Use good OPSEC: Identify, safeguard personal or operational information

U.S. Army Graphic

Many people believe that if information is not classified, it is OK to share. However, this is not at all accurate. Would you post your full name, birth date, and Social Security number on a bulletin board or website? Would you tape the code to your home’s alarm system to your front door? Of course not! Is any of the information classified? No, but you understand the harm that could come from sharing that information with strangers, so you keep it secure. Whether you’ve realized it or not, you’ve been practicing Operations security or OPSEC.

OPSEC focuses on identifying and safeguarding sensitive or critical information, whether it’s about you, your family, your coworkers, your overall mission, or your day-to-day operations. Whether we realize it or not, every day there are adversaries, such as terrorists, spies, and criminals, trying to access this type of information. They piece together bits of data, especially open-source information, to determine the big picture related to our missions. Use of OPSEC every day can help make sure this does not happen. Your understanding and use of sound OPSEC practices may save lives… including your own.

An adversary is any person or group that collects information about a U.S. military command, personnel, family member etc. and intends to use that information to cause harm to operations and assets and includes foreign intelligence organizations, terrorist groups, lone criminals, and organized criminal enterprises.

Adversaries may use multiple methods to collect information:
» Searching trash containers
» Monitoring radio frequencies, cellphones, wireless devices, email, faxes, and telephones
» Monitoring and exploiting the Internet and social media
» Elicitation, eavesdropping, and electronic surveillance

Critical information is specific facts about our intentions, capabilities, and activities needed by our adversaries to cause unacceptable consequences for our mission accomplishment. In addition, critical information is any information that you or your mission manager considers sensitive.

Examples of critical information:
» Names and photos of you, your family, or coworkers
» User names, passwords, and computer and networking information
» Personnel information, including rosters, clearance levels and personal addresses and phone numbers
» Operational, security, and budget information, logistical data
» Mission capabilities or limitations
» Building plans, schedules, and travel itineraries
» Social Security numbers, credit card numbers, and banking info

Countermeasures are steps taken to mitigate risk and reduce the loss of critical information.

Some countermeasures you should employ include:
» Properly shredding classified and sensitive information, including personally identifiable information
» Using appropriately encrypted radios, telephones, faxes, and email communications
» Never speaking about classified or sensitive information in public
» Always applying the need-to-know principle
» Thinking before you speak
» Adhering to all security and information assurance policies and procedures

Social networking sites, such as Facebook and Twitter, are great ways to connect with people, share information, and market products and services. However, these sites can also provide adversaries with the critical information they need to disrupt your mission and harm you, your coworkers, or even your family members.

Think before you post! Remember, your information could become public at any time due to hacking, configuration changes, social engineering, or the business practice of selling or sharing user data.