Cards 1-40 Flashcards

(40 cards)

1
Q

Risk is measured by: Determining the __________ in relation to the ____ and _____ associated with it.

V of the A
T and V

A

Determining the value of the asset in relation to the threats and vulnerabilities associated with it.

2
Q

Security risk rating = AV X TL X S of I X V

A

Security risk rating = asset value x threat likelihood x severity of incident x vulnerability

3
Q

What are the three categories of assets that are exposed to risk?

-P
-Np and
-L

A

Physical, non-physical and logical.

Physical:
- facilities;
- operational & industrial control systems &
- on-site processes and assets.

Non-physical:
- geo-political landscape;
- culture,
- speed of decision making and
- intensity of competition;

Logical:
- information & digital assets and
- the network or digital space that connects them.

4
Q

The risk assessment process should be revisited?

A

cyclically and continuously because of the elements that are constantly subject to change.

5
Q

The purpose of a security survey?

A

-determine current security posture;
-identify deficiencies and excesses;
-compare current SP with what would be appropriate; and
-recommend improvements.

6
Q

When considering vulnerabilities, what 8 factors should be addressed?

A

-lack of backup for critical functions;
-single points of failure;
-co-location of critical systems, organizations and components;
-inadequate preparedness for attacks;
-inadequate security;
-too easy for an aggressor to attack the facility;
-presence of hazardous material; and
-potential for collateral damage from nearby companies.

7
Q

A security survey focuses more on vulnerabilities than a…..

A

Physical Security assessment

8
Q

A cost benefit analysis should be used in both a…….

A

Physical security assessment and a risk assessment.

9
Q

The five functions included in a functional approach to a physical security assessment include:

S A&E
SSM
CP…
ESS
SO and the HE

A

-Security architecture and engineering;
-Structural security measures;
-C, P, T, E, D;
-Electronic security systems; and
-Security officers and the human element.

10
Q

Typical areas assessed in a physical security assessment include:

B, D, W, O
L, S and C
S, L, A and E systems
VT and PC

A

-Barriers, doors, windows, openings;
-locks, safes and containers;
-signage, lighting, alarm and electronic systems;
-vehicle traffic and parking controls;
-visitor management; and
-package handling.

11
Q

Automated assessment tools should only assist in completing surveys because they…..

A

-may give a false sense of knowledge;
-may have a high cost;
-may have complex software; and
-can't capture unquantifiable characteristics.

12
Q

Defense in depth?

A

An adversary must overcome a number of protective features in sequence.

13
Q

Why does each layer of security require a separate act by the adversary?

A

-causes uncertainty in the perp's mind;
-increases attack preparation time;
-adds steps to the intrusion; and
-allows for more police or guard force response time.

14
Q

Layered security should have i______ at each of the layers?

A

Interdependencies

15
Q

Purposely left blank

A

Purposely left blank

16
Q

What is the principle of balanced protection?

A

-the protection system’s individual applications and components will be integrated and converged so that they provide an equal level of protection.

17
Q

The appraisal component of the security survey involves…?

D_____ and c______ recommendations for e_______

A

Developing and communicating recommendations for enhancements.

18
Q

What is the focus of a physical security assessment?

A

The risks to the physical assets and property of an organization and the protection measures (against any risk) that constitute the realm of physical security.

(Blanks: risks; assets; property; protection measures.)

19
Q

The physical security assessment could provide the basis for …what?

A C & IS analysis and RA
ID SG
ID a range of S and P&C and
Ass in the D of the O’s SRM C, R and RP

A

-A comprehensive & integrated security analysis and risk assessment;
-identifying security gaps;
-identifying a range of solutions and their pros and cons; and
-assisting in the development of the org's security risk management, continuity, response and recovery programs.

20
Q

What costs are considered in a cost-benefit analysis?

T and T
P and P
O and O C C

A

-Technology and time;
-Process and personnel; and
-Opportunity and overall capability costs.

21
Q

The 3 most common approaches to a physical security assessment?

A

Outside-inward approach;
Inside-Outward approach; and
Functional approach

22
Q

What is it called when the assessment team acts as the aggressor and moves from outside the facility through successive layers of security toward the asset?

A

Outside-inward physical security assessment approach

23
Q

When the assessment team acts as the defender and works from the asset out towards the outer perimeter it’s called….?

A

The inside-outward physical security assessment approach

24
Q

When the security assessment team evaluates security functions/disciplines and collates the findings from the assessment component it’s called?

A

The functional (security discipline) physical security assessment approach

25
Q

The five criteria of a good security survey report?

A

Accurate, Clear, Concise, Timely and Slant or pitch.

26
Q

The 6 objectives of physical access control include:

Deny C/O A
D A from U
D In and P In
D and M A In
T IR from S/P

A

-deny covert/overt action;
-distinguish authorized from unauthorized;
-deter intruders and prevent intrusion;
-detect and monitor actual intrusions; and
-trigger incident response from security/police.

27
Q

An asset is anything with:

A

Tangible or intangible value.

28
Q

Risk analysis is a process for identifying asset ______, _______ and _______ to determine ______.

V, T and V to determine R

A

Identifying asset values, threats and vulnerabilities to determine risks.

29
Q

An asset's criticality to a business is determined based on 2 things?

A

-based on the org's mission/goals; and
-how the org would recover if the asset was no longer available.

30
Q

Three steps to identify an org's assets are:

1) define PBF
2) ID S/B In and S
3) ID the org's T&IA

A

1) Define primary business functions;
2) ID site/bldg infrastructure and systems; and
3) ID the org's tangible & intangible assets.

31
Q

The two types of costs considered when valuing an asset are?

A

Direct and indirect costs.

32
Q

Seven (7) factors to consider in valuing assets:

IN related to FD
IM on R and R
As RC and AV of R
R L bc of L F
WHETHER there are BS
CIV

A

-injuries related to facility damage;
-impact on revenue and reputation;
-asset replacement costs and availability of replacements;
-revenue loss because of lost functions;
-whether there are backup systems; and
-critical information value.

33
Q

When determining asset values, six direct costs are?

LB, FL, VofG
H L and I C
M T dealing w/Ev
P C J not C by IN

A

-lost business;
-financial losses;
-value of goods;
-higher labor and insurance costs;
-mgmt time dealing with event; and
-punitive court judgements not covered by insurance.

34
Q

Indirect costs (9) of asset value determination include:

NMC and CP
H PR, IN and W
Sh L for M
PEM
HT and WS

A

-negative media coverage and consumer perception;
-higher PR costs to improve image;
-higher insurance costs because placed in a higher risk category;
-higher wages to get workers;
-shareholder lawsuits for mismanagement;
-poor employee morale; and
-higher turnover/work stoppages.

35
Q

What legal & regulatory procedures should be part of a physical asset protection program?

A

-identify the legal and regulatory schemes the org uses with its assets/activities/functions/products/services/stakeholders/supply chain;
-determine how these schemes apply to its risks; and
-ensure these schemes are taken into account in establishing, implementing & maintaining its physical asset protection program.

36
Q

Two types of assets include:

A

Tangible and intangible assets.

37
Q

Assets can be valued in two ways:

A

-assigned a relative value based on priority; and
-apply a cost of loss formula.

38
Q

What is the cost of loss formula to calculate an asset value?

A

K = (Cp + Ct + Cr + Ci) - I

K = total cost of loss;
Cp = cost of permanent replacement;
Ct = cost of temporary substitute;
Cr = total related costs (removal and installation);
Ci = lost income costs; and
I = available insurance or indemnity.

39
Q

Two types of adversaries:

A

-one who uses intrusion to get at an asset; and
-one who attacks from outside.

40
Q

Two common physical security compliance metrics used in the public sector are:

C of F
C of S

A

-compliance of facilities; and
-compliance of systems.