ASIS CPP - Security Principles & Practices Flashcards

1
Q

Who is accountable for protecting the organization?

A

Leaders of Each Operating Unit

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

The Organization’s Security Function

A

Risk assessment, Policy & Supporting Infrastructure

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Who reports to a senior-level executive to ensure a strong liaison with leadership, demonstrate commitment and support and highlight the importance of security?

A

CSD

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Security department placement in the organization impacts its ability to:

A
  1. Expert influence
  2. Remain informed
  3. Garner resources to support programs and strategies
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Key competencies of the CSO

A
  1. Staff developer
  2. More strategies than tactical
  3. Highly ethical
  4. Responsible & dedicated
  5. Risk and crisis handler
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Security Managers

A
  1. Security managers are security specialists and business managers
  2. Effective security managers are the business partner
  3. Security managers should be in Senior management
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Ratio of direct reports to a single supervisor

A

Span of Control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

A limited number of direct reports

A

Effective Management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

The number depends on:

A
  1. Mature of work
  2. Type of organization
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Generally 1 ; 10 is best, but…

A

1 to 100 is possible with technology & flattened organization

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Management is less important in team environments and flat organizations

A
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

And individual reports to only one supervisor

A

Unity of Command

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Three tools of a strategically-managed assets protection program

A
  1. Planning
  2. Management
  3. Evaluation
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Assets Protection Program Management

A

A single office (or person) should be the assets protection focal point

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Convergence

A
  1. 2005 definition (ASIS): the integration of traditional & IT security
  2. Contemporary definition: the merging of various fields to protect critical assets
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Factors that change the understanding of and approach to assets protection:

A
  1. Threats mutate
  2. Technology advances
  3. Management evolves
  4. Business transforms
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Five avenues to address risk:

A
  1. Acceptance
  2. Avoidance
  3. Reduction (mitigation)
  4. Spreading
  5. Transfer
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Balancing security and legal considerations:

A
  1. Strong security alleviates the need for legal protection
  2. Strong legal protections alleviate the need for security
  3. Finding the appropriate mix of both solutions is the key
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Five D’s (used to be 3 D’s)

A

Deter

Deny

Detect

Delay

Destroy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Five forces shaping assets protection:

A
  1. Technology and touch
  2. Globalization in business (increases risks to)
  3. Standards & regulation
  4. Convergence of security solutions
  5. Homeland Security & the international security environment
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Globalization in business (increases risks to)

A
  1. Business transactions
  2. Information assets
  3. Product integrity
  4. Corporate ethics
  5. Liability
  6. Far-flung people and facilitiates
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

The most effective defense-in-depth program mixes

A
  1. Physical measures
  2. Procedural measures
  3. Electronic measures
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Defense - in - Depth

A

Effective Security measures are not oppressive or burdensome

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Sarbanes-Oxley Act of 2002

A
  1. Formerly known as the Public Company Accounting Reform & Investor Protection Acts of 2002
  2. Became Law on July 30, 2002
  3. Passed in response to accounting Scandals at public companies in the late 1990’s and 2000’s
  4. Established new accounting standards and business practices for US public companies, their beards, and the public accounting firms that serve them
  5. Requires CEO to certify, the accuracy of their organization’s financial statements
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

Surbanes-Oxley Act of 2002 (Ctd..)

A
  1. Compliance (particularly w/ Section 404) significantly burdens companies’ officers and boards and imposes both civil a criminal penalties on violators who commit fraud
  2. Established the Public Company Accounting Oversight Board
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Sarbanes - Oxley Acts of 2002 (Ctd…)

A
  1. Requires all publicly traded companies to have anonymous reporting methods for questionable accounting or auditing activities
  2. Limits an organization’s ability to provide strictly internal reporting mechanisms
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Standards in General

A

Address specific needs (like technical issues) health, safety, or environmental concerns, quality or compatibility require

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

Compliance with a standard is voluntary but a regulation may require compliance with a standard

A
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Nine main types of standards

A
  1. Basic
  2. Product
  3. Design
  4. Process
  5. Specification
  6. Code
  7. Managment systems
  8. Conformity assessment
  9. Personal certification
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

International Organization for Standardization (ISO)

A
  1. ISO is not an acronym “ISO’s” Greek for “equal”
  2. The world’s largest standards developer, based in Geneva, Switzerland
  3. Non-governmental organizations; participants are volunteers
  4. Does not regulate legislate or enforce
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

ISO (cntd…)

A
  1. A network of national standards institutes from 159 member countries; each has one vote - the US representatives is the American National Standards Institute (ANSI)
  2. ISO standards often become recognized as industry best practices and defacto market requirements
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

ISO (cntd…)

A
  1. Based on international consensus, ISO standards address the global business community & are developed only when there is an identified market need or to facilitate international or domestic trade; ISO standards are designed to be globally relevant
  2. Employs a transparent process for developing standards based on consensus among the interested parties, not by majority vote: all major concerns & objections must be addressed
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

ISO (cntd…)

A
  1. Approximately 1000 technical groups in which more than 50,000 experts participate annually
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

Forged in 1916 as “clearing house” for Standards Developing Organizations (SDO’s) in the U.S.

A

ANSI

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

An organization’s, company, agency or group that develops standards

A

SDO

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

Administrator & coordinator of the U.S. private sector voluntary standardization system

A

ANSI

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

ANSI

A

Decentralized & partitioned into industrial sectors and supported by hundreds of private sector SDO’s

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

The only creditor of US Voluntary Consensus SDO’s

  1. 600 SDO’s in the US
  2. 200 SDO’s accredited by ANSI to develop American National Standards including ASIS NFPA & SIA
A

ANSI

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

The sole US representative to the two major non-treaty international standards

Organizations: ISO & IEC (International Electrotechnical Commission)

A

ANSI

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

Represents more than 125,000 companies and organizations & 3.5 million, professionals worldwide

A

ANSI

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
41
Q

Provide broad descriptions of how operations will be conducted

A

Policies

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
42
Q

May be affected by different regulations for different businesses such as:

A
  1. Minimum wage (Federal & State) FMLA OSHA
  2. Regulations for government data
  3. Building codes
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
43
Q

Policies

A
  1. Should be useful & simple without overloading employees
  2. Should be developed closely with managers
  3. should provide details of operations & the efforts of policy changes
  4. Should create management buy-in through collaboration in development
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
44
Q

Security Policies

A
  1. Establish strategic security objectives & priorities
  2. Identify those accountable for physical security
  3. Set forth responsibilities & expectations for managers, employees & others
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
45
Q

Procedures

A
  1. Instruct employees how to react to various issues
  2. Are clearly articulated to prevent confusion
  3. Address a wide variety of topics including all topics important for daily functions
  4. Are widely promulgated & refreshed with employees regularly
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
46
Q

Procedures

A
  1. Reflect the ideal functionality of the organizations
  2. Support proper staff behavior & facilitate a hospitable safe workplace
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
47
Q

Security Procedures

A
  1. Are detailed implementation instructions for staff to carry out security policies
  2. Are often overlooked as an asset protection tools

revised procedures can enhance security while improving bottom-line

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
48
Q

What has been extended into streets and other public areas?

A

Premises Liability of Owners

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
49
Q

ASIS facilities Physical Security Measures guideline defines risk management as a business discipline consisting of what three major functions?

A
  1. Loss prevention
  2. Loss control
  3. Loss indemnificaiton
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
50
Q

Risk Assessment

A

A proactive strategy for security/risk mitigation supports sustainable, healthy, productive organizations and is a critical responsibility of senior leadership & governing boards

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
51
Q

What was developed in the insurance industry?

A

Risk Assessment

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
52
Q

Who should be responsible for all of the organization’s security/risk strategy

A

Senior Executive

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
53
Q

An uncertain situation with a number of possible outcomes, one or more of which is undesirable

A

Risk

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
54
Q

What does risk include?

A

all negative events for an organization their impact likelihood & how soon they may occur (imminence)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
55
Q

Two things that risk assessment does with all risks

A

Defines & Quantifies

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
56
Q

3 things risk assessment techniques may be

A
  1. Heuristic (ad hoc)
  2. Inductive (qualitative) (bottom-up approach)
  3. Deductive (quantitative) (top-down approach)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
57
Q

Inductive

(qualitative - bottom-up approach)

A

1. risks identified at the beginning of the analysis

2. Identified risks are the starting point not the result

3. This method may produce incomplete results

4. This method makes use of “event trees” that trace an initiating event through a sequence with different possible outcomes

5. Does not readily lend itself to feedback loops in the event trees

6. This method focuses on scenarios which may fail to account for concurrent attacks

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
58
Q

Deductive

quantitative - top-down approach

A
  1. Risks result from a systemic deductive top-down approach
  2. Uses “logic diagrams” & “fault trees” along with event trees
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
59
Q

When an entire population is at risk

A

Societal Risk

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
60
Q

Risk assessments attempt to find answers to three primary questions

A
  1. What can go wrong?
  2. What is the likelihood of it going wrong?
  3. What is the impact if it goes wrong?
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
61
Q

Risk management attempts to answer four primary questions:

A
  1. What can be done about identified risks?
  2. What options are available?
  3. What are the associated trade-offs of the options?
  4. What are the impacts of current management decisions on future options?
62
Q

5 things that risk assessments include

A

1. Identifying internal & external threats & vulnerabilities

2. Identifying the probability and impact of an event arising from such threats or vulnerabilities

3. Defining critical functions necessary to continue the organization’s operations

4. Defining the controls in place exposure

5. Evaluating the cost of such controls

63
Q

Risk Formula

R = T x A x V

A

R = Residual risk

T = Threat a combination of threat definition & likelihood of an attack

A = Asset to be protected

V = Vulnerability represented by system effectiveness

64
Q

Coordinated activities to direct & control an organization with regard to risk

A

Risk Management (ISO)

65
Q

Although definitions of risk management vary, they generally agree that it relies on

A
  1. Risk assessment (which relies on a vulnerability assessment)
  2. Threats
  3. Asset value
  4. Vulnerability
66
Q

Major types of risk assessment

A
  1. Quantitative (hard numbers, history statistics)
  2. Qualitative (“feel” predictions experience etc.)
67
Q

Security typically relies on qualitative not quantitative assessment

A
68
Q

Risk is expressed in:

A
  1. Threat
  2. Consequence (impact)
  3. Vulnerability (likelihood probability)
69
Q

Risk Analysis Includes

A
  1. Risk assessment
  2. Risk evaluation
  3. Risk management alternatives
70
Q

A recommended approach for conducting a general risk assessment

A
  1. Understand the organization & identify the people & assets at risk
  2. Specify loss risk events/vulnerabilities
  3. Establish the probability of loss risk & frequency of events
  4. Determine the impact of the events
  5. Develop options to mitigate risks
  6. Study the feasibility of implementation of options
  7. Perform a cost/benefit analysis
71
Q

The value of a risk analysis depends upon…

A

The skill of the analysis

72
Q

Higher risk in high-rise buildings

A

1. More people = more property & more property = more opportunity for crime

2. More people = more chances of internal crime

3. More people = more anonymity

4. Easy access to the public in CBO’s - easy access to mass transit

5. Elevators & stairwells can be risky places

73
Q

Higher risk in high-rise buildings…ctd

A
  1. Risky, neighboring tenants
  2. Tough to control threats & respond to incidents (too many people & environment is complex)
  3. Evacuations are difficult
  4. More critical threats in high-rise include fire, explosion & contamination
  5. The ability to mitigate threats for high-rise depends on structural design & use of technology to:
    - Deter & detect a threat
    - Communicate a threat’s nature & location
    - Initiate automatic or Org. responders
74
Q

3 General types of assets

A
  1. People
  2. Property
  3. Information
75
Q

Tangible assets can be seen, touched or directly measured in physical form

A
  1. Facilities/buildings
  2. Inventory
  3. Cash
  4. Supplies / Consumables

Equipment, raw, materials, accounts payable, telecom systems, other capital assets

76
Q

Intangible assets can include

A
  1. Reputation & image
  2. Brand recognition & loyalty
  3. Vendor diversity
  4. Past performance
  5. Quality assurance processes
  6. Workforce retention
  7. Human capital development
77
Q

The amount of protection require by an enterprise is a function of:

A
  1. Value of the asset
  2. Risk tolerance of the enterprise
78
Q

Three general methods of valuing assets

A
  1. Dollars (most important measures)
  2. Consequence criteria
  3. Policy (prescribed protection levels)
79
Q

Asset value may be expressed in…

A
  1. Criticality
  2. Consequences of loss
  3. Severity
80
Q

Cost-of-loss Formula

K = (Cp + Ct + Cr + Ci) - I

A

K = Criticality, the total cost of loss

Cp = Cost of permanent replacement

Ct = Cost of temporary substitute

Ci = Lost income

I = Insurance

81
Q

A loss isn’t measured just by replacement it also includes:

A

Lost income

Sales

Downtime

(Indirect Costs)

82
Q

Security losses are:

A
  1. Direct (money, negotiable instruments, property, information..)
  2. Indirect (harm to reputation, loss of goodwill, loss of employers, harm to employees morale…)
83
Q

Threats & Less Events

Pure Risks

A

Crime

Conflicts of Interest

Natural disaster

Civil disturbance

War/insurrection

Terrorism

Accident

Maliciously willful or negligent personal conduct

84
Q

Less risk event (threat) categories

A

Crimes

Non-Crime (human or natural)

Consequential

85
Q

Threat classes

A
  1. Insiders
  2. Outsiders
  3. Collusion
86
Q

Threat Tactic Categories

A

Deceit

Force

Stealth

Combination

87
Q

A detailed list of threats; key to determining the Design Basis Threat (DBT)

A

Threat Spectrum

88
Q

The threat against which countermeasures are designed to protect

A

Design Basis Threat (DBT)

89
Q

Motivation

Tools

Competence

Knowledge

A

Threat Considerations

90
Q

A risk analysis that considers the entire threat spectrum must be performed because…

A

As the threat increases, performance of individual security elements or the system as a whole will decrease

91
Q

Cost Abatement

Coverage of losses by Insurance

A
  1. Insurance pay-off should be subtracted from the total loss of an asset
  2. Insurance payments & premiums should reduce the insurance pay-off
92
Q

Nine probability factors for threats & loss events

A
  1. Physical environment (neighborhood & vicinity)
  2. Overall geographical location
  3. Social environment
  4. Political environment
  5. Economic environment
  6. Historical experience for the organization
  7. Historical experience for the industry
  8. Procedures & processes
  9. Criminal state-of-the-art
93
Q

Threat likelihood may be expressed in

A

Frequency

Probability

Qualitative estimate

94
Q

A weakness that can be exploited by an adversary

A

Vulnerability

95
Q

The process of identifying & quantifying vulnerabilities

A

Vulnerability Assessment

96
Q

A method of identifying the weak points of a facility, entity, venue or person

A

Vulnerability Analysis

97
Q

A vulnerability assessment is used to…

A

Determine PPS effectiveness

98
Q

What determines system requirements before design & implementation

A

Vulnerability Assessment

99
Q

A frequency of vulnerability assessments

A
  1. Before system implementation
  2. Upon upgrades
  3. Periodic system effectiveness tests
100
Q

A vulnerability assessment should include

A
  1. Facility & operations description (facility characterization)
  2. Threats & assets
  3. Constraints related to the VA or the site
  4. Existing countermeasures
  5. Vulnerabilities in countermeasures
  6. Baseline analysis of system effectiveness
  7. Recommendations for countermeasures improvement
  8. Analysis of expected improvements
101
Q

A site survey is part of the vulnerability assessment

A
102
Q

Types of Testing

A
  1. Functional test (components are performing as expected)
  2. Operability testing (components are being used properly)
  3. Performance testing (repeats tests to determine component effectiveness against different threats)
103
Q

Testing Approaches

A
  1. Compliance - based
    - conformance to specified policies or regulations
    - “Feature-based” approach
    - Effective only for low threats, low less impacts, and CBA - supported cost decisions
    - Easier to perform
    - The metric for this analysis is the presence of the specified equipment & procedures
104
Q

Testing Approaches

A
  1. Performance-based
    - Evaluates how much element of the PPS operations
105
Q

What is the biggest mistake made when conducting a Vulnerability Assessment?

A

Concentrate on individual PPS components & address upgrades only at that level, not at the level of the overall system

106
Q

Three primary functions of a PPS to be tested

A
  1. Detection measures
  2. Delay measures
  3. Response measures
107
Q

Detection Measures

A
  1. Probability of detection
  2. The time required to report & assess alarms
  3. Includes entry controls
108
Q

Delay Measures

A
  • Layers of security sum up to total delay time
  • Delay time considered after detection
109
Q

Response Measures

A
  • Time to interruptions of the adversary
  • Accuracy of deployment
110
Q

An effective assessment system provides two types of information

A
  1. Whether the alarm is valid or nuisance
  2. Key details about the cause of the alarm (what, where, how many)
111
Q

Containment Strategy

A
  1. Detect - prompt detection & reliable notification
  2. Delay - extend adversary task time
  3. Respond - timely, aware, equipped, and trained responses
112
Q

Carver & Stock vulnerability assessment

A
  1. Developed by US government during WW2 as targeting process
  2. Declassified in 2003
  3. Criticality (impact of the attack)
  4. Accessibility (ability to get in & out)
  5. Recoverability (ability of target to recover)
  6. Vulnerability (ease of compromising target)
  7. Effect (direct loss)
  8. Recognizability (target identifiability)
  9. Shock
113
Q

Risk Management Options

A

Mitigation

Acceptance

Transfer

Spreading

Avoidance

* Risk Financing = Insurance

114
Q

Risk can be reduced in 3 ways

A
  1. Prevent the attack
  2. Protecting against attack
  3. Mitigating consequences of an attack
115
Q

Mitigation means reducing consequences

A
  1. Mitigation focuses solely on reducing consequences
  2. It may be implemented before during and after the attack
116
Q

General categories of risk reduction

A
  1. Equipment & hardware
  2. Policies & procedures management
  3. Staffing
117
Q

Mitigation strategies must be evaluated by…

A
  1. Availability
  2. Affordability
  3. Feasibility
  4. Application to operations
118
Q

Except for certain high-value irreplaceable items an organization should base its protection strategies on a realistic cost-effective rationale

A
119
Q

What are the least expensive counter-measures one can employ for asset protection tools?

A

Procedural Controls

* Revised procedures can enhance security while improving the bottom line for the enterprise

120
Q

A phrase that defines a call-to-order for assistance against a crime similar to “observe & report” of today

A

Hue & Cry

121
Q

“Shire-Reeve was later shortened to?

A

Sheriff

122
Q

What was first described as “the king’s peace”

A

Government Policing

* Civil torts became crimes against the king’s peace; the “state” collected penalties instead of the people obtaining civil judgments

123
Q

Name of the first police department organized by Sir Robert Peel in London, 1829?

A

The Peelers

124
Q

Arrangements of public safety policing

A
  1. Private environment supplement
  2. Public Environment Replacement
  3. Public Environment Supplement
125
Q

Public safety policing model structure

A
  1. Tactical operations
  2. Technological systems
  3. Order maintenance provisions
126
Q

When do “private police” have arrest powers?

A

Only when they are on duty

(may include qualified immunity)

127
Q

7 Distinctions between public & private policing

A
  1. Public police - duty sworn
  2. Public police - monopolized service is less efficient even complacent
  3. Public police - constitutional protections apply
  4. Private police - employed by private firms
  5. Private police - a perception of lacking the same authority as public police
  6. Private police - tends to focus on loss reduction or asset protection
  7. Private police - provider competition drives better service & value
128
Q

The success of privatized police requires

A

Competition

Accountability

Standards

129
Q

Private Policing

A

Low priority call handling like residential alarms: 20% = crimes, 80% = non-emergencies

130
Q

Community policing efforts are expensive & resource-intensive

A
131
Q

Fear of crime is exacerbated by signs of criminal activity

A
132
Q

What 2 activities represent chaotic conditions that result in more serious criminal activity?

A

Incivility & Disorder

* If incivility is not perceived to be a problem resident may be able to cope with higher rates of crime

133
Q

Order Maintenance

A
  1. Used in community policing, may reduce crime (lack of order can lead to high crime or fear)
  2. A core goal of community policing is to focus on fear reductions through order maintenance techniques
  3. A disorder is characterized by reduced social controls, such as panhandling, loitering, youth taking over parks & street corners, public drinking, prostitution, graffiti, and other disorderly behaviors
134
Q

Order Maintenance (ctd…)

A
  1. Disorder tends to cause a greater sense of risk & loss of control
  2. The disorder causes more awareness of the consequences of a criminal attack
  3. As disorder causes crime to increase the community sinks further with conditions that lead to even more crime
  4. An alternative theory to socioeconomic impact of crime is that the completion of a crime simply requires the convergence in time & space of an offender a suitable target, and the absence of guardians
135
Q

3 Categories of consultants

A
  1. Security management consultants
  2. Technical security consultants
  3. Security forensic consultants
136
Q

Security Consultants

Which roles may undertake forensic assignments

A

Security management consultants & technical security consultants

137
Q

Security Consultants

The decision to retain security consulting services is typically driven by a specific…

A

Problem

Need

Challenge

Goal

138
Q

Security Consultants

Security consultants might be retained because…

A
  1. lack of in-house time or specialized knowledge
  2. Need for objective assessment particularly for liability or due diligence situations
  3. Need for fresh ideas, or independence from internal politics
  4. Need for flexibility of contracted personnel
  5. Recognition that management may be more amenable to a consultant’s ideas because of broader experience industry knowledge
139
Q

Security Consultants

Resistance to the use of security consultant usually reflects concerns

A
  1. Asking for outside help suggests the security staff is incompetent
  2. A negative report from an outsider reflects unfavorably on the security program
  3. The organization’s policies & procedures could be compromised by an outsider who would become intimately familiar with the enterprise
140
Q

Effective security programs typically include a well-thought-out array of security measures

A
141
Q

Finding a security consultant

A
  1. Best source: Referral from a colleague
  2. Industry associations with consultants as mentors
  3. Industry - specific associations
142
Q

Professional consultants are restrictive in the assignments they will accept

A
  1. Most consultants specialize & may not see themselves as suited for every need
  2. Clients should be cautious of a consultant claiming to be able to address all aspects of security
143
Q

Security Advisory Committee (SAC)

Comprised of members from key corporate functions

A
  1. Chaired by a project coordinator
  2. Members should have stature & creditability
  3. Members should be able to offer useful opinions about security
144
Q

SAC Purposes

A
  1. Determine adequacy of security measures determine if a consultant is necessary
  2. Critically examine the security program
  3. Maintain general oversight of security program
  4. Assist in meeting corporate & government requirements
145
Q

SAC Objectives

A
  1. Review the corporate security program at least quarterly
  2. Determine if additional protective measures are needed
  3. Advise of any needed changes to security policies or procedures
  4. Review new program suggestions
  5. Field criticism or suggestions
146
Q

Security Awareness

A
  1. “An asset’s protection program will not succeed unless it cultivates the willing cooperation of those affected by it & meshes its goal with the personal goals of the workforce
  2. Means consciousness of the program its relevance and individual risk responsibility
  3. Is a continuing attitude that encourages actions in support of security
  4. Solicits conscious attention and is embraced by senior personnel
147
Q

Security Awareness (cntd…)

A
  1. Causes all personnel to become force multipliers
  2. Highlights the program’s contribution to financial goals
  3. Conveys the program’s benefits & ROI
  4. Conveys to middle management support of business goals
  5. Conveys to supervision the program’s value
  6. Is refreshed more often than just at new hire orientation
  7. Is explained in depth to non-employees
148
Q

One of the most cost-effective assets protection tools is…

A

Security Training & Awareness

149
Q

One of the most important missions of security awareness is…

A

To familiarize employees with the organization’s policies & procedures

150
Q

Two categories of employees fail to follow policies

A

Uneducated Employees

Arrogant Employees

151
Q

Security Awareness Potential Obstacles

A

A cooperative employee is less likely to circumvent security