Cards 81-118 Flashcards
- What data goes into an incident management system?
Loss event history;
Threat frequency analysis;
Single and annual loss expectancy; and
Impact assessment
- What tests should be part of a security survey?
Shipping and receiving;
Alarms;
Computer/server room security; and
General access controls
- When performing security system and procedure tests as part of a security survey, you should coordinate with:
Building owner/manager/landlord; and
Any involved outside agencies
- During a security survey test on shipping and receiving, these should be checked:
Controls are checked by physical observation of selected shipments (incoming and outgoing) against bills of lading or inventory records.
- During a security survey test on alarms, what is evaluated?
The response, as well as the reaction of building occupants and security officers.
- During a security survey test on a computer room or server room, these should be tested:
Security;
Access controls during both working and off hours.
- How are general access controls tested during a security survey?
“Intruders” test whether they can gain access to the facility or internal areas during business and off hours; and
Whether employees challenge the intruders.
- How should areas, items and issues be evaluated during a security survey?
In terms of appropriateness for the situation, age, operability, maintenance, interoperability, aesthetics and consistency with the current use or space.
- What four things should be reviewed when assessing key/card security during a security survey?
Accountability and policy;
Record keeping and inventory;
Recovery procedures (for keys); and
Whether keys/cards are changed when appropriate, i.e. when people leave, or after thefts or burglary.
- Besides windows and doors, what other openings should be assessed during a security survey?
Manholes;
Skylights;
Roof hatches;
Ventilator and air conditioning vents/shafts;
Penthouse and veranda access; and
Sidewalk grates
- When assessing the protection of utilities during a security survey, what 4 things should be examined?
Location and physical protection;
Access control;
Backup and emergency; and
Protection of telecommunications and data lines.
- The first step in a risk assessment is:
Identification and valuation of assets
- What are the four D’s?
Deter
Detect
Delay
Deny
- What are the five risk treatments?
Acceptance;
Avoidance;
Mitigation;
Transfer; and
Spreading
- What are the seven functions of physical security?
Access control
Assessment
Deterrence
Detection
Delay
Response; and
Evidence gathering
- Three factors to consider when selecting a risk mitigation strategy?
Availability;
Affordability; and
Feasibility
- The effectiveness of countermeasures and the security system depends on?
The adversary and the threat
- As a threat increases in sophistication, what must happen?
The effectiveness of the countermeasures must also increase, or the additional risk must be managed by other means.
- What four criteria can be used to rank assets based on criticality?
Workforce;
Dependencies;
Service delivery; and
Mission/objectives
- Which risks should be prioritized?
Those with the potential to cause significant mission impact or harm.
- Two common measures of vulnerability?
Observability; and
Exploitability
- Observability is:
The ability of an adversary to see and identify a vulnerability
- Exploitability is:
The ability of an adversary to take advantage of a vulnerability
- When is observability reversed?
In assessing natural threats
- How is risk calculated?
Risk equals threats x vulnerabilities x impact 1/3
- What is the cost-benefit analysis?
The cost of a security program measured against:
The impact in loss reduction;
Financial savings;
Acquisition costs;
Life cycle replacement costs; or
Other costs
- What are metrics?
A measure based on a reference that involves at least two points.
- What are the three technical criteria of a security metrics evaluation tool (MET)?
Reliability;
Validity; and
Generalizability
- What are the three operational criteria of the security metrics evaluation tool (MET)?
Cost;
Timeliness; and
Manipulation
- What are the strategic criteria of a security metrics evaluation tool (MET)?
ROI;
Organizational relevance; and
Communications
- What are the high-level evaluation criteria for a security metrics evaluation tool (MET)?
Technical criteria;
Operational criteria; and
Strategic criteria
BONUS - Summary of MET criteria:
Technical - R/V/G: reliability/validity/generalizability
Operational - C/T/M: cost/timeliness/manipulation
Strategic - ROI/OR/C: ROI/organizational relevance/communications
High-level - TC/OC/SC: technical criteria/operational criteria/strategic criteria
- What are the three major physical security metrics?
Systems, personnel and compliance
- Common physical security systems metrics include:
Forced door;
Door held open;
Unauthorized access attempts;
User-defined actions/alarms; and
Communications failures
- Two measurable physical security personnel metrics include:
Response and training
- What is the first step in asset protection?
Perform a threat and vulnerability analysis
- One potential pitfall in choosing security technology?
An inability to thoroughly evaluate product claims prior to installation.
- What is the primary challenge for security system designers?
Balancing the need for public access against the need to ensure public safety.