PSP Domain 1: Physical Security Assessment Flashcards
What are two types of assets?
Tangible and intangible.
Sources: PSP, 1.2.1, page 5; POA, Physical Security, 2.1, page 17
What are two objectives of collecting physical security program metrics?
To provide assurance to the organization on the effectiveness of the program and to facilitate improvement.
Sources: PSP, 4.2.4, page 65; POA, Physical Security, 4.2.4, page 71
What is commonly used to provide management with a snapshot of the effectiveness and efficiency of a physical security program?
Metrics summary chart.
Sources: PSP, 4.2.4, page 65; POA, Physical Security, 4.2.4, pages 71-72
What is the purpose of a business impact analysis (BIA)?
To assess and prioritize organizational activities and the resources required to deliver its products and services.
Source: Guideline BC, 11.1.3, pages 12-13
What is the purpose of a business continuity management system (BCMS)?
To enable an organization to identify, develop, and implement policies, objectives, capabilities, processes, and programs - taking into account legal and other requirements - to address disruptive events that might impact the organization and its stakeholders.
Source: Guideline BC, 8.0, pages 6-7
What is considered the foundation for establishing the business continuity objectives, targets, programs, and plans?
The business impact analysis (BIA) and risk assessment.
Source: Guideline BC, 11.1.3.d, page 13
What group of individuals is responsible for developing and implementing a comprehensive plan for responding to a disruptive incident?
The crisis management team (CMT). It consists of a core group of decision makers trained in incident management and prepared to respond to an event.
Source: Guideline BC, 11.1.5, page 14
What is the term for activities, programs, and systems developed and implemented prior to an incident that may be used to support and enhance mitigation of, response to, and recovery from disruptions?
Preparedness (readiness).
Source: Guideline BC, 10.0, page 9
What is a threat?
Potential cause of an unwanted incident which may result in harm to individuals, assets, a system or organization, the environment, or the community.
Source: PSP Standard, 3.72, page 8
What is a loss event profile?
A list of the kind of threats affecting the assets to be safeguarded.
Source: IPPS, Chapter 4, page 56
What is a hazard?
A source of potential danger or adverse condition. Hazards are generally associated with nature.
Source: IPPS, Chapter 4, page 56
Threats or loss risk events can fall into which three distinct categories?
Crimes; noncriminal events such as man-made incidents or natural disasters; consequential events caused by an enterprise's relationship with another organization.
Source: IPPS, Chapter 4, page 56
What are some examples of noncriminal threats?
Natural threats/disasters: hurricanes, tornadoes, major storms, etc. Man-made threats or disasters: labor strikes, airplane crashes, electrical power failures.
Source: IPPS, Chapter 4, page 57
What are examples of peripheral systems and interfaces?
Life safety systems, building controls, IT infrastructure, liaison relationships, outsourced services, and policies and procedures.
Source: POA, Physical Security, 2.3, page 25
What is a consequential event?
An event that occurs because of a relationship between events or between two different organizations; the company suffers a loss as a consequence of that event or affiliation.
Source: IPPS, Chapter 4, page 57
How is the probability that a threat will occur decided?
By considering the likelihood that a loss risk event may occur in the future.
Source: IPPS, Chapter 4, page 57
What are some factors that are used in determining the probability that a threat will occur?
Historical data at the site; the history of like events at similar companies; the makeup of the neighborhood and immediate vicinity; overall geographical location; political and social conditions; changes in the economy.
Source: IPPS, Chapter 4, page 57
What is vulnerability?
Any weakness that can be exploited by an aggressor (terrorist or criminal) or that makes an asset susceptible to damage from natural hazards or consequential events.
Source: IPPS, Chapter 4, page 59
What are some factors to consider in assessing asset vulnerability?
Lack of redundancy or backups for critical systems; single points of failure; collocation of critical systems/organizations; inadequate response capability to recover from attack; ease of aggressor access to a facility; inadequate security measures in place; presence of hazardous materials; potential for collateral damage from other companies in the area.
Source: IPPS, Chapter 4, page 59
What legal and regulatory requirement procedures should be established as part of a physical asset protection program?
Identify the legal, regulatory, and other requirements to which the organization subscribes related to the risks to its assets, activities, functions, products, services, stakeholders, environment, and supply chain; Determine how these requirements apply to its risks; Ensure that these requirements are taken into account in establishing, implementing, and maintaining its physical asset protection program.
Source: PAP Standard, 5.4, page 13
What should accompany the regular review of the physical security assessment report?
Monitor and follow up on the assessment findings, observations, and recommendations.
Source: PAP Standard, 7.2.1, page 19
What are the seven functions of physical security?
Access control, Deterrence, Detection, Assessment, Delay, Response, Evidence gathering.
Source: POA, Physical Security, 2.2, pages 18-19
What factors should be considered when selecting a risk mitigation strategy?
Availability, Affordability, Feasibility.
Source: POA, Physical Security, 3.2.5, page 35
The effectiveness of individual countermeasures and the security system depends on what?
The adversary and the threat.
Source: POA, Physical Security, 3.2.5, page 36
What must happen as a threat increases in sophistication?
The effectiveness of the countermeasures must also increase, or the additional risk must be managed by some other means.
Source: POA, Physical Security, 3.2.5, page 36
What are two categories of threats?
Manmade threats, Natural threats.
Source: POA, Physical Security, 3.2.2, page 33
What metric measures time responsiveness of external dependencies in meeting a security department request?
External dependency responsiveness.
Sources: PSP, 4.3, page 66; POA, Physical Security, 4.3, page 72
What are some physical security design attributes?
Type of adversary; amount of time the adversary requires to get to the assets inside; number and type of detectors inside and outside the site; delays that slow down the attack; size, strength, and equipage of the response force.
Source: IPPS, Chapter 1, pages 2-3
The process of identifying threats and vulnerabilities, identifying the likelihood of an event arising from such threats or vulnerabilities, defining critical functions for operations, defining controls to reduce exposure, and evaluating cost of controls is called what?
Risk assessment.
Source: Guideline BC, 10.0, page 9
What four criteria can be used to rank assets based on criticality?
Workforce, Service delivery, Dependencies, Mission/objectives.
Source: POA, Physical Security, 3.2.1, pages 32-33
Which analysis method does not use numbers, but instead uses comparative terms?
Qualitative analysis.
Sources: PSP, 3.2, page 27; POA, Physical Security, 3.2, page 29