Operations security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.
The underlying principles of denying an adversary information are centuries old. In fact, George Washington was quoted as saying: "Even minutiae should have a place in our collection, for things of a seemingly trifling nature, when enjoined with others of a more serious cast, may lead to valuable conclusion." Millennia before, Sun Tzu wrote, “If I am able to determine the enemy’s dispositions while at the same time I conceal my own, then I can concentrate and he must divide.”
OPSEC as a methodology was developed during the Vietnam War, when Admiral Ulysses Sharp, Commander-in-chief, Pacific, established the “Purple Dragon” team in order to determine how the enemy was able to obtain advanced information on military operations.
The team realized that current counterintelligence and security measures alone were not sufficient. They conceived of and utilized the methodology of “Thinking like the wolf”, or looking at your own organization from an adversarial viewpoint. They discovered that US forces were unvarying in their tactics and procedures, and were able to make certain predictions based on that knowledge.
When developing and recommending corrective actions to their command, they then coined the term “Operations Security” 
The following information was provided by Sam Fisher, Lead of the Purple Dragon team, to The Operations Security Professional's Association:
Sam served for 4 years in the Air Force and was an Intel Analyst in the Korean War. After the Korean War, he went on to work with the NSA in the same capacity. Fast forward to Vietnam, when it became apparent that "Charlie" was somehow getting advanced information regarding upcoming operations. Admiral Sharp formed two working groups in order to determine the cause.
One of these groups was the CI group. After a long analysis, they concluded that "the enemy was everywhere". That wasn’t exactly the smoking gun that they were hoping for.
Fisher's group was the COMSEC group. They decided to institute a then-experimental COMSEC survey, which involved interviewing mission participants and planners and determining organization structure. At first, there was resistance as to the format of the survey, but it was concluded that an interview structure was the best.
But then who to do the interviews? CI and Comm. folks both said that they were "too busy" to do it, so they approached the Operations group. Col. Chance took the idea and elaborated on it to include vulnerability analysis and exploits. Then, he formed TDY teams to officially conduct the analysis.
Now here's the interesting part. According to Sam, they requested that they be able to keep the name "purple dragon". See, the name was given to the particular study, and was not meant to be a permanent name. In fact, the name was chosen from a list of available program names provided by JCS, and was chosen because it sounded good.
I also asked him about the dragon itself (which prompted the above answer), as I was curious how they saw it. There was never an official determination, but he likes the idea of the dragon as the good guy, and guarding the “treasure”.
According to Sam, the team was putting the final touches on the report in Col Chance's office, when they realized that they needed a name for what they were doing. Looking at it, they felt that it was essentially Operations Analysis, but felt that they were doing something unique, and it shouldn't share a name with thousands of other programs. That's when Sam mentioned that the NSA wouldn't contribute personnel (namely, him) without a security element. Col. Chance suggested the name Operations Security, and the rest is history.
After 'Nam, Sam, Ron Samuelson and Tom Kerry tried to pitch the principles of OPSEC to other government organizations. Although they all seemed to think that it was a great idea, none of them wanted to work together. That's when they saw a need for an interagency OPSEC group. (See where this is going?)
They tried to pitch this idea to every conceivable group, and achieved only limited success. The NSA (Adm. Bobby Inman, specifically) liked the idea, but didn't want official involvement. The military branches wouldn't touch it with a ten-foot pole. The DOE, however, liked the idea and committed some support to it, but it was the GSA that contacted Sam and offered its full support.
Sam drafted up a document describing the need for and use of this type of organization and gave it to his friend, Ken DeGraffenreid liked it, and wanted to get it to the President (Reagan) as soon as possible. Unfortunately, the re-election campaign took priority, but several years later, NSDD298 made it to the desk of General Colin Powell for review. A “friend” at the White House contacted Ron Samuelson to inform him that the draft was going to be rejected because Powell objected to the phrasing. Ron quickly dictated a new introduction and other elements.
Shortly after that day, NSDD298 was officially drafted and signed, forming the Interagecy OPSEC Support Staff (IOSS). 
1) Identification of Critical Information: Identifying information vitally needed by an adversary, which focuses the remainder of the OPSEC process on protecting vital information, rather than attempting to protect all classified or sensitive unclassified information.
2) Analysis of Threats: the research and analysis of intelligence, counterintelligence, and open source information to identify likely adversaries to a planned operation.
3) Analysis of Vulnerabilities: examining each aspect of the planned operation to identify OPSEC indicators that could reveal critical information and then comparing those indicators with the adversary’s intelligence collection capabilities identified in the previous action.
4) Assessment of Risk: First, planners analyze the vulnerabilities identified in the previous action and identify possible OPSEC measures for each vulnerability. Second, specific OPSEC measures are selected for execution based upon a risk assessment done by the commander and staff.
5) Application of Appropriate OPSEC Measures: The command implements the OPSEC measures selected in the assessment of risk action or, in the case of planned future operations and activities, includes the measures in specific OPSEC plans. 
An OPSEC assessment is an intensive application of the OPSEC process to an existing operation or activity by a multidisciplined team of experts. Assessments are essential for identifying requirements for additional OPSEC measures and for making necessary changes in existing OPSEC measures. Additionally, OPSEC planners, working closely with Public Affairs personnel, must develop the Essential Elements of Friendly Information (EEFI) used to preclude inadvertent public disclosure of critical or sensitive information.