Operations security (OPSEC) is a term originating in U.S. military jargon for a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.
In a more general sense, OPSEC is the process of protecting individual pieces of data that could be grouped together to give the bigger picture (called aggregation). OPSEC is the protection of critical information deemed mission essential from military commanders, senior leaders, management or other decision-making bodies. The process results in the development of countermeasures, which include technical and non-technical measures such as the use of email encryption software, taking precautions against eavesdropping, paying close attention to a picture you have taken (such as items in the background), or not talking openly on social media sites about information on the unit, activity or organization's Critical Information List.
OPSEC is a five-step iterative process that assists an organization in identifying specific pieces of information requiring protection and employing measures to protect them.
An OPSEC Assessment is the formal application of this process to an existing operation or activity by a multidisciplinary team of experts. These assessments identify the requirements for additional OPSEC measures and required changes to existing ones. Additionally, OPSEC planners, working closely with Public Affairs personnel, must develop the Essential Elements of Friendly Information (EEFI) used to preclude inadvertent public disclosure of critical or sensitive information. The term "EEFI" is being phased out in favor of "Critical Information," so all affected agencies use the same term, minimizing confusion.
In 1966, United States Admiral Ulysses Sharp established a multidisciplinary security team to investigate the failure of certain combat operations. This operation was dubbed Operation Purple Dragon, and included personnel from the National Security Agency and the Department of Defense.
When the operation concluded, the Purple Dragon team codified their recommendations. They called the process "Operations Security" in order to distinguish the process from existing processes and ensure continued inter-agency support.
In 1988, President Ronald Reagan signed National Security Decision Directive (NSDD) 298. This document established the National Operations Security Program and named the Director of the National Security Agency as the executive agent for inter-agency OPSEC support. This document also established the Interagency OPSEC Support Staff (IOSS).
Although originally developed as a U.S. military methodology, Operations Security has been adopted worldwide for both military and private sector operations. In 1992, the North Atlantic Treaty Organization (NATO) added OPSEC to its glossary of terms and definitions.
The private sector has also adopted OPSEC as a defensive measure against competitive intelligence collection efforts.
Military and private sector security and information firms often require OPSEC professionals. Certification is often initially obtained from military or governmental organizations, such as:
the U.S. Army, 1st Information Operations Command,
the Interagency OPSEC Support Staff, and
the Joint OPSEC Support Element.