To make a security plan, you need to know your OPSEC. That's what the military calls "Operational Security" — the basics of how to keep operations secret and therefore safe. The five-step OPSEC process includes: Show
OPSEC is a way to protect information.In short, OPSEC is a way to protect information. It's also a process that helps you identify what information needs protection and how it can be used against you. What does that mean? Well, if your cookie recipe has been stolen, then I don't think “cookies” are important enough to merit protection. But if the ingredients list contains an ingredient that is toxic to dogs or children—because cookies aren't just for humans anymore!—then maybe those details should be protected. As with many things in life, it's not about what you have explicitly but about what others might get from having access to it. In other words: Information security isn't just for computer geeks; everyone should be taking steps toward protecting their own personal OPSEC data every day! Step 1. Identify Critical InformationThe first step in the OPSEC process is to identify critical information. What does this mean? It means identifying what is important to your organization, and then knowing how to protect it. Because every organization has different needs and priorities, there's no magic bullet approach that applies across the board for all companies—this is why it's so important for you as an employee or manager to get familiar with your company's security protocols before starting a project that requires sensitive data. Step 2. Analyze Your ThreatsThe second step in the OPSEC process is to analyze your threats. Here, you'll need to identify the threat and determine its likelihood, capability, and intention. To begin, ask yourself: Who are my adversaries? What are their capabilities? How much do they know about me and my organization? Next, comes a critical question: What do I really care about? This will help determine what assets can be attacked by your adversary (your people or physical infrastructure). Your assets may include personnel information such as medical records or social security numbers; financial information like credit card numbers; intelligence data; research reports; customer lists; business plans; trade secrets or proprietary information; customer databases containing sensitive personal details such as Social Security Numbers and home addresses of customers who bought products from your company—the list goes on. Step 3. Analyze VulnerabilitiesVulnerabilities are gaps in security and a way for the enemy to exploit your information. For example, if you use social media and post pictures of yourself in uniform on Facebook, then that could be a vulnerability to an adversary. If you have images of classified material on your cell phone and it gets lost or stolen, this is another high-risk vulnerability. The third step in the OPSEC process is analyzing vulnerabilities so you can determine how to mitigate them. There are several ways to analyze vulnerabilities:
Step 4. Assess RiskIn this step, you evaluate the likelihood of an event happening and its potential consequences. This includes assessing how likely it is that you will be targeted, how likely it is that your information can be exploited, and what are the consequences of the threat of exploiting your information. Step 5. Develop CountermeasuresAs the last step, you'll identify who will implement the countermeasures. The person or team that implements a countermeasure is responsible for its success. In addition to identifying who will implement your countermeasures, it's also important that you identify who will monitor and maintain them. Monitoring and maintaining include making sure that all of the components of your countermeasure are working properly and ensuring they're constantly updated as needed. You should also have someone in charge of evaluating whether or not your OPSEC plan is working properly. This person should take an objective look at things like how many people know about each piece of sensitive information and whether or not any of those people could leak that information if they wanted to do so (which might require changing certain aspects). Lastly, make sure that someone has been assigned responsibility for approving any changes made during this step so everyone knows what's going on! ConclusionSo, now you know what OPSEC is and the five-step process for following it. It’s important to remember that OPSEC is not rocket science—it’s common sense. Most of us have never had to consider whether information about where we live, work and play could be used against us or our loved ones. But if you think about it, there are often clues in plain sight that share a lot more than we realize. So, take a few minutes to identify critical information about yourself and keep it safe and secure using these simple steps above. It’s really easy when you know-how!
Learn about Operational Security (OPSEC) in Data Protection 101, our series on the fundamentals of information security.
Operational security (OPSEC), also known as procedural security, is a risk management process that encourages managers to view operations from the perspective of an adversary in order to protect sensitive information from falling into the wrong hands. Though originally used by the military, OPSEC is becoming popular in the private sector as well. Things that fall under the OPSEC umbrella include monitoring behaviors and habits on social media sites as well as discouraging employees from sharing login credentials via email or text message. The Five Steps of Operational SecurityThe processes involved in operational security can be neatly categorized into five steps:
Follow these best practices to implement a robust, comprehensive operational security program:
Risk management involves being able to identify threats and vulnerabilities before they become problems. Operational security forces managers to dive deeply into their operations and figure out where their information can be easily breached. Looking at operations from a malicious third-party’s perspective allows managers to spot vulnerabilities they may have otherwise missed so that they can implement the proper countermeasures to protect sensitive data.
|