OPSEC for NGOs
The recent (and ongoing) abduction incident in Niger is an interesting case study. In summary, two trucks loaded with armed men arrived at a CARE guest house in Dakoro. The gunmen forced their way past the guard, abducted five aid workers and a driver, and escaped toward Mali. During the preliminary investigation, officials learned the kidnappers were looking for an Italian; who was supposed to be staying at the guest house. The fortunate Italian, who was unaware of the threat, had spent the night elsewhere. When the frustrated kidnappers couldn't find him, they seized staff members of the Niger-based NGO Befen and the Chadian health group Alerte-Sante instead. (Our hopes for a speedy and successful resolution go out to the abducted, their friends, families, and colleagues.)
This certainly did not appear to be an opportunistic crime. The kidnappers knew about the guest house and that an Italian male was staying there. They had to get their information from somewhere, which prompts this brief discussion of Operations Security.
Operations Security (or OPSEC as the military and intelligence communities like to call it) is the process of identifying, controlling, and protecting information that could be used by someone that wants to cause harm or loss to your organization and its operations. The classic operations security process consists of five steps:
Identification of Critical Information – The first step is determining what information is critical. This is any information that someone planning harm against your organization could benefit from. Some examples of critical information include:
Analysis of Vulnerabilities – Once you’ve identified types of critical information and those who might benefit from it, the next step is to determine how this information might be compromised. Here are a few "lessons learned" examples of how critical information has been unintentionally disclosed:
Application of Appropriate Operations Security Countermeasures – The final step is implementing countermeasures that prevent or reduce the chances of critical information being compromised. Refer back to the vulnerabilities you have identified and apply fixes through policies, procedures, and education efforts. For the examples above, countermeasures could include:
During World War II, posters like the one above appeared across the United States with the catchy slogan, "Loose Lips Sink Ships" (otherwise, unguarded talk about critical information might find its way to enemy submarines; with significant consequences). In a nutshell, that’s what OPSEC is all about. And in some cases, the process can be just as important to humanitarian organizations as it is to governments.
This certainly did not appear to be an opportunistic crime. The kidnappers knew about the guest house and that an Italian male was staying there. They had to get their information from somewhere, which prompts this brief discussion of Operations Security.
Operations Security (or OPSEC as the military and intelligence communities like to call it) is the process of identifying, controlling, and protecting information that could be used by someone that wants to cause harm or loss to your organization and its operations. The classic operations security process consists of five steps:
Identification of Critical Information – The first step is determining what information is critical. This is any information that someone planning harm against your organization could benefit from. Some examples of critical information include:
- Guest house locations
- Meeting schedules
- Office floor plans
- Travel itineraries
Analysis of Vulnerabilities – Once you’ve identified types of critical information and those who might benefit from it, the next step is to determine how this information might be compromised. Here are a few "lessons learned" examples of how critical information has been unintentionally disclosed:
- Food aid distribution plans discussed in a public place
- Photos of an office showing security measures posted on a Facebook page
- A travel itinerary placed on an office bulletin board that could be seen from an outside window
- A list of staff names and residence addresses left on a desk after working hours
Application of Appropriate Operations Security Countermeasures – The final step is implementing countermeasures that prevent or reduce the chances of critical information being compromised. Refer back to the vulnerabilities you have identified and apply fixes through policies, procedures, and education efforts. For the examples above, countermeasures could include:
- Being careful when talking about critical information in public places
- Avoiding posting critical information on the Internet
- Keeping travel itineraries known only to a few people
- Locking up critical information at the end of the day
During World War II, posters like the one above appeared across the United States with the catchy slogan, "Loose Lips Sink Ships" (otherwise, unguarded talk about critical information might find its way to enemy submarines; with significant consequences). In a nutshell, that’s what OPSEC is all about. And in some cases, the process can be just as important to humanitarian organizations as it is to governments.
Labels: OPSEC
1 Comments:
Interesting article but the challenge for humanitarian agencies is that this collides with the acceptance strategy and high visibility approach. So this OPSEC can only be used in case an organisation has or has switched to low profile, protection strategy.... The other fact is that the communities NGOs are often hosted are very small and to get access to information you have expose yourself - the only way is to make your behaviour less predictable, change times at the last, inform driver about mission last moment etc.... This might help...
Post a Comment
<< Home