Chapter 3: Planning and Conducting Physical Security Assessments Flashcards

1
Q

What is the first step when conducting a security risk assessment?

A

Identify the assets the company is trying to protect, the threats against those assets, and how vulnerable the assets are to the various threats.

2
Q

What are the 5 steps of a comprehensive risk assessment?

A
  1. Identify and place value on the organization's assets.
  2. Evaluate relevant risks to the assets.
  3. Conduct a vulnerability assessment.
  4. Consider the potential impact to the organization if the asset is lost.
  5. Recommend risk mitigation measures.
3
Q

Name three categories of factors that tend to increase an asset's exposure to the risk of loss.

A
  1. Physical
  2. Nonphysical
  3. Logical
4
Q

What are some examples of physical factors that can increase an asset's exposure to the risk of loss?

A
  1. Types and locations of facilities or campuses.
  2. Surroundings.
  3. Amount of pedestrian or vehicular traffic.
  4. The amount of non-employee access needed.
  5. The operational technology or industrial control systems needed for the organization to operate.
  6. The sensitivity and criticality of on-site processes and assets.
5
Q

What are some examples of nonphysical factors that can increase an asset's exposure to the risk of loss?

A
  1. Geopolitical landscape.
  2. Culture.
  3. Industry pressures.
  4. Legal, regulatory, and compliance requirements.
  5. Intensity of competition.
  6. Organizational growth mode.
  7. Speed of decision making.
  8. Willingness to adopt technology.
6
Q

What are some examples of logical factors that can increase an asset's exposure to the risk of loss?

A
  1. Network infrastructure.
  2. Network connectivity.
  3. Servers.
  4. Workstations.
  5. Network devices and endpoints.
7
Q

True or False. The risk assessment process is meant to be a cyclical and continuous effort.

A

True

8
Q

What is the definition of Qualitative Analysis?

A

Any approach that does not use numbers or numeric values to describe the risk components.

9
Q

What is the definition of Quantitative Analysis?

A

Any approach that uses numeric measures to describe the value of assets or the level of threats, vulnerabilities, impact, or loss events.

10
Q

What is the Qualitative Analysis method best suited for?

A

Evaluating basic security applications.

11
Q

What is the Quantitative Analysis method best suited for?

A

Measuring the effectiveness of a physical protection system whose primary functions are to detect, delay, and respond.

12
Q

What is an asset?

A

Anything that has tangible or intangible value to an enterprise.

13
Q

What factors can asset value be based on?

A
  1. The cost of purchasing the asset or its replacement cost.
  2. The operational impact of unavailability of the asset.
  3. The effects of harm to the asset.
  4. The length of time required to replace the asset.
  5. The reputational impact from unavailability of the asset.
14
Q

What process determines the operational impact of the unavailability of an asset?

A

Business impact analysis.

15
Q

What are some factors to consider in determining asset value?

A
  1. Immediate response and recovery costs.
  2. Investigation costs.
  3. Replacement costs.
  4. Indirect costs.
16
Q

What are some examples of indirect costs?

A
  1. Temporary leased facilities.
  2. Equipment rental/purchase.
  3. Alternative suppliers/vendors.
  4. Alternative shippers/logistics support.
  5. Temporary warehousing facilities.
  6. Special employee benefits.
  7. Counseling/employee assistance.
  8. Loss of market share (temporary or permanent).
  9. Decreased employee productivity.
  10. Increased insurance premiums.
  11. Temporary workforce/staffing.
  12. Recruiting/staffing costs for the permanent workforce.
  13. Increased security costs (temporary or permanent).
  14. Increased communications capabilities.
  15. Data recovery/IT system restart and/or reconfiguration.
  16. Administrative support.
  17. Increased travel.
  18. Marketing/public relations efforts.
  19. Emergency/continuity plan revamps.
17
Q

What is the cost-of-loss formula?

A

K = Cp + Ct + Cr + Ci - I

where:

K = total cost of loss

Cp = cost of permanent replacement

Ct = cost of temporary substitute

Cr = total related costs (removing the asset, installing the new one, etc.)

Ci = lost income cost

I = available insurance or indemnity

18
Q

What is a threat?

A

Any verbal or physical conduct that conveys an intent, or is reasonably perceived to convey an intent, to cause physical harm or to place someone in fear of physical harm.

19
Q

What are the different types of threats?

A
  1. Man-made
  2. Natural
20
Q

How should adversaries be judged when assessing man-made threats?

A

On their ability to cause a loss event and their intention to do so.

21
Q

What is the definition of vulnerability?

A

The state of being susceptible to harm or injury.

22
Q

What two factors are considered when evaluating vulnerability?

A

Observability and Exploitability

23
Q

What is the definition of observability?

A

The ability of an adversary to see and identify a vulnerability.

24
Q

What is the definition of Exploitability?

A

The ability of the adversary to take advantage of the vulnerability once aware of it.

25
Q

What is the risk analysis formula?

A

Risk = (Threat x Vulnerability x Impact)^(1/3)

(the cube root of the product of the three factors)

26
Q

What is the ASIS definition of a security survey?

A

A thorough physical examination of a facility and its systems and procedures, conducted to assess the current level of security, locate deficiencies, and gauge the degree of protection needed.

27
Q

What is the purpose of a security survey?

A
  1. Determine and document the current security posture.
  2. Identify deficiencies and excesses in existing security measures.
  3. Compare the current posture with a determination of the appropriate level of security or protection needed.
  4. Recommend improvements in the overall situation.
28
Q

What does a security survey place more emphasis on?

A

Vulnerabilities.

29
Q

What are 8 factors to address when considering vulnerabilities?

A
  1. Lack of redundancy or backups for critical functions or systems.
  2. Single points of failure.
  3. Collocation of critical systems, organizations, or components.
  4. Inadequate response capability to recover from an attack.
  5. Ease of aggressor access to a facility.
  6. Inadequate security measures in place.
  7. Presence of hazardous materials.
  8. Potential for collateral damage from other companies in the area.
30
Q

What is the Outside-Inward Methodology?

A

An assessment team takes on the role of an adversary (perpetrator) attempting to penetrate the physical defenses of a facility (a penetration test). The team begins outside the facility, where the public has free rein, and then works its way inward to the center of the organization.

31
Q

What is the Inside-Outward Methodology?

A

The assessment team takes on the role of the security professional (defender) and works from the asset or target outward toward the outer perimeter.

32
Q

What are some examples of the different types of security layers?

A
  1. Asset/target (sensors, alarms, surveillance).
  2. Container, safe, or vault (walls/sides, locks, sensors, alarms).
  3. Controlled/restricted area (walls, doors, locks, surveillance, sensors).
  4. Security desk/entry control point (security office, turnstile, access control).
  5. Building perimeter (walls, doors, locks, surveillance, sensors).
  6. Secure compound/campus (surveillance, distance, lighting, patrol).
  7. Property perimeter/fence line (sensors, entry control, patrols, barriers).
  8. Neighborhood/surrounding area (police patrols, neighborhood watch, observation).