Cards 1-40 Flashcards
Risk is measured by:
Determining the value of the asset in relation to the threats and vulnerabilities associated with it….
Security risk rating =
asset value x threat likelihood x Severity of incident x Vulnerability
Categories of assets exposed to risk?
Physical, non-physical and logical….
Physical:
- facilities;
- operational & industrial control systems &
- on-site processes and assets.
Non-physical:
- geo-political landscape;
- culture,
- speed of decision making and
- intensity of competition;
Logical:
- information & digital assets and
- the network or digital space that connects them.
The risk assessment process should be revisited?
cyclically and continuously because of the elements that are constantly subject to change.
The purpose of a security survey?
-determine the current security posture;
-identify deficiencies and excesses;
-compare the current security posture with what would be appropriate; and
-recommend improvements.
When considering vulnerabilities, what 8 factors should be addressed?
-lack of backup for critical functions;
-single points of failure;
-co-location of critical systems, organizations and components;
-inadequate preparedness for attacks;
-inadequate security;
-too easy for an aggressor to attack the facility;
-presence of hazardous material; and
-potential for collateral damage from nearby companies.
A security survey focuses more on vulnerabilities than a…..
Physical Security assessment
A cost benefit analysis should be used in both a…….
Physical security assessment and a risk assessment.
The five functions included in a functional approach to a physical security assessment include:
- Security architecture and engineering;
- Structural security measures;
- CPTED (Crime Prevention Through Environmental Design);
- Electronic security systems; and
- Security officers and the human element.
Typical areas assessed in a physical security assessment include:
-barriers, doors, windows, openings;
-locks, safes and containers;
-signage; lighting; alarm and electronic systems;
-vehicle traffic and parking controls;
-visitor management; and
-package handling.
Automated assessment tools should only assist in completing surveys because they…..
-may give a false sense of knowledge;
-may have a high cost;
-may have complex software; and
-cannot capture unquantifiable characteristics.
Defense in depth?
An adversary must overcome a number of protective features in sequence.
Why does each layer of security require a separate act by the adversary?
-causes uncertainty in the adversary's mind;
-increases attack preparation time;
-adds steps to the intrusion; and
-allows more response time for police or the guard force.
Layered security should have i______ at each of the layers?
Interdependencies
What is the principle of balanced protection?
-the protection system’s individual applications and components will be integrated and converged so that they provide an equal level of protection.
The appraisal component of the security survey involves…?
Developing and communicating recommendations for enhancements.
What is the focus of a physical security assessment?
The risks to the physical assets and property of an organization and the protection measures (against any risk) that constitute the realm of physical security.
The physical security assessment could provide the basis for …what?
A comprehensive & integrated security analysis and risk assessment;
-identifying security gaps;
-identifying a range of Solutions and their pros and cons; and
-assisting in the development of the org’s security risk management
continuity, response and recovery programs.
What costs are considered in a cost-benefit analysis?
- Technology and time;
- Process and personnel; and
- Opportunity and Overall capability costs
The 3 most common approaches to a physical security assessment?
Outside-inward approach;
Inside-Outward approach; and
Functional approach
What is it called when the assessment team acts as the aggressor and moves from outside the facility through successive layers of security toward the asset?
Outside-inward physical security assessment approach
When the assessment team acts as the defender and works from the asset out towards the outer perimeter it’s called….?
The inside-outward physical security assessment approach
When the security assessment team evaluates security functions/disciplines and collates the findings from the assessment component it’s called?
The functional (security discipline) physical security assessment approach
The five criteria of a good security survey report?
Accurate
Clear
Concise
Timely and
Slant or pitch
The 6 objectives of physical access control include:
-deny covert/overt action;
-distinguish authorized from unauthorized;
-deter intruders and prevent intrusion;
-detect and monitor actual intrusions;
-trigger incident response from security/police;
An asset is anything with:
Tangible or intangible value
Risk-analysis is a process for
identifying asset values, threats and vulnerabilities to determine risks.
Two ways an asset’s criticality is determined?
-based on the org's mission/goals; and
-how the org would recover if the asset were no longer available.
Three steps to identify an org’s assets are:
-define primary business functions;
-identify site/building infrastructure and systems; and
-identify the org's tangible and intangible assets.
The two types of costs considered when valuing an asset are?
Direct and indirect costs
Seven (7) factors to consider in valuing assets:
- injuries related to facility damage
- impact on revenue and reputation
- Asset replacement costs and availability of replacements;
- revenue loss because of lost functions;
- whether there are backup systems
- critical information value;
When determining asset values, six direct costs are?
-Lost business, financial losses, value of goods;
-higher labor and insurance costs
-management time dealing with the event; and
-punitive court judgements not covered by insurance
Indirect costs (9) of asset value determination include:
-negative media coverage and consumer perception;
-higher PR costs to improve image, higher insurance costs because the org is placed in a higher risk category, and higher wages to attract workers;
-shareholder lawsuits for mismanagement; and
-poor employee morale, higher turnover and work stoppages.
What legal & regulatory procedures should be part of a physical asset protection program?
-identify the legal and regulatory schemes the org uses with its assets/activities/functions/products/services/stakeholders/supply chain;
-determine how these schemes apply to its risks;
-ensure these schemes are taken into account in establishing, implementing & maintaining its physical asset protection program.
Two types of assets include:
Tangible and intangible assets
Assets can be valued in two ways:
-assigned a relative value based on Priority and
-apply a cost of loss formula;
What is the cost of loss formula to calculate an asset value?
K = (Cp + Ct + Cr + Ci) - I
K = total cost of loss;
Cp = cost of permanent replacement;
Ct = cost of temporary substitute;
Cr = total related costs (removal and installation);
Ci = lost income costs;
I = available insurance or indemnity.
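Worked example for the two formulas on this card set (the security risk rating = asset value x threat likelihood x severity of incident x vulnerability, and the cost of loss K = (Cp + Ct + Cr + Ci) - I). This is added code, not part of the original cards or any ASIS material. It assumes that the three rating factors are normalised to the range 0..1, that K is used as the asset value in the rating, and that an asset may alternatively carry a relative priority value instead of cost-of-loss inputs (the card set's first valuation method). The asset names and figures are constructed for illustration.

```python
"""Added worked example: cost-of-loss valuation feeding a security risk rating,
applied to a small constructed set of assets and ranked by rating."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class LossInputs:
    """Terms of the cost-of-loss formula, named as on the card."""
    cp: float  # cost of permanent replacement
    ct: float  # cost of temporary substitute
    cr: float  # total related costs (removal and installation)
    ci: float  # lost income costs
    i: float   # available insurance or indemnity


def cost_of_loss(x: LossInputs) -> float:
    """K = (Cp + Ct + Cr + Ci) - I.

    Negative inputs are rejected.  A result at or below zero means the
    indemnity covers the whole loss; the formula is left unclamped so that
    over-insurance is visible to the reviewer.
    """
    for name, value in vars(x).items():
        if value < 0:
            raise ValueError(f"{name} must be non-negative, got {value}")
    return (x.cp + x.ct + x.cr + x.ci) - x.i


def risk_rating(asset_value: float, threat_likelihood: float,
                severity: float, vulnerability: float) -> float:
    """asset value x threat likelihood x severity of incident x vulnerability.

    Assumption (not stated on the card): the three factors are scored 0..1,
    so the rating is in the same unit as the asset value (expected loss).
    """
    for name, factor in (("threat_likelihood", threat_likelihood),
                         ("severity", severity),
                         ("vulnerability", vulnerability)):
        if not 0.0 <= factor <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1], got {factor}")
    return asset_value * threat_likelihood * severity * vulnerability


# An asset value is either a relative priority score assigned by management
# (first valuation method on the cards) or the cost-of-loss inputs (second).
AssetValue = Union[float, LossInputs]


def asset_value(v: AssetValue) -> float:
    """Resolve either valuation method to a single number."""
    return cost_of_loss(v) if isinstance(v, LossInputs) else float(v)


def rank_assets(assets: Dict[str, Tuple[AssetValue, float, float, float]]
                ) -> List[Tuple[str, float, float]]:
    """Return (name, asset value, risk rating) tuples, highest rating first.

    `assets` maps a name to (value, threat_likelihood, severity, vulnerability).
    """
    rows = []
    for name, (value, likelihood, severity, vuln) in assets.items():
        k = asset_value(value)
        rows.append((name, k, risk_rating(k, likelihood, severity, vuln)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample data: illustrative figures only, not from the card set.
SAMPLE_ASSETS = {
    "server room": (LossInputs(cp=250_000, ct=40_000, cr=15_000,
                               ci=120_000, i=200_000), 0.3, 0.8, 0.5),
    "loading dock": (LossInputs(cp=30_000, ct=5_000, cr=2_000,
                                ci=8_000, i=10_000), 0.7, 0.4, 0.9),
    # Relative value assigned by priority rather than by the K formula.
    "lobby signage": (4_500.0, 0.9, 0.1, 0.9),
}


if __name__ == "__main__":
    for name, k, rating in rank_assets(SAMPLE_ASSETS):
        print(f"{name:14s} value={k:>12,.2f} rating={rating:>10,.2f}")
```

The ranking shows why the rating is more useful than asset value alone: the lobby signage has a high likelihood and vulnerability but a low severity, so it drops to the bottom even though it is the asset most likely to be attacked, while the server room, whose loss is largely insured (I = 200,000), still leads because the uninsured remainder is large.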
Two types of adversaries:
-one who intrudes to get at an asset; and
-one who attacks from outside.
Two common physical security compliance metrics used in the public sector are:
-compliance of facilities and
-compliance of systems