Operations Security (OPSEC) is a great tool to help protect
sensitive information. The five-step process is an outstanding resource and
exercise for determining exactly what should be protected and how to protect it.
Understanding OPSEC and its application to a program, event or activity
empowers the user to control information.
Having said that, many organizations miss the mark on OPSEC and security training. Too many times OPSEC is nothing more than a “bumper sticker” slogan,
meaning that if we invoke the magic words, we’ll be fully protected. However,
nothing could be more harmful.
Here are a few examples of misguided OPSEC training from
various security and OPSEC seminars and training venues. The word OPSEC was used
many times, but the application and relevance never connected. At one event,
OPSEC meant not throwing away your plane tickets, because a dumpster diver going
through your home garbage would learn that you had recently traveled. At
another venue, attendees were told not to put family stickers or names on their
cars because kidnappers would take their children. At yet another event, attendees were taught never,
ever, EVER to have a Facebook account because it would jeopardize national
security. There are many more examples,
not counting the many posters with other irrelevant OPSEC slogans.
Though there is nothing inherently wrong with helping
employees protect their families and homes, it has nothing to do with
protecting sensitive parts of a program or mission. Such training could result
in employees losing focus on what is important.
Okay, before you get upset with me for raining on the OPSEC parade, a little background is
necessary. I’m a Cold Warrior. I served in Germany in the 80s, when the threat was
just behind the Iron Curtain. At the time we were well trained in what we could
write home about, what we could say on the phone, and how to communicate our
mission when we went on training exercises.
At the time, OPSEC practitioners understood that soldiers
traveled, communicated, and performed their duties in very public settings.
However, they knew to focus protection efforts on what was not so visible. It
was well worth the effort to train on how to determine what was sensitive and
how to communicate effectively without giving the sensitive information away.
So, they applied the Five-Step OPSEC Process:
- Identify the information you want to protect: testing a big Cold War antenna
- Analyze the threat: Cold War bad guys looking at our capabilities
- Analyze vulnerabilities: the antenna can be seen from several miles away
- Assess risk: if the Cold War bad guys see our antenna, they’ll understand our capabilities
- Apply countermeasures: erect the antenna only on a military base and only at night; don’t discuss the antenna or mission parameters outside of the office; etc.
This OPSEC assessment might be a little oversimplified, but hopefully it relays the
intent of good OPSEC training. In many venues, OPSEC seems to teach risk
avoidance, seemingly ignoring the first step of the OPSEC process. Instead of
identifying the information to protect (critical information), we ask everyone to
stay off the internet or we direct training toward protecting our homes and
families. We never hit the essence.
These lessons also ask security and OPSEC
professionals to go against enterprise policy. For example, I attended training
where the instructors made comments such as “I hope you are not still using a
mailbox” and “You and your cleared employees should NEVER use (insert your
favorite social network: Facebook, LinkedIn, Twitter, etc.).” However, this is
conflicting advice, as almost every government agency and defense contractor has
a social network page. Enforcing such a policy would go against existing
enterprise practices. A security practitioner could never enforce it and would
instantly lose credibility.
So, why not take a lesson from the Cold War and get back to
basics? It’s better to understand what OPSEC is and to identify and mitigate
risks. Otherwise we lose focus and credibility by not assessing and protecting
what is important.
Jeffrey W. Bennett, ISP, is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books, including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.