Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Introduction to Operations Security (OPSEC) Every individual within DA should be able to answer these questions: - What is OPSEC? - Why is OPSEC important to my organization? - What information must I protect? - How can I contribute to the OPSEC program? What is OPSEC? - OPSEC is a five-step process designed to protect sensitive unclassified information in order to keep our sensitive/critical information out of the hands of the “bad guys”. • Define the Critical Information • Determine the Threat • Determine the Vulnerabilities • Calculate the Risks and Impact • Apply Countermeasures. Why is OPSEC important to my organization? - We are in a world increasingly dependent on information. In this world, pieces of information may be assembled in order to form the “big picture” of an organization or operation. - Successful military operations depend on secrecy and surprise. Unfortunately, poor OPSEC practices can result in death. What information must I protect? - Critical Information: the details about operations and our mission that we must protect so our adversaries cannot use it against us. • Military operations (deployment & redeployment dates, dates of field exercises, flight information, etc.) • Any issues with the unit • Anything concerning security • Equipment issues • Locations of units • Military language training requirements, throughput, critical shortages, etc. How can I contribute to the OPSEC program? - Know the Commander’s Critical Information. - Know who your Unit/Installation OPSEC Officer is and how to contact him/her. - Limit what you say on telephones. Whether they’re land lines, cordless or cell phones they can all be “tapped”. - Limit what you say out in public. You never know who is trying to listen in on your conversations. - Censor what you put in e-mails and on social networking sites. Assume all info on the Internet can be seen by the general public. 18 June 12 The 5-Step OPSEC Process #1 - Define the Critical Information • Critical information is information that would harm the organization’s ability to effectively carry out normal operations if obtained by an adversary. #2 - The Threat • Foreign governments, disgruntled employees, terrorists, criminals, hackers, competitors, dishonest employees #3 - The Vulnerability • Visible or known weaknesses an adversary can exploit to obtain critical information. Examples: Inappropriate use of email/attachments/web Lack of awareness: don’t know what to protect or who to protect it from Poor access controls Failure to comply with security policies #4 - Risk & Impact • • RISK: The likelihood of an undesirable event occurring and the consequences of that occurrence! IMPACT: If the adversary exploits your vulnerability, what will it cost? Money People Time Efficiency Effectiveness Reputation #5 - Countermeasures • • • • Do not discuss critical information with anyone who does not have a “need-to-know.” Safeguard sensitive information the same way you would protect classified information. Use common sense and camouflage sensitive information. By providing OPSEC training to all employees, every employee becomes a “sensor,” able to recognize and respond to some of the clues that could eventually manifest into a large-scale security incident. What’s more, by knowing what represents a “vulnerability,” each employee can be a part of the overall security of the organization. Common OPSEC violations • Phone Directory This may seem unimportant but if retrieved by an adversary, that adversary will have a dangerous insight into the structure of the organization. That person may be able to impersonate certain high-level individuals or target specific employees. • Items Thrown in the Trash “Dumpster diving” is a common occurrence and if documents are not properly destroyed, an adversary can retrieve important information from pieces of e-mails, resumes, travel orders, contract information and phone messages that have been thrown in the trash. • Visitors If visitors are not properly cleared (for instance, if someone “piggybacks” through a security door) they will have physical access to computer systems and unsecured documents. REMEMBER Every operation has vulnerabilities All indicators can’t be eliminated But risk can be mitigated. 18 June 12