CPP 2012 Domain 1 Security Principles and Practices Flashcards
What are indirect costs of security?
Harm to reputation, Loss of goodwill, Loss of employees, Harm to employee morale. Source: POA: Physical Security, 1.6, page 16
What members should comprise a vulnerability assessment team?
Security specialist (leader),
Security systems engineer,
Response expert,
Data analyst,
Operations representatives,
Subject matter experts (e.g. locksmiths, technical writers, legal experts).
Source: POA: Physical Security, 1.7.1, page 20
What is the goal of a vulnerability assessment?
To identify physical protection system (PPS) components in the functional areas of detection, delay, and response and to gather data to estimate their performance against particular threats.
Source: POA: Physical Security, 1.7.3, page 22
What are the three primary functions of a physical protection system (PPS)?
Detection,
Delay,
Response.
Source: POA: Physical Security, 1.7.3, page 23
What are the two key measurements for the effectiveness of the detection function of a physical protection system (PPS)?
Probability of sensing adversary action,
Time required for reporting and assessing the alarm.
Source: POA: Physical Security, 1.7.3, page 23
How is the response function of a physical protection system (PPS) measured?
The response function of a PPS is measured by the time between receipt of a communication of adversary action and the interruption of the adversary action.
Source: POA: Physical Security, 1.7.3, page 23
What is the vulnerability assessment team’s primary job as it pertains to a physical protection system (PPS)?
To determine security system effectiveness.
Source: POA: Physical Security, 1.7.3, page 24
What are the two basic analytical approaches to a risk assessment?
Compliance based,
Performance based.
Source: POA: Physical Security, 1.7.4, page 25
What is the formula for residual risk?
R = T x A x V, where R = residual risk, T = threat, A = asset to be protected, V = vulnerability. Source: POA: Physical Security, 1.7.4, page 26
A well-engineered physical protection system (PPS) exhibits which three characteristics?
Protection in depth,
Minimum consequence of component failure (redundancy),
Balanced protection.
Source: POA: Physical Security, 2.1, page 31
What are the three contributors to cost of replacement?
Purchase price or manufacturing cost,
Freight and shipping charges,
Make-ready or preparation cost to install it or make it functional.
Source: POA: Physical Security, 1.6, page 16
What is the formula for lost income cost?
I = i/365 x P x t,
where
I = income earned,
i = annual percent rate of return,
P = principal amount (in dollars) available for investment,
t = time (in days) during which P is available for investment.
Source: POA: Physical Security, 1.6, page 17
What is the cost of loss formula?
K = (Cp + Ct + Cr + Ci) – (I-a), where K = criticality, total cost of loss, Cp = cost of permanent replacement, Ct = cost of temporary substitute, Cr = total related costs, Ci = lost income cost, I = available insurance or indemnity, a = allocable insurance premium amount. Source: POA: Physical Security, 1.6, page 18
What are the elements of a systems approach to developing a physical protection system (PPS)?
Assessment of vulnerability,
Implementation of countermeasures,
Evaluation of effectiveness.
Source: POA: Physical Security, 1.1, page 6
What three questions does a risk assessment attempt to answer?
What can go wrong?
What is the likelihood it would go wrong?
What are the consequences?
Source: POA: Physical Security, 1.2, page 7
What four questions does risk management attempt to answer?
What can be done?
What options are available?
What are the associated tradeoffs in terms of costs, benefits, and risks?
What are the impacts of current management decisions on future options?
Source: POA: Physical Security, 1.2, page 8
What is the design-basis threat?
The adversary against which the utility must be protected. It is used to help design and evaluate a physical protection system (PPS).
Source: POA: Physical Security, 1.3, page 10
What are the three general measures of valuing assets?
Cost,
Consequence criteria,
Policy.
Source: POA: Physical Security, 1.5, page 15
What is the difference between assets protection and security?
Assets protection includes all security functions, as well as related functions such as investigations, risk management, safety, compliance, and emergency management.
Source: POA: Security Management, 4.1.2, page 65
Assets protection is increasingly based on what principle?
Risk management.
Source: POA: Security Management, 4.1.3, page 69
What are the five avenues of addressing risk?
Avoidance, Transfer, Spreading, Reduction, Acceptance. Source: POA: Security Management, 4.2.1, page 70
What are the five Ds of security?
Deter, Deny, Detect, Delay, Destroy. Source: POA: Security Management, 4.2.1, pages 70-71
What four major areas does assets protection cover in the telecommunications sector?
Information security, Network/computer security, Fraud prevention, Physical security. Source: POA: Security Management, 4.2.2, page 74
What are the five forces shaping assets protection globally?
Technology and touch,
Globalization in business,
Standards and regulation,
Convergence of security solutions,
Homeland security and the international security environment.
Source: POA: Security Management, 4.3, page 76
According to Davidow and Malone, what is the centerpiece of the new global economy?
The virtual product, where major business functions are outsourced with hardly any internal departmentalization.
Source: POA: Security Management, 4.3.2, page 79
What are the three managerial dimensions of assets protection?
Technical expertise,
Management ability,
Ability to deal with people.
Source: POA: Security Management, Figure 4-6, page 84
What are the two general types of insurance?
Property,
Liability.
Source: POA: Security Management, 4, Appendix A, page 94
What are the three classifications of loss in insurance policies?
Direct loss,
Loss of use,
Extra-expense loss (e.g. cost of defending a liability suit or paying a judgment).
Source: POA: Security Management, 4, Appendix A, page 96
What are the five basic coverages of a crime insurance policy?
Employee dishonesty bond,
Money and securities coverage inside the premises,
Money and securities coverage outside the premises,
Money order and counterfeit paper currency coverage,
Depositors’ forgery coverage.
Source: POA: Security Management, 4, Appendix A, page 99
For insurance against business interruption, what are the two types of valuation methods?
Actual loss sustained,
Valued loss.
Source: POA: Security Management, 4, Appendix A, page 100
In Pastor’s public/private, substitute/supplement model of policing, which cell represents the rarest scenario?
Public/Substitute.
Source: POA: Security Management, 7.1.2, pages 181-182
What three factors are driving the growth of private policing?
Economic and operational issues,
(Fear of) crime and violence,
Order maintenance.
Source: POA: Security Management, 7.1.2, page 182
What is the optimal relationship between police and private security?
Institutionalized coordination and cooperation through structural and contractual relationships.
Source: POA: Security Management, 7.1.3, page 184
What was the purpose of the Hallcrest reports?
To compare the U.S. security industry to public law enforcement quantitatively.
Source: POA: Security Management, 7.1.3, page 185
What is the most significant distinction between public and private policing?
Cost.
Source: POA: Security Management, 7.2.1, page 187
What are the main costs that make public policing more expensive than private security?
Police officer salaries and benefits,
911 calls,
Alarm response,
Alternative services such as traffic control.
Source: POA: Security Management, 7.2.1, pages 187-190
What are the four explanations for cost savings when using private security versus public police?
More flexible labor,
Richer incentives and penalties,
More precise allocation of accountability,
Less constraint on process, more focus on results.
Source: POA: Security Management, 7.3, page 196
What five categories of distinction between public and private policing were identified by Carlson?
Philosophical (public police have more moral authority),
Legal (private police have limited power of arrest),
Financial (private police cost less),
Operational (private police are more flexible),
Security/political (private police give citizens more control over their safety by augmenting public police efforts).
Source: POA: Security Management, 7.3.1, page 197
What is the most important distinction between public and private police?
The delivery system (government versus corporations).
Source: POA: Security Management, 7.3.1, page 199
Where is it common for private security to supplement police in a public environment?
Business improvement districts.
Source: POA: Security Management, 7.4.3, page 201
What is likely to be the key component for alternative security providers in the future?
Order maintenance operations.
Source: POA: Security Management, 7.5.2, page 214
What is the best practice for security officer training?
Develop a training curriculum that focuses on the particular role or function to be performed.
Source: POA: Security Management, 7.5.3, page 216
What are the types of security consultants?
Security management consultants (largest group),
Technical security consultants,
Forensic security consultants.
Source: POA: Security Management, 8.2, pages 229-231
What are the best sources for finding security consultants?
Colleagues,
Security associations,
Industry-specific associations.
Source: POA: Security Management, 8.4, page 233
As a rule of thumb, what kind of travel allowances should a consultant receive?
The same as those given to members of the client’s senior management.
Source: POA: Security Management, 8.6, page 239
Who does a company typically assign to serve as project coordinator for a security consultant?
The CSO or vice president of security.
Source: POA: Security Management, 8.7.1, page 240
What is the emerging trend in consultant fees?
Project-based pricing rather than hourly fees.
Source: POA: Security Management, 8.8, page 246
In all industries, what are the most consistent predictors of theft?
The employee’s access to property and the perceived chances of being detected.
Source: POA: Security Management, 6.2.4, pages 142-143
To what three issues should an organizational resilience management policy reflect senior management’s commitment?
Compliance with legal requirements,
Prevention, preparedness, and mitigation of disruptive incidents,
Continual improvement.
Source: Security and Resilience in Organizations and their Supply Chains - Requirements with Guidance, Annex A, 6.1, page 46
With which four ISO standards is ASIS’s Organizational Resilience standard aligned?
ISO 9000, ISO 14001, ISO 27001, ISO 28000. Source: Security and Resilience in Organizations and their Supply Chains - Requirements with Guidance, E.1, page 108
According to ASIS’s CSO standard, how many years of direct experience at a senior level should a CSO applicant have?
Three to five years.
Source: Chief Security Officer - An Organizational Model, A.4, page 12
What workers are most likely to steal electronics components in manufacturing environments?
Engineers.
Source: POA: Security Management, 6.2.4, page 143
What is a surety bond?
Insurance that protects an organization if there is a failure to perform specific tasks within a certain time period.
Source: POA: Security Management, 4, Appendix A, page 98
Turnover costs run to what percentage of a security officer’s salary?
25 percent or more.
Source: POA: Security Officer Operations, 2.2, page 25
What are the seven key skills of a CSO?
Relationship leader, Executive leader, Subject matter expert, Governance team leader, Risk executive, Strategist, Creative problem solver. Source: Chief Security Officer - An Organizational Model, page 5
According to Donald Cressey, what are the three factors leading to fraud?
Perceived non-sharable financial problem,
Perceived opportunity for a trust violation,
Series of rationalizations to justify behavior.
Source: POA: Security Management, 6.3, page 145
What is Edwin Sutherland’s theory of crime?
Criminal behavior is most often correlated with a person’s association with a criminal environment, according to Sutherland.
Source: POA: Security Management, 6.3, page 145
Which two characteristics must a loss event have before security countermeasures can be planned?
A measurable loss,
A loss that did not result from speculative risk.
Source: General Security Risk Assessment Guideline, page 16
What is the formula for loss event probability?
P = f/n
where
P = the probability that a given event will occur,
f = the number of actual occurrences of that event,
n = the total number of experiments seeking that event.
Source: General Security Risk Assessment Guideline, page 16
What is the first step in a qualitative general security risk assessment?
Understand the organization.
Source: General Security Risk Assessment Guideline, page 11
What are useful categories for security data analysis?
Claims avoided, Proofs of loss, Recovered physical assets, Uninsured claims or causes of action. Source: POA: Security Management, 5.6, pages 119-120
What types of incidents should an asset protection program consider?
Major incidents and events, as well as incidental cost avoidances and asset or value recoveries that occur in the course of operations.
Source: POA: Security Management, 5.9.2, page 130
What percentage of business failures result from employee theft?
The U.S. Chamber of Commerce estimates that 30 percent of business failures result from employee theft.
Source: POA: Security Management, 6.1, page 138
What percentage of revenues do U.S. businesses lose to fraud?
U.S. organizations lose 6 percent of their annual revenues to fraud.
Source: POA: Security Management, 6.1, page 138
In the retail industry, how much greater in dollars is employee theft than shoplifting?
Employees steal 15 times as much as shoplifters.
Source: POA: Security Management, 6.1, page 139
In food service, employee theft imposes how much of a tax on every dollar spent?
Employee theft in food service is equal to a 4 percent tax.
Source: POA: Security Management, 6.1, page 139
What items are most frequently stolen by employees?
Time, Finished goods, Scrap and waste, Intellectual property. Source: POA: Security Management, 6.1, page 140
What hypotheses did Clark and Hollinger posit to explain employee theft?
External economic pressures, Youth, Opportunity, Job dissatisfaction, Social control. Source: POA: Security Management, 6.2, pages 141-142
According to Clark and Hollinger, what fraction of employees admitted to stealing from their employer?
One-third of employees reported stealing from their employer.
Source: POA: Security Management, 6.2.1, page 142
Who commits most workplace property theft?
Employees with the greatest access to the property and least perceived chance of detection.
Source: POA: Security Management, 6.2.4, page 143
Who commits the most theft in hospitals?
Nurses.
Source: POA: Security Management, 6.2.4, page 144
What is the most consistent predictor of theft in all industries?
The employee’s perceived chance of being detected.
Source: POA: Security Management, 6.2.4, page 144
According to Joseph Wells, what three factors are present in every fraud?
Financial pressure,
Opportunity,
Justification.
Source: POA: Security Management, 6.3.1, page 146
What is “lapping”?
Lapping is pocketing small amounts from incoming invoice payments and then applying subsequent payments to cover the missing cash from the previous invoice, and so on.
Source: POA: Security Management, Figure 6-2, page 149
Which of the three “shuns” (termination, prosecution, restitution) does the victim most good?
Restitution.
Source: POA: Security Management, 6, Appendix B, page 173
According to Lewis and Maxwell, levels of fear are the greatest when there is a concern about which two factors?
Crime,
Incivility.
Source: POA: Security Management, 7.2.3, page 194
What is the principal value of security awareness to executive management?
Awareness of the security program’s financial contribution to the bottom line.
Source: POA: Security Management, 10.1.1, page 292
What is the primary purpose of a security awareness program?
To educate employees on how to protect company assets and reduce losses.
Source: POA: Security Management, 10.2, page 294
What are the features of the most effective security awareness training programs?
They engage staff and let them have fun.
Source: POA: Security Management, 10.3, page 296
What are the six main obstacles to an effective security awareness program?
Low credibility of security department, Organizational culture, Naiveté, Perception of a minimal threat, Departmental/employee indifference, Lack of reporting capability. Source: POA: Security Management, 10.3.2, pages 298-299
Through what measures can security departments create positive contacts with staff to promote security awareness?
Conducting home protection clinics,
Lending property marking devices,
Offering group purchases of alarms,
Conducting personal protection programs,
Conducting cybersecurity awareness programs,
Conducting children’s fire prevention campaigns.
Source: POA: Security Management, 10.4.1, page 300
What are the three organizational models for security forces?
Vertical or hierarchical,
Shamrock,
Network.
Source: POA: Security Officer Operations, 1.9, pages 17-19
What is the hierarchical model of organizational structure?
In the hierarchical model, authority comes from the top and flows down through a series of managers to the front-line staff.
Source: POA: Security Officer Operations, 1.9.1, page 18
What is the shamrock model of organizational structure?
In the shamrock model, leaf one represents a small core of professionals and managers whose skills are critical to the organization.
Significantly larger, the second leaf consists of third-party suppliers with special expertise.
The third leaf consists of part-time and temporary workers who are employed as needed.
Source: POA: Security Officer Operations, 1.9.2, page 18
What is the network model of organizational structure?
In the network model, employees are connected not just to their immediate supervisor and their direct reports, but to many others in the organization; people come together for particular tasks and disband or reorganize as needed.
Source: POA: Security Officer Operations, 1.9.3, page 19