Thinking about OPSEC audits
There are four reasons (we are not talking about statutory requirements but, rather, about underlying reasons) why audits of any type, OPSEC or otherwise, might be performed.
The first reason is that a program may be in the process of being implemented, and we wish to get a baseline indicator of where we stand, in order to gauge what needs to be done and to judge future progress.
A second reason to perform an audit is to judge the current state of a program. From this type of audit comes kudos for things well done and suggestions for improvement in areas where improvement is needed, either because the program being audited has not kept up with changes in the environment, or because there have been oversights.
A third reason is to show that something is being done well, generally to bring it to the attention of someone higher up the food chain.
Finally, an audit can be done as a thinly disguised plan to place blame for something, generally on someone – or some group – in particular.
Since most organizations know little or nothing about OPSEC, we will focus here on the first reason for doing an OPSEC audit, which is figuring out where you stand and where you need to be going.
Most organizations have information that, while not actual trade secrets, is best kept private. This is because organizations have adversaries or competitors who could use this information to their advantage and your disadvantage. Sometimes the information is valuable in and of itself, and sometimes it is an indicator that other information exists. As an example of an indicator, if your employees suddenly start attending conferences in some specialized field, it probably indicates that you are either looking to do something in that field or are actually doing something in that field.
There are two things that must be done when you begin an OPSEC audit. First, you must identify who your adversaries are. This means specific adversaries, not generic adversaries. The reason for this is that you will be under attack by specific individuals, groups, or organizations, each of which will have different interests, histories, and capabilities.
The second task, once the adversaries are identified, is figuring out what information is valuable to them. Remember that what you think is important may not be important to your adversary. Also remember that life is not perfect, and you may make a judgment call that is reasonable, but wrong. Unfortunately, the nature of risk management is such that you can never completely eliminate risk. As an example, some time ago a company invented a new longer-lasting bulb, based on a newly designed filament. A foreign competitor was taking a tour of the plant, and was deliberately shown only the generic manufacturing processes, and nothing to do with the new filament. This gave the manufacturer some feeling of comfort – until their product hit the market first in the hands of their competitor. As it turned out, the filament specifications had previously been stolen in an act of economic espionage, but the competitor was lacking some of the basic manufacturing knowledge for the simple construction of the bulb, information that was being given away.
While we have emphasized the importance of identifying specific adversaries and their information requirements, this does not mean that you should not identify the information that you think might be important: you will need to deal with this as well.
Once you have identified information that might be of value to others, and who those others might be, you will be ready to start dealing with the protection of that information, which we will address later.