The Risk Communicator

The Monthly Newsletter of the
Security Analysis and Risk Management Association
March 2012
In This Issue
Emanuelson: OPSEC At A Crossroads, Part II
SARMA's Enhanced Membership Program
Key Reports: Chinese Hacking, The Internet And Domestic Radicalization, and More
Jobs: New Positions At ABS, DHS, etc.
Thanks to Our Silver-Level Corporate Patrons: ABS, AcuTech, Booz Allen, Secure Mission Solutions

Thanks to Our Bronze-Level Corporate Patrons: PwC, VRisk
Legal Matters

Copyright 2012 SARMA. All Rights Reserved.

The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.
President's Corner


Dear Fellow SARMA Members,

 

The year has gotten off to a fast start for SARMA on many fronts. Among other things, we've had our most successful January and February yet for corporate fundraising. In addition to returning Corporate Patrons ABS Consulting (Silver), Visual Risk Technologies (Bronze) and the PMC Group (Bronze), we were also thrilled to welcome ICF International (Silver). In addition, I would be remiss to not mention the generous support provided for our inaugural Advisory Council luncheon meeting in February by our long-time corporate patron PricewaterhouseCoopers (PwC). This is all great news, but we must also maintain this momentum if we are to make progress implementing the rest of this year's ambitious agenda. To that end, we continue to work to identify an individual who can help guide this effort and provide the necessary focus. In the interim, I ask each of you to do what you can to assist -- whether by joining SARMA as a dues-paying member, renewing an annual membership or existing corporate support, or helping to identify prospective new corporate patrons.

 

Another place where we are poised to reach new heights in the early months of 2012 centers on our social media initiatives. As I write this, we have just welcomed the 1,000th member to our SARMA LinkedIn Group page. Beyond the fact that social media has forever changed the way we communicate with one another, the rapid growth of our LinkedIn Group page is interesting for several other reasons. First, it underscores the degree of interest in the subject of security risk. Secondly, the broad cross-section of countries represented also demonstrates just what a truly global issue this is. Given this global interest, I am pleased to announce that the Chair of our International Affairs Committee, Julian Talbot, will be leading a pilot program to test the concept of establishing SARMA chapters in other countries. While the focus of the pilot will be on establishing the SARMA brand in Australia, the hope is that, if this model proves successful, it can be exported to other countries where we have seen significant interest on LinkedIn and through other contact with the Association.

 

We are also moving rapidly to finalize an expanded agenda of events here in the United States. In addition to the annual conference in late September (dates to be announced soon), this will include a series of webinars and at least one half-day symposium to be held in June. Continuing our tradition of ensuring such events are both highly relevant and timely, the SARMA Executive Committee recently approved "Federal, State and Local Perspectives on PPD-8 and Implementation of the National Preparedness System" as the theme for the symposium. Beyond the expanded agenda of events, I can also say there have been substantive discussions over the past several months between SARMA and other like-minded organizations about where and how to best contribute to the effective implementation of the National Preparedness System, as well as establishing a training and certification program for public-sector security risk managers. In addition, Board Members Andrew Harter and Ben Nerud are leading an effort to map the current and future information technology requirements of the Association. Called the SARMA Systems Renewal Project, this initiative will allow SARMA to make well-informed decisions about how to recapitalize our information technology. More to follow on all of this in the months ahead!

 

Finally, as you may recall, I reported last month that our long-time Editor, Avi Klein, would be leaving us at the end of March. I'm pleased to announce that we've succeeded in filling that void. This past week, SARMA extended an offer to Daniel Verton to succeed Avi as Editor of The Risk Communicator in April. Dan is an award-winning journalist who brings more than 15 years of experience covering homeland security and other issues. He is also the author of several books on security, and has testified before Congress on critical infrastructure protection. Please join me in welcoming Dan to the SARMA family!

 

My best,

Kerry

 

Kerry L. Thomas

President

 

Analysis

Operations Security (OPSEC) At A Crossroads: Part II

by Jack Emanuelson

 

When formal OPSEC developed during the Vietnam War (see Operations Security [OPSEC] At A Crossroads: Part I, in the February issue of The Risk Communicator), the practice was confined primarily to the military and national security environment. But it wasn't long before others, including law enforcement and private industry, found that the OPSEC concept was useful to them as well, and the practice has since proven valuable to organizations and individuals far beyond those with complex security requirements.

  

Even at the national security level, for instance, OPSEC policy as described in NSDD 298[i] limited its scope to U.S. government national security activities, capabilities or intentions. These national-level interests have always included such activities as State Department treaty and economic negotiations. However, events in the recent past necessitate expanding the scope of the National OPSEC Program to encompass, at a minimum, the terrorist threat, security of the nation's borders, protection of national critical infrastructures and the war on drugs.

  

Likewise, while the United States' National OPSEC Program has been expanding, the risks to private-sector assets have also increased. An organization involved in research or production of goods and services must recognize its adversaries and the critical information they seek. This is especially true in today's global economy. The quality of private sector intelligence gathering is increasingly professional and robust, and is often directly supported by a country's formal intelligence service.

  

OPSEC At The Crossroads

A crossroads offers two or more routes to take, and in the case of OPSEC one approaches it from the well-worn path of traditional OPSEC, using the five-step risk management process:

  1. Identification of the asset to be protected;
  2. Analysis of the threat in terms of the opponent's intent and capabilities;
  3. A search for vulnerable information that could lead the adversary to piece together or infer critical information through open sources and observation;
  4. Leadership analysis of the acceptable level of risk and, if necessary, approval of OPSEC measures to lower risk; and
  5. Implementation of the approved OPSEC measures and continuous monitoring of all risk components to detect change and respond accordingly.

  

The issue is not whether to expand the use of OPSEC. That is a given. Rather, the question is whether to use OPSEC as a systematic risk management tool to support decision-makers or to let it morph into something else. Some would create a new definition of OPSEC that covers all activities associated with security (i.e., physical, virtual, personal, organizational or anything else that might provide protection of an asset). This proposed new version of OPSEC would not be the highly focused process that has only one purpose: to identify critical information and limit the adversary's capability to deduce the critical information from open sources or observation.

  

Where did this idea of a modified OPSEC come from? The answer begins with a quick look at NSDD 298, in particular with the introduction of the term "sensitive." The directive states:


"Each Executive department and agency assigned or supporting national security missions with classified or sensitive activities shall establish a formal OPSEC program..."[ii]

  

There is no definition of "sensitive" given in the policy. Therefore, if an organization has anything to do with national security and has any sensitive activities, it must have an OPSEC program. A sensitive activity might be interpreted as any function involving sensitive information, such as processing payroll information with names, social security numbers and salaries. While protections of this information may be warranted, there is no need to employ the OPSEC risk management process -- following established laws, regulations and procedures to protect the easily identifiable sensitive information should be sufficient.

  

The second issue with NSDD 298 is that parts of the policy are often taken separately and totally out of context. The classic example of this is the wording at the very end of the OPSEC process description:

  

"OPSEC thus is a systematic and proved process by which the U.S. Government and its supporting contractors can deny to potential adversaries information about capabilities and intentions by identifying, controlling and protecting generally unclassified evidence of the planning and execution of sensitive Government activities."[iii]

   

The above wording does not refer to the previous portions of the directive that note that OPSEC protects classified activity and helps prevent the inadvertent compromise of classified U.S. government activities, capabilities or intentions. This is a crucial element of the proposed changes. One often hears planners say, "OPSEC has nothing to do with classified information." The phrase emanates from people not reading the basic NSDD policy and understanding what critical information is. While critical information may be either classified or otherwise sensitive, it must meet the criterion of being the core information that an adversary needs to defeat or gain an advantage over the organization. Just because information has been declared "For Official Use Only" does not mean that it is critical information worthy of an OPSEC analysis.

  

The meaning of OPSEC is acquired knowledge, and for many their understanding is based on little more than hearsay. Most current members of government and private sector leadership have never had any exposure to the OPSEC risk management methodology or practical involvement in the process. When OPSEC enters their milieu, they are given some version of the above out-of-context description of OPSEC and are expected to understand the concept in its entirety. As a result of this continued misunderstanding, there is a good chance that the OPSEC risk management process may be damaged by a future revision to National OPSEC Policy, based on misconceptions about OPSEC risk management, and be supplanted by what have in the past been nothing more than good security practices. The two, OPSEC and security, must function in concert but remain distinct operations.

  

There is no easy answer to this problem. The OPSEC risk management process obviously needs to continue as an essential element of risk decision-making. But what of all the other issues that the "new" OPSEC is supposed to cover? If only there were a term to describe the collective security afforded an operation or activity. It could be "operational security," but this would not clear the air (i.e., the two terms are too similar, and the acronym for operational security would also be OPSEC). One possibility is to stick with "security" to describe the collective protection given an operation or activity. When the application of the OPSEC risk management process is determined to be essential to overall security, OPSEC becomes a contributing factor.

 

At a minimum, the solution to the crossroads issue must contain the provision that, when using the term OPSEC, it only be applied to critical information identified through the risk management process. As stated by the U.S. Marine Corps: "Without understanding the critical information which should be protected, there can be no specific determination that OPSEC vulnerabilities [i.e., exploitable indicators that may lead to the critical information] exist."[iv]

 

Jack Emanuelson is an independent contractor specializing in OPSEC and information assurance. He earned his BS in Business Administration from the American University and an MBA from George Washington University, and is a graduate of the U.S. Army Command & General Staff College. He previously occupied the David G. Boak Operations Security Chair at the National Cryptologic School. Jack is retired from the U.S. Civil Service and is a Lieutenant Colonel, AUS (Ret).



[i] The White House, National Security Decision Directive Number 298, National Operations Security Program, January 22, 1988.

[ii] NSDD 298.

[iii] NSDD 298.

[iv] Marine Corps Order 3070.2, Subj: The Marine Corps Operations Security (OPSEC) Program, 18 May 2007.

 

Membership Information

 

SARMA'S 2012 Enhanced Membership Program

 

SARMA continues to support the needs of the security community by providing added value and keeping our membership rates as low as possible. In particular, we support federal, state and local government employees with a reasonable Government Member rate, and seek to encourage the education of students in the security analysis field by keeping the Student Member rate at an affordable level.

 

New in 2012, the enhanced SARMA membership program includes the following: 

  • Welcome letter and personalized membership certificate
  • 10% discount on all event registrations
    • An expanded event schedule
    • Annual Conference
    • SARMA Advisory Council meetings
    • Networking socials
    • Educational events
    • Job fairs
    • Webinars
    • Policy forums
  • Monthly SARMA newsletter
  • Exclusive and free members-only events and webinars
    • Board meetings, networking socials
    • Annual meeting
    • Monthly committee meetings
  • Access to exclusive information   
    • Annual Conference speaker presentations 
    • Conference attendee lists
    • SARMA member directory ("opt-in" only)
    • Free digital subscription to partner organization newsletters
    • Detailed calendar of third-party events of interest to the security risk community
  • Opportunities to become involved in various SARMA committees and efforts benefiting the security risk community

Click here to join SARMA as one of our growing number of dedicated members, or contact Paula Copperthite, Director of Membership and Outreach, at paula.copperthite@sarma.org for more information.

 

Key Reports
 
USCC: Chinese Capabilities for Computer Network Operations and Cyber Espionage  
 
A new report from the U.S.-China Economic and Security Review Commission provides "a comprehensive review of current Chinese efforts to integrate computer network operations into a broader military and intelligence context."

 
US Senate: A Case Study in Online Islamist Radicalization and Its Meaning for the Threat of Homegrown Terrorism

A new report from the US Senate Committee on Homeland Security and Governmental Affairs takes a close look at the case of Zachary Chesser and draws lessons about the role of the Internet in fomenting homegrown terror.


FATF: International Standard on Combating Money Laundering and the Financing of Terrorism & Proliferation

A new report from the Financial Action Task Force provides recommendations for a "comprehensive and consistent framework of measures which countries should implement in order to combat money laundering and terrorist financing, as well as the financing of proliferation of weapons of mass destruction."

 

Jobs

ABS Consulting: Junior Risk Analyst


ABSG Consulting Inc. is seeking talented professionals to provide technical and management consulting services to the Federal Government, specifically in the area of homeland security risk analysis. Tasks focus primarily on methodology development, metrics design, qualitative and quantitative analysis, and risk modeling.  

Read the notice

ABS Consulting: Risk Analyst

ABSG Consulting Inc. is seeking talented professionals to provide technical and management consulting services to the Federal Government, specifically in the area of homeland security risk analysis. Tasks focus primarily on methodology development, metrics design, qualitative and quantitative analysis, and risk modeling.

Read the notice 

DHS: Operations Research Analyst

  

DHS National Protection and Programs Directorate is seeking applicants to provide technical support and subject matter expertise for execution of strategic quantitative risk assessments. Responsibilities include developing tailored risk and decision analytics, support tools and technical assistance; advancing risk and decision analytics, support tools and technical assistance; and promoting effective homeland security risk communications and enhancing risk communication techniques.

  

  

Visual Risk Technologies: Safety and Security Risk Consultant

  

Visual Risk Technologies is seeking applicants to contribute to the firm's creative approaches and proven software solutions that are in use by a variety of corporate and government clients in the homeland security, transportation, energy, and chemical industries. The position will provide expert guidance to technical staff and conduct independent research and analysis culminating in written reports and oral presentations.

  

FEMA: Program Analyst

  

FEMA is seeking applicants to, among other tasks, conduct research and perform analytical tasks for risk analysis, risk management, and critical infrastructure protection initiatives and programs. The successful applicant will also provide assistance in obtaining, analyzing, and processing data related to critical infrastructure and all-hazards risk in support of assessments and analyses.
   
Read the notice