Requirements
- The five-step OPSEC process must be applied to your personal information environment at least once annually: identify what information about you is critical, identify who could exploit it and how, identify where that information currently exists and who can access it, assess the probability and consequence of exploitation, and apply countermeasures proportionate to the risk.
- All devices must be locked when unattended, without exception. A brief absence does not justify leaving a session open. Auto-lock must be configured; manual locking at departure is required regardless.
- Sensitive work must not be conducted on screens visible to others in any public or semi-public environment. A privacy screen on any laptop used outside controlled premises is required at Sentinel rank and above.
- Sensitive matters — financial, operational, membership-related, or personal — must not be discussed in any shared space: restaurants, transport, hotel lobbies, co-working spaces, or open-plan offices. This applies to telephone calls as much as face-to-face conversations.
- All printed documents containing sensitive information must be shredded before disposal. They must not be placed in recycling bins, general waste, or any receptacle accessible to others.
- Sensitive work must not be conducted on public or untrusted networks without a VPN. Hotel, airport, conference, and café Wi-Fi are untrusted by default. Mobile data via a controlled SIM is preferable to any shared network.
- The information minimum principle must be applied consistently: share only what is necessary to achieve the required outcome. Not less — that creates its own problems. Exactly the minimum. If the necessity is not clear, the answer is not to share.
What Operational Security Is
The term originates in military doctrine: the process of identifying which of your own information could be exploited by an adversary, and taking steps to prevent that exploitation. Applied to civilian life, the adversary may be a competitor, a hostile actor, an opportunist, or simply the aggregated data systems that monetise personal information at scale.
Operational security is not about becoming invisible or behaving as though under constant threat. It is about being intentional. Most people leak information about themselves continuously and unconsciously — through their devices, their accounts, their conversations, and their habits. The practice of OPSEC begins with making that process conscious, and then making deliberate decisions about what to expose and what to protect.
The most common operational security failure is behavioural, not technical. It is information shared that did not need to be shared — in a context that was not considered, to a person who did not need to know, at a moment when no one thought to ask whether the disclosure was necessary.
The Five-Step Framework
The original military OPSEC process translates directly into personal practice:
- Identify critical information. What do you know about yourself that, if known to the wrong party, could be used against you? Your location patterns, your financial position, your affiliations, your relationships, your schedule, your plans. List it explicitly rather than assuming you know what matters.
- Identify the threats. Who might want that information, and what could they do with it? This does not require a specific adversary in mind. It requires an honest assessment of who benefits from knowing what you know about yourself — competitors, criminals, journalists, hostile parties, data brokers.
- Identify your vulnerabilities. Where does your critical information currently exist? Who has access to it? Which of your current behaviours create unnecessary exposure? Social media posts, public registrations, unsecured conversations, and unreviewed app permissions are all vulnerabilities.
- Assess the risk. For each vulnerability, how likely is exploitation and how severe would the consequences be? Not every gap requires the same response. Risk assessment determines where to concentrate effort.
- Apply countermeasures. Reduce the exposure. Change the behaviour. Accept the residual risk only where it is genuinely acceptable and you have made a conscious decision to accept it.
Foundational Habits
The requirements listed above are not advanced measures. They are the floor — the minimum expected of every member without discussion or exception. Most represent changes that cost almost nothing in time or convenience once established as habit. A locked screen takes a second. Shredding a document takes a minute. The discipline is not in the individual act; it is in applying it consistently, every time, without assessing whether it seems necessary on this particular occasion.
The occasions where it seems least necessary are often the occasions where it matters most. A conversation in a quiet restaurant still carries across a quiet room. A screen visible on a train is visible to everyone in the carriage. A screen left unlocked for two minutes is sufficient for a determined observer.
Information shared cannot be unshared. Every disclosure is permanent. The question to ask before sharing is not "is this sensitive?" — it is "is sharing this necessary?" These are different questions with different answers.