OPSEC (Operations Security) 2504

Analytical process used to deny an adversary information, generally unclassified about our intentions and capabilities by identifying, controlling, and protecting indicators associated with our planning process or operations

- Supplements other security disciplines, not replaces them

Operations Security (OPSEC)

5 Step OPSEC Process

1. Identification of critical information
2. Analysis of threats
3. Analysis of vulnerabilities
4. Assessment of risk
5. Application of countermeasures

Defines information in need of protection and analyzes how that information may be inadvertently compromised

Identification of critical information

Are the aspects of an operation that, if known the adversary would subsequently compromise, lead to failure or limit the success of the operation

Essential Elements of Friendly infromation (EEFI)

Analysis of threat

Elements of a threat:

• Intent

• Capability

Does an adversary intend to gain our sensitive/critical information?

Intent

Is the adversary capable of gaining the information

Capability

Anyone who opposes, or acts against law enforcements interests

Adversary

Identify ways that adversaries use to gather information

Communications (electronic devices to obtain infromation on police operations and personnel)

Imagery (The use of still video camera to obtain visual representation of Law Enforcement Personnel or operations)

Trash (Process of searching trash and gather data on people and activities)

Open source (published material)

Human (the process of watching, listening, and asking questions about the abilities and intentions of Law Enforcement Agency)

Computer accessing

Risk is determined by analyzing three factors:

1. Threat

2. Vulnerability

3. Impact

When calculating risk, following questions need to be addressed:

Is the risk great enough to do something about the threat?

How would the loss of sensitive data affect your operations?

What would be the cost of losing sensitive information?

Refers to anything that effectively negates an adversary’s ability to exploit vulnerabilities

Application of countermeasures

Examples of countermeasures

• Procedural changes

• Background checks (police personnel)

• Physical security (access control)

• Limiting web page access

• Shredding sensitive documents

• Monitoring public conversations

• Not using e-mails to discuss sensitive operations