Chapter 1: Domain One: Security Fundamentals Flashcards
Access Control
The control of persons, vehicles and materials through the implementation of security measures for a protected area.
Alarm System
Combination of sensors, controls, and annunciators (devices that announce an alarm via sound, light, or other means) arranged to detect and report an intrusion or other emergency.
Asset
Anything that has tangible or intangible value to the organization.
Auditor
Person with competence to conduct an audit. (ISO 9001:2011)
Closed-Circuit Television
(CCTV) See Video Surveillance.
Color Rendition Index
(CRI) A quantitative measure of 0 to 100 that indicates a light’s ability to show a true color when compared to a reference source. A higher CRI number indicates a light’s ability to render a truer rendition of the color.
Conformity
Fulfillment of a requirement.
Consequence
Outcome of an event affecting objectives. (ISO Guide 73:2009)
NOTE 1: An event can lead to a range of consequences.
NOTE 2: A consequence can be certain or uncertain and can have positive or negative effects on objectives.
NOTE 3: Consequences can be expressed qualitatively or quantitatively.
NOTE 4: Initial consequences can escalate through knock-on effects.
Continual Improvement
Recurring process of enhancing the physical asset protection management system (PAPMS) to achieve improvements in overall physical access protection (PAP) management performance consistent with the organization’s PAP management policy.
NOTE: The process need not take place in all areas of activity simultaneously.
Continuity
Strategic and tactical capability, pre-approved by management, of an organization to plan for and respond to conditions, situations, and events to continue operations at an acceptable predefined level.
Corrective Action
Action to eliminate the cause of a detected nonconformity. (ISO 14001:2004)
Crime
An act or omission that is in violation of a law forbidding or commanding it for which the possible penalties for an adult upon conviction include incarceration; for which a corporation can be penalized by a fine or forfeit; or for which a juvenile can be adjudged delinquent or transferred to criminal court for prosecution. The basic legal definition of crime is all punishable acts whatever the nature of the penalty.
Crime Prevention Through Environmental Design
(CPTED) An approach to reducing crime or security incidents through the strategic design of the built environment, typically employing organizational, mechanical, and natural methods to control access, enhance natural surveillance and territoriality, and support legitimate activity.
Crisis
An unstable condition involving an impending abrupt or significant change that requires urgent attention and action to protect life, assets, property, or the environment.
Critical Activity
Any function or process that is essential for the organization to deliver its products and/or services. (ISO/PAS 22399:2007)
Criticality Analysis
A process designed to systematically identify and evaluate an organization’s assets based on the importance of its mission or function, the group of people at risk, or the significance of a disruption on the continuity of the organization.
Denial
Frustration of an adversary’s attempt to engage in behavior that would constitute an incident.
Detection
The act of discovering an attempt (successful or unsuccessful) to breach a secured perimeter (such as scaling a fence, opening a locked window, or entering an area without authorization).
Disruption
An intentional, unintentional, or natural event that interrupts normal business functions, operations, or processes, whether anticipated or unanticipated.
NOTE: A disruption can be caused by either positive or negative factors that will disrupt normal functions, operations, or processes.
Document
Information and supporting medium. (ISO 9000:2000)
NOTE: The medium can be paper, magnetic, electronic, or optical computer disc; photography or master sample; or a combination thereof.
Due Diligence
The care that a prudent person might be expected to exercise in the examination and evaluation of risks.
Evacuation
Organized, phased, and supervised dispersal of people from dangerous or potentially dangerous areas. (ASIS International Business Continuity Guideline: 2005)
Event
Occurrence or change in a particular set of circumstances. (ISO Guide 73:2009)
NOTE 1: Nature, likelihood, and consequence of an event cannot be fully knowable.
NOTE 2: An event can be one or more occurrences and can have several causes.
NOTE 3: Likelihood associated with the event can be determined.
NOTE 4: An event can consist of a non-occurrence of one or more circumstances.
NOTE 5: An event with a consequence is sometimes referred to as an “incident.”
Executive Protection
Executive, or Personnel, Protection (EP) is the process of safeguarding key people from harm.
Exercises
Evaluating physical asset protection (PAP) management programs, rehearsing the roles of team members and staff, and testing the recovery or continuity of an organization’s systems (such as technology, telephony, administration) to demonstrate PAP management competence and capability.
NOTE 1: Exercises include activities performed for the purpose of training and conditioning team members and personnel in appropriate responses with the goal of achieving maximum performance.
NOTE 2: An exercise can involve invoking response and operational continuity procedures but is more likely to involve the simulation of a response and/or operational continuity incident, announced or unannounced, in which participants role-play to assess what issues might arise prior to a real invocation.
External Context
External environment in which the organization seeks to achieve its objectives. (ISO Guide 73:2009)
NOTE: External context can include:
The cultural, social, political, legal, regulatory, financial, technological, economic, natural, and competitive environment, whether international, national, regional, or local;
Key drivers and trends having impact on the objectives of the organization; and
Relationships with, and perceptions and values of, external stakeholders.
Facility Infrastructure
Plant, machinery, equipment, property, buildings, vehicles, information systems, transportation facilities, and other items of infrastructure or plant and related systems that have a distinct and quantifiable function or service.
Hazard
Possible source of danger or conditions (physical or operational) that have a capacity to produce a particular type of adverse effect.
Impact
Evaluated consequence of a particular outcome.
Incident
Event that has the capacity to lead to human, intangible, or physical loss or a disruption of an organization’s operations, services, or functions. If not managed, an incident can escalate into an emergency, crisis, or disaster.
Intangible Asset
Assets that do not have a physical form to protect (such as reputation, relationships, creditworthiness).
Integrity
The property of safeguarding the accuracy and completeness of assets. (ISO/IEC 13335-1:2004)
Interested Party
Person or group having an interest in the performance or success of an organization. (ISO/PAS 22399:2007)
NOTE: The term includes people and groups with an interest in an organization, its activities, and its achievements, such as customers, clients, partners, employees, shareholders, owners, vendors, the local community, first responders, government agencies, and regulators.
Internal Audit
Systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the management system audit criteria set by the organization are fulfilled.
NOTE: In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from responsibility for the activity being audited.
Internal Context
Internal environment in which the organization seeks to achieve its objectives. (ISO Guide 73:2009)
NOTE: Internal context can include:
Governance, organizational structure, roles, and accountabilities;
Policies, objectives, and the strategies that are in place to achieve them;
The capabilities understood in terms of resources and knowledge (such as capital, time, people, processes, systems, and technologies);
Perceptions and values of internal stakeholders;
Information systems, information flows, and decision-making processes (both formal and informal);
Relationships with, and perceptions and values of, internal stakeholders;
The organization’s culture;
Standards, guidelines, and models adopted by the organization; and
Form and extent of contractual relationships.
Intrusion Detection System
(IDS) A system that uses sensors to detect an impending or actual security breach and to initiate an alarm or notification of the event.
Investigation
A systematic and thorough examination or inquiry into something or someone and the recording of that examination in a report.
Investigation Team Lead
(ITL) The person directly responsible for the team of personnel assigned to investigate an incident and who has overall responsibility for ensuring that an investigation is thorough, complete, and well documented in the final report.
Investigation Unit Manager
The person directly responsible for the investigative function in an organization, sometimes referred to as the project manager or case manager, who may hold the title of chief security officer, security director, director of investigations, director of human resources, or something similar.
Lighting
Degree of illumination; also, the equipment, used indoors and outdoors, for increasing illumination - usually measured in lumens, lux, or foot-candle units.
Likelihood
Chance of something happening. (ISO Guide 73:2009)
NOTE 1: In risk management terminology, the word “likelihood” is used to refer to the chance of something happening, whether defined, measured, or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).
NOTE 2: The English term “likelihood” does not have a direct equivalent in some languages; instead, the equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it should have the same broad interpretation as the term “probability” has in many languages other than English.
Lock
A piece of equipment used to prevent undesired opening, typically of an aperture (gate, window, building door, or vault door, for example), while still allowing opening by authorized users.
Management Plan
Clearly defined and documented plan of action, typically covering the key personnel, resources, services, and actions needed to implement the incident management process.
Mitigation
Limitation of any negative consequences of a particular incident.
Nonconformity
Non-fulfillment of a requirement. (ISO 9000:2005)
Objective
Overall goal consistent with the policy that an organization sets itself to achieve. (ISO 14001:2004)
Organization
Group of people and facilities with an arrangement of responsibilities, authorities, and relationships.
NOTE: An organization can be a government or public entity, company, corporation, firm, enterprise, institution, charity, sole trader or association, or parts or combinations thereof.
Organizational Resilience
Ongoing management and governance process supported by top management, resourced to ensure that the necessary steps are taken to identify the root causes of potential disruptions and the likelihood and impact of potential losses; maintain viable adaptive, proactive, and reactive strategies and plans; and ensure stability and sustainability of activities/functions/products/services through planning, exercising, rehearsal, testing, training, maintenance, and assurance.
PAP
Physical asset protection.
PAPM
Physical asset protection management.
PAPMS
Physical asset protection management system.
PEST
See STEP
Physical Security
That part of security concerned with physical measures designed to safeguard people; to prevent unauthorized access to equipment, facilities, material, and documents; and to safeguard them against a security incident.
Policy
Overall intentions and direction of an organization as formally expressed by top management.
PPS
Physical protection system.
Preparedness
Activities, programs, and systems developed and implemented prior to an incident that may be used to support and enhance mitigation of, response to, and recovery from disruptions, disasters, or emergencies.
Prevention
Measures that enable an organization to avoid, preclude, or limit the likelihood and consequences of an event.
Preventive Action
Action to eliminate the cause of a potential nonconformity. (ISO 14001:2004)
Procedure
Specified way to carry out an activity. (ISO 9000:2008)
NOTE: Procedures
Proprietary Security
Typically, a department within a company that provides security services for that company.
Protection in Depth
The strategy of forming layers of protection for an asset.
Protection Systems
The integration of people, procedures, equipment, and technology for the protection of assets.
Record
Document stating results achieved or providing evidence of activities performed. (ISO 9000:2008)
Residual Risk
Risk remaining after risk treatment. (ISO Guide 73:2009)
NOTE 1: Residual risk can contain unidentified risk.
NOTE 2: Residual risk can also be known as “retained risk.”
Resilience
The adaptive capacity of an organization in a complex and changing environment.
NOTE 1: Resilience is the ability of an organization to resist being affected by an event or the ability to return to an acceptable level of performance in an acceptable period of time after being affected by an event.
NOTE 2: Resilience is the capability of a system to maintain its functions and structure in the face of internal and external change.
Resilience Management
Systematic and coordinated activities and practices through which an organization manages its operational risks and the associated potential threats and impacts therein.
Resources
Any asset (human, physical, information, or intangible), facilities, equipment, materials, products, or waste that has potential value and can be used.
Response Plan
Documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident.
Risk
Effect of uncertainty on objectives. (ISO Guide 73:2009)
NOTE 1: An effect is a deviation from the expected, either positive or negative.
NOTE 2: Objectives can have different aspects such as financial, health, safety, and environmental goals and can apply at different levels such as strategic, organization-wide, project, product, and process.
NOTE 3: Risk is often characterized by reference to potential events, consequences, or a combination of these and how they can affect the achievement of objectives.
NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event or a change in circumstances and the associated likelihood of occurrence.
Risk Acceptance
Informed decision to take a particular risk. (ISO Guide 73:2009)
NOTE 1: Risk acceptance can occur without risk treatment or during the process of risk treatment.
NOTE 2: Risk acceptance can also be a process.
NOTE 3: Risks accepted are subject to monitoring and review.
Risk Analysis
Process to comprehend the nature of risk and to determine the level of risk. (ISO Guide 73:2009)
NOTE: Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
Risk Appetite
Amount and type of risk that an organization is prepared to pursue, retain, or take. (ISO Guide 73:2009)
Risk Assessment
Overall process of risk identification, risk analysis, and risk evaluation. (ISO Guide 73:2009)
NOTE: Risk assessment involves the process of identifying internal and external threats and vulnerabilities, identifying the probability and impact of an event arising from such threats or vulnerabilities, defining critical functions necessary to continue the organization’s operations, defining the controls in place necessary to reduce exposure, and evaluating the cost of such controls.
Risk Criteria
Terms of reference by which the significance of risk is assessed. (ISO Guide 73:2009)
NOTE: Risk criteria can include associated costs and benefits, legal and statutory requirements, socio-economic and environmental aspects, the concerns of stakeholders, priorities, and other inputs to the assessment.
Risk Management
Coordinated activities to direct and control an organization with regard to risk. (ISO Guide 73:2009)
NOTE: Risk management generally includes risk assessment, risk treatment, risk acceptance, and risk communication.
Risk Reduction
Actions taken to lessen the probability, negative consequences, or both, associated with a risk. (ISO Guide 73:2009)
Risk Tolerance
Organization’s readiness to bear the risk after risk treatments in order to achieve its objectives. (ISO Guide 73:2009)
NOTE: Risk tolerance can be limited by legal or regulatory requirements.
Risk Transfer
Sharing with another party the burden of loss or benefit or gain for a risk. (ISO Guide 73:2009)
NOTE 1: Legal or statutory requirements can limit, prohibit, or mandate the transfer of certain risk.
NOTE 2: Risk transfer can be carried out through insurance or other agreements.
NOTE 3: Risk transfer can create new risks or modify existing risks.
NOTE 4: Relocation of the source is not risk transfer.
Risk Treatment
Process to modify risk. (ISO Guide 73:2009)
NOTE 1: Risk treatment can involve avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; taking or increasing risk in order to pursue an opportunity; removing the risk source; changing the likelihood; changing the consequences; sharing risk with another party or parties; and retaining the risk by informed choice.
NOTE 2: Risk treatments that deal with negative consequences are sometimes referred to as risk mitigation, risk elimination, risk prevention, and risk reduction.
NOTE 3: Risk treatment can create new risks or modify existing risks.
Security
The condition of being protected against hazards, threats, risks, or loss.
Security Aspects
Those characteristics, elements, or properties that reduce the risk of unintentionally, intentionally, and naturally caused crises and disasters that disrupt and have consequences on the products and services, operation, critical assets, and continuity of the organization and its stakeholders.
Security Manager
An employee or contractor with management-level responsibility for the security program of an organization or facility.
Security Measure
A practice or device designed to protect people and prevent damage to, loss of, or unauthorized access to equipment, facilities, material, and information.
Security Officer
An individual, in uniform or plain clothes, employed to protect assets.
Security Survey
A thorough physical examination of a facility and its systems and procedures conducted to assess the current level of security, locate deficiencies, and gauge the degree of protection needed.
Site Hardening
Implementation of enhancement measures to make a site more difficult to penetrate.
Source
Element which alone or in combination has the intrinsic potential to give rise to risk. (ISO Guide 73:2009)
NOTE: A risk source can be tangible or intangible.
Stakeholder
Person or group having an interest in the performance or success of an organization. (ISO/PAS 22399:2007)
NOTE: The term includes persons and groups with an interest in an organization, its activities, and its achievements, such as customers, clients, partners, employees, shareholders, owners, vendors, the local community, first responders, government agencies, and regulators.
Standard
Set of criteria, guidelines, and best practices that can be used to enhance the quality and reliability of products, services, or processes.
Stand-off Distance
The distance between the asset and the threat; typically regarding an explosive threat.
Social, Technological, Environmental, and Political Model
(STEP) Points out potential sources of threats. The security manager can then conduct an analysis to determine whether such threats are likely and where they may originate.
Strengths, Weaknesses, Opportunities, and Threats
(SWOT) A model for analyzing proposed organizational projects. The concept is to analyze an issue or proposal from each of the four points of view, thereby giving security management a profile of potential issues to address.
Supply Chain
The linked set of resources and processes that begins with the acquisition of raw material and extends through the delivery of products or services to the end user across modes of transport. The supply chain may include suppliers, vendors, manufacturing facilities, logistics providers, internal distribution centers, distributors, wholesalers, and other entities that lead to the end user.
Surveillance
Observation of a location, activity, or person.
Tangible Assets
Generally, assets that can be seen, touched, or directly measured in physical form (such as people and property).
Target
Detailed performance requirement applicable to the organization (or parts thereof) that arises from the objectives and that needs to be set and met to achieve those objectives. (ISO 14001:2004)
Testing
Activities performed to evaluate the effectiveness or capabilities of a plan relative to specified objectives or measurement criteria. Testing usually involves exercises designed to keep teams and employees effective in their duties and to reveal weaknesses in the preparedness and response/continuity/recovery plans. (ASIS International Business Continuity Guideline: 2005)
Threat
Potential cause of an unwanted incident which may result in harm to individuals, assets, a system or organization, the environment, or the community.
Throughput
The average rate of flow of people or vehicles through an access point.
Top Management
Persons or group of people who directs and controls an organization at the highest level. (ISO 9000:2008)
NOTE: For example, directors, managers, and officers of an organization who can ensure that effective management systems, including financial monitoring and control systems, have been put in place to protect assets, earning capacity, and the reputation of the organization. (ANSI/ASIS SPC.1-2009)
Video Surveillance
A surveillance system in which a signal is transmitted to monitors/recording and control equipment. Includes closed-circuit television (CCTV) and network-based video systems.
Vulnerability
Intrinsic properties of something that create susceptibility to a source of risk that can lead to a consequence. (ISO Guide 73:2009)
Vulnerability Analysis
The process of identifying and quantifying vulnerabilities.
Waste, Accidents, Error, Crime, Unethical Practices
(WAECUP) Can be used as a blueprint for developing security objectives.