Vacation

Pop Quiz time fellow OPSECers:

Q: Which of the following is the BEST example of an out-of-office statement for your work email?

A: I’m not in. Don’t know where I’m going. Don’t know how long I’ll be gone. Don’t know when I’m coming back – and neither do you. OPSEC Baby! I will be checking email daily.

B: I am currently out of the office for 14 glorious days. I finally got my vacation approved and I’m taking the little woman, Junior and baby girl to the Atlantis Resort (and casino!!). For any security issues don’t even think about contacting me! Instead, please contact Regional Security Manager Susie Smith at (555)-555-1234. BTW: she is also the SAP coordinator. Assuming I actually come back to work (ha-ha) all emails will be addressed on my return.

C: I am currently out of the office. If you need immediate assistance please contact Joe Smith at (555)-555-1234.

D: I am on travel until the first of next month. I’m attending a classified conference which means I won’t have my laptop during the conference (8am – 5pm each day). I can’t even check during lunch so I’ll be leaving my laptop in my hotel room but I promise to get back to you after 5pm. If you really need to contact me call the Springfield Marriott and ask for me (room 209), Steve Jones (room 426) or Joey Smith (room 427) and they’ll put you through. For those of you working on Project Nighttrain – I won’t have access to JWICS or SIPR until I get back so don’t bother sending anything to those accounts. Have a great day.

Assuming I don’t have to actually give you the correct answer I surely hope you get the point. What you put in your out-of-office statement – or your voicemail message – must be free of sensitive information. This also speaks to need-to-know. There are a multitude of reasons why this is important and a multitude of ways an adversary could exploit your information – suffice to say that you need to heed this advice. Keep your out-of-office email statements and your voicemail recordings short and to the point. Don’t include any information that doesn’t absolutely need to be there.

Keep the Faith!
Revelator

Vacation – The Go-Go’s

Even if it quacks like a duck…

…it might not be a duck.

Your adversary isn’t going to be honest about who they are or what they’re after. If they were, they wouldn’t be in business for very long! Instead, they’re often going to pretend to be something you trust or expect.

  • Be wary when receiving unsolicited phone calls, emails, or visits, especially if the person contacting you is asking for information you wouldn’t reveal to a stranger. Verify their identity before giving them anything
  • Don’t give out personal information about employees or non-public information about your company. Both are common targets for corporate spies or competitors
  • Don’t respond to emails asking for financial information or prompting you to log in, and don’t trust links in emails. If you feel the email may be legitimate, contact the sender using their public contact information to confirm
  • Make sure that websites are secure before sending any sensitive information. Whenever possible, encrypt it first
  • Double-check the URL before submitting information via the web. There’s a big difference between www.yourbank.com and www.yourbank.co.
  • Keep your antivirus and antimalware software up-to-date. Install and use a firewall

Social engineers rely on the mental shortcuts that we tend to form. We see someone with a clipboard, and we assume they’re here on official business. We get an email or phone call with very dire warnings (“The IRS is going to have me arrested??”), and we naturally want to solve those problems as quickly as possible.

Whenever someone seems to want you to feel or act a certain way, especially when it’s with a sense of urgency, stop and think about what they’re actually trying to get you to do. When you do that, you break the social engineer’s script and are less likely to fall victim to their techniques.

 

Who we are

Our Mission: To foster the development of the Operations security discipline; to enable collaboration and advancement of the tradecraft of OPSEC, while simultaneously advancing for the profession within the government, private and public sectors. OSPA also promotes adoption of the process in other areas not traditionally covered by existing OPSEC programs. Education, sharing of best practices, and providing subject matter assistance are the pillars of OSPA.

The Operations Security Professional’s Association (OSPA) is a tax exempt, Non-profit organization dedicated to improving awareness of Operations Security in both the public and the private sector. We believe that OPSEC is a tool that can benefit everyone, from neighborhood watch programs to military missions.

We provide free resources, tools, education, and collaboration for a wide variety of applications. Our website serves as a repository for information that anyone can adapt and use.

OSPA members work together towards creating and sharing information on a wide range of subjects, such as information security, OPSEC briefings, Security Briefings, OPSEC program management and more.

OSPA takes its commitment to members very seriously, and stands firm to a commitment of service, transparency and ethical behavior.

In order to meet this commitment, OSPA will always strive to keep members informed of all internal workings, and will always be available for direct contact.

The official OSPA Constitution and Bylaws (pdf): OSPA Constitution and Bylaws


About the OSPA logo

The OSPA logo is a purple dragon protectively clutching the earth. The purple dragon has a special significance in the OPSEC community, as it was the mascot of the original team that developed the process. In mythology, the dragon is known for protecting treasure; it’s often depicted guarding gold or other riches. With OPSEC, the dragon is protecting those things that are important to us. The OSPA logo depicts the “purple dragon” of OPSEC protecting the world.


Ethics

Ethics are of the highest concern for both OSPA and the OPSEC Community, as a whole. In keeping with this high ethical standard, OSPA observes the following code of ethics:

  1. Perform all professional activities and responsibilities with due diligence and honesty.
  2. Maintain the highest ethical standards in professional and personal conduct.
  3. Employ the OPSEC Process to protect critical and sensitive information.
  4. Promote the concepts of Operations Security within Government and Private Industry.
  5. Maintain professional competence at all times and continually seek out opportunities for self development and collaboration with other OPSEC professionals.
  6. Provide mentorship to other OPSEC professionals.
  7. Refrain from any activity or act which might imply a conflict of interest with professional duties or which would damage the reputations of other professionals, employers, the OPSEC profession and the OSPA.
  8. Adhere to the bylaws of OSPA, use OSPA and OPSEC Academy materials as intended, and respect fellow professionals

Something for Everyone

Material for members and non-members alike

OSPA believes that everyone deserves to be given the information that they need to keep them and those around him safe. OSPA also recognizes that OPSEC is an important tool in your goal to protect lives and livelihoods. We make information, programs and material available for free to all and constantly strives to meet the needs of the growing OPSEC community, which includes military, government, families, communities, corporations and more.

OSPA is proud to count among its members some of the most accomplished and experienced OPSEC professionals in the world. And this is the real strength of the Association; members that are willing to reach out and help each other in their own OPSEC programs.

  • OPSEC Awareness material
  • The OPSEC Correlation Analysis Tool
  • Member’s chat and forums
  • OSPA project tracking
  • Critical Information List (CIL) generator
  • OPSEC plan creation tools
  • Direct access to a stable of Subject Matter Experts
  • Direct access to the OSPA board and committees
  • OPSEC analysis tools
  • On-line and real world events exclusive to OSPA members
  • New releases of beta programs and material
  • Access to the OPSEC Support Request Form
  • Open Source Intelligence (OSINT) Assessment Tool
  • OPSEC Continuity Book Template

Join OSPA

Joining the Operations Security Professional’s Association (OSPA) gives you full access to advanced professional resources, including tools, subject matter experts, prepared briefings and materials, and peer collaboration. Your membership dues are used to advance the field and awareness of OPSEC, organize security training events, develop programs and material, assist underfunded programs, reach out to the community and more.

  • Recognition as an OPSEC Professional
  • @opsecprofessionals.org email account
  • Periodic OPSEC journal
  • OPSEC Email alerts
  • professionally developed training materials Awareness products
  • Video, poster and print OPSEC awareness material
  • Direct access to peers, which encourages networking and mutual aid
  • (Optional) publication in the OPSEC professional database/listing

Click here for the membership application

Dues are $60 a year.
Payment can be made via check, paypal, or credit card.

To pay by check, select the “mail a check” option.
The mailing address is:
OSPA Memberships
1467 Braden Loop
Glen Burnie, MD 21061