Chapter 3: Planning and Conducting Physical Security Assessments Flashcards
What is the first step when conducting a security risk assessment?
Identify the assets the company is trying to protect, the threats against those assets, and how vulnerable the assets are to the various threats.
What are the 5 steps of a comprehensive risk assessment?
- Identify and place value on the organization's assets.
- Evaluate relevant risks to the assets.
- Conduct a vulnerability assessment.
- Consider the potential impact to the organization if the asset is lost.
- Recommend risk mitigation measures.
Name three categories that tend to increase an asset's exposure to the risk of loss.
- Physical
- Nonphysical
- Logical
What are some examples of physical factors that can increase an asset's exposure to the risk of loss?
- Types and locations of facilities or campuses
- surroundings
- amount of pedestrian or vehicular traffic
- the amount of non-employee access needed.
- the operational tech or industrial control systems needed for the organization to operate
- the sensitivity and criticality of on-site processes and assets.
What are some examples of nonphysical factors that can increase an asset's exposure to the risk of loss?
- geopolitical landscape
- culture
- industry pressures
- legal, regulatory and compliance requirements
- intensity of competition
- organizational growth mode
- speed of decision making
- willingness to adopt technology.
What are some examples of logical factors that can increase an asset's exposure to the risk of loss?
- network infrastructure
- network connectivity
- servers
- workstations
- network devices and endpoints.
True or False. The risk assessment process is meant to be a cyclical and continuous effort.
True
What is the definition of Qualitative Analysis?
Any approach that does not use numbers or numeric values to describe the risk components.
What is the definition of Quantitative Analysis
Any approach that uses numeric measures to describe the value of assets or the level of threats, vulnerabilities, impact, or loss events.
What is the Qualitative Analysis method best suited for?
Evaluating basic security applications.
What is the Quantitative Analysis method best suited for?
To measure the effectiveness of a physical protection system whose primary functions are to detect, delay, and respond.
What is an asset?
Anything that has tangible or intangible value to an enterprise.
What factors can asset value be based on?
- The cost of purchasing the asset or its replacement cost.
- operational impact of unavailability of the asset.
- The effects of harm to the asset
- The length of time required to replace the asset
- The reputational impact from unavailability of the asset.
What process determines the operational impact of the unavailability of an asset?
Business impact analysis.
What are some factors to consider in determining asset value?
- immediate response and recovery costs
- Investigation Costs
- replacement costs
- indirect costs
What are some examples of indirect costs?
- temporary leased facilities
- equipment rental/purchase
- alternative suppliers/vendors
- alternative shippers/logistic support
- temporary warehousing facilities
- special employee benefits
- counseling/employee assistance
- loss of market share (temporary or permanent)
- decreased employee productivity
- increased insurance premiums
- temporary workforce/staffing
- recruiting/staffing costs for the permanent workforce
- increased security costs (temporary or permanent)
- increased communications capabilities
- data recovery/IT system restart and/or reconfiguration
- administrative support
- increased travel
- marketing/public relations efforts
- emergency/continuity plan revamps
What is the cost-of-loss formula?
K = Cp + Ct + Cr + Ci - I
K = total cost of loss
Cp = cost of permanent replacement
Ct = cost of temporary substitute
Cr = total related costs (remove asset, install new, etc.)
Ci = lost income cost
I = available insurance or indemnity
What is a threat?
any verbal or physical conduct that conveys an intent or is reasonably perceived to convey an intent to cause physical harm or to place someone in fear of physical harm.
What are the different types of threats?
- Man-made
- Natural
How should adversaries be judged when assessing man-made threats?
On their ability to cause a loss event and their intention to do so.
What is the definition of vulnerability?
The state of being susceptible to harm or injury.
What two factors are considered when evaluating vulnerability?
Observability and Exploitability
What is the definition of observability?
the ability of an adversary to see and identify a vulnerability.
What is the definition of Exploitability?
The ability of the adversary to take advantage of the vulnerability once aware of it.