Cards 1-40

Question 1

Risk is measured by:

Answer 1

Determining the value of the asset in relation to the threats and vulnerabilities associated with it….

Question 2

Security risk rating =

Answer 2

Security risk rating =

asset value x threat likelihood x Severity of incident x Vulnerability

Question 3

Categories of assets exposed to risk?

Answer 3

Physical - facilities; operational & industrial control systems & on-site processes and assets.

Non-physical - geo-political landscape; culture, speed of decision making and intensity of competition;

Logical - information & digital assets and the network or digital space that connects them.

Question 4

The risk assessment process should be revisited?

Answer 4

cyclically and continuously because of the elements that are constantly subject to change.

Question 5

The purpose of a security survey?

Answer 5

-determine current seurity posture
-IDentify deficiencies and excesses,
-compare current SP with what would be appropriate; and
-recommend improvements.

Question 6

When considering vulnerabilities, what 8 factors should be addressed?

Answer 6

-lack of backup for critical functions;
-single points of failure;
-co-location of critical systems, organizations and components;
-inadequate preparedness for attacks;
-too easy for an aggressor to attack the facility;
-inadequate security;
-presence of hazardous material
-potential for collateral damage from nearby companies

Question 7

A security survey focuses more on vulnerabilities than a…..

Answer 7

Physical Security assessment

Question 8

A cost benefit analysis should be used in both a…….

Answer 8

Physical security assessment and a risk assessment.

Question 9

The five functions included in a functional approach to a physical security assessment include:

Answer 9

• Security architecture and engineering;
• Structural security measures;
• C, P, T, E, D
• Electronic Security Systems;
• Security officers and the
  Human element

Question 10

Typical areas assessed in a physical security assessment include:

Answer 10

Barriers, doors, windows, openings;
-locks, safes and containers;
-signage; lighting; alarm and electronic systems;
-vehicle traffic and parking controls;
-visitor management;
-package handling

Question 11

Automated assessment tools should only assist in completing surveys because they…..

Answer 11

• may give a false sense of knowledge;
  -may have a high cost;
  -may have complex software; and
• they can’t capture unquantifiable characteristics.

Question 12

Defense in depth?

Answer 12

An adversary must overcome a number of protective features in Sequence

Question 13

Why does each layer of security require a separate act by the adversary?

Answer 13

-causes Uncertainty in the perp’s mind;
-increases attack preparation time;
- adds steps to the intrusion and
-allows for more police or guard force response time.

Question 14

Layered security should have i______ at each of the layers?

Answer 14

Interdependencies

Question 15

Purposely left blank

Answer 15

Purposely left blank

Question 16

What is the principle of balanced protection?

Answer 16

-the protection system’s individual applications and components will be integrated and converged so that they provide an equal level of protection.

Question 17

The appraisal component of the security survey involves…?

Answer 17

Developing and communicating recommendations for enhancements.

Question 18

What is the focus of a physical security assessment?

Answer 18

The risks to the physical assets and property of an organization and the protection measures (against any risk) that constitute the realm of physical security.

Question 19

The physical security assessment could provide the basis for …what?

Answer 19

A comprehensive & integrated security analysis and risk assessment;
-identifying security gaps;
-identifying a range of Solutions and their pros and cons; and
-assisting in the development of the org’s security risk management
continuity, response and recovery programs.

Question 20

What costs are considered in a cost-benefit analysis?

Answer 20

Technology;
Time
Opportunity;
Process;
Personnel; and
-Overall capability costs

Question 21

The 3 most common approaches to a physical security assessment?

Answer 21

Outside-inward approach;
Inside-Outward approach; and
Functional approach

Question 22

What is it called when the assessment team acts as the aggressor and moves from outside the facility through successive layers of security toward the asset?

Answer 22

Outside-inward physical security assessment approach

Question 23

When the assessment team acts as the defender and works from the asset out towards the outer perimeter it’s called….?

Answer 23

The inside-outward physical security assessment approach

Question 24

When the security assessment team evaluates security functions/disciplines and collates the findings from the assessment component it’s called?

Answer 24

The functional (security discipline) physical security assessment approach

Question 25

The five criteria of a good security survey report?

Answer 25

Accurate
Clear
Concise
Timely and
Slant or pitch

Question 26

The six objectives of physical access control include:

Answer 26

-deter intruders and deny covert/overt action;
-distinguish authorized from unauthorized;
-delay and prevent intrusion;
-detect and monitor actual intrusions;
-trigger incident response from security/police;

Question 27

An asset is anything with:

Answer 27

Tangible or intangible value

Question 28

Risk-analysis is a process for

Answer 28

identifying asset values, threats and vulnerabilities to determine risks.

Question 29

Two ways an asset’s criticality is determined?

Answer 29

-based on the org’s mission/goals and ;
-how the org would recover if the asset was no longer available.

Question 30

Three steps to identify an org’s assets are:

Answer 30

-Define Primary business functions;
-ID site/bldg infrastructure and systems; and;
-ID the org’s tangible & intangible assets.

Question 31

The two types of costs considered when valuing an asset are?

Answer 31

Direct and indirect costs

Question 32

Factors to consider in valuing assets:

Answer 32

-injuries related to facility damage
-Asset replacement costs;
-revenue loss BC of lost functions;
-whether there are backup systems
-availability of replacements;
- critical information value;
-impact on revenue and reputation

Question 33

When determining asset values, some direct costs are?

Answer 33

-Financial losses/value of goods;;
-insurance costs rise;
-insurance deductibles increase;
-lost business;
-higher labor costs;
-mgmnt time dealing with event;
- punitive court judgements not covered by insurance

Question 34

Indirect costs of asset value determination include:

Answer 34

-neg media coverage
-neg consumer perception;
- PR costs to improve image;
-insurance costs rise bc placed in a higher risk category;
-Have to pay higher wages to get workers;
-shareholder lawsuits for mismanagement;
-poor employee morale; higher turnover/ work stoppages.

Question 35

What legal & regulatory procedures should be part of a physical asset protection program?

Answer 35

-identify the legal and regulatory schemes the org uses with its assets/activities/functions/products/services/stakeholders/supply chain;
-determine how these schemes apply to its risks;
-ensure these schemes are taken into account in establishing, implementing & maintaining its physical asset protection program.

Question 36

Two types of assets include:

Answer 36

Tangible and intangible assets

Question 37

Assets can be valued in two ways:

Answer 37

-assigned a relative value based on Priority and
-apply a cost of loss formula;

Question 38

What is the cost of loss formula to calculate an asset value:

Answer 38

K=(cp + ct + cr + ci) - i

K= ttl cost of loss;
Cp-cost of permanent replacement
Ct-cost of temporary substitute;
Cr - total related costs (removal and installation)
Ci- lost income costs
I- available insurance or indemnity

Question 39

Two types of adversaries:

Answer 39

-one uses intrusion to get at an asset, and
-one who attacks from outside

Question 40

Two common physical security compliance metrics used in the public sector are:

Answer 40

-compliance of facilities and
-compliance of systems