Sec Prin and Mgmt Flashcards
What is the difference between resilience and risk?
Resilience takes a forward-looking view of risk, fully integrating business and risk management into the organization’s system of management. Risk is viewed as inevitable and as having the potential for positive outcomes. Risk is the effect of uncertainty on the achievement of strategic, operational, tactical, and reputational objectives.
What does resilience promote within an organization, and what does it require?
Resilience promotes a perspective of enterprise-wide agility and adaptability in a dynamic and uncertain environment. Resilient organizations fully integrate a holistic and proactive risk management perspective into good business management practice to enhance their buffering and adaptive capacity. Resilience requires both the convergence of risk disciplines and the elimination of, and/or collaboration among, organizational silos in order to have a coordinated plan for managing risk throughout the enterprise. Resilience is not something inherent to an organization; it develops as organizations mature, learn from successes and mistakes, and improve their management and decision-making skills.
Write four characteristics of resilient organizations
i. Recognize that change is constant
ii. Consider the organization’s dependencies and interdependencies in assessing risk to the organization and its risks on others;
iii. Integrate proactive risk management into all their decision making process;
iv. Promote situational awareness and monitoring with an emphasis on identifying indicators of change
What is meant by a resilient organization?
Being a resilient organization means efficiently tapping into its human, tangible and intangible resources
What is essential to building resilience? How can risk be better managed?
Improving communication and consultation skills is essential to building resilience. Risk is best managed with ongoing consultation and interactive communication among stakeholders. A resilient organization will build the mechanisms needed to support both a top-down and a bottom-up flow of information.
Explain the importance of empowering people at all levels of the organization in achieving organizational resilience.
Empowering people at all levels of the organization fosters the sense of inclusiveness and ownership that encourages the sharing of ideas. It helps to promote a risk culture in which risk makers and risk takers understand that they are also risk owners and risk managers.
What does the Organizational Resilience Management System (ORMS) enable?
The organizational resilience management system (ORMS) enables an organization to identify, assess and manage risks related to the achievement of its strategic, operational, tactical and reputational objectives in the organization and its supply chains.
How is an Organizational Resilience Management System achieved?
An ORMS is achieved by developing, designing, documenting, deploying and evaluating fit-for-purpose proactive management strategies needed to achieve current objectives and to identify indicators of potential needs for change.
What provides the foundation for good governance?
Enhanced security and resilience
Key Performance Indicators (KPIs) are defined to support what? What do KPIs drive?
Key Performance Indicators (KPIs) are defined to support the achievement of objectives. KPIs drive a culture of management by measurement for continual monitoring and performance improvement.
When can an organization not maximize opportunities and minimize negative outcomes?
Unless risk is managed effectively, organizations cannot maximize opportunities and minimize negative outcomes.
What does the systems approach examine, and when can the component parts of a system best be understood?
The systems approach examines the linkages and interactions between the elements that compose the entirety of the system. The component parts of a system can best be understood in the context of their interrelationships, rather than in isolation, and must be treated as a whole.
Cultivating what kind of skills enhances resilience, builds trust, and contributes to protecting the image and reputation of the organization?
Leadership skills at all levels
Why do all organizations need to be cognizant of their resource constraints?
To prioritize the allocation of resources when managing risk
What can influence the way in which the organization will manage risk?
Internal and external factors
What is necessary in order to understand the organization’s value chain?
Identification of people, assets and services that provide tangible and intangible value
When identifying stakeholders’ needs and requirements, what shall the organization determine?
When identifying stakeholders’ needs and requirements, the organization shall determine:
(a) Requirements and obligations specified by stakeholders
(b) Legal, regulatory and contractual obligations as well as other voluntary commitments
(c) Human rights responsibilities and impacts relevant to its activities
(d) Needs of the local and impacted communities and other stakeholders
(e) Risk management requirements, including stakeholders’ risk appetite
Every organization should define and document criteria to evaluate the significance of risk. What elements of the organization should the risk criteria reflect?
The risk criteria shall reflect the organization’s values, objectives and resources.
Explain a “statement of applicability” in relation to the scope of the Organizational Resilience Management System (ORMS).
A “Statement of Applicability” shall define the relevant risks that apply to the organization’s scope, legal, regulatory and contractual obligations, and operating environment, based on its risk assessment. The organization shall implement adaptive, proactive and/or reactive measures to manage the risks that apply to the organization’s scope, legal, regulatory and contractual obligations, and operating environment.
How should top management provide evidence of active leadership for the Organizational Resilience Management System (ORMS)?
By overseeing its establishment and implementation, and motivating individuals to integrate security and resilience as a central part of the mission of the organization and its culture.
The organization shall establish, implement and maintain a formal and documented risk assessment process that includes its relevant supply chain partners’ and subcontractors’ activities. What steps should be included in the risk assessment process?
(a) Asset identification
(b) Risk identification
(c) Risk analysis
(d) Risk evaluation
What is the difference between risk analysis and risk evaluation?
Risk analysis is a systematic method to analyze and determine those risks that have a significant impact on activities, functions, services, products, the supply chain and others, while risk evaluation is a systematic method to evaluate and prioritize risk controls and treatments, as well as their related costs, to determine how to bring risk within an acceptable level consistent with the risk criteria.
Which organizations should consider conducting the BIA as a separate analysis?
Organizations where major variations in recovery priorities and/or complex interdependencies are present should consider conducting the BIA as a separate analysis.
Why should organizations consider integrating a business impact analysis (BIA) into their risk assessment process?
Because a criticality analysis includes estimating allowable downtimes, potential impacts over time and recovery time objectives, an organization may integrate a BIA into its risk assessment process.
The risk assessment should identify the activities, operations, and processes that need to be managed. What elements should be included in the outputs of the risk assessment?
a) A prioritized risk register identifying treatments to manage risk
b) Justification for risk acceptance
c) Identification of critical control points (CCP); and
d) Requirements for supplier, distributor, outsourcing and subcontractor controls
When establishing and reviewing the objectives and targets of the organizational resilience management system (ORMS), what factors should an organization consider?
a) Consistency with the ORMS policy
b) Significant risk
c) Brand, reputation and human right impacts
d) Integrity of information
e) Financial, operational, and business requirements
f) Legal, regulatory, contractual and other requirements
How should an organization ensure the integrity of documents?
By rendering them securely backed‐up, accessible only to authorized personnel and protected from unauthorized disclosure, modification, deletion, damage, deterioration or loss
What should an organization establish to effectively pursue opportunities and deal with undesirable and disruptive events?
The organization shall establish planning, security incident management, response and/or recovery team(s) with defined roles, appropriate authority, adequate resources, and rehearsed operational plans and procedures.
Write three functions of the response structure in relation to the organizational resilience management system (ORMS).
a) Identify incident indicators and impact thresholds that justify initiation of a formal response;
b) Assess the nature and extent of a potential undesirable or disruptive event and its impacts;
c) Initiate an appropriate response to avoid, protect, mitigate or manage a potential undesirable or disruptive event.
Whenever possible and consistent with jurisdictional laws, regulations and contractual requirements, what should the screening process include?
a) Consistency with legal, regulatory and contractual requirements
b) Education and employment history review
c) Personal references
d) Military and security services records check
e) Review of possible criminal records and others
As part of grievance procedures, how should an organization investigate allegations?
An organization shall investigate allegations expeditiously and impartially, with due consideration to confidentiality and to restrictions imposed by jurisdictional law.
In preparing incident prevention and management procedures, what actions should an organization consider?
a) Safeguard life and assure the safety of internal and external stakeholders
b) Protect assets
c) Prevent further escalation of the incident
d) Minimize disruption to operations
e) Restore critical operational continuity and others
What kind of protection strategy should an organization adopt to deter, detect, delay and respond to risks and threats to the organization and its assets?
The organization shall adopt a “protection in depth” or layered protection strategy to develop a cost-effective and robust approach to deter, detect, delay and respond to risks and threats to the organization and its assets.
What should be considered when existing arrangements are revised and new arrangements are introduced in the incident management procedures?
The associated risks before their implementation and the potential to create new or modify existing risks.
What should be ensured by the incident management procedures?
(a) Supply and demand requirements (demand signals) are comprehended in capacity planning
(b) Contingencies and appropriate redundancies provide protection in depth and address single point failures
(c) Processes are in place to validate supply chain responses
(d) There is a feedback loop to know if past risk control and countermeasures are changing as part of design, engineering or process changes, or a decision to outsource certain activities
(e) Planned changes are controlled, and unintended changes are reviewed and appropriate action is taken
How should an organization assess the performance and effectiveness of the ORMS?
The organization shall assess the performance and effectiveness of the ORMS by evaluating plans, procedures, and capabilities through periodic assessments, testing, post-incident reports, lessons learned, performance evaluations and exercises.
A formal report should be written after each exercise. What should this report assess?
The report shall assess the appropriateness and efficacy of the organization’s ORMS plans, processes, and procedures, including nonconformities, and should propose corrective and preventive action.
Management should review the organization’s ORMS at documented, specific intervals (at least annually) to confirm what?
To confirm its continuing suitability, adequacy and effectiveness
Through the use of what elements can an organization continually improve the effectiveness of the organizational resilience management system?
Through the use of the ORMS policy, objectives, results, analysis of monitored events, corrective and preventive actions, and management review
What is gap analysis? What are the five key areas the gap analysis should cover?
A gap analysis will enable the organization to compare its actual performance with the potential performance needed to meet its objective. The gap analysis should cover five key areas:
a) Identification of risks
b) The capacity to identify and pursue opportunities
c) Identification of applicable legal, regulatory, contractual and other requirements to which the organization subscribes
d) Evaluation of existing risk management practices and procedures
e) Evaluation of previous emergency situations and disruptive events.
What kinds of tools and methods may be required for undertaking a gap analysis?
Checklists, conducting interviews, direct inspection and measurement, benchmarking against best practices, or the results of previous audits or other reviews
How is the management systems approach characterized?
The management systems approach is characterized by:
a) Understanding the context and environment within which the system operates
b) Identifying the core elements of the system, as well as the system boundary
c) Understanding the role or function of each element in the system; and
d) Understanding the dynamic interaction between elements of the system
How should the value of an asset or service be considered in the organization?
The value of an asset or service should be considered within the context of how the asset contributes to the organization’s achievement of its objectives. In addition to considering the monetary value of assets, valuation should consider how the asset fits within the value chain of the organization and its relative value in achieving strategic, tactical, operational and reputational objectives.
What does the risk assessment provide?
The risk assessment provides a basis for evaluating the adequacy and effectiveness of current controls in place, as well as decisions on the most appropriate approaches to be used in managing and treating risks. It identifies those risks that should be addressed as a priority by the organization’s ORMS. The risk assessment provides the foundation for setting objectives, targets and programs within the management system, as well as measuring the efficacy of the ORMS.
Risk management strategies should be dynamic and monitored. When should they be modified?
(a) Outcomes of the risk assessment change;
(b) Objectives and targets are modified or added
(c) Relevant legal requirements are introduced or changed;
(d) Substantial progress in achieving the objectives and targets has been made (or has not been made)
(e) Activities, products, services, processes, or facilities change or other issues arise
The most appropriate risk management strategy or strategies depends on what types of factors?
The most appropriate strategy or strategies should depend on a range of factors such as:
(a) Results of the organization’s risk assessment;
(b) Costs of implementing a strategy or strategies; and
(c) Consequences of inaction
What should be considered by the organization when seeking insurance coverage?
a) The policies and limits to be held by the organization should be specified in the contract;
b) The jurisdiction of the policy and in the event of a dispute;
c) The territorial limitations;
d) Limitations of indemnity;
e) Coverage of all activities, including use of weapons;
f) Activities of subcontractors; and
g) Contractual obligations
What is the difference between problem assessment and severity assessment?
Problem assessment is an evaluative process of decision making that determines the nature of the issue to be addressed, while severity assessment is the process of determining the severity of the disruption and any associated consequences.
What is the difference between a functional exercise and a full-scale exercise?
A functional exercise is a walk-through or specialized exercise simulating a scenario as realistically as possible in a controlled environment, while a full-scale exercise is a live or real-life exercise simulating a real-time, real-life scenario.
What does a business impact analysis generally provide?
A business impact analysis provides a structured approach to gaining information about the critical activities, functions, and processes of the organization and the associated resources necessary for an organization to mitigate the impacts of undesirable and disruptive events.
What is the purpose of a business impact analysis?
The purpose of a BIA is to determine the criticality of business functions, estimate the maximum downtime that can be tolerated while maintaining viability, and determine the resource requirements to resume critical operations.
CPTED relies on what?
Crime prevention design solutions should be integrated into the design and function of the buildings, or at least the location where they are being implemented. CPTED relies on an awareness of how people use space for legitimate and illegitimate purposes.
What is important to do first in order to choose the right physical security measures and apply them appropriately?
To choose the right physical security measures and apply them appropriately, it is important to first conduct a risk assessment.
What is the building envelope and what does it serve as?
Building envelope: The separation between the interior and the exterior environments of a building. It serves as the outer shell to protect the indoor environment as well as to facilitate its climate control
What is risk assessment?
Risk assessment: The process of assessing security-related risks from internal and external threats to an entity, its assets, or personnel
What is risk management?
Risk management: A business discipline consisting of three major functions: loss prevention, loss control and loss indemnification
What does routine activity theory suggest?
Routine activity theory suggests that a suitable guardian will prevent criminal activity from occurring. Criminals will generally avoid targets or victims when police, security, door staff, neighbours or others are in a position to observe and react.
What is a CCT rating?
CCT rating: Corrected Colour Temperature (CCT) is a measure of the warmth or coolness of a light. It is measured in degrees Kelvin, which is the Centigrade (Celsius) absolute temperature scale, where 0 °K is approximately −272 °C.
What is security survey?
Security survey: A thorough physical examination of a facility and its systems and procedures, conducted to assess the current level of security, locate deficiencies and gauge the protection needed.
What is stand‐off distance or set back?
Stand‐off distance/ set back: The distance between the asset and the threat, typically regarding an explosive threat.
What is tailgating?
Tailgating: To follow closely. In access control, the attempt by more than one individual to enter a controlled area by immediately following an individual with proper access. Also called piggybacking.
When does a space naturally have less opportunity for criminal activity?
Natural or architectural measures: Designing space to ensure the overall environment works more effectively for the intended users while at the same time deterring crime. A space will naturally have less opportunity for criminal activity when it is effectively used. Poor layout reduces the ability of intended users to apply appropriate measures.
Explain progressive collapse
Progressive collapse: Occurs when the failure of a primary structural element results in the failure of adjoining structural elements, which in turn causes further structural failure. The resulting damage progresses to other parts of the structure, resulting in a partial or total collapse of the building
What is risk?
Risk: The likelihood of loss resulting from a threat, security incident, or event
What is a threat?
Threat: An action or event that could result in a loss; an indication that such an action or event might take place
What is throughput?
Throughput: The average rate of flow of people or vehicles through an access point
What is a token?
Token: An electronically encoded device (e.g., a card, key fob, etc.) that contains information to be read by electronic devices placed within or at the entry and exit points of a protected facility
Based on CPTED, explain organizational measures
Organizational measures: Focus on policies and activities that encourage observation, reporting and, where appropriate, intervention. This would include education for individuals and groups in strategies they can take to protect themselves and the space they occupy. It would also entail routine patrol and enforcement by security, law enforcement or others.
Explain natural territorial reinforcement (boundary definition).
Natural territorial reinforcement (boundary definition): Establishing a sense of ownership by facility owners or building occupants to define territory to potential aggressors and to assist legitimate occupants or users in increasing vigilance in identifying who belongs on the property and who does not. The theory holds that people will pay more attention to and defend a particular space or territory from trespass if they feel a form of “psychological ownership” of the area. Thus, it is possible, through real or symbolic markers, to encourage tenants or employees to defend property from incursion.
Wooden fences are used for (a) …………………….. A wooden fence’s effectiveness can be enhanced by adding (b) ………………………… When utilizing a wooden fence to delay entry, the vertical picket sections must be (c) ……………………. and the horizontal sections should be (d) ……………………..
(a) low-security applications,
(b) barbed wire, razor wire, or metal spikes,
(c) no wider than 1‐3/4 inches,
(d) 50 inches apart,
(e) protected side of the building.
What does the width of the clear zone depend on? When can an exception be made in relation to the clear zone?
Wherever possible and practical, a clear zone should separate a perimeter barrier from structures inside the protected area. The width of the clear zone will depend upon the threat that is being protected against. An exception can be made when a building wall constitutes part of the perimeter barrier
Explain four design features of a chain-link fence.
The following are some design features that enhance security (Chain Link Fence Manufacturers Institute, 1997):
1- Height: The higher the barrier, the more difficult and time-consuming it is to breach. For low security requirements, a 5-6 ft. (1.5-1.8 meter) fence may be sufficient; for medium security, a 7 ft. (2.1 meter) fence may be appropriate; and for high security (such as a prison), an 18-20 ft. (5.4-6.0 meter) fence may be required.
2- Barbed wire: Barbed wires vary in gauge, coating weight, number of barbs, and spacing of barbs. If chain-link or expanded metal fences are intended to discourage human trespassing, barbed wire should be installed atop the fence on an outward-facing top guard at a 45-degree angle.
3‐Bottom rail: Properly anchored, this prevents an intruder from forcing the mesh up to crawl under it,
4- Top rail: A horizontal member at the top of a fence to which the fabric is attached with ties or clips at intervals not exceeding two feet. A top rail generally improves the appearance of a fence, but it also offers a handhold to anyone climbing it.
What does the broken windows theory say?
The “broken windows” theory suggests that an abandoned building or car can remain unmolested indefinitely, but once the first window is broken, the building or car is quickly vandalized. Maintenance of a building and its physical elements (such as lighting, landscaping, paint, signage, fencing and walkways) is critical for defining territoriality.
In relation to chain‐link fence what prevents an intruder from forcing the mesh up?
Burying / mow strip: Burying the chain-link fabric 1 ft. (0.3 meters) or more, or installing a concrete mow strip, prevents an intruder from forcing the mesh up.
What can a fence or wall do?
A fence or wall can do the following:
1- Give notice of the legal boundary of the premises,
2- Help channel entry through a secured area by deterring entry elsewhere along the boundary,
3‐Provide a zone for installing intrusion detection equipment and video surveillance system,
4‐Deter casual intruders from penetrating a secured area,
5- Force an intruder to demonstrate his or her intent to enter the property,
6‐ Cause a delay in access, thereby increasing the possibility of detection,
7‐Create a psychological deterrent,
8‐ Reduce the number of security officers required,
9‐Demonstrate a facility’s concern for security
Explain the concept of compartmentalization?
Compartmentalization: One of the basic CPTED strategies is to design multiple or concentric layers of security measures so that highly protected assets are behind multiple barriers. Layers of security strategies or elements start from the outer perimeter and move inward to the area of the building with the greatest need for protection. Each layer is designed to delay an attacker as much as possible. This strategy is also known as protection-in-depth (Fay, 1993, p. 672). If properly planned, the delay should either discourage a penetration or assist in controlling it by providing time for an adequate response.
Explain double fencing.
Double fence: An additional line of security fencing a minimum of 10 ft. to 20 ft. (3 meters to 6 meters) inside the perimeter fence creates a controlled area and room for sensors or a perimeter patrol road between the fences.
Where is welded wire fabric generally used?
Welded wire fabric, which is cheaper than expanded metal, is generally used for lower risk applications.
What affects the amount of protection required?
The value of an asset being protected affects the amount of protection required.
Which strategy should be used when selecting physical barriers, and what should the barriers be designed to address?
A threat-based design strategy should be used when selecting physical barriers, and the barriers should be designed to address the specific threats.
What is the most common perimeter barrier?
The most common perimeter barriers are fencing and walls. However, fences and walls usually only deter or delay entry; they do not prevent it entirely.
Against what is a chain-link fence effective?
Chain‐link fences are quick to install, can be effective against pedestrian trespassers and animals and provide visibility to both sides of the fence.
With which types of tools can a chain-link fence be breached easily?
Chain‐link fence fabric is made from steel or aluminum wire (which may be coated), which is wound and interwoven to provide a continuous mesh. It can be breached easily with a blanket, wire cutter, or bolt cutter.
What types of protection can window film provide?
Window film can be designed, tested, and applied to:
1- Provide varying degrees of protection from intrusion or “smash and grab”. It can generally be defeated with repeated attacks,
2‐Reduce injury from projectile shards of glass in case of an explosion or blast force,
3- Reduce injury from projectile penetration in case of extreme weather (i.e., hurricane or tornado)
Electric security fences consist of (a)……………… supported by posts fitted with insulators. These fences can be (b) ………………for wall top security, or (c) ………….. for high security sites. Most industrial applications are 8ft (2.4m) high with (d) ………
(a) a close wire grid,
(b) simple 5 wire systems,
(c) multi‐zoned systems with up to 50 wires,
(d) 20 wires and are fitted to the inside of the chain link perimeter fence.
What is the difference between a deterrent fence and a monitored fence?
Electric security fences come in two forms:
1) the all live wire “deterrent” fence that relies on the human fear of electric shock; or more commonly
2) the “monitored” fence, where, in addition to the fear factor, the fence will detect cutting or climbing of the wires and trigger an alarm. Monitored fences are usually integrated with intruder alarm or access control systems and, increasingly, with surveillance cameras.
Through what are most building intrusions effected?
Most building intrusions are effected through doors and windows
Annealed or plate glass has been manufactured to control (a) ……………. such that it can be subjected to fabrication. Regular plate, float, sheet, rolled, and some patterned surface glasses are examples of (b)…………………… Annealed glass breaks into large shards that can cause (c)…………………..and building codes may restrict its use in places where (d) ……………………………………….such as door panels and fire exits.
(a) residual stresses,
(b) annealed glass.
(c) serious injury,
(d) there is a high risk of breakage and injury
What types of measures can be taken to strengthen doors?
Measures that can be taken to strengthen doors include adding steel plate for reinforcement, anchoring frames, adding kick plates, using set screws in hinges, or spot welding hinges.
(a) ……………. is composed of two sheets of ordinary glass bonded to a middle layer or layers of plastic sheeting material. When laminated glass is stressed or struck, it may crack and break but the pieces of glass tend to adhere to the plastic materials. It is also the preferred glass type (b) …………………………. It will aid in the protection of building occupants from (c) …………………………………. in the event of an explosion.
(a) Laminated glass,
(b) for mitigating blast forces,
(c) glass shattering
(a) ……………….. or burglar-resistant glass provides stronger resistance to attack. It is laminated and consists of multiple plies of glass, polycarbonate, and other plastic films to provide (b) ……………………
(a) Bullet‐resistant
(b) many levels of ballistic resistance
Describe the working principle of credential-operated locks.
Credential-operated locks rely on a unique card or other device being presented to a card reader at a location where access is being controlled. The system electronically checks the information on the card (including the identification of the cardholder and the time period when access is permitted), compares it with the information already on file, and then permits entry or denies access.
What are the key factors to be considered in hardening a facility?
Key factors in hardening a facility include: 1- stand-off distance, 2- structural integrity of the premises against attack, 3- prevention of progressive collapse, 4- redundancy of operating systems.
………………………. , a single key operates a series of mechanical locks, and each of those locks is also operated with another key specific to that lock. Since the compromise of a master key can compromise an entire facility, the use of any master key must be strictly controlled.
In a master key system
What type of curtains provides protection from flying materials in an explosion?
Blast curtains are made of reinforced fabrics that provide protection from flying materials in an explosion
What measures are needed to decide whom to let into a facility and whom to keep out?
Measures such as:
1- Tokens or other items in the person’s possession (such as a metal key; a proximity, insertion, or swipe card; or a photo identification card),
2- Private information known by the individual (such as a password or personal identification number),
3‐ Biometric features of the person (such as fingerprint, hand geometry, iris and retinal patterns, signatures or speech patterns)
What types of attack might an adversary use to defeat an access control point?
An adversary may use several types of attacks to defeat an access control point:
1- Deceit: The adversary deceives an employee into permitting entry,
2‐ Direct physical attack: The adversary uses tools to force entry into an area,
3- Technical attack: The adversary forges a credential, guesses a personal identification number, or obtains another person’s credential.
Typically, what are the purposes of security lighting?
Typically, the purposes of security lighting (discouraging unauthorized entry, protecting employees and visitors on site, and detecting intruders) are served both outdoors and indoors.
Electronic access control systems validate (a) ……………………….. which can be in the form of something you know, (b) ……………………… or something you carry. Components include (c) ………………………, a central database, software, supplementary interfaces to external systems, and (d) …………………………………
(a) one or more credentials
(b) something that is inherent to you,
(c) communication cabling distributed processor,
(d) applications for request‐to‐exit devices for applicable doors.