Back to basics: Operations security

By Cynthia Flores-Wilkin, Operations Security Program Manager, Directorate of Plans, Training, Mobilization and Security

FORT CARSON, Colo. — Let’s start first with the definition of operations security (OPSEC) and why it’s important. OPSEC is a process of identifying critical information for mission success by analyzing how adversaries might learn this critical information and taking the countermeasures required to prevent the adversaries from interpreting or piecing together critical information in time to be useful. OPSEC protects sensitive or critical information from adversary observation or collection.

The OPSEC process provides a framework for the systematic and continuous process necessary to identify and protect critical information using the following steps:

• Identification of critical information. Determine what information needs protection.
• Analysis of threats. Identify the adversaries and how they can collect information.
• Analysis of vulnerabilities. Analyze what critical information friendly forces are exposing.
• Assessment of risk. Assess what protective measures should be implemented.
• Application of appropriate OPSEC measures. Apply measures that protect critical information.
• **Assess effectiveness.**Continuously monitor and update, as security is never a one-time task.

The practice of OPSEC involves using the five-to-six step process to protect critical, unclassified information from adversaries by identifying, analyzing and mitigating risks. It centers on protecting data through behavior changes, such as limiting public sharing, using strong passwords, enabling two-factor authentication (2FA) and applying software updates.

Essential Daily OPSEC Practices:

• **https://www.google.com/search?q=Password+Hygiene&mstk=AUtExfCDbCayGm4vGp9c56dp2M6cOSCcwqy08dnzlispYaMNz4vkBZlvytVyoZHgGDt7WchguZbfIu1mCwBZ6NMyoGE_agf-7biJ4-23B1KtgWiSxzYRJTuRlATnMaWpV60Vacg&csui=3&ved=2ahUKEwieztL26sCSAxWg-jgGHRmYLscQgK4QegQIBRAB:**Use unique, complex passwords and a password manager.
• **https://www.google.com/search?q=Digital+Cloaking&mstk=AUtExfCDbCayGm4vGp9c56dp2M6cOSCcwqy08dnzlispYaMNz4vkBZlvytVyoZHgGDt7WchguZbfIu1mCwBZ6NMyoGE_agf-7biJ4-23B1KtgWiSxzYRJTuRlATnMaWpV60Vacg&csui=3&ved=2ahUKEwieztL26sCSAxWg-jgGHRmYLscQgK4QegQIBRAD:**Use a VPN on public Wi-Fi, enable 2FA on all accounts and use browser privacy tools.
• **https://www.google.com/search?q=Behavioral+Changes&mstk=AUtExfCDbCayGm4vGp9c56dp2M6cOSCcwqy08dnzlispYaMNz4vkBZlvytVyoZHgGDt7WchguZbfIu1mCwBZ6NMyoGE_agf-7biJ4-23B1KtgWiSxzYRJTuRlATnMaWpV60Vacg&csui=3&ved=2ahUKEwieztL26sCSAxWg-jgGHRmYLscQgK4QegQIBRAF:**Stop posting real-time locations or sensitive work/personal information on social media.
• **https://www.google.com/search?q=Device+Security&mstk=AUtExfCDbCayGm4vGp9c56dp2M6cOSCcwqy08dnzlispYaMNz4vkBZlvytVyoZHgGDt7WchguZbfIu1mCwBZ6NMyoGE_agf-7biJ4-23B1KtgWiSxzYRJTuRlATnMaWpV60Vacg&csui=3&ved=2ahUKEwieztL26sCSAxWg-jgGHRmYLscQgK4QegQIBRAH:**Lock devices when idle, use webcam covers and install updates immediately.
• **https://www.google.com/search?q=Data+Minimization&mstk=AUtExfCDbCayGm4vGp9c56dp2M6cOSCcwqy08dnzlispYaMNz4vkBZlvytVyoZHgGDt7WchguZbfIu1mCwBZ6NMyoGE_agf-7biJ4-23B1KtgWiSxzYRJTuRlATnMaWpV60Vacg&csui=3&ved=2ahUKEwieztL26sCSAxWg-jgGHRmYLscQgK4QegQIBRAJ:**Delete or do not create unnecessary accounts and data trails.

Key benefits of learning OPSEC:

• Minimizing risk to personal/professional data. It helps identify critical, sensitive information and reduces likelihood of it being exposed.
• Preventing proactive attacks. By recognizing vulnerabilities, such as social oversharing, you can prevent threat actors from utilizing this information for malicious activities.
• Enhance digital security. It teaches proper handling of information, such as avoiding credential reuse and securing online activity, which strengthens overall cybersecurity.
• Developing a protective mindset. It fosters a habit of assessing risks, which can protect not the individual, but also their family and workplace.
• Secure information beyond information technology. It addresses both physical security and human behavior, ensuring that security measures are comprehensive rather than just focused on technology.

Learn OPSEC. Go back to the basics and develop the protective mindset.