OPSEC (operational security) is an analytical process that classifies information assets and determines the controls required to protect these assets. OPSEC originated as a military term that described strategies to prevent potential adversaries from discovering critical operations-related data. As information management and protection have become important to success in the private sector, OPSEC processes are now common in business operations.
Operational security five-step process
Operational security typically consists of a five-step iterative process:
1. Identify critical information: The first step is to determine exactly what data would be particularly harmful to an organization if it were obtained by an adversary. This includes intellectual property, employees' and/or customers' personally identifiable information and financial statements.
2. Determine threats: The next step is to determine who represents a threat to the organization's critical information. There may be numerous adversaries that target different pieces of information, and companies must consider any competitors or hackers that may target the data.
3. Analyze vulnerabilities: In the vulnerability analysis stage, the organization examines the safeguards in place to protect the critical information, looking for potential weaknesses that leave it vulnerable to potential adversaries. This step includes identifying any potential lapses in the physical/electronic processes designed to protect against the predetermined threats, or areas where a lack of security awareness training leaves information open to attack.
4. Assess risks: After vulnerabilities have been determined, the next step is to determine the threat level associated with each of them. Companies rank the risks according to factors such as the chances that a specific attack will occur and how damaging such an attack would be to operations. The higher the risk, the more pressing it will be for the organization to implement risk management controls.
5. Apply appropriate countermeasures: The final step consists of implementing a plan to mitigate the risks, beginning with those that pose the biggest threat to operations. Potential security improvements stemming from the risk mitigation plan include implementing additional hardware and training or developing new information governance policies.