Updating Opsec with latest updates

src/SUMMARY.md

@@ -4,7 +4,7 @@
 - [How to Navigate the Website](./intro/how-to-navigate-the-website.md)
 - [Overview of Each Framework](./intro/overview-of-each-framework.md)
 
 # Frameworks
 
 - [Community Management](./community-management/README.md)
   - [Discord](./community-management/discord.md)
@@ -18,21 +18,23 @@
   - [Staying Informed & Continuous Learning](./awareness/staying-informed-and-continuous-learning.md)
   - [Resources & Further Reading](./awareness/resources-and-further-reading.md)
 - [Operational Security](./opsec/README.md)
-  - [Core principles](./opsec/principles/README.md)  
-    - [Principles in detail](./opsec/principles/principles.md)
-    - [The five steps](./opsec/principles/five-steps.md)
-    - [Web3 considerations](./opsec/principles/web3-considerations.md)
-  - [Threat Modeling overview](./opsec/threat-modeling-overview.md)
-  - [Risk Management](./opsec/risk-management.md)  
-  - [Governance & Program Management]()  
-
+  - [Overview](./opsec/overview/README.md)  
+    - [Security Fundamentals](./opsec/overview/security-fundamentals.md)
+    - [Implementation Process](./opsec/overview/implementation-process.md)
+    - [Web3 considerations](./opsec/overview/web3-considerations.md)
+  - [Threat Modeling Overview](./opsec/threat-modeling-overview.md)
+  - [Risk Management Overview](./opsec/risk-management-overview.md)
+  - [While Traveling](./opsec/travel/overview.md)
+    - [Quick Guide](./opsec/travel/quick-guide.md)
+    - [Thorough Guide](./opsec/travel/guide.md)
+  - [Governance & Program Management]()
   - [Control Domains]()
   - [Lifecycle]()
   - [Monitoring & Detection]()
   - [Incident Response & Recovery]()
   - [Continuous Improvement & Metrics]()
   - [Integration & Mapping to Other Frameworks]()
   - [Appendices]()
 - [Wallet Security](./wallet-security/README.md)
   - [Cold vs Hot Wallet](./wallet-security/cold-vs-hot-wallet.md)
   - [Custodial vs Non-Custodial](./wallet-security/custodial-vs-non-custodial.md)
@@ -135,7 +137,7 @@
   - [Partition Encryption](./encryption/partition-encryption.md)
   - [Volume Encryption](./encryption/volume-encryption.md)
 
 
 # About this
 
 - [What It Is](./intro/what-is-it.md)

src/config/SUMMARY.md.develop

@@ -18,14 +18,16 @@
   - [Staying Informed & Continuous Learning](./awareness/staying-informed-and-continuous-learning.md)
   - [Resources & Further Reading](./awareness/resources-and-further-reading.md)
 - [Operational Security](./opsec/README.md)
-  - [Core principles](./opsec/principles/README.md)  
-    - [Principles in detail](./opsec/principles/principles.md)
-    - [The five steps](./opsec/principles/five-steps.md)
-    - [Web3 considerations](./opsec/principles/web3-considerations.md)
-  - [Threat Modeling overview](./opsec/threat-modeling-overview.md)
-  - [Risk Management](./opsec/risk-management.md)  
-  - [Governance & Program Management]()  
-
+  - [Overview](./opsec/overview/README.md)  
+    - [Security Fundamentals](./opsec/overview/security-fundamentals.md)
+    - [Implementation Process](./opsec/overview/implementation-process.md)
+    - [Web3 considerations](./opsec/overview/web3-considerations.md)
+  - [Threat Modeling Overview](./opsec/threat-modeling-overview.md)
+  - [Risk Management Overview](./opsec/risk-management-overview.md)
+  - [While Traveling](./opsec/travel/overview.md)
+    - [Quick Guide](./opsec/travel/quick-guide.md)
+    - [Thorough Guide](./opsec/travel/guide.md)
+  - [Governance & Program Management]()
   - [Control Domains]()
   - [Lifecycle]()
   - [Monitoring & Detection]()

src/opsec-old/cloud-third-party/README.md

@@ -0,0 +1,45 @@
+---
+tags:
+  - Security Specialist
+  - Operations & Strategy
+  - Devops
+  - SRE
+---
+
+# Cloud and Third-Party Security
+
+In today's interconnected digital ecosystem, organizations rely heavily on cloud services and third-party vendors to operate efficiently. However, these dependencies introduce security risks that must be carefully managed.
+
+## Introduction
+
+Cloud and third-party security focuses on protecting data and operations that depend on external providers. It encompasses the assessment, monitoring, and management of security risks associated with cloud services, software-as-a-service (SaaS) applications, and third-party vendors that have access to your systems or data.
+
+## Key Components
+
+This section covers the following aspects of cloud and third-party security:
+
+1. [G-Suite Security](./g-suite-security.md) - Securing Google Workspace (formerly G-Suite) environments
+2. [Cloud Security Fundamentals](./cloud-security-fundamentals.md) - Essential security considerations for cloud environments
+3. [SaaS Security](./saas-security.md) - Securing software-as-a-service applications
+4. [Vendor Security Assessment](./vendor-security-assessment.md) - Evaluating and monitoring the security of third-party vendors
+5. [API Security](./api-security.md) - Securing application programming interfaces
+
+## Risk-Based Approach
+
+Cloud and third-party security should be implemented based on the sensitivity of the data being handled and the criticality of the services provided:
+
+1. Inventory all cloud services and third-party relationships
+2. Classify providers based on the data they handle and criticality to operations
+3. Implement appropriate security controls and monitoring based on risk levels
+4. Regularly review and audit third-party security practices
+
+## Web3 Considerations
+
+In Web3 environments, cloud and third-party security includes additional considerations:
+
+- The security of blockchain infrastructure providers
+- The risks associated with decentralized services and protocols
+- The assessment of smart contract dependencies
+- The security of Web3 development and deployment tools
+
+The guidance in this section addresses both traditional and Web3-specific cloud and third-party security considerations. 

src/opsec-old/core-opsec-principles.md

@@ -0,0 +1,148 @@
+---
+tags:
+  - Security Specialist
+  - Operations & Strategy
+  - Devops
+  - SRE
+---
+
+# Core OpSec Principles
+
+Operational security is built on fundamental principles that guide the implementation of security controls and practices. These principles provide a foundation for developing a comprehensive security posture that protects your organization's assets, operations, and reputation.
+
+> **Practical Example: Web3 Organization**
+>
+> Consider a Web3 project managing a DeFi protocol with a treasury of $10M in assets. Proper operational security would involve:
+>
+> - **Multiple security layers**: Hardware wallets for cold storage, multi-signature requirements for transactions, regular security audits, and continuous monitoring
+> - **Access control**: Only specific team members have access to deployment keys, with different permission levels for development, testing, and production environments
+> - **Compartmentalized information**: Private keys for multi-signature wallets are distributed among trusted team members with no single person having access to all keys, and sensitive incident response procedures are only shared with the security team
+> - **Regular threat assessment**: The team conducts quarterly reviews of potential attack vectors, from smart contract vulnerabilities to [social engineering](../awareness/social-engineering.md) attempts targeting team members
+
+## Defense in Depth
+
+Defense in Depth is the practice of layering security controls throughout your systems and processes, so that if one control fails, others will provide protection.
+
+> **🔗 Related Framework:** This principle is applied across multiple frameworks including [Infrastructure](../infrastructure/) with [Zero-Trust Principles](../infrastructure/zero-trust-principles.md) and [Network Security](../infrastructure/network-security.md).
+
+### Implementation
+
+1. Deploy multiple security controls that address the same risk in different ways
+2. Implement security at various layers: physical, technical, administrative, and human
+3. Ensure no single point of failure exists in your security architecture
+4. Review the effectiveness of security layers regularly to identify gaps
+5. Foster a [security-aware mindset](../awareness/cultivating-a-security-aware-mindset.md) across all team members
+
+## Principle of Least Privilege
+
+The Principle of Least Privilege dictates that users, systems, and processes should have only the minimum access rights necessary to perform their functions.
+
+> **🔗 Related Framework:** For comprehensive implementation, see [Identity and Access Management](../iam/) and [Role-Based Access Control](../iam/role-based-access-control.md).
+
+### Implementation
+
+1. Grant the minimum level of access required for users to perform their duties
+2. Review and adjust access rights when roles change
+3. Implement role-based access control (RBAC) to standardize permissions
+4. Use time-limited and just-in-time access for administrative privileges
+5. Regularly audit access rights to identify and remove excessive permissions
+6. Establish a thorough offboarding process to immediately revoke access when team members leave
+7. Remove credentials for deactivated accounts, as these can become security liabilities even when dormant
+
+## Need-to-Know Basis
+
+Information should only be shared with individuals who require that information to perform their duties.
+
+> **🔗 Related Framework:** This principle is supported by practices in [Data Protection](../operational-security/data-protection/) and aspects of [Privacy](../privacy/).
+
+### Implementation
+
+1. Classify information based on sensitivity and restrict access accordingly
+2. Compartmentalize sensitive information to limit exposure in case of a breach
+3. Implement clear data handling and sharing policies
+4. Train team members on proper handling and sharing of sensitive information through regular [security training](../awareness/security-training.md)
+5. Use secure communication channels for sensitive information
+
+## Threat Modeling for OpSec
+
+Threat modeling involves systematically identifying potential threats, vulnerabilities, and attack vectors to prioritize security controls.
+
+> **🔗 Related Framework:** For detailed methodology and implementation, see the [Threat Modeling](../threat-modeling/) framework, including guides on how to [Create and Maintain Threat Models](../threat-modeling/create-maintain-threat-models.md) and [Identify and Mitigate Threats](../threat-modeling/identity-mitigate-threats.md).
+
+### Implementation
+
+1. Identify critical assets and operations that need protection
+2. Enumerate potential threats and their impact on your organization
+3. Assess vulnerabilities that could be exploited
+4. Evaluate existing controls and their effectiveness
+5. Develop a prioritized plan to address identified risks
+6. Maintain awareness of common [threat vectors](../awareness/understanding-threat-vectors.md) relevant to your organization
+
+## Risk Assessment and Management
+
+Systematic evaluation and prioritization of security risks to guide resource allocation and security decision-making.
+
+> **🔗 Related Framework:** For comprehensive risk management strategies, refer to [Governance](../governance/) and [Risk Management](../governance/risk-management.md).
+
+### Implementation
+
+1. Identify and categorize assets based on their value and criticality
+2. Assess threats and vulnerabilities relevant to those assets
+3. Determine the likelihood and potential impact of security incidents
+4. Implement controls based on risk levels
+5. Regularly reassess risks as the environment and threats evolve
+
+## Continuous Monitoring and Improvement
+
+Security is not a one-time implementation but a continuous process of monitoring, evaluating, and improving.
+
+> **🔗 Related Framework:** For implementation details, see the [Monitoring](../monitoring/) framework, including [Guidelines](../monitoring/guidelines.md) and [Thresholds](../monitoring/thresholds.md). Also relevant is [Incident Management](../incident-management/) for response to detected issues.
+
+### Implementation
+
+1. Establish security metrics to measure the effectiveness of controls
+2. Implement monitoring systems to detect security events and anomalies
+3. Conduct regular security assessments and penetration tests
+4. Learn from security incidents and near-misses
+5. Update security controls based on new threats, vulnerabilities, and technologies
+6. Ensure team members are [staying informed and continuously learning](../awareness/staying-informed-and-continuous-learning.md) about evolving security threats
+7. Utilize available [security resources](../awareness/resources-and-further-reading.md) to keep your security practices current
+
+## Web3-Specific OpSec Principles
+
+In addition to traditional OpSec principles, Web3 environments require consideration of:
+
+> **🔗 Related Framework:** Explore the dedicated [Web3-Specific OpSec](../operational-security/web3-specific-opsec/) framework for comprehensive guidance.
+
+### Transparency vs. Privacy
+
+Balancing the transparent nature of blockchain with the need for operational privacy.
+
+### Implementation
+
+1. Understand what information is publicly visible on-chain
+2. Develop strategies to maintain operational privacy while utilizing public blockchains
+3. Use privacy-enhancing technologies where appropriate
+
+### Immutability and Finality
+
+Recognizing that blockchain transactions are generally irreversible, requiring heightened security before execution.
+
+### Implementation
+
+1. Implement robust verification procedures before executing transactions
+2. Use multi-signature requirements for high-value transactions
+3. Deploy transaction simulation tools to verify outcomes before execution
+
+### Self-Custody Responsibility
+
+> **🔗 Related Framework:** For detailed guidance on wallet security practices, see the [Wallet Security](../wallet-security/) framework.
+
+### Implementation
+
+1. Develop clear procedures for wallet security
+2. Implement separation of duties for transaction approval
+3. Balance security with operational efficiency
+4. [Stay up-to-date](../awareness/staying-up-to-date.md) with best practices in wallet security and custody solutions
+
+By adhering to these core principles, organizations can build a strong foundation for operational security that addresses both traditional and Web3-specific security challenges.

src/opsec-old/data-protection/README.md

@@ -0,0 +1,47 @@
+---
+tags:
+  - Security Specialist
+  - Operations & Strategy
+  - Devops
+  - SRE
+  - Compliance
+---
+
+# Data Protection
+
+Data is one of an organization's most valuable assets, and protecting it throughout its lifecycle is a critical component of operational security.
+
+## Introduction
+
+Data protection encompasses the strategies, policies, tools, and techniques used to secure data at rest, in transit, and in use. It involves not only technical controls but also procedural and administrative measures designed to safeguard sensitive information from unauthorized access, use, disclosure, disruption, modification, or destruction.
+
+## Key Components
+
+This section covers the following aspects of data protection:
+
+1. [Data Classification](./data-classification.md) - Categorizing data based on sensitivity and value
+2. [Encryption](./encryption.md) - Protecting data through cryptographic methods
+3. [Data Loss Prevention](./data-loss-prevention.md) - Controls to prevent unauthorized data exfiltration
+4. [Secure Data Sharing](./secure-data-sharing.md) - Methods for securely sharing data with authorized parties
+5. [Data Backup and Recovery](./data-backup-recovery.md) - Ensuring data availability and resilience
+6. [Data Minimization and Retention](./data-minimization-retention.md) - Principles for data lifecycle management
+
+## Risk-Based Approach
+
+Data protection should be implemented based on the sensitivity and value of the data being protected:
+
+1. Identify and classify data based on sensitivity and regulatory requirements
+2. Assess the potential impact of data breaches or loss
+3. Implement appropriate security controls based on risk levels
+4. Regularly audit data protection measures and adapt to evolving threats
+
+## Web3 Considerations
+
+In Web3 environments, data protection includes additional considerations:
+
+- The balance between on-chain transparency and privacy
+- Protecting cryptographic secrets that control assets
+- The implications of immutable data stored on blockchains
+- Privacy-preserving techniques for blockchain interactions
+
+The guidance in this section addresses both traditional and Web3-specific data protection considerations, helping organizations implement appropriate safeguards regardless of their technological environment. 

src/opsec-old/device-endpoint-security/README.md

@@ -0,0 +1,45 @@
+---
+tags:
+  - Security Specialist
+  - Operations & Strategy
+  - Devops
+  - SRE
+---
+
+# Device and Endpoint Security
+
+Securing the devices used by your organization is a critical component of operational security. Endpoints such as laptops, desktops, mobile devices, and servers are common entry points for attackers and require robust protection.
+
+## Introduction
+
+Device and endpoint security encompasses the policies, tools, and practices that protect individual computing devices from threats. As the boundary between work and personal devices blurs, and as remote work becomes more common, securing endpoints has become increasingly challenging and important.
+
+## Key Components
+
+This section covers the following aspects of device and endpoint security:
+
+1. [Standard Operating Environment](./standard-operating-environment.md) - Establishing and maintaining secure baseline configurations
+2. [Endpoint Protection](./endpoint-protection.md) - Tools and technologies to protect endpoints from malware and other threats
+3. [Mobile Device Security](./mobile-device-security.md) - Securing smartphones, tablets, and other mobile devices
+4. [Secure Configuration](./secure-configuration.md) - Hardening devices through secure configuration practices
+5. [Patch Management](./patch-management.md) - Keeping systems updated to address known vulnerabilities
+
+## Risk-Based Approach
+
+Device and endpoint security should be implemented based on the sensitivity of the data being handled and the criticality of the device to operations:
+
+1. Inventory all devices that access organizational resources
+2. Classify devices based on the data they handle and criticality to operations
+3. Implement appropriate security controls based on risk levels
+4. Regularly audit device compliance with security policies
+
+## Web3 Considerations
+
+In Web3 environments, device and endpoint security includes additional considerations:
+
+- Securing devices used for cryptocurrency transactions and wallet security
+- Protecting hardware wallets and other specialized Web3 hardware
+- Addressing the risks of browser-based Web3 interactions
+- Securing devices that participate in blockchain networks (e.g., validator nodes)
+
+The guidance in this section addresses both traditional and Web3-specific device and endpoint security considerations. 

src/opsec-old/digital-identity-access/README.md

@@ -0,0 +1 @@
+# Digital Identity and Access Management