Chapter 2 Flashcards
What are the three approaches to performing a security survey?
Outside-In Approach,
Inside-Out Approach,
Functional (Security Discipline) Approach
What is a SWOT Analysis used for in the security survey process?
To focus on Strengths, Weaknesses, Opportunities, and Threats.
How can outside support like consultants benefit the risk assessment process?
By providing a fresh perspective, collective knowledge, and regulatory compliance assistance.
What four tests should be considered during the security survey process?
S and R C
I D A
C L S
A C
• S and R C → Shipping and receiving controls
• I D A → Intrusion detection alarms
• C L S → Computer lab security
• A C → Access controls
What criteria should the security survey report adhere to?
Accurate, clear, concise, timely, considerate of slant or pitch.
What is the goal of a security survey in relation to leadership?
To provide A I for informed D-M R R
To provide actionable intelligence for informed decision-making regarding risk.
How can automated assessment tools assist in security surveys?
By processing, analyzing, comparing, and storing large amounts of data efficiently.
Define risk management.
The S process of id_____, ca_____ and mi_______ risks to an AL
Risk management is the systematic approach of identifying, calculating, and minimizing risks to an acceptable level.
What is the main objective of security?
To m____ risks by b_____ P____ M_____ costs with b______.
To manage risks by balancing protection measure costs with benefits.
What are the three categories in which assets can be divided?
Tangible assets, intangible assets, and mixed assets.
How can assets be valued?
Assets can be valued using 1) relative value based on priority or 2) the Cost-of-Loss Formula.
What does the basic Cost-of-Loss Formula consist of?
The Cost-of-Loss Formula consists of Cp, Ct, Cr, Ci, and I, yielding the total cost of loss.
What is one method to prioritize assets based on security risk?
Security risk can be calculated and used to rank or prioritize each asset.
How many steps are involved in the risk assessment process?
The risk assessment process involves six basic steps.
What are the initial steps in the risk assessment process?
The initial steps include identifying and valuing assets, identifying threats, and determining vulnerabilities.
What is the goal of risk management programs in organizations?
The goal is to develop a comprehensive protection strategy based on sound practices.
What formula is used to determine risk results?
Threat x Vulnerability x Impact /3 = Risk
Why is multiplication used instead of addition in the Risk Formula?
To determine the value; each element is scaled from 0-100.
How is overall risk placed back on a 0 to 100 scale?
By using the cubed root in the risk formula.
What is the goal of risk analysis?
To provide management with decision-making information.
Why is it important to prioritize risk based on criticality?
Because it is not practical to eliminate all risk.
What three things should be considered when determining protective measures?
BC
AR and
AE
Budgetary constraints,
available resources, and
adverse effects.
What 3 things must a physical security professional consider when selecting protective measures?
Ty of th,
Ad’s Soph and
Cap……
The types of threats and
The adversary’s sophistication, and
capabilities.
Why should physical security measures be scalable and agile?
To constantly evolve and improve in a changing environment.
What are the two main types of risk assessments mentioned?
Qualitative and Quantitative assessments.
When should Qualitative assessments be used?
For low-value assets or basic security applications.
When should Quantitative assessments be used?
For high-value assets or to describe specific values.
How many methods are there to address identified risks within an organization?
There are five methods mentioned.
Why must residual risks be analyzed within an organization’s risk management program?
Despite best efforts, some risks always remain.
What approach do some professionals prefer when conducting risk assessments?
A blended approach using both qualitative and quantitative methods.
Why should automated tools not be solely relied upon in conducting a physical security assessment?
Automated tools are not good at assessing intangible factors and are only as good as the program inputs.
Explain the significance of the saying ‘garbage in, garbage out’ in the context of automation of results.
It highlights that the quality of automated results is only as good as the input data.
What are 4 considerations that may affect the effectiveness of automated assessment tools?
Q of the A
C of the T
C of the S
P A of In F
1) Qualification of the assessor,
2) Cost of commercial tools,
3) Complexity of software,
4) Poor assessment of intangible factors.
Define All-Hazards approach in physical security.
A holistic, full-scope, and balanced approach to understanding prevalent threats.
Explain the difference between a hazard and a peril with an example.
A hazard contributes to a peril; e.g., stress (hazard) leading to an active shooter incident (peril).
List the three characterizations of threats.
Na
In (m m)
In (acc, err and om)
Natural, Intentional (man-made), Inadvertent (accidents, errors, and omissions).
What is a vulnerability in the context of security?
A gap or weakness that allows a threat to compromise an asset or function.
Explain the difference between vulnerability and threat.
Vulnerability is controllable by the organization; threat is typically outside the organization’s control.
How can vulnerabilities be calculated?
In terms of O and E
By measuring them in terms of observability and exploitability.
What does ‘impact’ refer to in risk management?
It refers to the severity of the situation when an incident occurs.
What five factors can affect likelihood of occurrence and risk exposure?
Historical events,
physical environment,
political environment,
social environment,
procedures and processes.
What is risk analysis in the context of security?
The process of identifying ____ _____ of ______ and implementing _______.
The process of identifying potential areas of loss and implementing countermeasures.
How can risk analysis be achieved?
By c______ im_____ and PI risks.
By calculating impact and prioritizing identified risks.
Why is it important to analyze high consequence loss events?
Even if they are of low likelihood, they can have a significant impact on security.
What are the five methods of addressing risk?
Risk Avoidance,
Risk Assumption,
Risk Transfer,
Risk Reduction, and
Risk Spreading.
Which method of addressing risk involves the elimination of the risk source?
Risk Avoidance.
What is the most direct way to remove risk?
Risk Avoidance.
What is the aim of risk reduction?
To reduce vulnerability of assets.
How is risk reduction achieved?
Through S-H and
R V of A
Through site-hardening and reducing vulnerability of assets.
What is a security survey also known as?
A physical security assessment.
What does a security survey focus on?
Vulnerability aspects.
What is the purpose of a security survey?
To assess current security level and identify vulnerabilities.
What does a security survey examination entail?
An on-site examination to assess security level and vulnerabilities.
What may be appropriate to conduct alongside a security survey?
Cost-benefit analysis.
What 3 components are typically included in a cost-benefit analysis?
C, R, and D
Cost, Reliability, Delay.
Why may a checklist be helpful during a security survey?
To ensure no important elements are missed and maintain a sequential process.
