OPSEC (operational security) is an analytical process that classifies information assets and determines the controls required to protect these assets.
OPSEC originated as a military term that described strategies to prevent potential adversaries from discovering critical operations-related data. As information management and protection has become important to success in the private sector, OPSEC processes are now common in business operations.
Operational security five-step process
Operational security typically consists of a five-step iterative process:
1. Identify critical information: The first step is to determine exactly what data would be particularly harmful to an organization if it was obtained by an adversary. This includes intellectual property, employees' and/or customers' personally identifiable information and financial statements.
2. Determine threats: The next step is to determine who represents a threat to the organization's critical information. There may be numerous adversaries that target different pieces of information, and companies must consider any competitors or hackers that may target the data.
3. Analyze vulnerabilities: In the vulnerability analysis stage, the organization examines potential weaknesses among the safeguards in place to protect the critical information that leave it vulnerable to potential adversaries. This step includes identifying any potential lapses in physical/electronic processes designed to protect against the predetermined threats, or areas where lack of security awareness training leaves information open to attack.
4. Assess risks: After vulnerabilities have been determined, the next step is to determine the threat level associated with each of them. Companies rank the risks according to factors such as the chances a specific attack will occur and how damaging such an attack would be to operations. The higher the risk, the more pressing it will be for the organization to implement risk management controls.
5. Apply appropriate countermeasures: The final step consists of implementing a plan to mitigate the risks beginning with those that pose the biggest threat to operations. Potential security improvements stemming from the risk mitigation plan include implementing additional hardware and training or developing new information governance policies.
OPSEC and risk management
When it comes to risk management, OPSEC encourages managers to view operations or projects from the outside-in, or from the perspective of competitors (or enemies) in order to identify weaknesses. If an organization can easily extract their own information while acting as an outsider, odds are adversaries outside the organization can as well. Completing regular risk assessments and OPSEC is key to identifying vulnerabilities.
The Center for Development of Security Excellence (CDSE) offers diverse security training for military members, Department of Defense (DoD) employees and DoD contractors. CDSE's training programs are presented through a variety of platforms including e-learning, webinars, virtual classes and in-person instruction. Topics covered in OPSEC training include:
- Insider threats
- Personnel security
- Physical security
- Operations security
CDSE's OPSEC Awareness training program is presented on their Security Awareness Hub. This course is free and its goal is to ensure safe and successful operations and personal safety by providing information on the need to protect unclassified information regarding operations and personal information.