Chief Security Officer CSO - Class 1,2,3 Domain 1 Flashcards
- Human Resources and Intellectual Assets
- Ethics and Reputation
- Financial Assets
- Information/ Data
- Transportation, Distribution, and Supply Chain
- Legal, Regulatory, and General Counsel
- Facilities and Premises
- Environmental, Health, and Safety
- Vendor/Outsourcing
Model Profile of a Chief Security Officer Function
- Global Security Policy and Procedures Administration
- Technology and Infrastructure Protection
- Information Risk Management
- Business Continuity, Crisis Management, and Response
- Investigative and Forensic Science
- Safe and Secure Workplace Operations
- Tailored Business-Process Safeguards
- Insurance and Risk Transfer
- Risk Assessment, Analysis, Evaluation , and Testing
- Executive Protection
- Background and Due Diligence Investigation
- Business Conduct and Security Compliance
- External and Government Relations
- Business Intelligence and Counterintelligence Support
CSO - Benchmark Processes and Services
Develops, influences, and nurtures trust-based relationships with business unit leaders, government officials, and professional organizations. Acts as a consultant to all organizational clients.
Relationship Manager
Builds, motivates, and leads a professional team attuned to organizational culture, responsive to business needs, and committed to integrity and excellence.
Executive Management and Leadership
Provides intellectual leadership and active support to the organization’s governance team to ensure risks are made known to senior management and the Board.
Governance Team Member
Provides, or sees to the provision of, technical expertise appropriate to the knowledge of risk and the cost-effective delivery of essential security services.
Def. - Competencies, experiences, and advanced working knowledge of contemporary tradecraft, practices, and applications related to the topic of interest.
Subject Matter Expert
Identifies, analyzes, and communicates on business and security-related risk to the organization.
Risk Manager
Develops global security strategy keyed to likely risks and collaboration with the organization’s stakeholders.
Strategist
Aids competitiveness and adds value by contributing dynamic, real-time critical thinking and solutions that enable the organization to “prevent” disruptions from occurring and minimize damage when they do occur. Engages in business processes to mitigate risk. Is a positive change agent on behalf of organizational protection.
Creative Problem Solver
One key responsibility of the CSO is to?
Strategize
True/False:
The CSO is responsible and accountable for systematically gathering, assessing, and synthesizing information related to a wide range of security-related events and threats specific to the organization and its various operations, which may adversely affect the security and safety of personnel and the profitability or reputation of the organization.
TRUE
True/False
The CSO is responsible and accountable for ensuring that the enterprise is prepared for events or circumstances that could potentially disrupt the continuity of business operations.
TRUE
Who should identify and understand the nature of security risks in the business environment, as well as the application of appropriate financial and managerial controls to mitigate those risks?
CSO - Chief Security Officer
True/False
Generally, the outlook of the CSO should be more strategic than tactical.
TRUE
True/False
The CSO is a senior executive leadership position.
TRUE
What type of CSO serves as the executive responsible for the identification, development, implementation, and management of the organization’s [global] security strategies and programs?
Incumbent
An individual who can blend “common sense” controls with efficient and productive business processes and procedures; requires creative problem solving and business acumen.
Business Process Enabler
An individual who is willing to challenge established business processes and procedures in the pursuit of excellence.
Change Agent
A leadership function responsible for providing comprehensive, integrated risk strategies (policy, procedures, management, training, etc.) to help protect an organization from security threats.
Chief Security Officer (CSO)
In terms of security issues, critical business processes include incident response and the management of recovery efforts within the organization to restore critical systems and provide alternative facilities so that the organization can continue to function.
Critical Business Processes
What are such things as facilities, equipment, inventory, and on-hand cash?
Financial and Physical Assets
Includes organization staff (leadership, directors, managers, employees), customers, and any others the organization has a duty to protect.
Human Capital
This term is being used in the context of any person currently functioning in the CSO role, being considered for the CSO role via an external recruitment effort, or any existing management team member who will be assigned the accountabilities recommended for the CSO role within this Standard.
Incumbent
Includes such things as reputation, customer confidence, client confidence, trade secrets, intellectual property, and goodwill.
Intangible Assets
Medical, financial, and emotional resources provided to employees, customers, and others involved in a catastrophic event or an attack on the organization.
Support Assistance
What is an organization-wide process that establishes a fit-for-purpose, strategic, and operational framework that upon implementation by the organization’s leadership?
A Business Continuity Management System (BCMS)
The developer and publisher of international standards.
ISO - International Organization for Standardization
ISO is a nongovernmental organization bringing together stakeholders from the public, private, and not-for-profit sectors.
True/False
ISO does not regulate, legislate, or enforce.
True
What is the operating principle of ISO’s management system standards?
PLAN-DO-CHECK-ACT (PDCA)
Define & Analyze a Problem and Identify the Root Cause.
*Establish
PLAN
Devise a Solution, Develop Detail Action Plan and Implement it Systematically.
*Implement & Operate
DO
Confirm Outcomes Against Plan. Identify Deviation and Issues.
*Monitor & Review
CHECK
Standardize Solution - Review and Define next Issues.
*Maintain and Improve
ACT
The Assess-Protect-Confirm-Improve model is also called the?
PDCA PLAN-DO-CHECK-ACT
True/False
Assets protection can be performed by internal entities, external entities, or a combination.
TRUE
Three concepts form a foundation for any assets protection strategy.
A. Five Avenues to Address Risk
B. Balancing Security and Legal Considerations
C. The Five D’s
D. A & C
E. All of the Above
What are the Five D’s
Deter, Deny, Detect, Delay, Destroy.
What is the Health Insurance Portability and Accountability Act?
The criteria are set by the JCAHO - Joint Commission on Accreditation of Healthcare Organizations.
(HIPAA)
What is the (QSR) Industry?
An Industry that features many company-owned restaurants and franchise stores around the world.
Quick-Service Restaurant Industry
True/False
Asset protection in the Telecommunications Sector has changed in the wake of industry deregulation; the boom in wireless, Internet, fiber optics, and other telecommunications technologies; and, in the United States, the designation of the telecommunications system as a national critical infrastructure.
TRUE
True/False
Asset protection in the Telecommunications Sector now encompasses four major areas.
TRUE
They are: Information Security, Network and Computer Security, Fraud Prevention, and Physical Security.
The sector which includes civil aircraft, military aircraft, missiles, space systems, and aerospace services, and is characterized by fierce global competition; large, complex contracts; international joint ventures; and a large network of vendors, all of which significantly complicate asset protection strategies, is called?
Aerospace Sector
True/false
There are five forces that shape the practice of asset protection.
TRUE
What are they: technology and touch, globalization in business, standards and regulation, convergence of security, and homeland security and the international security environment.
Suggests FINANCE.
What is designed as a support tool for security professionals and others with similar responsibilities?
Ref. It provides information on all aspects of security and related functions and helps readers balance costs and results in planning, developing, and implementing sound risk management strategies.
Protection of Assets
The greatest protection of corporate assets occurs when an appropriate mix of security is in place in relation to the asset being protected. What are the three types?
Hint - 3 types:
Physical, Procedural, and Electronic Security.
The “integration of traditional and information [systems] security functions”
Convergence
True/False
Human factors must always be considered in the development of security strategies?
TRUE
A strategic approach to managing assets protection programs likewise involves three tools. What are they?
Planning, Management, Evaluation
This principle suggests that a single person can supervise only a limited number of staff members effectively.
Span of Control
What term dictates that an individual report to only one supervisor?
Unity of Command
This theory asserts that people’s behavior is driven by basic needs at different levels?
Abraham Maslow’s theory
*known as the “hierarchy of needs”
True/False
Maslow’s theory is still recommended to analyze individual employee motivation and establish tailored rewards, such as pay, recognition, advancement, and time off.
The basic or lower-level needs must be met before a person is motivated by the next higher level of need.
TRUE
Self-actualization needs: self-fulfillment, realizing one’s full potential.
Esteem or recognition needs: respect from others and self
Affiliation or love needs: affectionate social and family relationships
Security or safety needs: protection from perceived harm
Physiological or survival needs: food, drink, shelter
Maslow’s Hierarchy of Needs
Theory X contends that workers are inherently lazy and tend to avoid work, and Theory Y states that workers are naturally motivated and want to work hard and do a good job.
According to whom are programs based on Theory Y more successful than those based on Theory X?
McGregor’s
The theory that is based on the premise that the opposite of satisfaction is not dissatisfaction but simply no satisfaction. The theory maintains that two sets of factors determine a worker’s motivation.
Attitude and Success
Herzberg’s Motivation-Hygiene Theory
True/False
Most risk management tools are either proactive or reactive, but insurance is a combination of both?
TRUE
A formal social device for reducing risk by transferring the risk of several individual entities to an insurer.
Insurance
The cause of a possible loss is called?
Peril
Felonious abstraction of insured property by any individual or individuals gaining entry to the premises by FORCE. There must be visible marks on the exterior of the premises at the place of entry, such as evidence of the use of tools, explosives, electricity, or chemicals.
BURGLARY
Felonious and forcible taking of property by violence inflicted upon a custodian or messenger, either by putting the person in fear of violence or by an overt act committed against the custodian or messenger who was cognizant of the act?
Note: sneak thievery, pickpocketing, confidence games, and other forms of swindling are not included in robbery coverage.
ROBBERY
Physical loss of or damage to the object concerned
Direct Loss
Such as the reduction of net income due to loss of use of the damaged or destroyed object?
Loss of Use
Such as the costs of defending a liability suit and paying a judgment, or hospital and medical expenses following a personal accident?
Extra-Expense Losses
Retrospective coverage for events that occurred during a prior policy period but raised during the tail period?
“Tail Coverage”
It is customary to exclude from coverage any person the insured knows to have committed any fraudulent or dishonest act, in the insured service or otherwise. The exclusion usually dates from the time the insured became aware of the fraudulent or dishonest act.
Fidelity Coverage
Insurance that is written to protect the insured against loss by burglary, robbery, theft, forgery, embezzlement, and other dishonest acts?
Crime Coverage
What are the two types of bonds that may be used for protection?
Fidelity
Surety
Coverage written to protect the employer from the dishonesty of employees.
Fidelity Bond/Coverage
Coverage that is intended to guarantee the credit or performance of some obligations by an individual.
Surety Bond/Coverage
If a building or machine sustains physical damage, there will be at least an interruption in production or sales, resulting in financial loss. Which insurance covers this?
Business Interruption Insurance
- It offers a number of coverage choices.
A separate, wholly or principally owned firm, usually organized offshore, used to write insurance for the owning company. Sometimes a CAPTIVE insurer is owned by an association of two or more firms with a common insuring interest. When appropriate, captives can make it easier to insure risks not acceptable to conventional carriers, can help achieve a more favorable expense ratio, and can open reinsurance resources not otherwise available.
Captive Insurance/Carrier
What are the least expensive countermeasures one can employ?
Protection tools and Procedural controls
What is the standard profitability ratio that measures how much net income the business earns for each dollar invested by its owners?
(ROI) Return on investment
ROI = (AL + R) / CSP
AL = Avoided losses; R = Recoveries made; CSP = Cost of the security program, which includes personnel expenses, administrative expenses, and capital costs.
One way to determine ROI
Lost productivity for employees evacuating the building and for employees responding to the alarms, as well as the cost of fire department fines.
Hard Cost
Includes wear and tear on building mechanical systems when alarms activate; the tendency for employees to learn to ignore alarms, thereby placing themselves in jeopardy when legitimate alarms activate; the potential for staff injuries during evacuations; and the frustration of the organization’s staff and fire department personnel due to the high number of alarms?
Soft Cost
Security Related Measurements
Security Metrics
The process of measuring an asset protection program’s cost and benefits as well as its successes and failures?
Security Metrics
What report provides the security manager with data on which to base security decisions?
Incident Report
True/False
When submitting a “loss report,” the following practices are recommended:
- All employees must notify their immediate supervisor of any incidents or known or suspected asset losses.
- First-line supervisors should be responsible for completing reports for losses within their areas of responsibility.
- The security manager is responsible for reviewing the report. Corrections or modifications, if any are required, can then be made.
TRUE
True/False
The ultimate value of incident reporting lies in the opportunities it creates for avoiding future incidents, events, and losses through planning, employee awareness training, and security enhancements.
TRUE
A group very familiar with the company’s products, materials, tools and resources.
Asset Protection Committee
The preservation of company assets, both human and material, is the responsibility of every employee of the company.
LOSS REPORTING POLICY
A report that sought to compare the U.S. security industry to public law enforcement quantitatively.
Hallcrest Report
Economic and operational issues: what is the key distinction between public and private police?
Cost
Public Policing (Public Police Officers) are
Duly sworn by the Government.
Private Policing (Private Police) are
Individuals who are employed by private firms or other organizations without Government affiliation.
However, this distinction is not always clear. Some jurisdictions license and regulate private security personnel. Some government units even grant special police status to private security personnel, giving them broad arrest powers.
Carson identifies five specific categories of distinction between public and private policing. What are they?
Philosophical, Legal, Financial, Operational, Security/Political
Private police may lack the moral authority that government can give to law enforcement.
Philosophical
Private police are hobbled by law, with only limited powers of arrest, usually restricted to crimes committed in their presence. However, those with special police status have nearly all the powers of public police, including the authority to make arrests and carry guns.
Legal
Private police can perform certain tasks more cheaply.
Financial
Private police are more flexible, can be assigned to specific locations, and spend nearly all their tour on the beat. They make fewer arrests, are burdened with little paperwork, and rarely make court appearances.
Operational
Private police give citizens more control over their own safety by augmenting police efforts, helping to maintain order when police are spread thin. Also, private policing encourages citizens to follow community standards in a way that police officers cannot or do not.
Security/Political
Peace officer arrest powers are only available to which type of officer, and only while he or she is on duty?
Special Police
Acts as a liability shield to protect the officer (and his or her employer) from civil lawsuits. Although this shield is not available for reckless or malicious conduct, it protects the reasonable and prudent officer who makes a mistake in judgment or behavior.
Qualified immunity
Types of Security Consultants
- Security Management Consultants
- Technical Security Consultant
- Security Forensic Consultant
Specializes in a certain discipline, which comprises the foundation of their expertise (and reputation). Assists the client in managing the protection strategies for the business.
Security Management Consultant
Deals with investigation, identification and collection of evidence, identification of vulnerabilities, mitigation strategies, and litigation.
Forensic security consultant
An internal resource that can be formed to assist corporate executives and chief security officers in their effort to ensure that current security measures are adequate?
Security Advisory Committee
Consciousness of an existing security program, its relevance, and the effect of one’s behavior on reducing security risk.
Security Awareness
The field of safeguarding a key person from harm.
This is practiced in the private world.
EP
Executive Protection
It is a continuing attitude that can move individuals to take specific actions in support of enterprise security.
Security Awareness
What type of supervisor is typically concerned with specific processes or activities? For these employees, security awareness focuses on how the security program aids or detracts from specific performance objectives.
First-Line Supervisor
Tends to be held accountable for the success of their individual departments, so they view the security program in terms of its contribution toward their goals.
Middle Management
Personnel who must be aware of the security program because they are the enterprise’s top decision makers regarding risk and resources.
Executive Management
Most modern management approaches to employee motivation assume that the employee is willing and interested, and that while information and instruction are needed, coercion and pressure are not. The only formal exposure an employee gets to the security program may be a brief reference to it on the first day of work.
Individual Employee
People who are not employees of the organization may also be affected by the security program.
They include vendors and suppliers, customers, service personnel, representatives of government, and members of the public.
Nonemployees
At which levels are standards in security developed?
A. Continental, National, International
B. National, International, Foreign
C. Regional, National, International
D. Regional, Federal, National
National, Regional, and International