Operations Security (OPSEC):
The Process
Visitors Since
October 15, 2001.
Past Articles
* Computer Security
* Foreign Espionage
* Industrial Espionage
* Personal Security
* Personnel Security
* Physical Security
* Security Management
Other Security Links
E-Mail Us
* ASIS
* NCMS
* VSAC
* Webmaster
We join with those who mourn the loss of life, the injuries, and the disruption of lives caused by the attacks against Washington, DC, and New York, N.Y. All those effected -- the brave people who helped in rescue efforts, those involved in America's response to terror and in the war with Iraq-- are in our thoughts and prayers.
.
ITT Industries, Systems Division
Vandenberg AFB, CA
In 1988, National Security Decision Directive (NSDD) 298 was signed by the President directing establishment of a formal OPSEC program in many executive departments and agencies. NSDD 298 promulgated much of the work that was accomplished during the Vietnam War and formally implemented a process to analyze operations, assess risks, and develop countermeasures against those risks. What is the process that worked so well. . .
THE OPSEC PROCESS
There is no simple rule to identify what information, operation, or event needs protection as it varies from unit to unit, organization to organization. Only a clear understanding of the threat, knowledge of your organization’s mission, and basic common sense can help.
The OPSEC process focuses on the protection of information and operations from unauthorized disclosure to your competitors, adversaries and others who do not have a need to know for the information. The process also helps prevent or reduce the inadvertent release of technical information to these same individuals.
Now, what is the OPSEC process? It is five steps used to determine what needs to be protected, if it can be, and how. The steps are: (1) identify critical information; (2) identify the threat to the information, (3) identify the vulnerabilities of the critical information, (4) evaluate the risk to the information and, (5) recommend countermeasures to eliminate or reduce the risks.
The OPSEC process doesn’t stop at this point. It requires continual assessment of the status of the threat, and effectiveness of the countermeasures. Since the threat may change or become obsolete, the risk may be reduced or eliminated and countermeasures changed accordingly. Understanding the mission, the function of your job and organization and how each fits into the overall mission, leads right into the first step of the OPSEC process which is:
* Identify your critical information. First of all, what is critical information? Very simply, it’s that information about intentions, capabilities or activities that must be protected from loss in order to keep an adversary from gaining significant economic, political, or technological advantage. With that definition in mind, write down questions you would ask if you were an adversary or competitor. What “key items” would you, as an adversary or competitor, want to know about the particular operation, project, unit or office. Once this step is completed, you can go onto the second step in the OPSEC process.
* Know the threat. Consider what you have been told about the threat to your operating location, or any individual program, project or operation you are associated with and see if the items of critical information you have developed are in jeopardy. If so, go on to the third step in the process.
* Identify any vulnerabilities (indicators) to the critical information you have developed. View your organization as an adversary might view it. Actions and things that can be observed or other data that can be interpreted or pieced together to derive your critical information, must be identified. Once this is done, then go on to the fourth step in the OPSEC process.
* Evaluate the Risk. This step involves balancing a vulnerability against the threat. The level of risk against exploitation by an adversary will result in the last step of the process.
* Apply appropriate countermeasures. Application of appropriate countermeasures depends on the level of risk that can be accepted. The most effective countermeasures are simple, straightforward, procedural adjustments that effectively eliminate or minimize the generation of indicators that reveal your items of critical information.
(Editor’s Note: This ends the first installment – next issue we’ll
discuss "The Threat.")
[Webmaster's Note: This article originally appeared in the December 2000 issue of the VSAC News.]