Introduction to Operations Security (OPSEC)
Every individual within DA should be able to answer these questions:
- What is OPSEC?
- Why is OPSEC important to my organization?
- What information must I protect?
- How can I contribute to the OPSEC program?
What is OPSEC?
- OPSEC is a five-step process designed to protect sensitive unclassified information in order
to keep our sensitive/critical information out of the hands of the “bad guys”.
• Define the Critical Information
• Determine the Threat
• Determine the Vulnerabilities
• Calculate the Risks and Impact
• Apply Countermeasures.
Why is OPSEC important to my organization?
- We are in a world increasingly dependent on information. In this world, pieces of information
may be assembled in order to form the “big picture” of an organization or operation.
- Successful military operations depend on secrecy and surprise. Unfortunately, poor
OPSEC practices can result in death.
What information must I protect?
- Critical Information: the details about operations and our mission that we must protect so
our adversaries cannot use it against us.
• Military operations (deployment & redeployment dates, dates of field exercises, flight information, etc.)
• Any issues with the unit
• Anything concerning security
• Equipment issues
• Locations of units
• Military language training requirements, throughput, critical shortages, etc.
How can I contribute to the OPSEC program?
- Know the Commander’s Critical Information.
- Know who your Unit/Installation OPSEC Officer is and how to contact him/her.
- Limit what you say on telephones. Whether they’re land lines, cordless or cell phones, they
can all be “tapped”.
- Limit what you say out in public. You never know who is trying to listen in on your
conversations.
- Censor what you put in e-mails and on social networking sites. Assume all info on the
Internet can be seen by the general public.
18 June 12
The 5-Step OPSEC Process
#1 - Define the Critical Information
• Critical information is information that would harm the organization’s ability to effectively carry out normal
operations if obtained by an adversary.
#2 - The Threat
• Foreign governments, disgruntled employees, terrorists, criminals, hackers, competitors, dishonest
employees
#3 - The Vulnerability
• Visible or known weaknesses an adversary can exploit to obtain critical information.
Examples:
  - Inappropriate use of email/attachments/web
  - Lack of awareness: don’t know what to protect or who to protect it from
  - Poor access controls
  - Failure to comply with security policies
#4 - Risk & Impact
• RISK: The likelihood of an undesirable event occurring and the consequences of that occurrence!
• IMPACT: If the adversary exploits your vulnerability, what will it cost?
  - Money
  - People
  - Time
  - Efficiency
  - Effectiveness
  - Reputation
#5 - Countermeasures
• Do not discuss critical information with anyone who does not have a “need-to-know.”
• Safeguard sensitive information the same way you would protect classified information.
• Use common sense and camouflage sensitive information.
• By providing OPSEC training to all employees, every employee becomes a “sensor,” able to recognize
and respond to some of the clues that could eventually manifest into a large-scale security incident.
What’s more, by knowing what represents a “vulnerability,” each employee can be a part of the overall
security of the organization.
Common OPSEC violations
• Phone Directory
  - This may seem unimportant but if retrieved by an adversary, that adversary will have a
dangerous insight into the structure of the organization. That person may be able to
impersonate certain high-level individuals or target specific employees.
• Items Thrown in the Trash
  - “Dumpster diving” is a common occurrence and if documents are not properly destroyed, an
adversary can retrieve important information from pieces of e-mails, resumes, travel orders,
contract information and phone messages that have been thrown in the trash.
• Visitors
  - If visitors are not properly cleared (for instance, if someone “piggybacks” through a security
door) they will have physical access to computer systems and unsecured documents.
REMEMBER
• Every operation has vulnerabilities
• All indicators can’t be eliminated
• But risk can be mitigated.