OPSEC

OPSEC

Operational Security

The 5 Steps of OPSEC

Identify Critical Information

OPSEC

The five-step OPSEC process provides the framework to answer important questions about risk and allows us to protect critical information. The OPSEC process consists of five steps:

Identify critical information – what information must be protected and why.

Critical information includes:

1. • Information about friendly activities, intentions, capabilities, and limitations

2 • Information relating to military technologies, vulnerabilities, and performance data

3 • Intelligence capabilities, collection methods, personnel strength, and dispersement

4 • Personal information about people we work with

5 • any information that is useful to an adversary

Analyze Threats

OPSEC

Analyze threats – which are your adversaries and what their goals are:

1. • Threats to the success of a mission result from the efforts of adversaries.

2. • Who is an adversary?

4. • An individual, group, organization, or government that must be denied critical information

5. • Not necessarily a sworn enemy, foreign government, or military power

6. • Any person or group whose intentions and capabilities are contrary to ours

Analyze Vulnerabilities

OPSEC

Analyze vulnerabilities - what weaknesses can an adversary exploit:

1      • A vulnerability exists when an adversary can:

2. • Exploit weaknesses to obtain critical information

3. • Take timely action against our mission based on that information

Assess Risks

OPSEC

Assess risks - If adversary exploits a weakness how it will affect the mission?

To assess risks:

1 • Consider the consequences of your actions

2. • Will something you do or say provide an indicator to an adversary?

3. • How would an adversary benefit from the indicator?

4. • What's the effect on the mission?

5. • What is the cost of avoiding the risk?

Apply OPSEC Countermeasures

OPSEC

Apply OPSEC countermeasures – how will you protect critical information

OPSEC countermeasures:

1. • Minimize predictable patterns

2. • Conceal indicators that may point to critical information or vulnerabilities

3. • Make indicators seem unimportant

4. • May be as simple as choosing not to talk about something

5. • Protect critical information