Hear ye! Hear ye! Hear ye! I’ve got a message for you. It’s not the most important one I’ll ever give or the best written one I’ve ever given but it does go to the heart of an argument that has been raging since the early ’70’s. And the question is this: How long should a Critical Information List (CIL) be?
The best CIL I’ve ever seen was in an organization that required all personnel to wear badges within the confines of the building. The organization took their 12-item CIL - I say again their 12-item CIL - put it on a card and laminated it for all personnel to wear with their identification badge. Each person in the organization had access to the CIL at all times. This is about as good as it gets folks.
On the other hand, a good number of seasoned OPSEC professionals disagree with me on this subject. They’ll tell you that a “comprehensive” CIL is the only way to ensure that all of your critical information will be protected. Sound logic to be sure. Unless you take into account the human factor. I don’t know how many of you have photographic memories and can remember a 73, or 103 or 276 item CIL, but I sure can’t. 276 items! Are you freaking kidding me? How is this usable? My personal experience is that when I’m shown a CIL with more items than my wife’s grocery list I tend to ignore it. I know I can’t memorize it and if I’m on the phone or typing an email I most likely won’t consult the “Big Book of CILs” to see if I should be communicating the information. But if you show me a list that I can wrap my brain around, say about 20 items, then I’ll study that sucker and be able to commit most of it to memory. And even if I can’t memorize it I can pin it up somewhere in my cubicle where I can actually consult it quickly if need be.
There are too many things in our complicated lives to remember already. I’m forever writing things on sticky’s so I don’t forget them. Then I’ve got the task list in my Microsoft Outlook so I don’t forget anything. I’ve also got a long to-do list in my 7-Habits Daily Planner which is also loaded onto my Blackberry and then as a fail safe, I’ve got my wife around who is constantly reminding me of things I’ve already forgotten. And when I do make it to the grocery store my wife will make a list for me because she just knows I’ll forget something.
And finally on the subject of short CIL’s - remember the KISS Principle - Keep It Simple Stupid. The shortest Critical Information List I ever saw had only one item. “We are a military organization charged with protecting the freedom of the American peoples and their allies - keep your damn mouth shut!” I could argue that there should probably me a couple of more items but damn it - I like their attitude.
Keep the Faith!
Revelator
1. August 2008 at 03:11
Does it make sense to use two CILs? Or even more? Like giving a CIL to the IT department with their stuff, and a CIL to reception, etc?
1. August 2008 at 16:39
For me - I want an individual CIL for each section or sub-section in the organization. I want every single employee to have posted in their cubicle a CIL that speaks to the specific information they are dealing with on a day to day basis. Certainly these individual CILs will need some items that apply to all unit/company members but from then on it should be specific to their mission. If I work in supply I want to see a CIL that speaks to supply. Same for admin, weapons and all other areas. I may even keep a copy of the complete CIL package so I can understand the big poicture but for a quick reference I want to see my stuff and not have to dig through seven pages of crap to get to it. Critical to the success of such a CIL package is education. Each employee needs to understand that a big CIL exists and also how each section relates to the overall security of a project, mission, or organization.
Revelator