Operational Security
(OPSEC)
PRESENTED BY
TOM M. CONLEY, CPP, CFE, CISM
PRESIDENT AND CEO
Copyright © 2009 The Conley Group, Inc. All Rights Reserved

Today’s Objectives
• What is OPSEC
• Understand the OPSEC
Process
• Learn how OPSEC applies to
YOU in YOUR environment
Copyright © 2009 The Conley Group, Inc. All Rights Reserved

What Is OPSEC?
• OPSEC Defined
• The OPSEC Process
–Critical Information
–Indicators
–Adversaries
–Vulnerabilities
–Protective Measures
Copyright © 2009 The Conley Group, Inc. All Rights Reserved

OPSEC Covers ALL
Organizational Areas
Public Affairs
Operations
COMPUSEC
Emanations
Acquisition
Personnel
COMSEC
Logistics
Physical
Copyright © 2009 The Conley Group, Inc. All Rights Reserved

OPSEC Definition 1
A process of routinely denying
potential adversaries information
about our capabilities and/or
intentions by identifying,
controlling, and protecting any
data or other information that
may provide evidence of the
planning and execution of
sensitive activities to our enemy.
Copyright © 2009 The Conley Group, Inc. All Rights Reserved

OPSEC Definition 2
The purpose of OPSEC is to reduce
the vulnerability of US and
coalition forces from successful
adversary exploitation of critical
information. OPSEC applies to ALL
activities that prepare, sustain, or
employ forces during all
operations. It prevents the display
of, or collection of, critical
information — especially while
preparing for and conducting
actual combat operations.
Copyright © 2009 The Conley Group, Inc. All Rights Reserved

Critical Information
• Critical information are the core secrets of
an activity, capability, or intention that if
known to the adversary, could weaken or
defeat the operation.
• Critical information is the information
about your operations an adversary needs
to achieve their goals.
• Critical information usually involves only a
few key items.
• If those items are unavailable to us they
could impact the way we conduct business.
• Our critical information is information
required to be successful in our jobs.
Copyright © 2009 The Conley Group, Inc. All Rights Reserved

Indicators
Information May Be
Collected By:
• Monitoring telephone and public
conversations
• Analyzing telephone directories, financial
or purchasing documents
• Position or "job" announcements
• Travel documents
• Blueprints or drawings
• Distribution lists
• Social engineering
• Information or items found in the trash
• Public Websites
Copyright © 2009 The Conley Group, Inc. All Rights Reserved

Adversaries
• Who are we talking about? In the
Cold War days you knew it was the
communist threat. Today, the Cold
War is over but new threats have
emerged.
• Economic superiority and political
gain are other driving forces. Our
former allies during the Cold War
and Desert Storm are now collecting
technology from us to gain an
advantage in the global market.
Copyright © 2009 The Conley Group, Inc. All Rights Reserved

Vulnerabilities
• Vulnerabilities are defined as the
characteristics of a system which can
cause it to suffer degradation as a result of
having been subjected to some level of a
hostile threat.
• Determining our vulnerabilities involves
analyzing how we conduct operations. We
must look at ourselves as the adversary
would.
• From this perspective we can determine
what are the true, rather than the
hypothetical, vulnerabilities.
Copyright © 2009 The Conley Group, Inc. All Rights Reserved

Protective Measures
• Vulnerabilities and specific threats
must be matched.
• Where the vulnerabilities are great
and the threat is evident, the risk of
exploitation should be expected. A
high priority for protection should be
assigned and corrective action
taken.
• Where the vulnerability is slight and
the adversary has a marginal
collection capability, the priority
should be lower.
Copyright © 2009 The Conley Group, Inc. All Rights Reserved

Information Collection
Signals Intelligence (SIGINT)
Imagery Intelligence (IMINT)
Human Intelligence (HUMINT)
Open Source Intelligence (OSINT)
Copyright © 2009 The Conley Group, Inc. All Rights Reserved

Consequences of an
OPSEC Failure
Copyright © 2009 The Conley Group, Inc. All Rights Reserved

How About
Workplace OPSEC?
• Handling sensitive or classified
information
• Clean desk?
• Talking about work matters
outside of the workplace
• You ARE NOT being a snitch if
you report suspicious activity
Copyright © 2009 The Conley Group, Inc. All Rights Reserved

OPSEC Simplified
Identify YOUR Critical Information
Analyze YOUR Threats
Analyze YOUR Vulnerabilities
Assess YOUR Risks
Employ Correct Protective Measures
Copyright © 2009 The Conley Group, Inc. All Rights Reserved

Who is Responsible for
OPSEC?
GOOD SECURITY IS A
GROUP EFFORT
Copyright © 2009 The Conley Group, Inc. All Rights Reserved

The Bottom Line
• The threat is REAL
• Protect our technological advantage
• Asymmetric Threats are today’s
concern and not always clearly
evident
• Practice common sense and include
OPSEC in your daily routines
• YOUR adversary IS watching – are
you?
Copyright © 2009 The Conley Group, Inc. All Rights Reserved

Summary
• OPSEC is an Analytic Process
• OPSEC is Adversary-Oriented
• Every Operation Has Vulnerabilities
• All Indicators Cannot Be Eliminated
• Risk Can Be Mitigated (vs. Avoided)
• An Effective Countermeasure is a
Good Countermeasure (anything
legal that works)
Copyright © 2009 The Conley Group, Inc. All Rights Reserved

Final Thoughts
THINK
OPSEC
Copyright © 2009 The Conley Group, Inc. All Rights Reserved

Questions?
Copyright © 2009 The Conley Group, Inc. All Rights Reserved