|High||A comprehensive system of operations security should be in place and adapted with time.|
|Medium||A limited set of counterintelligence efforts should be undertaken for key high-valued systems and operations.|
|Low||Obvious sources of intelligence should be reduced where not burdensome.|
A limited set of counterintelligence efforts should be undertaken for key high-valued systems and operations.
For enterprises with a small number of higher valued content or for an enterprise with substantial amounts of medium risk content, it is reasonable to have a limited counterintelligence program. This is similar to a comprehensive program, except that it is not applied across the board, but rather only to small subsets of the enterprise where it is particularly important. As a good example, trade secrets are often very important to an enterprise, even though most of the enterprise doesn't need to know them in order to prosper. A limited counterintelligence program to protect these trade secrets is likely a sound approach.
Obvious sources of intelligence should be reduced where not burdensome.
It is always reasonable and prudent to reduce obvious sources of intelligence that can be harmful. For example, reducing the presence of email addresses on Web sites reduces the number of spam emails to those addresses, using a network address translation (NAT) firewall reduces the number of attack packets that reach typical computers, and shutting down open access to disk areas on enterprise computers stops remote users from accessing all of the files on those computers. These are obvious, simple, not expensive, and should be used as a matter of diligence unless there is a good reason not to do them.