CPP 2022 Domain 1 Security Principles and Practices Flashcards
What is Enterprise Security Risk Management (ESRM)?
ESRM is a strategic approach to security management that ties an organization’s security practice to its overall strategy using globally accepted and established risk management principles.
Source: POA, Security Management, 1.1.2, page 2
What are the three primary components of ESRM?
The context, The foundation, The ESRM cycle.
Source: POA, Security Management, 1.2, page 6
This component of ESRM includes organizational aspects that security professionals must understand to successfully adopt ESRM.
The context.
Source: POA, Security Management, 1.2, page 6
This component of ESRM includes organizational concepts that support the ESRM approach and maximize its impact.
The foundation.
Source: POA, Security Management, 1.2, page 6
This component of ESRM is the actual process of security risk management that emphasizes the importance of understanding assets.
The ESRM cycle.
Source: POA, Security Management, 1.2, page 6
What organizational aspects are included in the context of ESRM?
Mission and vision, Core values, Operating Environment, Stakeholders.
Source: POA, Security Management, 1.2.1, pages 6-10
What three things comprise the operating environment of an organization?
Physical, Non physical, Logical.
Source: POA, Security Management, 1.2.1, page 8
This operating environment includes much of what influences traditional security factors, such as the type and location of buildings, industrial control systems, and products on hand.
Physical.
Source: POA, Security Management, 1.2.1, page 8
These factors are sources of risk, and include things such as the geopolitical environment, intensity of competition, and speed required for decision making.
Non physical factors.
Source: POA, Security Management, 1.2.1, page 9
These factors focus on information types such as servers, workstations, and network infrastructure.
Logical factors.
Source: POA, Security Management, 1.2.1, page 9
What are the four processes in the ESRM cycle?
Identify and prioritize assets, Identify and prioritize risks, Mitigate prioritized risks, Continuous improvement.
Source: POA, Security Management, 1.2.2, page 12
What is an asset owner?
The person most directly responsible for successful operation of the asset. In ESRM, the asset owner is assigned responsibility for the risk to an asset.
Source: POA, Security Management, 1.2.2, page 13
What four concepts comprise the foundation of ESRM?
Holistic risk management, Partnership with stakeholders, Transparency, Governance.
Source: POA, Security Management, 1.2.3, page 14
What are two types of assets?
Tangible, Intangible.
Source: POA, Security Management, 2.1.1, page 22
What are four ways to manage risk?
Eliminate, Reduce, Transfer, Accept.
Source: POA, Security Management, 2.2.1, page 26
This risk mitigation strategy involves removing the risk entirely.
Eliminate.
Source: POA, Security Management, 2.2.1, page 26
This risk mitigation strategy attempts to minimize risk through protective measures.
Reduce.
Source: POA, Security Management, 2.2.1, page 26
This risk mitigation strategy is typically achieved when another entity takes the risk on the organization’s behalf.
Transfer.
Source: POA, Security Management, 2.2.1, page 26
This risk mitigation strategy allows risk if the costs of reducing, eliminating, or transferring the risk outweigh the potential losses associated with it.
Accept.
Source: POA, Security Management, 2.2.1, page 26
What is a risk assessment?
Risk assessment is the identification, analysis, and evaluation of uncertainties to objectives and outcomes. It provides a comparison between the desired/undesired outcomes and expected rewards/losses of organizational objectives. The risk assessment analyzes whether the uncertainty is within acceptable boundaries and within the organization’s capacity to manage risk.
Source: Risk Assessment Standard, 0.2, page xvi
What do the results of a risk assessment inform?
The choices available to effectively manage risk to achieve the organization’s outcomes.
Source: Risk Assessment Standard, 0.2, page xvi
What are the deciding factors between a qualitative or quantitative approach to a risk assessment?
The reliability and validity of the available data, The nature of the risk factors and if they are quantifiable, The target audience for the outputs.
Source: Risk Assessment Standard, 0.3, page xvii
What is risk appetite?
The total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes.
Source: Risk Assessment Standard, 3.41, page 5
What tasks take place at the start of the risk assessment?
Setting objectives, Identification of stakeholders, Identification of internal context and variables, Documenting assumptions, Defining scope and statement of work, Policy and management commitment, Commitment of resources.
Source: Risk Assessment Standard, 6.2, pages 40-45
What is a gap analysis?
A technique to determine what steps might need to be taken to improve from a current state to a desired, future state.
Source: Risk Assessment Standard, 6.3.1, page 45
A gap analysis consists of what three steps?
Noting currently available factors, Listing success factors needed to achieve future, desired objectives, Highlighting the gaps that exist and what gaps may need to be filled to be successful.
Source: Risk Assessment Standard, 6.3.1, page 46
What four components should be in any risk identification process, regardless of risk discipline?
Asset and service identification, valuation, and characterization, Threat and opportunity analysis, Vulnerability and capability analysis, Criticality and impact analysis.
Source: Risk Assessment Standard, 6.4.4.1, page 60
What is risk tolerance?
The amount of uncertainty an organization is prepared to accept in total or more narrowly within a certain business unit, a particular risk category, or for a specific initiative.
Source: Risk Assessment Standard, 3.51, page 6
What comprises assessor competence?
Personal traits and interpersonal skills, Assessment skills, Communication skills, Education, training, and knowledge, Work experience.
Source: Risk Assessment Standard, 7.1, page 82
Documented criteria of an assessor’s knowledge and skills provide the basis for what three things?
Selection of assessment team members, Ascertain competence enhancement required for continuous improvement, Determine performance indicators for assessors.
Source: Risk Assessment Standard, 7.2.2, page 83
What are two types of interactions between a risk assessment team and an organization?
Human interaction, Minimal human interaction.
Source: Risk Assessment Standard, A.2, page 88
This type of interaction includes activities such as conducting interviews, document reviews with stakeholders, exercises, and undercover investigations.
Human interaction.
Source: Risk Assessment Standard, A.2, page 88
This type of interaction includes activities such as conducting a document review, physical examination, observation, and sampling.
Minimal human interaction.
Source: Risk Assessment Standard, A.2, pages 88-89
What are two examples of assessment paths?
Tracing, Process method.
Source: Risk Assessment Standard, A.3, page 89
This assessment path tracks a process or risk event chronologically, following a path forward or backward through a process or sequence.
Tracing.
Source: Risk Assessment Standard, A.3, page 89
This assessment path tests a sequence of steps and evaluates process controls, interactions, effectiveness, and opportunities for improvement.
Process method.
Source: Risk Assessment Standard, A.3, page 89
What are some examples of the process method?
Objectives method, Risk source method, Department method, Requirement method, Discovery method.
Source: Risk Assessment Standard, A.3, page 89
What is sampling?
The process or technique of selecting a representative part of a population for the purpose.
Source: Risk Assessment Standard, A.4.1, page 89
When is it beneficial to use a sampling method?
When it is not practical in time or cost terms to evaluate all available information.
Source: Risk Assessment Standard, A.4.1, page 89
What are two types of sampling methods?
Non-statistical, Statistical.
Source: Risk Assessment Standard, A.4.2, page 91
This sampling method includes judgmental sampling, convenience sampling, and haphazard sampling.
Non-statistical.
Source: Risk Assessment Standard, A.4.3, page 91
This sampling method includes random sampling, systematic sampling, stratified sampling, and cluster/block sampling.
Statistical sampling.
Source: Risk Assessment Standard, A.4.2, pages 91-92
What is terrorism?
An act of violence designed to achieve a political end.
Source: POA, Security Management, 12.3.1, page 195
What is domestic terrorism?
Violent, criminal acts committed by individuals and/or groups to further ideological goals stemming from domestic influences, such as those of a political, religious, social, racial, or environmental nature.
Source: POA, Security Management, 12.3.1, page 196
What is the primary attack vector of terrorism?
To target the public’s sense of security in the location that they reside or work.
Source: POA, Security Management, 12.3.2, page 196
What is a cost-benefit analysis?
A method for evaluating and comparing the value and cost of risk treatment options.
Source: Risk Assessment Standard, 6.4.4.4, page 77
A cost-benefit analysis should consider what two types of costs and benefits?
Direct, Indirect.
Source: Risk Assessment Standard, 6.4.4.4, page 77
What are examples of direct and indirect benefits?
Direct benefits - arising from reduction in the likelihood or harmful consequences of the risk. Indirect benefits - arising from collateral effects of the treatment such as reduced insurance premiums, improved management and staff confidence, and enhanced reputation.
Source: Risk Assessment Standard, 6.4.4.4, page 77
What are some examples of direct and indirect costs?
Direct costs - of implementing the proposed treatment and/or that could arise if the risk eventuates. Indirect costs - arising from the loss of productivity, business disruption, diversion of management attention, loss of reputation or brand value.
Source: Risk Assessment Standard, 6.4.4.4, page 77
What are the goals of risk treatments?
Remove the risk source, where possible; Remove or reduce the likelihood of the risk event occurring; Remove or reduce the negative consequences; Share the risk with other parties; Accept risk through informed decision or to exploit an opportunity; Avoid activities that give rise to risk.
Source: Risk Assessment Standard, 6.4.4.5, pages 77-78
What is the purpose of a prevention and mitigation procedure?
Define the measures to be taken by the organization to minimize the likelihood of a disruptive event or to minimize the potential for the severity of the consequence of the event.
Source: ORM Standard, C.2, page 92
What are prevention procedures?
Prevention procedures describe how the organization will take proactive steps to protect its assets by establishing architectural, administrative, design, operational, and technological approaches to avoid, eliminate, or reduce the likelihood of risks materializing.
Source: ORM Standard, C.2, page 92
What are mitigation procedures?
Mitigation procedures describe how the organization will take proactive steps to protect its assets by establishing immediate, interim, and long-term approaches to reduce the consequences of risks before they materialize.
Source: ORM Standard, C.2, page 92
What four steps are included in the risk assessment process?
Asset identification, valuation, and characterization, Risk identification, Risk analysis, Risk evaluation.
Source: ORM Standard, 7.2.3, page 18
What happens in the asset identification, valuation and characterization step of the risk assessment process?
Identify people, assets and services that provide tangible and intangible value giving consideration to financial, operational, temporal, and reputational characteristics of assets, activities, functions and services.
Source: ORM Standard, 7.2.3, page 18
What happens in the risk identification step of the risk assessment process?
Identify sources of strategic, operational, tactical, and reputational risk to assess threats and opportunities; vulnerabilities and capabilities; and consequence and criticalities that have a potential for direct or indirect consequences on the organization’s activities, assets, operations, functions and impacted stakeholders.
Source: ORM Standard, 7.2.3, page 18
What happens in the risk analysis step of the risk assessment process?
Systematically analyze risk to determine those risks that have significant impact on activities, functions, services, products, supply chain, subcontractors, stakeholder relationships, local populations and the environment.
Source: ORM Standard, 7.2.3, page 18
What happens in the risk evaluation step of the risk assessment process?
Systematically evaluate and prioritize risk controls and treatments, and their related costs to determine how to bring risk within an acceptable level consistent with risk criteria.
Source: ORM Standard, 7.2.3, page 18
What are some outputs of a risk assessment?
A prioritized risk register identifying treatments to manage risk, Justification for risk acceptance, Identification of critical control points, Requirements for supplier, distributor, outsourcing and subcontractor controls.
Source: ORM Standard, 7.2.3, page 19
What six things should be considered when assessing consequences?
Human cost, Financial cost, Image cost, Human rights impacts, Indirect impacts, Environmental impacts.
Source: ORM Standard, A.7.3, page 52
What changes may prompt an update to a risk assessment?
Changes in: Risk landscape, Leadership and partnerships, Contractual and industry trends, Regulatory requirements, Political environment, Conditions due to an event, Performance based test/exercise results.
Source: ORM Standard, A.7.3, pages 53-54
What are five benefits of liaison?
Leverage the resources of others, Share best practices and lessons learned, Collaborate on specific cases or incidents, More effectively address common issues, Share information, equipment, and facilities.
Source: POA, Security Management, 9.8.1, page 152
What is cost-effectiveness?
Producing good results for the money spent.
Source: POA, Security Management, 4.2, page 49
What three things maximize cost-effectiveness?
Ensure that the operations are conducted in the least expensive but cost effective way, Maintain the lowest costs consistent with required operational results, Ensure that the amount of money spent generates the highest return.
Source: POA, Security Management, 4.2, pages 49-50
What is security awareness?
Consciousness of an existing security program, its relevance, and the effect of one’s behavior on reducing security risks.
Source: POA, Security Management, 10.7, page 174
What is the purpose of a security awareness program?
To communicate to all individuals, including those working on behalf of the organization, risks within the organization’s unique internal and external environments, and the technical and administrative controls implemented to effectively manage those risks.
Source: Security Awareness Standard, 4.0, page 3
When is an effective security culture established?
When people’s behaviors align with the defined risk management processes and where the security technologies and methods deployed are policy based and well communicated through security awareness and training activities.
Source: Security Awareness Standard, 4.0, pages 3-4
What is the goal of a security awareness program?
To promote compliance with security policies and procedures, as well as provide timely communications and training to guide individual and organizational attitudes and behaviors.
Source: Security Awareness Standard, 4.1, page 4
What should every awareness program be structured to reflect?
The organization’s unique culture, risk environment, lifecycle management, and change control process.
Source: Security Awareness Standard, 4.1, page 4
How does clear top management support for security awareness set the tone?
By actively supporting awareness communication, training, and associated activities. Top management should also be involved in strengthening the culture that ensures individuals understand their security roles and take ownership of their personal safety and security.
Source: Security Awareness Standard, 4.2, page 5
What three program principles should be established for security awareness programs?
Encourage enterprisewide ownership, Develop a unified approach for security awareness communication and training, Leverage existing programs/infrastructure.
Source: Security Awareness Standard, 4.3, page 5
What can be done to encourage enterprisewide ownership of security awareness programs?
Establishing an oversight, advisory, or steering group comprised of security stakeholders to influence/generate program content and to help communicate risk appetite, strategy, and content relevance. Establishing security champions or influencers to solicit and provide input to program content.
Source: Security Awareness Standard, 4.3.1, page 6
What is a benefit of a unified, holistic approach to security awareness program content?
Using ‘one voice’ simplifies the message and increases the impact to stakeholders and the organization.
Source: Security Awareness Standard, 4.3.2, page 6
What types of benefits may be realized by leveraging existing organizational programs for security awareness?
Timing, Resource, Budget, Logistical.
Source: Security Awareness Standard, 4.3.3, page 6
What six factors are planning considerations when designing an effective security awareness program?
Security policies and procedures, Internal and external considerations, Security risks, Resources, Roles, responsibility, and authorities, Human resources context.
Source: Security Awareness Standard, 5.2, pages 6-9
Effective security policies contain what important characteristics?
Protecting individuals and organizational assets from security risks; Organizational relevance and maintaining compliance with legal, regulatory, and contractual obligations are clearly explained; Measurements for continual improvement metrics; Content is written to help build an engaged and alert security community; Instructions should help individuals reflect on the policy, consider how to respond in a situation, and take risk-based, informed, and appropriate action; Policy cross-references.
Source: Security Awareness Standard, 5.2.1, page 7
Which department plays a pivotal role as collaborator with security personnel in an organization’s security awareness program?
Human resources.
Source: Security Awareness Standard, 5.2.6, page 9
Security awareness program content should align with what three things?
Program goals and objectives, Security policies and procedures, Key performance indicators.
Source: Security Awareness Standard, 6.2, pages 10-11
What factors should be considered when determining how security awareness program content should be delivered?
Location-specific needs and requirements, Existing training culture and processes to be leveraged, Training topics needed, Types of training formats available and relevant, Levels of training required based on security access or employment status.
Source: Security Awareness Standard, 6.4, page 12
What should be included in a security awareness program evaluation?
Appropriateness of program goals and objectives, Consistency with the organization’s security policies and procedures, Volume and frequency of security awareness and training content, Effectiveness of content and delivery methods, Level of resources allocated to the program.
Source: Security Awareness Standard, 8, page 14
What should security awareness program improvements be based on?
Individual feedback, Program evaluations, Evolving threat landscapes, Changes in the organization’s culture, Audit findings, New or changed legal, regulatory, or contractual obligations, Top management input and direction.
Source: Security Awareness Standard, 9, page 14
What are some benefits of using a security consultant?
They do not promote or sell a specific product, Objectivity, Out-of-the-box thinking, Can be less expensive than hiring additional staff.
Source: POA, Personnel, 4.1, pages 143-144
What are three categories of security consultants?
Security management consultants, Technical security consultants, Security forensic consultants.
Source: POA, Personnel, 4.2, page 144
This type of security consultant usually specializes in a certain discipline, which comprises the foundation of their expertise.
Security management consultants.
Source: POA, Personnel, 4.2.1, page 144
This type of security consultant has specialized subject matter expertise and specializes in translating security concepts and functionality into blueprints and equipment specifications.
Technical security consultant.
Source: POA, Personnel, 4.2.2, pages 145-146
This type of security consultant deals with investigation, identification and collection of evidence, identification of vulnerabilities, mitigation strategies, and litigation.
Forensic security consultants.
Source: POA, Personnel, 4.2.3, page 146
In what situation are technical security consultants likely to be used?
New construction or renovation projects.
Source: POA, Personnel, 4.2.2, page 146
What are three ways technical security consultants can support construction and renovation projects?
Work with the architects and design engineers to ensure the needed security systems are integrated into the initial designs, Uncover security concerns in the plans before they are finalized, Recommend security hardware and software that is compatible with other building systems.
Source: POA, Personnel, 4.2.2, page 146
What is a security advisory committee?
An internal resource formed to assist corporate executives and chief security officers in their efforts to ensure that current security measures are adequate.
Source: POA, Personnel, 4.2.4, page 147
Who should serve on a security advisory committee?
Representatives of key corporate functions with stature and credibility within the organization and sufficient information about the company’s operation to enable them to offer useful opinions about actions that should be taken.
Source: POA, Personnel, 4.2.4, page 147
What typically drives the decision to use a security consultant?
A specific problem, need, challenge, or goal.
Source: POA, Personnel, 4.3, page 148
What are five steps to use when selecting a security consultant?
Identify candidates, Invite candidates to submit an application, Evaluate the application, Interview the top two or three candidates, Negotiate an agreement and finalize the selection.
Source: POA, Personnel, 4.5, page 150
How can consultant candidates be identified?
Suggestions from colleagues and peers, Industry associations, Online.
Source: POA, Personnel, 4.5, page 150
What three things should be submitted by prospective security consultants looking to be hired for a project?
Custom application, Resume, Proof of license, in jurisdictions with this requirement.
Source: POA, Personnel, 4.5, page 150
How can consultant applications be evaluated?
Compare the quality of documents and candidates’ credentials, References from prior clients, Background investigations of top candidates.
Source: POA, Personnel, 4.5, pages 150-151
What types of questions should be asked during a consultant interview?
Questions that probe the candidate’s security philosophy.
Source: POA, Personnel, 4.5, page 151
What subjects should be negotiated with a security consultant prior to hiring?
Scope of work, Product to be delivered, Methodology, Timing, Related expenses.
Source: POA, Personnel, 4.5, page 151
What are five types of fee structures for consultants?
Hourly fees, Daily fees, Fixed fees, Not-to-exceed fees, Retainers.
Source: POA, Personnel, 4.6, page 152
When is paying a consultant an hourly fee applicable?
When the assignment is expected to last less than a day, but the exact amount of time needed is unclear.
Source: POA, Personnel, 4.6.1, page 153
When are fixed fee structures used with consultants?
When the number of days required to accomplish the work can be estimated accurately and controlled by the consultant.
Source: POA, Personnel, 4.6.3, page 153
What is a not-to-exceed fee?
The consultant’s guarantee that the total cost or time will be limited to the parameters agreed to in the contract.
Source: POA, Personnel, 4.6.4, page 154
What is a consultant retainer agreement?
The consultant agrees to work a specified number of days each year for the client, and the client is guaranteed access to the consultant when needed.
Source: POA, Personnel, 4.6.5, page 154
What should be covered during a consultant’s organizational orientation?
Backgrounds and responsibilities of key personnel, Organizational chart, Operating environment, Key assets and functions, Internal and external relationships relevant to the project, Specific legislative or regulatory controls, History of the enterprise, Philosophy of top management, Competitive position.
Source: POA, Personnel, 4.7.2, page 157
What should be outlined in a consultant’s work plan?
Scope, Tasks and priorities, Assignments, Completion schedules.
Source: POA, Personnel, 4.7.5, page 159
What should be included in a consultant’s final report?
Executive summary, Results achieved, Recommendations.
Source: POA, Personnel, 4.7.7, page 160
How should the recommendations section of the consultant’s final report be structured?
The recommendations should be numbered for future reference and should define any additional work that needs to be done, together with suggestions on how to accomplish it.
Source: POA, Personnel, 4.7.7, page 160
What is a chief security officer?
A senior executive level function responsible for providing comprehensive integrated risk strategies to help protect an organization from a wide spectrum of threats.
Source: CSO Standard, Annex B, page 13
What seven categories of skills are required by a chief security officer?
Relationship leader, Executive management and leadership, Subject matter expertise, Governance team member, Risk executive, Strategist, Creative problem solver.
Source: CSO Standard, Table 2, page 5
Why is it recommended that the chief security officer report to a key senior-level executive?
To ensure a strong liaison with designated leadership bodies.
Source: CSO Standard, 4, page 2
A chief security officer is expected to have what level of education?
Advanced education and degrees should be highly valued.
Source: CSO Standard, 8, page 9