Chapter 1: Domain One: Security Fundamentals Flashcards

1
Q

Access Control

A

The control of persons, vehicles, and materials through the implementation of security measures for a protected area.

2
Q

Alarm System

A

Combination of sensors, controls, and annunciators (devices that announce an alarm via sound, light, or other means) arranged to detect and report an intrusion or other emergency.

3
Q

Asset

A

Anything that has tangible or intangible value to the organization.

4
Q

Auditor

A

Person with competence to conduct an audit. (ISO 9001:2011)

5
Q

Closed-Circuit Television

A

(CCTV) See Video Surveillance.

6
Q

Color Rendition Index

A

(CRI) A quantitative measure from 0 to 100 that indicates a light’s ability to show true color when compared to a reference source. A higher CRI number indicates that the light renders colors more faithfully.

7
Q

Conformity

A

Fulfillment of a requirement.

8
Q

Consequence

A

Outcome of an event affecting objectives. (ISO Guide 73:2009)

NOTE 1: An event can lead to a range of consequences.

NOTE 2: A consequence can be certain or uncertain and can have positive or negative effects on objectives.

NOTE 3: Consequences can be expressed qualitatively or quantitatively.

NOTE 4: Initial consequences can escalate through knock-on effects.

9
Q

Continual Improvement

A

Recurring process of enhancing the physical asset protection management system (PAPMS) to achieve improvements in overall physical asset protection (PAP) management performance consistent with the organization’s PAP management policy.

NOTE: The process need not take place in all areas of activity simultaneously.

10
Q

Continuity

A

Strategic and tactical capability, pre-approved by management, of an organization to plan for and respond to conditions, situations, and events in order to continue operations at an acceptable predefined level.

11
Q

Corrective Action

A

Action to eliminate the cause of a detected nonconformity (ISO 14001:2004)

12
Q

Crime

A

An act or omission that is in violation of a law forbidding or commanding it, for which the possible penalties for an adult upon conviction include incarceration; for which a corporation can be penalized by a fine or forfeit; or for which a juvenile can be adjudged delinquent or transferred to criminal court for prosecution. The basic legal definition of crime is all punishable acts, whatever the nature of the penalty.

13
Q

Crime Prevention Through Environmental Design

A

(CPTED) An approach to reducing crime or security incidents through the strategic design of the built environment, typically employing organizational, mechanical, and natural methods to control access, enhance natural surveillance and territoriality, and support legitimate activity.

14
Q

Crisis

A

An unstable condition involving an impending abrupt or significant change that requires urgent attention and action to protect life, assets, property, or the environment.

15
Q

Critical Activity

A

Any function or process that is essential for the organization to deliver its products and/or services. (ISO/PAS 22399:2007)

16
Q

Criticality Analysis

A

A process designed to systematically identify and evaluate an organization’s assets based on the importance of their mission or function, the group of people at risk, or the significance of a disruption to the continuity of the organization.

17
Q

Denial

A

Frustration of an adversary’s attempt to engage in behavior that would constitute an incident.

18
Q

Detection

A

The act of discovering an attempt (successful or unsuccessful) to breach a secured perimeter (such as scaling a fence, opening a locked window, or entering an area without authorization).

19
Q

Disruption

A

An intentional, unintentional, or natural event that interrupts normal business functions, operations, or processes, whether anticipated or unanticipated.

NOTE: A disruption can be caused by either positive or negative factors that will disrupt normal functions, operations, or processes.

20
Q

Document

A

Information and supporting medium. (ISO 9000:2000)

NOTE: The medium can be paper, magnetic, electronic, or optical computer disc; photograph or master sample; or a combination thereof.

21
Q

Due Diligence

A

The care that a prudent person might be expected to exercise in the examination and evaluation of risks.

22
Q

Evacuation

A

Organized, phased, and supervised dispersal of people from dangerous or potentially dangerous areas. (ASIS International Business Continuity Guideline: 2005)

23
Q

Event

A

Occurrence or change in a particular set of circumstances. (ISO Guide 73:2009)

NOTE 1: The nature, likelihood, and consequence of an event cannot be fully known.

NOTE 2: An event can be one or more occurrences and can have several causes.

NOTE 3: The likelihood associated with the event can be determined.

NOTE 4: An event can consist of the non-occurrence of one or more circumstances.

NOTE 5: An event with a consequence is sometimes referred to as an “incident.”

24
Q

Executive Protection

A

Executive, or Personnel, Protection (EP) is the process of safeguarding key people from harm.

25
Q

Exercises

A

Evaluating physical asset protection (PAP) management programs, rehearsing the roles of team members and staff, and testing the recovery or continuity of an organization’s systems (such as technology, telephony, and administration) to demonstrate PAP management competence and capability.

NOTE 1: Exercises include activities performed for the purpose of training and conditioning team members and personnel in appropriate responses, with the goal of achieving maximum performance.

NOTE 2: An exercise can involve invoking response and operational continuity procedures, but is more likely to involve the simulation of a response and/or operational continuity incident, announced or unannounced, in which participants role-play to assess what issues might arise prior to a real invocation.

26
Q

External Context

A

External environment in which the organization seeks to achieve its objectives. (ISO Guide 73:2009)

NOTE: External context can include:

The cultural, social, political, legal, regulatory, financial, technological, economic, natural, and competitive environment, whether international, national, regional, or local;

Key drivers and trends having an impact on the objectives of the organization; and

Relationships with, and perceptions and values of, external stakeholders.

27
Q

Facility Infrastructure

A

Plant, machinery, equipment, property, buildings, vehicles, information systems, transportation facilities, and other items of infrastructure or plant and related systems that have a distinct and quantifiable function or service.

28
Q

Hazard

A

Possible source of danger or conditions (physical or operational) that have a capacity to produce a particular type of adverse effect.

29
Q

Impact

A

Evaluated consequence of a particular outcome.

30
Q

Incident

A

Event that has the capacity to lead to human, intangible, or physical loss or a disruption of an organization’s operations, services, or functions. If not managed, an incident can escalate into an emergency, crisis, or disaster.

31
Q

Intangible Asset

A

Assets that do not have a physical form to protect (such as reputation, relationships, or creditworthiness).

32
Q

Integrity

A

The property of safeguarding the accuracy and completeness of assets. (ISO/IEC 13335-1:2004)

33
Q

Interested Party

A

Person or group having an interest in the performance or success of an organization. (ISO/PAS 22399:2007)

NOTE: The term includes people and groups with an interest in an organization, its activities, and its achievements, such as customers, clients, partners, employees, shareholders, owners, vendors, the local community, first responders, government agencies, and regulators.

34
Q

Internal Audit

A

Systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the management system audit criteria set by the organization are fulfilled.

NOTE: In many cases, particularly in smaller organizations, independence can be demonstrated by freedom from responsibility for the activity being audited.

35
Q

Internal Context

A

Internal environment in which the organization seeks to achieve its objectives (ISO Guide 73:2009)

NOTE: Internal context can include:

Governance, organizational structure, roles, and accountabilities;

Policies, objectives, and the strategies that are in place to achieve them;

The capabilities understood in terms of resources and knowledge (such as capital, time, people, processes, systems, and technologies);

Perceptions and values of internal stakeholders;

Information systems, information flows, and decision-making processes (both formal and informal);

Relationships with, and perceptions and values of, internal stakeholders;

The organization’s culture;

Standards, guidelines, and models adopted by the organization; and

Form and extent of contractual relationships.

36
Q

Intrusion Detection System

A

(IDS) A system that uses sensors to detect an impending or actual security breach and to initiate an alarm or notification of the event.

37
Q

Investigation

A

A systematic and thorough examination or inquiry into something or someone, and the recording of that examination in a report.

38
Q

Investigation Team Lead

A

(ITL) The person directly responsible for the team of personnel assigned to investigate an incident, who has overall responsibility for ensuring that an investigation is thorough, complete, and well documented in the final report.

39
Q

Investigation Unit Manager

A

The person directly responsible for the investigative function in an organization, sometimes referred to as the project manager or case manager, who may hold the title of chief security officer, security director, director of investigations, director of human resources, or something similar.

40
Q

Lighting

A

Degree of illumination; also, the equipment, used indoors and outdoors, for increasing illumination. Usually measured in lumens, lux, or foot-candles.

41
Q

Likelihood

A

Chance of something happening. (ISO Guide 73:2009)

NOTE 1: In risk management terminology, the word “likelihood” is used to refer to the chance of something happening, whether defined, measured, or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).

NOTE 2: The English term “likelihood” does not have a direct equivalent in some languages; instead, the equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it should have the same broad interpretation as the term “probability” has in many languages other than English.

42
Q

Lock

A

A piece of equipment used to prevent undesired opening, typically of an aperture (gate, window, building door, or vault door, for example), while still allowing opening by authorized users.

43
Q

Management Plan

A

Clearly defined and documented plan of action, typically covering the key personnel, resources, services, and actions needed to implement the incident management process.

44
Q

Mitigation

A

Limitation of any negative consequences of a particular incident.

45
Q

Nonconformity

A

Non-fulfillment of a requirement (ISO 9000:2005)

46
Q

Objective

A

Overall goal, consistent with the policy, that an organization sets itself to achieve. (ISO 14001:2004)

47
Q

Organization

A

Group of people and facilities with an arrangement of responsibilities, authorities, and relationships.

NOTE: An organization can be a government or public entity, company, corporation, firm, enterprise, institution, charity, sole trader, or association, or parts or combinations thereof.

48
Q

Organizational Resilience

A

Ongoing management and governance process, supported by top management and resourced, to ensure that the necessary steps are taken to identify the root causes of potential disruptions and the likelihood and impact of potential losses; maintain viable adaptive, proactive, and reactive strategies and plans; and ensure stability and sustainability of activities/functions/products/services through planning, exercising, rehearsal, testing, training, maintenance, and assurance.

49
Q

PAP

A

Physical asset protection.

50
Q

PAPM

A

Physical asset protection management.

51
Q

PAPMS

A

Physical asset protection management system.

52
Q

PEST

A

See STEP

53
Q

Physical Security

A

That part of security concerned with physical measures designed to safeguard people; to prevent unauthorized access to equipment, facilities, material, and documents; and to safeguard them against a security incident.

54
Q

Policy

A

Overall intentions and direction of an organization as formally expressed by top management.

55
Q

PPS

A

Physical protection system.

56
Q

Preparedness

A

Activities, programs, and systems developed and implemented prior to an incident that may be used to support and enhance mitigation of, response to, and recovery from disruptions, disasters, or emergencies.

57
Q

Prevention

A

Measures that enable an organization to avoid, preclude, or limit the likelihood and consequences of an event.

58
Q

Preventive Action

A

Action to eliminate the cause of a potential nonconformity. (ISO 14001:2004)

59
Q

Procedure

A

Specified way to carry out an activity. (ISO 9000: 2008)

NOTE: Procedures

60
Q

Proprietary Security

A

Typically, a department within a company that provides security services for that company.

61
Q

Protection in Depth

A

The strategy of forming layers of protection for an asset.

62
Q

Protection Systems

A

The integration of people, procedures, equipment, and technology for the protection of assets.

63
Q

Record

A

Document stating results achieved or providing evidence of activities performed. (ISO 9000:2008)

64
Q

Residual Risk

A

Risk remaining after risk treatment. (ISO Guide 73:2009)

NOTE 1: Residual risk can contain unidentified risk.

NOTE 2: Residual risk can also be known as “retained risk.”

65
Q

Resilience

A

The adaptive capacity of an organization in a complex and changing environment.

NOTE 1: Resilience is the ability of an organization to resist being affected by an event, or the ability to return to an acceptable level of performance in an acceptable period of time after being affected by an event.

NOTE 2: Resilience is the capability of a system to maintain its functions and structure in the face of internal and external change.

66
Q

Resilience Management

A

Systematic and coordinated activities and practices through which an organization manages its operational risks and the associated potential threats and impacts therein.

67
Q

Resources

A

Any asset (human, physical, information, or intangible), facilities, equipment, materials, products, or waste that has potential value and can be used.

68
Q

Response Plan

A

Documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident.

69
Q

Risk

A

Effect of uncertainty on objectives. (ISO Guide 73:2009)

NOTE 1: An effect is a deviation from the expected, either positive or negative.

NOTE 2: Objectives can have different aspects such as financial, health, safety, and environmental goals and can apply at different levels such as strategic, organization-wide, project, product, and process.

NOTE 3: Risk is often characterized by reference to potential events, consequences, or a combination of these, and how they can affect the achievement of objectives.

NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event or a change in circumstances and the associated likelihood of occurrence.

70
Q

Risk Acceptance

A

Informed decision to take a particular risk. (ISO Guide 73: 2009)

NOTE 1: Risk acceptance can occur without risk treatment or during the process of risk treatment.

NOTE 2: Risk acceptance can also be a process.

NOTE 3: Risks accepted are subject to monitoring and review.

71
Q

Risk Analysis

A

Process to comprehend the nature of risk and to determine the level of risk. (ISO Guide 73:2009)

NOTE: Risk analysis provides the basis for risk evaluation and decisions about risk treatment.

72
Q

Risk Appetite

A

Amount and type of risk that an organization is prepared to pursue, retain, or take. (ISO Guide 73:2009)

73
Q

Risk Assessment

A

Overall process of risk identification, risk analysis, and risk evaluation. (ISO Guide 73:2009)

NOTE: Risk assessment involves the process of identifying internal and external threats and vulnerabilities, identifying the probability and impact of an event arising from such threats or vulnerabilities, defining the critical functions necessary to continue the organization’s operations, defining the controls in place necessary to reduce exposure, and evaluating the cost of such controls.

74
Q

Risk Criteria

A

Terms of reference by which the significance of risk is assessed. (ISO Guide 73:2009)

NOTE: Risk criteria can include associated costs and benefits, legal and statutory requirements, socio-economic and environmental aspects, the concerns of stakeholders, priorities, and other inputs to the assessment.

75
Q

Risk Management

A

Coordinated activities to direct and control an organization with regard to risk. (ISO Guide 73:2009)

NOTE: Risk management generally includes risk assessment, risk treatment, risk acceptance, and risk communication.

76
Q

Risk Reduction

A

Actions taken to lessen the probability, the negative consequences, or both, associated with a risk. (ISO Guide 73:2009)

77
Q

Risk Tolerance

A

Organization’s readiness to bear the risk after risk treatments in order to achieve its objectives. (ISO Guide 73:2009)

NOTE: Risk tolerance can be limited by legal or regulatory requirements.

78
Q

Risk Transfer

A

Sharing with another party the burden of loss or benefit or gain for a risk. (ISO Guide 73:2009)

NOTE 1: Legal or statutory requirements can limit, prohibit, or mandate the transfer of certain risk.

NOTE 2: Risk transfer can be carried out through insurance or other agreements.

NOTE 3: Risk transfer can create new risks or modify existing risks.

NOTE 4: Relocation of the source is not risk transfer.

79
Q

Risk Treatment

A

Process to modify risk. (ISO Guide 73:2009)

NOTE 1: Risk treatment can involve avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; taking or increasing risk in order to pursue an opportunity; removing the risk source; changing the likelihood; changing the consequences; sharing risk with another party or parties; and retaining the risk by informed choice.

NOTE 2: Risk treatments that deal with negative consequences are sometimes referred to as risk mitigation, risk elimination, risk prevention, and risk reduction.

NOTE 3: Risk treatment can create new risks or modify existing risks.
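The risk cards above (Risk, Likelihood, Consequence, Risk Criteria, Risk Acceptance, Residual Risk, Risk Reduction, and Risk Treatment) describe the stages of one process. The Python register below works that process through end to end; it is an added illustration, not part of the original flashcards and not text from any ASIS or ISO document. The 1-to-5 rating scales, the use of likelihood times consequence as the risk level, the acceptance threshold of 6, and the register entries with their treatments are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Assumed scales for this illustration (not from the flashcards): likelihood and
# consequence are both rated 1 (lowest) to 5 (highest); the risk level is their
# product; the organization's risk criteria accept any level <= ACCEPT_THRESHOLD.
SCALE_MIN, SCALE_MAX = 1, 5
ACCEPT_THRESHOLD = 6


def clamp(value: int) -> int:
    """Keep a rating inside the 1..5 scale after treatments are applied."""
    return max(SCALE_MIN, min(SCALE_MAX, value))


@dataclass
class Treatment:
    """A risk treatment: each one changes likelihood, consequence, or both."""
    name: str
    likelihood_delta: int = 0   # negative = reduces likelihood (detection, denial, hardening)
    consequence_delta: int = 0  # negative = reduces consequence (stand-off, mitigation, redundancy)


@dataclass
class Risk:
    """One entry in the risk register: an event with inherent ratings and its treatments."""
    event: str
    likelihood: int            # inherent likelihood, before any treatment
    consequence: int           # inherent consequence, before any treatment
    treatments: list[Treatment] = field(default_factory=list)

    def inherent_level(self) -> int:
        return self.likelihood * self.consequence

    def residual_ratings(self) -> tuple[int, int]:
        """Likelihood and consequence remaining after all treatments are applied."""
        likelihood = clamp(self.likelihood + sum(t.likelihood_delta for t in self.treatments))
        consequence = clamp(self.consequence + sum(t.consequence_delta for t in self.treatments))
        return likelihood, consequence

    def residual_level(self) -> int:
        """Residual risk: the level that remains after risk treatment."""
        likelihood, consequence = self.residual_ratings()
        return likelihood * consequence


def evaluate(risk: Risk) -> str:
    """Risk evaluation: compare the residual level against the risk criteria."""
    if risk.residual_level() <= ACCEPT_THRESHOLD:
        return "accept"          # informed acceptance; still subject to monitoring and review
    return "treat further"


def build_register() -> list[Risk]:
    """Constructed sample register (illustrative entries, not real data)."""
    return [
        Risk("Forced entry through loading dock after hours", 4, 4, [
            Treatment("Intrusion detection on dock doors", likelihood_delta=-1),
            Treatment("Security officer patrol", likelihood_delta=-1),
            Treatment("High-value stock moved to inner vault", consequence_delta=-2),
        ]),
        Risk("Vehicle-borne explosive at front entrance", 2, 5, [
            Treatment("Bollards to increase stand-off distance", consequence_delta=-2),
        ]),
        # Accepted without treatment: already within the risk criteria.
        Risk("Pilferage of low-value consumables", 3, 2),
        Risk("Power failure disabling the intrusion detection system", 3, 4, [
            Treatment("UPS for alarm panel", consequence_delta=-1),
        ]),
    ]


def summarise(register: list[Risk]) -> list[dict]:
    """Rows for a risk report: inherent level, residual level, and the decision."""
    rows = []
    for risk in register:
        rows.append({
            "event": risk.event,
            "inherent": risk.inherent_level(),
            "residual": risk.residual_level(),
            "decision": evaluate(risk),
        })
    # Highest residual risk first, so "treat further" items surface at the top.
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


if __name__ == "__main__":
    for row in summarise(build_register()):
        print(f'{row["residual"]:>2} (was {row["inherent"]:>2})  {row["decision"]:<13} {row["event"]}')
```

Running the block prints the register sorted by residual risk: the loading-dock entry drops from 16 to 4 once detection, patrol, and relocation of the stock are applied, the explosive threat sits exactly at the acceptance threshold after bollards are added, the pilferage entry is accepted with no treatment at all, and the power-failure entry remains at 9 and so must be treated further. Changing ACCEPT_THRESHOLD is the code's equivalent of changing the risk criteria, which is why that value belongs with the criteria and not with any one risk.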

80
Q

Security

A

The condition of being protected against hazards, threats, risks, or loss.

81
Q

Security Aspects

A

Those characteristics, elements, or properties that reduce the risk of unintentionally, intentionally, and naturally caused crises and disasters that disrupt and have consequences on the products and services, operations, critical assets, and continuity of the organization and its stakeholders.

82
Q

Security Manager

A

An employee or contractor with management-level responsibility for the security program of an organization or facility.

83
Q

Security Measure

A

A practice or device designed to protect people and prevent damage to, loss of, or unauthorized access to equipment, facilities, material, and information.

84
Q

Security Officer

A

An individual, in uniform or plain clothes, employed to protect assets.

85
Q

Security Survey

A

A thorough physical examination of a facility and its systems and procedures, conducted to assess the current level of security, locate deficiencies, and gauge the degree of protection needed.

86
Q

Site Hardening

A

Implementation of enhancement measures to make a site more difficult to penetrate.

87
Q

Source

A

Element which alone or in combination has the intrinsic potential to give rise to risk. (ISO Guide 73:2009)

NOTE: A risk source can be tangible or intangible.

88
Q

Stakeholder

A

Person or group having an interest in the performance or success of an organization. (ISO/PAS 22399:2007)

NOTE: The term includes persons and groups with an interest in an organization, its activities, and its achievements, such as customers, clients, partners, employees, shareholders, owners, vendors, the local community, first responders, government agencies, and regulators.

89
Q

Standard

A

Set of criteria, guidelines, and best practices that can be used to enhance the quality and reliability of products, services, or processes.

90
Q

Stand-off Distance

A

The distance between the asset and the threat; typically used regarding an explosive threat.

91
Q

Social, Technological, Environmental, and Political Model

A

(STEP) Points out potential sources of threats. The security manager can then conduct an analysis to determine whether such threats are likely and where they may originate.

92
Q

Strengths, Weaknesses, Opportunities, and Threats

A

(SWOT) A model for analyzing proposed organizational projects. The concept is to analyze an issue or proposal from each of the four points of view, thereby giving security management a profile of potential issues to address.

93
Q

Supply Chain

A

The linked set of resources and processes that begins with the acquisition of raw material and extends through the delivery of products or services to the end user across modes of transport. The supply chain may include suppliers, vendors, manufacturing facilities, logistics providers, internal distribution centers, distributors, wholesalers, and other entities that lead to the end user.

94
Q

Surveillance

A

Observation of a location, activity, or person.

95
Q

Tangible Assets

A

Generally, assets that can be seen, touched, or directly measured in physical form (such as people and property).

96
Q

Target

A

Detailed performance requirement applicable to the organization (or parts thereof) that arises from the objectives and that needs to be set and met in order to achieve those objectives. (ISO 14001:2004)

97
Q

Testing

A

Activities performed to evaluate the effectiveness or capabilities of a plan relative to specified objectives or measurement criteria. Testing usually involves exercises designed to keep teams and employees effective in their duties and to reveal weaknesses in the preparedness and response/continuity/recovery plans. (ASIS International Business Continuity Guideline: 2005)

98
Q

Threat

A

Potential cause of an unwanted incident which may result in harm to individuals, assets, a system or organization, the environment, or the community.

99
Q

Throughput

A

The average rate of flow of people or vehicles through an access point.

100
Q

Top Management

A

Persons or group of people who directs and controls an organization at the highest level. (ISO 9000:2008)

NOTE: For example, directors, managers, and officers of an organization who can ensure that effective management systems, including financial monitoring and control systems, have been put in place to protect the assets, earning capacity, and reputation of the organization. (ANSI/ASIS SPC.1-2009)

101
Q

Video Surveillance

A

A surveillance system in which a signal is transmitted to monitors, recording equipment, and control equipment. Includes closed-circuit television (CCTV) and network-based video systems.

102
Q

Vulnerability

A

Intrinsic properties of something that create susceptibility to a source of risk that can lead to a consequence. (ISO Guide 73:2009)

103
Q

Vulnerability Analysis

A

The process of identifying and quantifying vulnerabilities.

104
Q

Waste, Accidents, Error, Crime, Unethical Practices

A

(WAECUP) Can be used as a blueprint for developing security objectives.