Operations Security (OPSEC) Checklist For Publicly Accessible Army Websites (v 5.0)

Reviewer's Name:  

Date/Time of Review:  

Organization Reviewed:  

Primary IP Address/URL:  

Management Controls (Management Controls are contained in the policy published by the Office of the Secretary of Defense, titled: Establishing and Maintaining A Publicly Accessible Department Of Defense Web Information Service, 9 January 1998.):

1. Does the Web Site contain a clearly defined purpose statement that supports the mission of the DoD Component?

2. Are users of this Web Site provided with a privacy and security notice prominently displayed or announced on at least the first page of all major sections of each web information service?

3. If applicable, does this Web Site contain a Disclaimer for External Links notice, when a user requests any site outside of the official DoD web information service (usually the .mil domain)?

4. Is this Web Site free of commercial sponsorship and advertising?

DEPSECDEF Guidance (These elements were pulled directly from the DEPSECDEF memo, Information Vulnerability and the World Wide Web, dated, 24 Sept 98.):
 

1.  Operational Information:

    a.  Does the Web Site contain any information indicating plans or lessons learned which would reveal military operations, exercises or vulnerabilities?

    b.  Does the Web Site reference any information that would reveal sensitive movements of military assets or the location of units, installations, or personnel where uncertainty regarding location is an element of the security of a military plan or program?

 

2.  Personal Information:  Does the Web Site contain personal information in the following categories about U.S. citizens, DOD employees and military personnel:

    - Social Security Account Numbers?

    - Dates of Birth?

    - Home Addresses?

    - Home Telephone Numbers?

    - Names, Locations, or any other identifying information about family members of DOD employees or military personnel?
 

3.  Technological Data (Technical data creates a unique challenge to the OPSEC posture of an organization and to National Security as a whole. Certain technical data, when compiled with other unclassified information, may reveal an additional association or relationship that meets the standards for classification under Section 1.8 (e) E.O. 12958.)  Does the Web Site contain any technical data such as:

    - Weapon Schematics?

    - Weapon System Vulnerabilities?

    - Electronic Wire Diagrams?

    - Frequency Spectrum Data?

OPSEC Considerations ("Tip-off" indicators are pulled directly from AR 530-1, Operations Security (OPSEC) regulation, dated 3 Mar 95. Tip-off indicators highlight information that otherwise might pass unnoticed. These are most significant when they warn an adversary of impending activity. This allows him to pay closer attention and to task additional collection assets.)  Does the Web Site contain relevant information in the following categories that might reveal an organizations plans and intentions?
 

1.  Administrative:

    - Personnel Travel (personal and official business)?

    - Attendance at planning conferences?

    - Commercial support contracts?
 

2.  Operations, Plans, and Training:  

    - Operational orders and plans?

    - Mission specific training?

    - Exercise and simulations activity?

    - Exercise, deployment or training schedules?

    - Unit relocation/deployment?

    - Inspection results, findings, deficiencies?

    - Unit vulneribilities or weaknesses?
 

3.  Communications:

    - RF emissions and associated documentation?

    - Changes in activity or communications patterns?

    - Use of Internet and/or e-mail by unit personnel (personal or official business)?

    - Availability of secure communications?

    - Hypertext links with other agencies or units?

    - Family support plans?

    - Bulletin board/messages between soldiers and family members?
 

4.  Logistics/Maintenance::

    - Supply and equipment orders/deliveries?

    - Transportation plans?

    - Mapping, imagery and special documentation support?

    - Maintenance and logistics requirements?

    - Receipt or installtion of special equipment?

Key Word Search: Using the following "key words" conduct a search using the search tool.  As a result of this search, conduct a random screen of any documents found:

    Deployment Schedules
    Exercise Plans
    Contingency Plans
    Training Schedules
    Inspection results, findings, deficiencies
    Biographies
    Family Support Activities
    Phone Directories, Lists

Key words found and corrected:  

By necessity this checklist is generic in nature. There are many other indictors possible for the wide range of military operations and activities.

This checklist is not a panacea for complete organizational OPSEC program. If an organization has not invested the effort to analyze it's own critical information, then this list may only tend to exacerbate the problem.

Within the context of information assurance, the World Wide Web should not be treated any differently from any other potential vulnerability. Security of information on publicly accessible web sites must be viewed in the context of an organization's overall OPSEC posture.