threat comes from an adversary - any individual or group that may attempt to disrupt or compromise a friendly activity. Threat is further divided into adversaries with intent and capability. The greater the combined intent and capability of the adversary, the greater the threat.
 
3. Analysis of Vulnerabilities: Examining each aspect of the planned operation to identify OPSEC indicators that could reveal critical information, and then comparing those indicators with the adversary’s intelligence collection capabilities identified during the analysis of threats. Threat can be thought of as the strength of the adversaries, while vulnerability can be thought of as the weakness of friendly organizations.
 
4. Assessment of Risk: The core premise of assessment of risk is that the probability of compromise is greatest when the threat is very capable and dedicated, while friendly organizations are simultaneously exposed.
 
5. Application of Appropriate OPSEC Countermeasures: Countermeasures must be continually monitored to ensure that they continue to protect current information against relevant threats. Countermeasures include controlling one's own actions, countering adversary intelligence collection, and creating difficulty for adversary analysts seeking to predict friendly intent.
 

Know The Laws of OPSEC
 
The First Law of OPSEC
If you don’t know the threat, how do you know what to protect? Although the first step in the OPSEC process is identifying your critical information, different adversaries will be interested in different types of information. Foreign intelligence services are interested in your operations, capabilities and limitations, while criminals are more interested in your personal information. Terrorists may be interested in both. Some threats change from location to location, while others remain the same. You need to make sure that members of your organization know the threat environment for your unit’s location so they can determine what to protect.
 
The Second Law of OPSEC
If you don’t know what to protect, how do you know you are protecting it? The "what" is your critical and sensitive information that the adversary needs to meet his objective. This, of course, depends on your response to the first law of OPSEC. Too many times individuals have found that they were concentrating on protecting information that was already known or wasn’t really important to the adversary.
 
The Third Law of OPSEC
If you are not protecting it (the critical and sensitive information), the adversary wins. You conduct vulnerability assessments to determine how an adversary can exploit your information. These assessments need to look at what you do and how you do it to determine if there is an inadvertent leak of information. Based on the findings of the assessment, you develop countermeasures to the vulnerabilities and the commander then determines what risks are unacceptable and what risks are acceptable.

On-Line OPSEC Training & Resources
 
You can learn more about OPSEC by taking free, on-line training courses provided by the Department of Defense. I encourage anyone interested in OPSEC to complete all three of these on-line courses.
 


New Faces of Threat Computer Based Training
 
 
The DoD Education Activity provides OPSEC information on their website.
 
IVPN's four-part article, "Online Privacy Through OPSEC and Compartmentalization," is an excellent overview of personal OPSEC.
 
My guide to Individual OPSEC and Personal Security is available here. 
 
