Opsec Challenges to It

OPSEC Challenges to the Information Technology Sector

Introduction

Operations Security (OPSEC) is the process by which one may identify information that is critical to the accomplishment of their mission or function of their organization and apply appropriate safeguards to them after considering the nature and capabilities of adversarial systems. Critical information; that is, the “specific facts about friendly capabilities, activities, limitations (including vulnerabilities), and intentions needed by adversaries for them to plan and act effectively so as to degrade friendly mission accomplishment” (1).

Formally, OPSEC is an iterative, five-step process that is comprised of identifying critical information, analyzing the threat, analyzing the vulnerabilities, assessing risks and applying countermeasures (1); implied in the process is the need to periodically revisit existing countermeasures to gauge effectiveness and ensure proper and continued application. OPSEC is, in itself, not a security discipline. Rather, as the name implies, it is an operations discipline that may be applied to any venture, task or effort. OPSEC can further be referred to as information risk management (2; 3/p.14), drawing a clear parallel to Operational Risk Management (ORM).

The implementation of an OPSEC program is the responsibility of an organization’s senior leadership or, in a military organization, command. While specific requirements are generally delegated to lower levels, the senior leadership must appropriately resource, fund and champion the program in order for it to be effective. Furthermore, it is the leadership that is entrusted with the responsibility of weighing vulnerabilities against countermeasure cost and accepting any remaining risk on behalf of the organization.

This information paper will explore the role that OPSEC plays in the realm of Information Technology, and how traditional security disciplines may be leveraged to protect an organization’s...