Cyber & IT Supervisory Forum - Additional Resources

TLP:GREEN

OPSEC Cycle 25

A cycle established to support continuous oversight. The OPSEC Cycle consists of the identification of Critical Information and OPSEC Indicators; identification and analysis of relevant threats; analysis of vulnerabilities; assessment of risks; application of appropriate countermeasures; and periodic assessment of effectiveness.

Risk 26

A measure of the potential degree to which protected information is subject to loss through a threat actor’s exploitation.

Security 27

Measures taken by an organization, facility, or entity to protect itself against all acts designed to or which may impair its effectiveness. Security also may represent a condition that results from the establishment and maintenance of protective measures to safeguard against hostile acts or influences. Where applied to the protection of sensitive information, CUI, or classified information, "security" in this context refers to the condition that prevents unauthorized persons from having access to official information that is safeguarded to protect the national interests.

Risk Assessment 28

A process of evaluating the risks to information based on susceptibility to intelligence collection and the anticipated severity of loss.

Threat 29

A threat is any threat actor(s) that have the capability and intent to take any actions detrimental to the success of an organization’s activities or operations.

Vulnerability 30

A weakness a threat actor can exploit to get critical information. Anything that might make critical information available to an adversary.

TOPS Framework

The same OPSEC strategies and guidelines that are important for protecting governments’ and organizations’ information are useful in identifying your personal information, which threat actors can rapidly exploit if you do not take proactive steps in mapping your vulnerabilities, assessing your risk, applying countermeasures, and re-assessing your Digital Footprint. 31

To combat Digital Exhaust, it is recommended that you conduct a personal risk assessment of what you define as acceptable levels of risk for yourself and your family. This personal risk assessment often involves assessing which pieces of your personal information form key assets, what you can remove online, what you cannot remove online, and what you can obfuscate, either through deception and/or disinformation or by simply allowing errors that may exist with Data Brokers and Data Aggregation websites to stand, since that misinformation also obfuscates an identity or exact personal information.

Before you can conduct a risk assessment, it is important to have the right mindset and then use a framework. One framework you can use is called TOPS. TOPS stands for Threats, Opportunities, Preventative Measures and Strengths. This framework is applied as follows:
