Security Principles & Practices (21%)

Question 1

Who is accountable for protecting the organization?

Answer 1

Leaders of Each Operating Unit

Question 2

The Organization’s Security Function

Answer 2

Risk assessment, Policy & Supporting Infrastructure

Question 3

Who reports to a senior-level executive to ensure a strong liaison with leadership, demonstrate commitment and support and highlight the importance of security?

Answer 3

CSD

Question 4

Security department placement in the organization impacts its ability to:

Answer 4

1. Expert influence
2. Remain informed
3. Garner resources to support programs and strategies

Question 5

Key competencies of the CSO

Answer 5

1. Staff developer
2. More strategies than tactical
3. Highly ethical
4. Responsible & dedicated
5. Risk and crisis handler

Question 6

Security Managers

Answer 6

1. Security managers are security specialists and business managers
2. Effective security managers are the business partner
3. Security managers should be in Senior management

Question 7

Ratio of direct reports to a single supervisor

Answer 7

Span of Control

Question 8

A limited number of direct reports

Answer 8

Effective Management

Question 9

The number depends on:

Answer 9

1. Mature of work
2. Type of organization

Question 10

Generally 1 ; 10 is best, but…

Answer 10

1 to 100 is possible with technology & flattened organization

Question 11

Management is less important in team environments and flat organizations

Question 12

And individual reports to only one supervisor

Answer 12

Unity of Command

Question 13

Three tools of a strategically-managed assets protection program

Answer 13

1. Planning
2. Management
3. Evaluation

Question 14

Assets Protection Program Management

Answer 14

A single office (or person) should be the assets protection focal point

Question 15

Convergence

Answer 15

1. 2005 definition (ASIS): the integration of traditional & IT security
2. Contemporary definition: the merging of various fields to protect critical assets

Question 16

Factors that change the understanding of and approach to assets protection:

Answer 16

1. Threats mutate
2. Technology advances
3. Management evolves
4. Business transforms

Question 17

Five avenues to address risk:

Answer 17

1. Acceptance
2. Avoidance
3. Reduction (mitigation)
4. Spreading
5. Transfer

Question 18

Balancing security and legal considerations:

Answer 18

1. Strong security alleviates the need for legal protection
2. Strong legal protections alleviate the need for security
3. Finding the appropriate mix of both solutions is the key

Question 19

Five D’s (used to be 3 D’s)

Answer 19

Deter

Deny

Detect

Delay

Destroy

Question 20

Five forces shaping assets protection:

Answer 20

1. Technology and touch
2. Globalization in business (increases risks to)
3. Standards & regulation
4. Convergence of security solutions
5. Homeland Security & the international security environment

Question 21

Globalization in business (increases risks to)

Answer 21

1. Business transactions
2. Information assets
3. Product integrity
4. Corporate ethics
5. Liability
6. Far-flung people and facilitiates

Question 22

The most effective defense-in-depth program mixes

Answer 22

1. Physical measures
2. Procedural measures
3. Electronic measures

Question 23

Defense - in - Depth

Answer 23

Effective Security measures are not oppressive or burdensome

Question 24

Sarbanes-Oxley Act of 2002

Answer 24

1. Formerly known as the Public Company Accounting Reform & Investor Protection Acts of 2002
2. Became Law on July 30, 2002
3. Passed in response to accounting Scandals at public companies in the late 1990’s and 2000’s
4. Established new accounting standards and business practices for US public companies, their beards, and the public accounting firms that serve them
5. Requires CEO to certify, the accuracy of their organization’s financial statements

Question 25

Surbanes-Oxley Act of 2002 (Ctd..)

Answer 25

6. Compliance (particularly w/ Section 404) significantly burdens companies’ officers and boards and imposes both civil a criminal penalties on violators who commit fraud
7. Established the Public Company Accounting Oversight Board

Question 26

Sarbanes - Oxley Acts of 2002 (Ctd…)

Answer 26

8. Requires all publicly traded companies to have anonymous reporting methods for questionable accounting or auditing activities
9. Limits an organization’s ability to provide strictly internal reporting mechanisms

Question 27

Standards in General

Answer 27

Address specific needs (like technical issues) health, safety, or environmental concerns, quality or compatibility require

Question 28

Compliance with a standard is voluntary but a regulation may require compliance with a standard

Question 29

Nine main types of standards

Answer 29

1. Basic
2. Product
3. Design
4. Process
5. Specification
6. Code
7. Managment systems
8. Conformity assessment
9. Personal certification

Question 30

International Organization for Standardization (ISO)

Answer 30

1. ISO is not an acronym “ISO’s” Greek for “equal”
2. The world’s largest standards developer, based in Geneva, Switzerland
3. Non-governmental organizations; participants are volunteers
4. Does not regulate legislate or enforce

Question 31

ISO (cntd…)

Answer 31

5. A network of national standards institutes from 159 member countries; each has one vote - the US representatives is the American National Standards Institute (ANSI)
6. ISO standards often become recognized as industry best practices and defacto market requirements

Question 32

ISO (cntd…)

Answer 32

7. Based on international consensus, ISO standards address the global business community & are developed only when there is an identified market need or to facilitate international or domestic trade; ISO standards are designed to be globally relevant
8. Employs a transparent process for developing standards based on consensus among the interested parties, not by majority vote: all major concerns & objections must be addressed

Question 33

ISO (cntd…)

Answer 33

9. Approximately 1000 technical groups in which more than 50,000 experts participate annually

Question 34

Forged in 1916 as “clearing house” for Standards Developing Organizations (SDO’s) in the U.S.

Answer 34

ANSI

Question 35

An organization’s, company, agency or group that develops standards

Answer 35

SDO

Question 36

Administrator & coordinator of the U.S. private sector voluntary standardization system

Answer 36

ANSI

Question 37

ANSI

Answer 37

Decentralized & partitioned into industrial sectors and supported by hundreds of private sector SDO’s

Question 38

The only creditor of US Voluntary Consensus SDO’s

1. 600 SDO’s in the US
2. 200 SDO’s accredited by ANSI to develop American National Standards including ASIS NFPA & SIA

Answer 38

ANSI

Question 39

The sole US representative to the two major non-treaty international standards

Organizations: ISO & IEC (International Electrotechnical Commission)

Answer 39

ANSI

Question 40

Represents more than 125,000 companies and organizations & 3.5 million, professionals worldwide

Answer 40

ANSI

Question 41

Provide broad descriptions of how operations will be conducted

Answer 41

Policies

Question 42

May be affected by different regulations for different businesses such as:

Answer 42

1. Minimum wage (Federal & State) FMLA OSHA
2. Regulations for government data
3. Building codes

Question 43

Policies

Answer 43

1. Should be useful & simple without overloading employees
2. Should be developed closely with managers
3. should provide details of operations & the efforts of policy changes
4. Should create management buy-in through collaboration in development

Question 44

Security Policies

Answer 44

1. Establish strategic security objectives & priorities
2. Identify those accountable for physical security
3. Set forth responsibilities & expectations for managers, employees & others

Question 45

Procedures

Answer 45

1. Instruct employees how to react to various issues
2. Are clearly articulated to prevent confusion
3. Address a wide variety of topics including all topics important for daily functions
4. Are widely promulgated & refreshed with employees regularly

Question 46

Procedures

Answer 46

5. Reflect the ideal functionality of the organizations
6. Support proper staff behavior & facilitate a hospitable safe workplace

Question 47

Security Procedures

Answer 47

1. Are detailed implementation instructions for staff to carry out security policies
2. Are often overlooked as an asset protection tools

revised procedures can enhance security while improving bottom-line

Question 48

What has been extended into streets and other public areas?

Answer 48

Premises Liability of Owners

Question 49

ASIS facilities Physical Security Measures guideline defines risk management as a business discipline consisting of what three major functions?

Answer 49

1. Loss prevention
2. Loss control
3. Loss indemnificaiton

Question 50

Risk Assessment

Answer 50

A proactive strategy for security/risk mitigation supports sustainable, healthy, productive organizations and is a critical responsibility of senior leadership & governing boards

Question 51

What was developed in the insurance industry?

Answer 51

Risk Assessment

Question 52

Who should be responsible for all of the organization’s security/risk strategy

Answer 52

Senior Executive

Question 53

An uncertain situation with a number of possible outcomes, one or more of which is undesirable

Answer 53

Risk

Question 54

What does risk include?

Answer 54

all negative events for an organization their impact likelihood & how soon they may occur (imminence)

Question 55

Two things that risk assessment does with all risks

Answer 55

Defines & Quantifies

Question 56

3 things risk assessment techniques may be

Answer 56

1. Heuristic (ad hoc)
2. Inductive (qualitative) (bottom-up approach)
3. Deductive (quantitative) (top-down approach)

Question 57

Inductive

(qualitative - bottom-up approach)

Answer 57

1. risks identified at the beginning of the analysis

2. Identified risks are the starting point not the result

3. This method may produce incomplete results

4. This method makes use of “event trees” that trace an initiating event through a sequence with different possible outcomes

5. Does not readily lend itself to feedback loops in the event trees

6. This method focuses on scenarios which may fail to account for concurrent attacks

Question 58

Deductive

quantitative - top-down approach

Answer 58

1. Risks result from a systemic deductive top-down approach
2. Uses “logic diagrams” & “fault trees” along with event trees

Question 59

When an entire population is at risk

Answer 59

Societal Risk

Question 60

Risk assessments attempt to find answers to three primary questions

Answer 60

1. What can go wrong?
2. What is the likelihood of it going wrong?
3. What is the impact if it goes wrong?

Question 61

Risk management attempts to answer four primary questions:

Answer 61

1. What can be done about identified risks?
2. What options are available?
3. What are the associated trade-offs of the options?
4. What are the impacts of current management decisions on future options?

Question 62

5 things that risk assessments include

Answer 62

1. Identifying internal & external threats & vulnerabilities

2. Identifying the probability and impact of an event arising from such threats or vulnerabilities

3. Defining critical functions necessary to continue the organization’s operations

4. Defining the controls in place exposure

5. Evaluating the cost of such controls

Question 63

Risk Formula

R = T x A x V

Answer 63

R = Residual risk

T = Threat a combination of threat definition & likelihood of an attack

A = Asset to be protected

V = Vulnerability represented by system effectiveness

Question 64

Coordinated activities to direct & control an organization with regard to risk

Answer 64

Risk Management (ISO)

Question 65

Although definitions of risk management vary, they generally agree that it relies on

Answer 65

1. Risk assessment (which relies on a vulnerability assessment)
2. Threats
3. Asset value
4. Vulnerability

Question 66

Major types of risk assessment

Answer 66

1. Quantitative (hard numbers, history statistics)
2. Qualitative (“feel” predictions experience etc.)

Question 67

Security typically relies on qualitative not quantitative assessment

Question 68

Risk is expressed in:

Answer 68

1. Threat
2. Consequence (impact)
3. Vulnerability (likelihood probability)

Question 69

Risk Analysis Includes

Answer 69

1. Risk assessment
2. Risk evaluation
3. Risk management alternatives

Question 70

A recommended approach for conducting a general risk assessment

Answer 70

1. Understand the organization & identify the people & assets at risk
2. Specify loss risk events/vulnerabilities
3. Establish the probability of loss risk & frequency of events
4. Determine the impact of the events
5. Develop options to mitigate risks
6. Study the feasibility of implementation of options
7. Perform a cost/benefit analysis

Question 71

The value of a risk analysis depends upon…

Answer 71

The skill of the analysis

Question 72

Higher risk in high-rise buildings

Answer 72

1. More people = more property & more property = more opportunity for crime

2. More people = more chances of internal crime

3. More people = more anonymity

4. Easy access to the public in CBO’s - easy access to mass transit

5. Elevators & stairwells can be risky places

Question 73

Higher risk in high-rise buildings…ctd

Answer 73

6. Risky, neighboring tenants
7. Tough to control threats & respond to incidents (too many people & environment is complex)
8. Evacuations are difficult
9. More critical threats in high-rise include fire, explosion & contamination
10. The ability to mitigate threats for high-rise depends on structural design & use of technology to:
    - Deter & detect a threat
    - Communicate a threat’s nature & location
    - Initiate automatic or Org. responders

Question 74

3 General types of assets

Answer 74

1. People
2. Property
3. Information

Question 75

Tangible assets can be seen, touched or directly measured in physical form

Answer 75

1. Facilities/buildings
2. Inventory
3. Cash
4. Supplies / Consumables

Equipment, raw, materials, accounts payable, telecom systems, other capital assets

Question 76

Intangible assets can include

Answer 76

1. Reputation & image
2. Brand recognition & loyalty
3. Vendor diversity
4. Past performance
5. Quality assurance processes
6. Workforce retention
7. Human capital development

Question 77

The amount of protection require by an enterprise is a function of:

Answer 77

1. Value of the asset
2. Risk tolerance of the enterprise

Question 78

Three general methods of valuing assets

Answer 78

1. Dollars (most important measures)
2. Consequence criteria
3. Policy (prescribed protection levels)

Question 79

Asset value may be expressed in…

Answer 79

1. Criticality
2. Consequences of loss
3. Severity

Question 80

Cost-of-loss Formula

K = (Cp + Ct + Cr + Ci) - I

Answer 80

K = Criticality, the total cost of loss

Cp = Cost of permanent replacement

Ct = Cost of temporary substitute

Ci = Lost income

I = Insurance

Question 81

A loss isn’t measured just by replacement it also includes:

Answer 81

Lost income

Sales

Downtime

(Indirect Costs)

Question 82

Security losses are:

Answer 82

1. Direct (money, negotiable instruments, property, information..)
2. Indirect (harm to reputation, loss of goodwill, loss of employers, harm to employees morale…)

Question 83

Threats & Less Events

Pure Risks

Answer 83

Crime

Conflicts of Interest

Natural disaster

Civil disturbance

War/insurrection

Terrorism

Accident

Maliciously willful or negligent personal conduct

Question 84

Less risk event (threat) categories

Answer 84

Crimes

Non-Crime (human or natural)

Consequential

Question 85

Threat classes

Answer 85

1. Insiders
2. Outsiders
3. Collusion

Question 86

Threat Tactic Categories

Answer 86

Deceit

Force

Stealth

Combination

Question 87

A detailed list of threats; key to determining the Design Basis Threat (DBT)

Answer 87

Threat Spectrum

Question 88

The threat against which countermeasures are designed to protect

Answer 88

Design Basis Threat (DBT)

Question 89

Motivation

Tools

Competence

Knowledge

Answer 89

Threat Considerations

Question 90

A risk analysis that considers the entire threat spectrum must be performed because…

Answer 90

As the threat increases, performance of individual security elements or the system as a whole will decrease

Question 91

Cost Abatement

Coverage of losses by Insurance

Answer 91

1. Insurance pay-off should be subtracted from the total loss of an asset
2. Insurance payments & premiums should reduce the insurance pay-off

Question 92

Nine probability factors for threats & loss events

Answer 92

1. Physical environment (neighborhood & vicinity)
2. Overall geographical location
3. Social environment
4. Political environment
5. Economic environment
6. Historical experience for the organization
7. Historical experience for the industry
8. Procedures & processes
9. Criminal state-of-the-art

Question 93

Threat likelihood may be expressed in

Answer 93

Frequency

Probability

Qualitative estimate

Question 94

A weakness that can be exploited by an adversary

Answer 94

Vulnerability

Question 95

The process of identifying & quantifying vulnerabilities

Answer 95

Vulnerability Assessment

Question 96

A method of identifying the weak points of a facility, entity, venue or person

Answer 96

Vulnerability Analysis

Question 97

A vulnerability assessment is used to…

Answer 97

Determine PPS effectiveness

Question 98

What determines system requirements before design & implementation

Answer 98

Vulnerability Assessment

Question 99

A frequency of vulnerability assessments

Answer 99

1. Before system implementation
2. Upon upgrades
3. Periodic system effectiveness tests

Question 100

A vulnerability assessment should include

Answer 100

1. Facility & operations description (facility characterization)
2. Threats & assets
3. Constraints related to the VA or the site
4. Existing countermeasures
5. Vulnerabilities in countermeasures
6. Baseline analysis of system effectiveness
7. Recommendations for countermeasures improvement
8. Analysis of expected improvements

Question 101

A site survey is part of the vulnerability assessment

Question 102

Types of Testing

Answer 102

1. Functional test (components are performing as expected)
2. Operability testing (components are being used properly)
3. Performance testing (repeats tests to determine component effectiveness against different threats)

Question 103

Testing Approaches

Answer 103

1. Compliance - based
   - conformance to specified policies or regulations
   - “Feature-based” approach
   - Effective only for low threats, low less impacts, and CBA - supported cost decisions
   - Easier to perform
   - The metric for this analysis is the presence of the specified equipment & procedures

Question 104

Testing Approaches

Answer 104

2. Performance-based
   - Evaluates how much element of the PPS operations

Question 105

What is the biggest mistake made when conducting a Vulnerability Assessment?

Answer 105

Concentrate on individual PPS components & address upgrades only at that level, not at the level of the overall system

Question 106

Three primary functions of a PPS to be tested

Answer 106

1. Detection measures
2. Delay measures
3. Response measures

Question 107

Detection Measures

Answer 107

1. Probability of detection
2. The time required to report & assess alarms
3. Includes entry controls

Question 108

Delay Measures

Answer 108

• Layers of security sum up to total delay time
• Delay time considered after detection

Question 109

Response Measures

Answer 109

• Time to interruptions of the adversary
• Accuracy of deployment

Question 110

An effective assessment system provides two types of information

Answer 110

1. Whether the alarm is valid or nuisance
2. Key details about the cause of the alarm (what, where, how many)

Question 111

Containment Strategy

Answer 111

1. Detect - prompt detection & reliable notification
2. Delay - extend adversary task time
3. Respond - timely, aware, equipped, and trained responses

Question 112

Carver & Stock vulnerability assessment

Answer 112

1. Developed by US government during WW2 as targeting process
2. Declassified in 2003
3. Criticality (impact of the attack)
4. Accessibility (ability to get in & out)
5. Recoverability (ability of target to recover)
6. Vulnerability (ease of compromising target)
7. Effect (direct loss)
8. Recognizability (target identifiability)
9. Shock

Question 113

Risk Management Options

Answer 113

Mitigation

Acceptance

Transfer

Spreading

Avoidance

* Risk Financing = Insurance

Question 114

Risk can be reduced in 3 ways

Answer 114

1. Prevent the attack
2. Protecting against attack
3. Mitigating consequences of an attack

Question 115

Mitigation means reducing consequences

Answer 115

1. Mitigation focuses solely on reducing consequences
2. It may be implemented before during and after the attack

Question 116

General categories of risk reduction

Answer 116

1. Equipment & hardware
2. Policies & procedures management
3. Staffing

Question 117

Mitigation strategies must be evaluated by…

Answer 117

1. Availability
2. Affordability
3. Feasibility
4. Application to operations

Question 118

Except for certain high-value irreplaceable items an organization should base its protection strategies on a realistic cost-effective rationale

Question 119

What are the least expensive counter-measures one can employ for asset protection tools?

Answer 119

Procedural Controls

* Revised procedures can enhance security while improving the bottom line for the enterprise

Question 120

A phrase that defines a call-to-order for assistance against a crime similar to “observe & report” of today

Answer 120

Hue & Cry

Question 121

“Shire-Reeve was later shortened to?

Answer 121

Sheriff

Question 122

What was first described as “the king’s peace”

Answer 122

Government Policing

* Civil torts became crimes against the king’s peace; the “state” collected penalties instead of the people obtaining civil judgments

Question 123

Name of the first police department organized by Sir Robert Peel in London, 1829?

Answer 123

The Peelers

Question 124

Arrangements of public safety policing

Answer 124

1. Private environment supplement
2. Public Environment Replacement
3. Public Environment Supplement

Question 125

Public safety policing model structure

Answer 125

1. Tactical operations
2. Technological systems
3. Order maintenance provisions

Question 126

When do “private police” have arrest powers?

Answer 126

Only when they are on duty

(may include qualified immunity)

Question 127

7 Distinctions between public & private policing

Answer 127

1. Public police - duty sworn
2. Public police - monopolized service is less efficient even complacent
3. Public police - constitutional protections apply
4. Private police - employed by private firms
5. Private police - a perception of lacking the same authority as public police
6. Private police - tends to focus on loss reduction or asset protection
7. Private police - provider competition drives better service & value

Question 128

The success of privatized police requires

Answer 128

Competition

Accountability

Standards

Question 129

Private Policing

Answer 129

Low priority call handling like residential alarms: 20% = crimes, 80% = non-emergencies

Question 130

Community policing efforts are expensive & resource-intensive

Question 131

Fear of crime is exacerbated by signs of criminal activity

Question 132

What 2 activities represent chaotic conditions that result in more serious criminal activity?

Answer 132

Incivility & Disorder

* If incivility is not perceived to be a problem resident may be able to cope with higher rates of crime

Question 133

Order Maintenance

Answer 133

1. Used in community policing, may reduce crime (lack of order can lead to high crime or fear)
2. A core goal of community policing is to focus on fear reductions through order maintenance techniques
3. A disorder is characterized by reduced social controls, such as panhandling, loitering, youth taking over parks & street corners, public drinking, prostitution, graffiti, and other disorderly behaviors

Question 134

Order Maintenance (ctd…)

Answer 134

4. Disorder tends to cause a greater sense of risk & loss of control
5. The disorder causes more awareness of the consequences of a criminal attack
6. As disorder causes crime to increase the community sinks further with conditions that lead to even more crime
7. An alternative theory to socioeconomic impact of crime is that the completion of a crime simply requires the convergence in time & space of an offender a suitable target, and the absence of guardians

Question 135

3 Categories of consultants

Answer 135

1. Security management consultants
2. Technical security consultants
3. Security forensic consultants

Question 136

Security Consultants

Which roles may undertake forensic assignments

Answer 136

Security management consultants & technical security consultants

Question 137

Security Consultants

The decision to retain security consulting services is typically driven by a specific…

Answer 137

Problem

Need

Challenge

Goal

Question 138

Security Consultants

Security consultants might be retained because…

Answer 138

1. lack of in-house time or specialized knowledge
2. Need for objective assessment particularly for liability or due diligence situations
3. Need for fresh ideas, or independence from internal politics
4. Need for flexibility of contracted personnel
5. Recognition that management may be more amenable to a consultant’s ideas because of broader experience industry knowledge

Question 139

Security Consultants

Resistance to the use of security consultant usually reflects concerns

Answer 139

1. Asking for outside help suggests the security staff is incompetent
2. A negative report from an outsider reflects unfavorably on the security program
3. The organization’s policies & procedures could be compromised by an outsider who would become intimately familiar with the enterprise

Question 140

Effective security programs typically include a well-thought-out array of security measures

Question 141

Finding a security consultant

Answer 141

1. Best source: Referral from a colleague
2. Industry associations with consultants as mentors
3. Industry - specific associations

Question 142

Professional consultants are restrictive in the assignments they will accept

Answer 142

1. Most consultants specialize & may not see themselves as suited for every need
2. Clients should be cautious of a consultant claiming to be able to address all aspects of security

Question 143

Security Advisory Committee (SAC)

Comprised of members from key corporate functions

Answer 143

1. Chaired by a project coordinator
2. Members should have stature & creditability
3. Members should be able to offer useful opinions about security

Question 144

SAC Purposes

Answer 144

1. Determine adequacy of security measures determine if a consultant is necessary
2. Critically examine the security program
3. Maintain general oversight of security program
4. Assist in meeting corporate & government requirements

Question 145

SAC Objectives

Answer 145

1. Review the corporate security program at least quarterly
2. Determine if additional protective measures are needed
3. Advise of any needed changes to security policies or procedures
4. Review new program suggestions
5. Field criticism or suggestions

Question 146

Security Awareness

Answer 146

1. “An asset’s protection program will not succeed unless it cultivates the willing cooperation of those affected by it & meshes its goal with the personal goals of the workforce
2. Means consciousness of the program its relevance and individual risk responsibility
3. Is a continuing attitude that encourages actions in support of security
4. Solicits conscious attention and is embraced by senior personnel

Question 147

Security Awareness (cntd…)

Answer 147

5. Causes all personnel to become force multipliers
6. Highlights the program’s contribution to financial goals
7. Conveys the program’s benefits & ROI
8. Conveys to middle management support of business goals
9. Conveys to supervision the program’s value
10. Is refreshed more often than just at new hire orientation
11. Is explained in depth to non-employees

Question 148

One of the most cost-effective assets protection tools is…

Answer 148

Security Training & Awareness

Question 149

One of the most important missions of security awareness is…

Answer 149

To familiarize employees with the organization’s policies & procedures

Question 150

Two categories of employees fail to follow policies

Answer 150

Uneducated Employees

Arrogant Employees

Question 151

Security Awareness Potential Obstacles

Answer 151

A cooperative employee is less likely to circumvent security