September 23rd, 2002, 06:05 PM
Establishing an Operations Security Program (OPSEC)
I hope this information will help you in establishing an OPERATIONS SECURITY PROGRAM (OPSEC).
For those that are not aware
And I hope everyone takes this information and puts it forth to thier work every day.
OPSEC is not a security program. It is an effective and sucessful way to ensure the sucess of a mission!
What Every OPSEC Professional Should Know.
The OPSEC Program Manager wears many hats.
-> Intelligence Liaison
-> Research Specialist
-> And yes, at times, "The Bearer of Bad News"
As you get your OPSEC program started, make a lot of friends and contacts. Start with the local security forces and offices, such as the Office of Special Investigations. Talk to your local town, county, and state police departments. Ask the different outside agencies that your organization does business with who their OPSEC Program Managers are. Get to know your communications security, emissions security, and information security experts. Don't be afraid to tap into other DoD or Government agencies for information, help, or answers.
READ AND RESEARCH CONTINUALLY. LEARN EVERYTHING YOU CAN ABOUT SPECIFIC THREATS AND VULNERABILITIES.
Identify your organization's critical information. Remember, this isn't the classified stuff. This is all the unclassified information that we put in the trash; talking shop outside the workplace; or our predictable daily actions. Now, think outside the box, looking inside. Honestly ask yourself, "If I were the enemy, how would I disrupt or stop the organizationˇ¦s operations or way of doing business?"
Answering that question should assist you in determining what information is critical to your organization. Examples of critical information: aircraft status, personnel strength, organizational relationships, deployment information, operational tactics, flying schedules, inspection results, recall roster, shortfalls, duty schedules, equipment upgrades, failure rates, contractor supportˇK the list is endless because every organization and its operation is different.
Does your organization have threats? Or an adversary/enemy? The answer is most likely YES to both.
Some potential adversaries are listed below:
-> Foreign governments and or inspectors
-> Disgruntled employees
-> Dishonest employees
One common denominator with the last two examples is that they are people within the organization. Be aware of obvious personality changes. Try to identify who is a weak security link. Ask yourself, "Who is writing bad checks? Who are the alcoholics? What individuals always withdraw from the group?"
Vulnerabilities and the OPSEC Program Manager. Remember the part about being the bearer of bad news? No one likes to be told that they can't bring their brand new Palm Pilot into the office anymore. OPSEC is very similar to risk management. Ask yourself, "Is there a better or safer way of doing business?" It is always a good think to have a recommendation or solution ahead of time. OPSEC is not a security program. It is an effective and successful way to ensure the success of a mission!
Assess the risks. Determine if they are acceptable. Develop and apply your countermeasures. About 90% of all countermeasures don't cost a penny. Is personal convenience more important than the mission?