
The key to OPSEC.


TECHNOLOGY AND INFORMATION are America's most valuable products. Their value increases daily as Third World countries move into the ranks of technology users and second world countries seek to become technology producers. The technology level difference between America and these new developing countries can be measured in years, if not in generations of new scientists.

The rate of technology change between us and these developing countries is probably exponential. They have little choice if they want to catch up. They can buy technology or steal it.

During the latter half of the Vietnam War, the military discovered that our B-52 bombers were striking empty communist bases. Prior targeting confirmed the presence of soldiers, but when the bombers arrived, the bases were empty. An investigation later found that Strategic Air Command mission preparations were telegraphing the location of their targets. The Vietcong had several hours' warning and time to move.

The military developed a new program to be sure that routine operations did not reveal secrets to the enemy. The program was successful and was called Operations Security (OPSEC). Today, most government defense contractors have OPSEC programs to protect their government classified, sensitive, and export control information. Many companies in the commercial sector are also using OPSEC applications to protect their proprietary secrets.

OPSEC differs from the traditional information security approach in the following three basic ways:

* It is a fully integrated control system. OPSEC's structure parallels the information structure it monitors. The information system serves as the feedback loop on the OPSEC system.

* To be effective, OPSEC must have total commitment through the entire management chain to the employees.

* Information security is everyone's responsibility, not just the security staff.

A key oversight group, the OPSEC Coordinating Committee, manages OPSEC activities. This committee includes senior members from the major organizational functions using classified and sensitive information. The OPSEC program manager receives management advice and guidance from the OPSEC Coordinating Committee and controls the activities of the OPSEC working groups.

OPSEC working groups exist in each organizational function using classified or sensitive information. These working groups identify and test potential information insecurities. The working groups then report confirmed insecurities to the coordinating committee for organizational and procedural remedies.

An active OPSEC program does not mean it is effective. To be effective, the program must systematically investigate and identify information insecurities. Path and barrier analysis (1) provides a framework for this process. The following axiom is the basis for path and barrier analysis: As information increases in value, so does its propensity to migrate toward unwanted recipients.

Controlling this migration prevents compromise. Path and barrier analysis involves the following steps:

* Identify applicable information transfer mediums. These transfer mediums are knowledge, document, data, and application. Information can be changed from one medium to another and can exist in more than one medium.

* Identify migration paths for each information transfer medium.

* Estimate the information's rate of flow (RoF) along each path. For example, the notation for the rate of flow along path (A) is $\mathrm{RoF}_A$.

* Place barriers to bar migration in each path. Barriers are policies, procedures, programs, or safeguards that control, monitor, or prohibit information migration.

* Estimate each barrier's probability of failure to deny migration. The notation for the probability of failure for each barrier on a path is $p_1, p_2, \ldots, p_n$.

* Calculate each path's joint probability of failure. The notation for the joint probability of failure on path (A) is $P_A = p_1 \times p_2 \times \cdots \times p_n$.

* Calculate potential vulnerability for each path. The notation for the potential vulnerability of path (A) is $\mathrm{VUL}_A = \mathrm{RoF}_A \times P_A$. An OPSEC analyst uses potential vulnerabilities to rank paths for upgrade.

* Calculate the probability for system success. The notation for system success is $Q = 1 - (P_A \times P_B \times \cdots \times P_N)$.

See the accompanying chart for an example.
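The steps above, worked through in Python as an added example (not part of the original article or its chart). The three paths, their RoF values (unit assumed to be transfers per month) and the barrier failure probabilities are constructed estimates, and the class and function names are illustrative.

```python
from dataclasses import dataclass
from math import prod


@dataclass
class Path:
    name: str
    rof: float                  # RoF: estimated rate of flow (assumed unit: transfers/month)
    barriers: dict[str, float]  # barrier name -> estimated probability of failure p_i

    def joint_failure(self) -> float:
        """P = p_1 x p_2 x ... x p_n (information escapes only if every barrier fails)."""
        for barrier, p in self.barriers.items():
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.name} / {barrier}: {p} is not a probability")
        return prod(self.barriers.values())  # no barriers -> empty product -> 1

    def vulnerability(self) -> float:
        """VUL = RoF x P."""
        return self.rof * self.joint_failure()


def rank_for_upgrade(paths: list[Path]) -> list[Path]:
    """Highest potential vulnerability first: these paths get new barriers first."""
    return sorted(paths, key=Path.vulnerability, reverse=True)


def system_success(paths: list[Path]) -> float:
    """Q = 1 - (P_A x P_B x ... x P_N), as the article defines it."""
    return 1.0 - prod(p.joint_failure() for p in paths)


# Constructed sample estimates, not data from the article.
PATHS = [
    Path("A: conversation with uncleared people", 20,
         {"need-to-know policy": 0.3, "security education": 0.2}),
    Path("B: courtesy copies to employees", 50,
         {"protection-level marking": 0.1, "release review": 0.2}),
    Path("C: trash baskets", 5, {}),
]

if __name__ == "__main__":
    for path in rank_for_upgrade(PATHS):
        print(f"{path.name:40} P={path.joint_failure():.4f} VUL={path.vulnerability():.2f}")
    print(f"Q before upgrade = {system_success(PATHS):.4f}")
    PATHS[2].barriers["classified destruction"] = 0.05  # upgrade the top-ranked path
    print("next to upgrade:", rank_for_upgrade(PATHS)[0].name)
    print(f"Q after upgrade  = {system_success(PATHS):.5f}")
```

With these estimates Q, as the article defines it, is 0.9988 even though path C has no barrier at all, so the per-path VUL ranking rather than Q is what points to the path that needs an upgrade.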

Knowledge is, in this article, information retained in the employee's memory. Other media include their laboratory books and personal records. The knowledgeable worker obtains information through participating in the project development process, acquiring experience through routine work with the process, reviewing process reports, and performing a detailed investigation or assessment of the process.

The knowledgeable worker has a more detailed understanding of the process than the average employee. For OPSEC, he or she is an original information source.

Migration paths for the knowledge medium. The knowledgeable worker is both the repository of information and its transfer agent. The individual transfers his or her knowledge to other people by briefings or conversations with other employees, releasing the information to uncleared people, or transcribing his or her knowledge in another information transfer medium.

Barriers that bar the migration of information. Two kinds of barriers limit information migration from knowledgeable workers: barriers that apply to all information media and barriers to select and control personnel.

Barriers that apply to all information media include the following:

* A general information security policy.

* A single information security organization. The organization is responsible for classification, document control and accountability, computer security, and information transfer and release functions.

* A separate counterintelligence organization to monitor the information security organization. Counterintelligence is responsible for law enforcement liaison, compromise investigations, technical security countermeasures, surveillance, and audits and assessments.

* A separate OPSEC organization to provide management with an oversight and analysis capability.

Barriers to control personnel include the following:

* a comprehensive prosecution policy,

* a need-to-know policy,

* a personnel security clearance program for all employees handling classified and sensitive information,

* a personnel reliability or assurance program for knowledgeable workers,

* a security education/awareness program for all personnel,

* a management security indoctrination program.

Documents are still the largest information medium. This should change as computer and fiche record management become popular. Documents include any recorded media, such as papers, pictures, models, and drawings. These media can be read directly and do not require a machine to interpret or amplify.

Document protection levels, such as classified, sensitive, export controlled information, and Privacy Act, show the necessary protection for each document. When these levels are clearly marked on each document, protection approximates the measures used to protect physical assets.

When protection levels have not been marked on a document, the document becomes a potential time bomb. No one is certain of its status without a classifier or management review. This poses a great danger for compromise.

Migration paths for the document medium. Documents are released to

* the customer;

* regulatory agencies;

* litigation, Freedom of Information Act, and Privacy Act requests;

* stockholders or holding companies;

* professional associations, international seminars or agencies, and requests for papers under technology release programs;

* peer review groups;

* the public by public relations announcements, briefings, or other releases;

* potential contractors and subcontractors under a Request for Proposal;

* contractors, subcontractors, vendors, or other providers; and

* employees for action, information, or courtesy.

Documents are disposed of by retiring them to records holding areas, classified destruction, and trash baskets.

Barriers that bar the migration of documents. Effective document control is hampered by the numbers of documents and their copies. Many company documents should never have been written. Many more should never have been retained. The following truisms may provide insight into proper barriers.

* A secret known by more than one person is no longer a secret.

* If you don't want to read it in the press tomorrow, don't write it today.

* If you don't have a contractual, legal, or operational requirement to keep it, destroy it.

* If he or she doesn't have to refer to it on a frequent (daily or weekly) basis, don't give him or her a copy.

* If he or she doesn't need to know, don't let him or her read it.

* If protection levels are not marked on a document, treat it as classified until it is reviewed and marked.

Deploying barriers to prevent document migration requires a systematic approach. All elements of the company information system must be included under the same oversight. General barriers introduced under the section on the knowledge information transfer medium are appropriate. The following path-specific barriers might be appropriate:

* Review all documents and mark protection levels. Documents releasable to the public should be marked "Releasable." Review can be done by a government classifier or by management for all other documents.

* Review all documents leaving the organization to confirm their protection level. Certify documents releasable to the public.

* Combine or reduce the number of internal reports. Encourage concise and objective writing. Discourage the use of inflammatory words, waffling, and reports graded by weight rather than content.

* Start a need-to-have and need-to-know policy.

* Stop the distribution of courtesy copies.

* Prohibit "private copy" documents or private files.

* Discourage letters of instruction or notices in effect over one year. From a litigation standpoint, it is safer to use the formal procedure system.

* Require all documents be marked with a retirement date and destruction date.

* When a document is retired, destroy excess copies.

* Set up reference libraries for the review of restricted or retired documents. Copies can be made and controlled for a justified need.

* Control unsupervised use of copy machines.

Data is all media that must be read or amplified by a machine. This includes computerized data, fiche, tape recordings, and photography.

Migration paths for the data medium. Fiche, recordings, and photographs are physical in nature. Handle these as documents. Computer data is not physical and must be handled differently. If you assume the computer is a repository, then the data migration paths are the system outputs. These include hard copy (document), visual transfer (knowledge), and electronic transfer to another data system.

Barriers that bar the migration of data. Many data migration paths have been mentioned. If the path involves hard copy, then handle it as a document. If the path involves personnel knowledge, then handle it as knowledge.

A major problem with data systems that contain data of different protection levels is the protection level of manually entered data, generated data, and compilations of data. Since data files are not periodically reviewed to confirm protection levels, handle all such computer data as potentially classifiable until reviewed.

Here are some suggestions to follow:

* Control access to all data files by a list of authorized users and machines. As a part of the access protocol, each satellite machine should have a "firmware" identification number. Record this number, user password, date, time, and files accessed for audit.

* All printed computer records are documents and should be treated as such.

* Issue all blank computer floppy disks, cartridges, and Bernoulli boxes as accountable documents. Mark them with the highest permissible protection level possible in order to protect them.

* Issue all program software as accountable documents.

* Prohibit personal software, floppy disks, cartridges, and Bernoulli boxes on-site.

* Prohibit software from leaving the site without approval.

The applications medium covers plant visitors, vendors, subcontractor subassemblies, prototype displays, reverse engineering of production models, and coproduction projects.

In 1950, Eiji Toyoda, later the chairman of the Toyota Motor Corporation, was sent to the United States on a commercial intelligence mission to learn about Detroit's manufacturing methods. For over a month, Toyoda visited Chrysler, Studebaker, General Motors, and Ford auto plants. He methodically observed the production lines, machinery, and workers that made the best automobiles. He learned what worked and what didn't work and kept detailed notes of these operations.

Thirty-three years later, it was America's turn to come to Japan. Detroit's premier manufacturer, General Motors, signed a joint-venture agreement with Toyota.

Migration paths for the applications medium. Here are some migration paths:

* plant visits

* vendors, contract workers, construction workers, foreign nationals

* prototype displays at trade shows

* subcontractor subassemblies

* products released to the public

Barriers that bar the migration of applications information. A cost-benefit analysis should be the basis for any decision that might jeopardize classified or sensitive applications. The sponsoring function (marketing, operations, public relations) determines the benefits. Security draws up a proposed security plan for the application and estimates the costs.

Estimating probabilities may seem difficult, but this is not necessarily the case. Experienced security managers can estimate either the failure or success of their programs within 10 to 15 percent. Considering that human error rate for applying procedures is $3 \times 10^{-3}$ for each employee per each occurrence (2), this may be accurate enough.

Unless accurate data or specific experience exists, the following table of probabilities may be helpful. Any system used must be consistent.

OPSEC programs are here to stay. The measures proposed in path and barrier analysis are not new. But, this process represents a comprehensive system. It's a place to start.

(1) For safety aspects of path and barrier analysis: Barrier Analysis, Idaho Falls, EG&G, July 1985.

(2) Errors of omission where the items omitted are embedded in procedure. Reactor Safety Study, Appendix III, Failure Data, WASH-1400 (October 1975).

G. H. Zimmer, Jr., CPP, is a security consultant in Richland, WA. He is a member of ASIS.
COPYRIGHT 1990 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1990 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:path and barrier analysis keys to effective operations security
Author:Zimmer, G.H., Jr.
Publication:Security Management
Date:Sep 1, 1990