PSP FLASHCARDS

1
Q

A management process that ties an organization’s security practice to its overall protection strategy using globally established risk management principles to manage risk where asset owners own decisions for the risks to assets they manage. (POA PS, page 1).

A

Enterprise security risk management (ESRM).

2
Q

Who in ESRM is responsible for identifying, prioritizing, and developing remediation efforts for assets at risk? (POA PS, page 2).

A

Asset owners in partnership with the security professional.

3
Q

An enterprise risk program that typically focuses on all aspects of organizational risk such as financial, operational, and strategic. (POA PS, page 2).

A

Enterprise risk management (ERM).

4
Q

What are the three components of ESRM?
(POA PS, page 5).

A
  1. The context.
  2. The Foundation.
  3. The ESRM cycle
5
Q

What component of the ESRM is critical for the security professional to not only understand the various threats that may impact the organization but to also understand the organization itself? (POA PS, page 5).

A

Context

6
Q

A critical requirement for the successful ESRM adoption strategy in the risk management process of an organization. (POA PS, page 5).

A

Align the security strategy and the organization’s overall strategy.

7
Q

What are the two elements that are considered to be the pinnacle of organizational strategy? (POA PS, page 5).

A
  1. Mission
  2. Vision
8
Q

What are the five core values of an organization? (POA PS, page 6).

A
  1. Environmental stewardship
  2. The community
  3. Employee safety and security
  4. Product quality; and
  5. Brand and image protection
9
Q

What often defines an organization’s culture? (POA PS, page 7).

A

Core values

10
Q

For the security professional to effectively assess risk and build relationships, he/she must understand the operating environment in which the organization functions. What are the three elements that form the operating environment?

A
  1. Physical.
  2. Non-physical.
  3. Logical.
11
Q

What are some of the physical environment key factors a security professional should understand to effectively evaluate and prioritize risk and partner with asset owners?

A
  1. Type of location.
  2. Building and surrounding environment.
  3. Pedestrian/vehicle traffic in the area.
  4. Non-employees who require access.
  5. Industrial control systems.
  6. Criticality and sensitivity of processes and assets on site.
  7. Products on hand and warehoused.
12
Q

What are some of the nonphysical key factors that asset owners and security professionals must understand to effectively evaluate and prioritize risks and develop risk mitigation measures for an organization? (POA PS, page 7).

A
  1. Geo-political environment.
  2. External pressures on the industry.
  3. Legal/regulatory/compliance requirements.
  4. Intensity of the competition.
  5. Growth mode of the organization.
  6. Speed required for decision-making.
  7. Impact of technology.
  8. Ongoing change including leadership
13
Q

What are some of the logical factors that asset owners and security professionals must understand to effectively evaluate and prioritize risks and develop mitigation measures for an organization? (POA PS, page 8).

A

Digital assets and networks that connect them to each other and other stakeholders

14
Q

Businesses and industries heavily rely on digital connections and data for all phases of their operations. Provide examples of these logical factors. (POA PS, page 8).

A
  1. Servers.
  2. Workstations.
  3. Network infrastructure.
  4. Connectivity
15
Q

Why do stakeholders matter in the ESRM risk management process and what role does the security professional play? (POA PS, page 8).

A
  1. They are essentially the risk decision-makers.
  2. The security professional must know what is important to the stakeholders and assist them in formulating mitigation strategies for security-related risks.
16
Q

Under the ESRM concept, give examples of intangible asset owners who should partner with the security professional in identifying and mitigating risk in an organization. (POA PS, page 9).

A
  1. Events
  2. Procurement.
  3. Human resources.
  4. Legal.
  5. Marketing
17
Q

Under the ESRM concept, provide a list of stakeholders who may contribute knowledge to the organization on specific risks to assets or resources for mitigation plans. (POA PS, page 9).

A
  1. Suppliers.
  2. Distributors.
  3. Consultants.
  4. Audit firms
18
Q

Identify four important parts of the ESRM approach that describe how security risks are mitigated. (POA PS, page 10).

A
  1. Identify & prioritize risk.
  2. Identify and prioritize risks.
  3. Mitigate prioritized risks.
  4. Continuous process
19
Q

Who plays the role of a security risk subject matter expert and a trusted advisor to top management, asset owners, and other stakeholders in the ESRM process? (POA PS, page 10).

A

The security professional

20
Q

In the ESRM approach, who is the risk owner? (POA PS, page 10).

A

Asset owner

21
Q

Name some of the types of risks to be considered in the ESRM approach. (POA PS, page 11).

A
  1. Physical assets.
  2. Information security risks.
  3. Cybersecurity risks.
  4. Personnel security risks.
22
Q

In the ESRM approach, in what order are risks mitigated, and how? (POA PS, page 11).

A
  1. In order of priority.
  2. Using security controls recommended by the security professional and approved by the asset owner.