Principles & Practices 1

Question 1

What is Enterprise Security Risk Management (ESRM)?

Answer 1

ESRM is a strategic approach to security management that ties an organization’s security practice to its overall strategy using globally accepted and established risk management principles

Question 2

What are the three primary components of Enterprise Security Risk Management (ESRM)?

Answer 2

1. The content
2. The foundation
3. the ESRM cycle

Question 3

This component of Enterprise Security Risk Management (ESRM) includes organizational aspects that security professionals must understand to successfully adopt ESRM.

Answer 3

The content

Question 4

This component of Enterprise Security Risk Management (ESRM) includes organizational concepts that support the ESRM approach and maximize its impact.

Answer 4

The foundation

Question 5

This component ofEnterprise Security Risk Management (ESRM) is the actual process of security risk management that emphasizes the importance of understanding assets.

Answer 5

The ESRM cycle

Question 6

What organizational aspects are included in the context of Enterprise Security Risk Management (ESRM)?

Answer 6

1. Mission and vision
2. Core values
3. Operating Environment
4. Stakeholders

Question 7

What three things comprise the operating environment of an organization?

Answer 7

1. Physical
2. Nonphysical
3. Logic

Question 8

This operating environment includes much of what influences traditional security factors, such as the type and location of buildings, industrial control systems, and products on hand.

Answer 8

Physical

Question 9

These factors are sources of risk, and include things such as the geopolitical environment, intensity of competition, and speed required for decision making.

Answer 9

Nonphysical factors

Question 10

These factors focus on information types such as servers, workstations, and network infrastructure.

Answer 10

Logical factors

Question 11

What are the four processes in the Enterprise Security Risk Management (ESRM) cycle?

Answer 11

1. Identify and prioritize assets
2. Identify and prioritize risks
3. Mitigate prioritized risks
4. Continuous improvement

Question 12

What is an asset owner?

Answer 12

The person most directly responsible for successful operation of the asset. InE nterprise Security Risk Management (ESRM), the asset owner is assigned responsibility for the risk to an asset.

Question 13

What four concepts comprise the foundation of Enterprise Security Risk Management (ESRM)?

Answer 13

1. Holistic risk management
2. Partnership with stakeholders
3. Transparency
4. Governance

Question 14

What are two types of assets?

Answer 14

1. Tangible
2. Intangible

Question 15

What are four ways to manage risk?

Answer 15

1. Eliminate
2. Reduce
3. Transfer
4. Accept

Question 16

This risk mitigation strategy involves removing the risk entirely.

Answer 16

Eliminate

Question 17

This risk mitigation strategy attempts to minimize risk through protective measures.

Answer 17

Reduce

Question 18

This risk mitigation strategy is typically achieved when another entity takes the risk on the organization’s behalf.

Answer 18

Transfer

Question 19

This risk mitigation strategy allows risk if the costs of reducing, eliminating, or transferring the risk outweigh the potential losses associated with it.

Answer 19

Accept

Question 20

What is a risk assessment?

Answer 20

Risk assessment is the identification, analysis, and evaluation of uncertainties to objectives and outcomes
It provides a comparison between the desired/undesired outcomes and expected rewards/losses of organizational objectives
The risk assessment analyzes whether the uncertainty is within acceptable boundaries and within the organization’s capacity to manage risk.

Question 21

What do the results of a risk assessment inform?

Answer 21

The choices available to effectively manage risk to achieve the organization’s outcomes.

Question 22

What are the deciding factors between a qualitative or quantitative approach to a risk assessment?

Answer 22

The reliability and validity of the available data
The nature of the risk factors and if they are quantifiable
The target audience for the outputs

Question 23

What is risk appetite?

Answer 23

The total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one of more desired and expected outcomes.

Question 24

What is risk tolerance?

Answer 24

The amount of uncertainty an organization is prepared to accept in total or more narrowly within a certain business unity, a particular risk category, or for a specific initiative.

Question 25

What tasks take place at the start of the risk assessment?

Answer 25

1. Setting objectives
2. Identification of stakeholders
3. Identification of internal context and variables
4. Documenting assumptions
5. Defining scope and statement of work
6. Policy and management commitment
7. Commitment of resources

Question 26

What is a gap analysis?

Answer 26

A technique to determine what steps might need to be taken to improve from a current state to a desired, future state.

Question 27

A gap analysis consists of what three steps?

Answer 27

1. Noting currently available factors
2. Listing success factors needed to achieve future, desired objectives
3. Highlighting the gaps that exist and what gaps may need to be filled to be successful

Question 28

What four components should be in any risk identification process, regardless of risk discipline?

Answer 28

1. Asset and service identification, valuation, and characterization
2. Threat and opportunity analysis
3. Vulnerability and capability analysis
4. Criticality and impact analysis

Question 29

What comprises assessor competence?

Answer 29

1. Personal traits and interpersonal skills
2. Assessment skills
3. Communication skills
4. Education, training, and knowledge
5. Work experience

Question 30

Documented criteria of an assessor’s knowledge and skills provide the basis for what three things?

Answer 30

1. Selection of assessment team members
2. Ascertain competence enhancement required for continuous improvement
3. Determine performance indicators for assessors

Question 31

What are two types of interactions between a risk assessment team and an organization?

Answer 31

1. Human interaction
2. Minimal human interactions

Question 32

This type of interaction includes activities such as conducting interviews, document reviews with stakeholders, exercises, and undercover investigations.

Answer 32

Human interaction

Question 33

This type of interaction includes activities such as conducting a document review, physical examination, observation, and sampling

Answer 33

Minimal human interaction

Question 34

What are two examples of assessment paths?

Answer 34

1. Tracing
2. Process method

Question 35

This assessment path tracks a process or risk event chronologically, following a path forward or backward through a process or sequence.

Answer 35

Tracing

Question 36

This assessment path tests a sequence of steps and evaluates process controls, interactions, effectiveness, and opportunities for improvement.

Answer 36

Process method

Question 37

What are some examples of the process method?

Answer 37

1. Objectives method
2. Risk source method
3. Department method
4. Requirement method
5. Discovery method

Question 38

What is sampling?

Answer 38

The process or technique of selecting a representative part of a population for the purpose.

Question 39

When is it beneficial to use a sampling method?

Answer 39

When it is not practical in time or cost terms to evaluate all available information.

Question 40

What are two types of sampling methods?

Answer 40

1. Non-statistical
2. Statistical

Question 41

This sampling method includes judgmental sampling, convenience sampling, and haphazard sampling.

Answer 41

Non-statistical

Question 42

This sampling method includes random sampling, systematic sampling, stratified sampling, and cluster/block sampling.

Answer 42

Statistical sampling

Question 43

What is terrorism?

Answer 43

An act of violence designed to achieve a political end

Question 44

What is domestic terrorism?

Answer 44

Violent, criminal acts committed by individuals and/or groups to further ideological goals stemming from domestic influences, such as those of a political, religious, social, racial, or environmental nature.

Question 45

What is the primary attack vector of terrorism?

Answer 45

To target the public’s sense of security in the location that they reside or work.

Question 46

What is cost-benefit analysis?

Answer 46

A method for evaluating and comparing the value and cost of risk treatment options.

Question 47

A cost-benefit analysis should consider what two types of costs and benefits?

Answer 47

1. Direct
2. Indirect

Question 48

What are examples of direct and indirect benefits?

Answer 48

Direct benefits - arising from reduction in the likelihood or harmful consequences of the risk
Indirect benefits - arising from collateral effects of the treatment such as reduced insurance premiums, improved management and staff confidence, and enhanced reputation.

Question 49

What are some examples of direct and indirect costs?

Answer 49

Direct costs - of implementing the proposed treatment and/or that could arise if the risk eventuates.
Indirect costs - arising from the loss of productivity, business disruption, diversion of management attention, loss of reputation or brand value.

Question 50

What are the goals of risk treatments?

Answer 50

1. Remove the risk source, where possible
2. Remove or reduce the likelihood of the risk event occurring
3. Remove or reduce the negative consequences
4. Share the risk with other parties
5. Accept risk through informed decision or to exploit an opportunity
6. Avoid activities that give rise to risk

Question 51

What is the purpose of a prevention and mitigation procedure?

Answer 51

Define the measures to be taken by the organization to minimize the likelihood of a disruptive event or to minimize the potential for the severity of the consequence of the event.

Question 52

What are prevention procedures?

Answer 52

Prevention procedures describe how the organization will take proactive steps to protect its assets by establishing architectural, administrative, design, operational, and technological approaches to avoid, eliminate, or reduce the likelihood of risks materializing.

Question 53

What are mitigation procedures?

Answer 53

Mitigation procedures describe how the organization will take proactive steps to protect its assets by establishing immediate, interim, and long-term approaches to reduce the consequences of risks before they materialize.

Question 54

What four steps are included in the risk assessment process?

Answer 54

1. Asset identification, valuation, and characterization
2. Risk identification
3. Risk analysis
4. Risk evaluation

Question 55

What happens in the asset identification, valuation and characterization step of the risk assessment process?

Answer 55

Identify people, assets and services that provide tangible and intangible value giving consideration to financial, operational, temporal, and reputational characteristics of assets, activities, functions and services.

Question 56

What happens in the risk identification step of the risk assessment process?

Answer 56

Identify sources of strategic, operational, tactical, and reputational risk to assess threats and opportunities; vulnerabilities and capabilities; and consequence and criticalities that have a potential for direct or indirect consequences on the organization’s activities, assets, operations, functions and impacted stakeholdersw

Question 57

What happens in the risk analysis step of the risk assessment process?

Answer 57

Systematically analyze risk to determine those risks that have significant impact on activities, functions, services, products, supply chain, subcontractors, stakeholder relationships, local populations and the environment.

Question 58

What happens in the risk evaluation step of the risk assessment process?

Answer 58

Systematically evaluate and prioritize risk controls and treatments, and their related costs to determine how to bring risk within an acceptable level consistent with risk criteria.

Question 59

What are some outputs of a risk assessment?

Answer 59

1. A prioritized risk register identifying treatments to manage risk
2. Justification for risk acceptance
3. Identification of critical control points
4. Requirements for supplier, distributor, outsourcing and subcontractor controls

Question 60

What six things should be considered when assessing consequences?

Answer 60

1. Human cost
2. Financial cost
3. Image cost
4. Human rights impacts
5. Indirect impacts
6. Environmental impacts

Question 61

What changes may prompt an update to a risk assessment?

Answer 61

Changes in:
1. Risk landscape
2. Leadership and partnerships
3. Contractual and industry trends
4. Regulatory requirements
5. Political environment
6. Conditions due to an event
7. Performance-based test/exercise results

Question 62

What are five benefits of liaison?

Answer 62

1. Leverage the resources of others
2. Share best practices and lessons learned
3. Collaborate on specific cases or incidents
4. More effectively address common issues
5. Share information, equipment, and facilities

Question 63

What is cost-effectiveness?

Answer 63

Producing good results for the money spent.

Question 64

What three things maximize cost-effectiveness?

Answer 64

1. Ensure that the operations are conducted in the least expensive but cost effective way
2. Maintain the lowest costs consistent with required operational results
3. Ensure that the amount of money spent generates the highest return

Question 65

What is security awareness?

Answer 65

Consciousness of an existing security program, its relevance, and the effect of one’s behavior on reducing security risks

Question 66

What is the purpose of a security awareness program?

Answer 66

To communicate to all individuals, including those working on behalf of the organization, risks within the organization’s unique internal and external environments, and the technical and administrative controls implemented to effectively manage those risks.

Question 67

When is an effective security culture established?

Answer 67

When people’s behaviors align with the defined risk management processes and where the security technologies and methods deployed are policy based and well communicated through security awareness and training activities.

Question 68

What is the goal of a security awareness program?

Answer 68

To promote compliance with security policies and procedures, as well as provide timely communications and training to guide individual and organizational attitudes and behaviors.

Question 69

What should every awareness program be structured to reflect?

Answer 69

The organization’s unique culture, risk environment, lifecycle management, and change control process.

Question 70

How does clear top management support for security awareness set the tone?

Answer 70

By actively supporting awareness communication, training, and associated activities. Top management should also be involved in strengthening the culture that ensures individuals understand their security roles and take ownership of their personal safety and security.

Question 71

What three program principles should be established for security awareness programs?

Answer 71

1. Encourage enterprisewide ownership
2. Develop a unified approach for security awareness communication and training
3. Leverage existing programs/infrastructure

Question 72

What can be done to encourage enterprisewide ownership of security awareness programs?

Answer 72

Establishing an oversight, advisory, or steering group comprised of security stakeholders to influence/generate program content and to help communicate risk appetite, strategy, and content relevance.
Establishing security champions or influencers to solicit and provide input to program content

Question 73

What is a benefit of a unified, holistic approach to security awareness program content?

Answer 73

Using ‘one voice’ simplifies the message and increases the impact to stakeholders and the organization.

Question 74

What types of benefits may be realized by leveraging existing organizational programs for security awareness?

Answer 74

1. Timing
2. Resource
3. Budget
4. Logistical

Question 75

What six factors are planning considerations when designing an effective security awareness program?

Answer 75

1. Security policies and procedures
2. Internal and external considerations
3. Security risks
4. Resources
5. Roles, responsibility, and authorities
6. Human resources context

Question 76

Effective security policies contain what important characteristics?

Answer 76

1. Protecting individuals and organizational assets from security risks
2. Organizational relevance and maintaining compliance with legal, regulatory, and contractual obligations are clearly explained
3. Measurements for continual improvement metrics
4. Content is written to help build an engaged and alert security community
5. Instructions should help individuals reflect on the policy, consider how to respond in a situation, and take risk-based, informed, and appropriate actions
6. Policy cross-references

Question 77

Which department plays a pivotal role as collaborator with security personnel in an organization’s security awareness program?

Answer 77

Human resources

Question 78

Security awareness program content should align with what three things?

Answer 78

1. Program goals and objectives
2. Security policies and procedures
3. Key performance indicators

Question 79

What factors should be considered when determining how security awareness program content should be delivered?

Answer 79

1. Location-specific needs and requirements
2. Existing training culture and processes to be leveraged
3. Traning topic needs
4. Types of training formats available and relevant
5. Levels of training required based on security access or employment status

Question 80

What should be included in a security awareness program evaluation?

Answer 80

1. Appropriateness of program goals and objectives
2. Consistency with the organization’s security policies and procedures
3. Volume and frequency fo security awareness and training content
4. Effectiveness of content and delivery methods
5. Level of resources allocated to the program

Question 81

What should security awareness program improvements be based on?

Answer 81

1. Individual feedback
2. Program evaluations
3. Evolving threat landscapes
4. Changes in the organization’s culture
5. Audit findings
6. New or changes to legal, regulatory, or contractual obligations
7. Top management input and direction

Question 82

What are some benefits of using a security consultant?

Answer 82

1. They do not promote or sell a specific product
2. Objectivity
3. Out-of-the-box thinking
4. Can be less expensive than hiring additional staff

Question 83

What are three categories of security consultants?

Answer 83

1. Security management consultants
2. Technical security consultants
3. Security forensic consultants

Question 84

This type of security consultant usually specializes in a certain discipline, which comprises the foundation of their expertise.

Answer 84

Security management consultants

Question 85

This type of security consultant has specialized subject matter expertise and specializes in translating security concepts and functionality into blueprints and equipment specifications.

Answer 85

Technical security consultant

Question 86

This type of security consultant deals with investigation, identification and collection of evidence, identification of vulnerabilities, mitigation strategies, and litigation.

Answer 86

Forensic security consultants

Question 87

In what situation are technical security consultants likely to be used?

Answer 87

New construction or renovation projects

Question 88

What are three ways technical security consultants can support construction and renovation projects?

Answer 88

1. Work with the architects and design engineers to ensure the needed security systems are integrated into the initial designs
2. Uncover security concerns in the plans before they are finalized
3. Recommend security hardware and software that is compatible with other building systems

Question 89

What is a security advisory committee?

Answer 89

An internal rescource formed to assist corporate executives and chief security officers in their efforts to ensure that current security measures are adequate.

Question 90

Who should serve on a security advisory committee?

Answer 90

Representatives of key corporate functions with stature and credibility within the organization and sufficient information about the company’s operation to enable them to offer useful opinions about actions that should be taken.

Question 91

What typically drives the decision to use a security consultant?

Answer 91

A specific problem, need, challenge, or goal.

Question 92

What are five steps to use when selecting a security consultant?

Answer 92

1. Identify candidates
2. Invite candidates to submit an application
3. Evaluate the application
4. Interview the top two or three candidates
5. Negotiate an agreement and finalize the selection

Question 93

How can consultant candidates be identified?

Answer 93

1. Suggestions from colleagues and peers
2. Industry associations
3. Online

Question 94

What three things should be submitted by prospective security consultants looking to be hired for a project?

Answer 94

1. Custom application
2. Resume
3. Proof of license, in jurisdictions with this requirement

Question 95

How can consultant applications be evaluated?

Answer 95

1. Compate the quality of documents and candidates’ credentials
2. References from prior clients
3. Background investigations of top candidates

Question 96

What types of questions should be asked during a consultant interview?

Answer 96

Questions that probe the candidate’s security philosophy

Question 97

What subjects should be negotiated with a security consultant prior to hiring?

Answer 97

1. Scope of work
2. Product to be delivered
3. Methodology
4. Timing
5. Related expenses

Question 98

What are five types of fee structures for consultants?

Answer 98

1. Hourly fees
2. Daily fees
3. Fixed fees
4. Not-to-exceed fees
5. Retainers

Question 99

When is paying a consultant an hourly fee applicable?

Answer 99

When the assignment is expected to last less than a day, but the exact amount of time needed is unclear.

Question 100

When are fixed fee structures used with consultants?

Answer 100

When the number of days required to accomplish he work can be estimated accurately and controlled by the consulant.

Question 101

What is a not-to-exceed fee?

Answer 101

The consultant’s guarantee that the total cost or time will be limited to the parameters agreed to in the contract.

Question 102

What is a consultant retainer agreement?

Answer 102

The consultant agrees to work a specified number of days each year for the client, and the client is guaranteed access to the consultant when needed.

Question 103

What should be covered during a consultant’s organizational orientation?

Answer 103

1. Backgrounds and responsibilities of key personnel
2. Organizational chart
3. Operating environment
4. Key assets and functions
5. Internal and external relationships relevant to the project
6. Specific legislative or regulatory control
7. History of the enterprise
8. Philosophy of top management
9. Competitive position

Question 104

What should be outlined in a consultant’s work plan?

Answer 104

1. Scope
2. Tasks and priorities
3. Assignments
4. Completion schedules

Question 105

What should be included in a consultant’s final report?

Answer 105

1. Executive summary
2. Results achieved
3. Recommendations

Question 106

How should the recommendations section of the consultant’s final report be structured?

Answer 106

The recommendations should be numbered for future reference and should define any additional work that needs to be done, together with suggestions on how to accomplish it.

Question 107

What is a chief security officer?

Answer 107

A senior executive level function responsible for providing comprehensive integrated risk strategies to help protect an organization from wide spectrum of threats.

Question 108

What seven categories or skills is required by a chief security officer?

Answer 108

1. Relationship leader
2. Executive management and leadership
3. Subject matter expertise
4. Governance team member
5. Risk executive
6. Strategist
7. Creative problem solver

Question 109

Why is it recommended that the chief security officer report to a key senior-level executive?

Answer 109

To ensure a strong liaison with designated leadership bodies.

Question 110

A chief security officer is expected to have what level of education?

Answer 110

Advanced education and degrees should be highly valued.