Operations Security

1 OSPA, 2009 ( ) Operations SecurityIntroductionThis OPSEC Presentation was developed by OSPA and is intended as an overview of the concepts and applications of is NOT a presentation on Military OPSEC, nor Civilian OPSEC or any other specific application, but a demonstration that OSPEC can be applied in any environment due to the universal concepts and portability of the discipline. The world is changing-getting smaller. Corporations, civilians and the government work together as never before. OPSEC can keep Cox, OSPA, PresidentOSPA ( )Module 1: Introduction to OPSECO perations Security -What it is and isn tOPSEC: " Operations Security (OPSEC) is an analytic process used to deny an adversary information -generally unclassified -concerning friendly intentions and capabilities by identifying, controlling, and protecting indicators associated with planning processes or Operations .

2 OPSEC does not replace other Security disciplines it supplements them."In other helps you control information that could be used against can be used to increase safety and Security in ANY setting and for ANY is: A process that helps you examine your day-to-day activities from an adversary s point of view A tool that helps you understand what an adversary can learn about your organization from youractivities. A risk assessment tool OPSEC is: A way to identify Security risks and countermeasures A method that can be adapted to any operation, program, event or situation A cost-effective addition to your Security arsenal A mindset, a way of life!

3 OPSEC is not: A strict set of rules and procedures An expensive and time-consuming process-OPSEC can be low-cost or free A process that is only used by the Government or Military. OPSEC can be used by corporations, schools, communities and some of the following traditional Security programs: Personnel Security Physical Security Communications Security Information SecurityCompliance is normally enforced through other procedures and OPSEC is a method and a process that can be practiced without memorizing a single rule !

4 Or, OPSEC can be an and fun addition to your overall Security program. OPSEC can be a , structured program with its own staffing and support,When can OPSEC be used? Planning and Forecasts Planning for Special Events Special Training Exercises Plans and Standard Operating Procedures Methods, Sources, and Technical Tradecraft At home and on vacation To supplement existing Security procedures Contracts/Bidding Processes Software and Source Code New designs, technical drawings, blueprintsAnd, OPSEC Supplements all of your other Security Programs!

5 ConclusionOPSEC is an adaptable tool and method that can be applied to any situation and any organization or can be a formal program, or an addition to your Security program. As long as it s there! The more OPSEC you have, the stronger your Security posture. OSPA ( )Module 2: OPSEC and YouHow OPSEC affects the individuals, and the role they play. THE MOST IMPORTANT Security TOOL IN FOUND IN THE MIRROR. No matter your position, title or job, YOU have a part to play in Person Is An OPSEC Sensor!Every person in your neighborhood, company or organization is able to be a part of the Security solution by: Knowing the threats Knowing what to protect Knowing how to protect it!

6 And it s mostly the front line individual that s targeted,And it s the front line individual that s better able to detect potential compromises. A cat burglar is captured due to good OPSECC onclusionEvery person involved, and even family members, should be considered a part of the overall Security one of us can detect and help avert a threat. No matter your role, rank or position, you re important in OPSEC!OSPA ( )Module 3: The OPSEC ProcessOPSEC in five steps (and also in two!)The OPSEC CycleThe OPSEC 5-step Process is more accurately described as a continual cycle of identification, analysis and : Adversary (AKA- Bad Guy )An adversary is anyone who contendswith, opposesor acts against your interest and must be denied critical information.

7 It could be as simple and obvious as your opponent in any game, or as complex and unknown as a spy, agent of a foreign government, or a that each adversary will have its own motivationsand capabilitiesExamples include: Terrorist groups, foreign and domestic Criminals Organized crime groups Extremists Foreign Intelligence Services Hackers/Crackers Insider ThreatsDefinition: Vulnerability (AKA- Weakness )A vulnerability is a weaknessthat can be exploitedby an adversary to obtain your critical information, and it can be present in any facet of your Operations .

8 Vulnerabilities can come from many sources in your operation to include the physical environment of the work area, the office operating procedures, computers, or a myriad of other sources. A vulnerability is weakness that canbe exploited by an adversary if it is discovered. A vulnerability exists when critical information is susceptible to exploitation by an Categories: Communications Public Affairs Department Critiques and after action reports Mail Trash E-mailDefinition: Indicator (AKA- Clue )An indicator is a piece of informationor an activitythat can be observedand combinedwith other information to reveal sensitive information.

9 An indicator acts as a clue to reveal information about an activity and will be the subject of analysis. Examples of indicators: Increased training Unusual deliveries Advanced parties An increase in related personnel actions,such as TDY/business travel, financial preparation, etc. Large and frequent meetings Increased overtime Press releases and news itemsDefinition: Threat Threat refers to the combination of an adversaryand their intentions to undertake actions detrimental to friendly activities or Operations . A threat can be thought of any potential danger that a vulnerability will be exploited by a threat intent AND capability must exist to be considered a threat.

10 Ask yourself: Does this person/group want to cause me/us harm? And, if so: Are they able to do so? Definition: Risk and Impact Risk is the probabilitythat an adversary will compromiseyour critical information. Impact is the effect that this compromise would have on your organization. Impact is the what would it mean : Countermeasure A Countermeasure is ANYTHING that can reduceor negatean adversary s ability to exploit a other words, it s whatever works to lower risk to an acceptable example: Changing your routine and routes Altering your schedule Varying routes for company-markedvehicles Using encryption/VPN Using unmarked cars when travellingin foreign countries When on vacation, having a trustedfriend take in your mail andnewspapers, turn on lights, etc Training employees to avoid discussing personal/company informationin publicThe OPSEC ProcessOfficially, there are five steps in the OPSEC process:Step 1.