How to conduct an Opsec Assessment

Operational Security (OPSEC) Assessments are conducted to evaluate an adversary's or competitor's ability to access your critical information or areas. OPSEC Assessments directly benefit anyone desiring to protect information or assets from disclosure or harm. Operations Security (OPSEC) Assessments enable insight to your predictable indicators and exploitable procedures while presenting specific measures to counter potential vulnerabilities. Assessments are ideally conducted internally but can be performed by trusted external experts if need be.

[edit] Steps

1. Identify information critically important to the organization, mission, project or home [personal information, mission details, plans, capabilities, key personnel deployment data, medical records, network or safehouse schematics, etc.]
2. Identify the relevant adversaries, competitors or criminals with both intent and capability to acquire your information or penetrate your perimeter.
3. From the adversary's, competitor's, or thief's perspective, identify potential vulnerabilities and means to gains access to results of step 1. Interview a representative sample of individuals if you can.
4. Assess the risk of each vulnerability by its respective impact to mission accomplishment/performance if obtained.
5. Formulate specific measures that counter identified vulnerabilities. Prioritize and then enact relevant protection measures.
6. Evaluate and measure effectiveness, and adjust accordingly.

[edit] Tips

• Zero vulnerabilities are not realistic; however 100% awareness is. Keep your critical information list limited to about 10 items. The list should not be too secret. As a general rule, those who are aware of what to protect have a better chance of protecting it as opposed to those unaware of its value.
• Obtain threat data from the experts whenever practicable, don't try to perform all the analysis on your own unless you absolutely have to.
• It will be cost prohibitive, and a complete waste of time, to attempt to protect information already publicly accessible. Focus on what can be protected versus what has already been revealed.
• Observations, findings and proposed counter measures need not be a long drawn-out report. A plan of actions and milestones to mitigate vulnerabilities can be little more than a brief.
• Integrate OPSEC into planning and decision processes from the beginning. Waiting until the last minute before conducting an assessment may be too late for effective measures to take effect.
• Regular assessments ensure your best protection.
• OPSEC often provides low cost solutions to high tech problems.

[edit] Trips

• Always apply LEGAL and ETHICAL standards / methodologies.
• There is no need to replicate adversarial techniques irrelevant to your unique situation — i.e. if there is no indication that potential intruders intend to and/or have the capability of entering your perimeter with false identification cards, then there is no need replicate that potential vulnerability. Worrying about the least likely things will result in not enough attention being paid to the most likely things.