UPDATE: After writing this post, I was put in contact with Jack Emanuelson, a board member of the national OPSEC Professionals Society (OPS). He was gracious enough to contribute some fantastic information on this topic. Read his posting here: OPSEC is really not OPSEC.
I went to Google to find a good resource on Operational Security (OpSec) for a talk that I am doing in a couple of weeks. One of the top hits was US Army Regulation 530-1, the manual that describes how the army conducts operational security. OpSec is a systematic process to assess what information an adversary can collect that could be interpreted or pieced together to derive critical information in time to be useful to adversaries and measures to reduce the availability or impact of that information.
What struck me as ironic is that the document is labeled “For Official Use Only” (FOUO) which means that the government intends to limit its distribution. I don’t think the FOUO label has been very effective. To see what I mean, simply use one of the most valuable tools for assessing information leakage…Google:
Hmm, more than 11 Million results. If there was only one result, I would not have written this blog posting. Of course, not every hit is an actual FOUO document and I am sure that the irony of labeling the Army Regulation 530-1 document as “Unclassified/For Official Use Only” was not lost on the folks who made that decision, since they wrote the book on OpSec.
And for the record, I hate it when a leak of sensitive government information occurs and the whole Wikileaks thing was a colossal travesty. I am also very thankful to live in a free country with a government that works hard to balance openness with national security. OpSec, after all is, looking at the culmulative information available to your adversary and the bad guys have already ran this query.
By the way, I did find an excellent resource and it is not labeled “FOUO.” This one is at http://www.hss.doe.gov/HQSecOp/operations_security/Basic_OPSEC.pdf
This document covers essential information pertaining OPSEC and is also a valuable source for a security awareness program on controlling what gets published on the Internet about your organization and family.
By the way, anything that I blog about does not reflect issues, vulnerabilities, tools, current initiatives, or security practices at my place of employment. I stick to things that interest me, that I teach on, or that are currently in the news.