Chapter 1: Domain One: Security Fundamentals Flashcards

Question

Exercises

Answer 1

Evauluating physical asset protection (PAP) management programs, rehearsing the roles of team members and staff, and testing the recovery or continuity of an organization's systems (such as technology, telephony, administration) to demonstrate PAP management competence and capablity. NOTE 1: Exercises include activities performed for the purprose of training and conditioning team members and personnel in appropriate responses with the goal of achieving maximum performance. NOTE 2: An exercise can involve invoking response and operational continuity procedures but is more likely to invovle the simulation of a response and/or operational continuity incident, announced or unannounced, in which participants role-play to assess what issues might arise prior to a real invocation.

Answer 2

External enviroment in which the organization seeks to achieve its objectives. (ISO Guide 73:2009) NOTE: External context can include: The cultural, social, political, legal, regulatory, financial, technological, economic, natural, and competitive enviroment whether international, national, regional, or local; Key driver and trends having impact on the objectives of the organization; and Relationships with, and perceptions and values of, external stakeholders.

Answer 3

Plant, machinery, equipment, property, buildings, vehicles, information systems, transportation facilities, and other items of infrastructure or plant and related systems that have a distinct and quantifiable function or service.

Answer 4

Possible source of danager or conditions (physical or operational) that have a capacity to produce a particular type of adverse effect.

Answer 5

Evaluated consequence of a particular outcome.

Answer 6

Event that has the capacity to lead to human, intangible, or physical loss or a disruption of an organization's operations, services, or functions. If not managed, an incident can escalate into an emergency, crisis, or disaster.

Answer 7

Assets that do have a physical from to protect (such as reputation, relationships, creditworthiness).

Answer 8

The property of safeguarding the accuracy and completeness of assets. (ISO/IEC 13335-1:2004)

Answer 9

Person or group having an interest in the performance or success of an organization. (ISO/PAS 22399:2007) NOTE: The term includes people and groups with an interest in an organizatio, its activities, and its achievements, such as customers, clients, partners, employees, shareholders, owners, vendors, the local community, first responders, government agencies, and regulators.

Answer 10

Systematic, independent, and documented process for obtaining audit evidence and evauluating it objectively to determine the extent to which the management system audit crieria set by the organization are fulfilled. NOTE: In many cases, particulary in smaller organizations, independence can be demonstrated by the freedom from responsiblitity for the activity being audited.

Answer 11

Internal environment in which the organization seeks to achieve its objectives (ISO Guide 73:2009) NOTE: Internal context can include: Governance, organizational structure, roles, and accountabilities; Policies, objectives, and the strategies that are in place to achieve them; The capablities understood in terms of resources and knowledge (such as capital, time, people, processes, systems, and technologies); Perceptions and values of internal stakesholders; Information systems, informatoin flows and decision-making processes (both forma and informal); Relationships with, and perceptions and values of, internal stakeholders; The organizations's culture; Standards, guidelines, and models adopted by the organization; and Form and extent of contractual relationships.

Answer 12

(IDS) A system that uses sensors to detect an impending or actual security breach and to initiate an alarm or notification of the event.

Answer 13

A systematic and thorough examination or inquriy into something or someone and the recording of that examination in a report.

Answer 14

(ITL) The person directly responsible for the team of personnel assigned to investigate an incident and has overall responsiblity for ensureing that an investigation is thorough, complete, and well documented in teh final report.

Answer 15

The person directly respobible for the investigative function in an organization, sometimes referred to as the project manager or case manager, who may hold the title of chief security officer, security director, director of investigations, director of human resources, or something similar.

Answer 16

Degree of illumination; also, the equipment, used indoors and outdoors, for increasing illumination - usually measued in lumens, lux, or foot-candle units.

Answer 17

Chance of something happening. (ISO GUide 73:2009) NOTE 1: In risk mamagement terminology, the word "likelihood" is suded to refer to the chance of something happening, whether defined, measured, or determined objectively or subjectiviely, qualitatively, or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period). NOTE 2: The English term "likelihood" does not have a direct equivalent in some languages: instead, the equivalent of the term "probability" is often used. HOwever, in English, "probability" is often narrowly interpreted as a mathematical term. THerefor, in risk management terminology, "likelihood" is used with the intent that is should have the same broad interpretation as the term "probability" has in many languages other than English.

Answer 18

A piece of equiment used to prevent undesired opening, typically of an aperture (gate, window, byilding door, or vault door, for example), while still allowing opening by authrorized users.

Answer 19

Cleraly defined and documented plan of action, typically covering the key personnel, resources, services, and actions needed to implement the incident management process.

Answer 20

Limitation of any negative consequices of a particular incident.

Answer 21

Non-fulfillment of a requirement (ISO 9000:2005)

Answer 22

Overall goal consisten with teh policy that an organization sets itself to achieve. (ISO 14001:2004)

Answer 23

Group of people and facilities with an arrangement of responsibilities, authorities, and relationships. NOTE: An organization can be a government or public entity, company, corporation, firm, enterprise, institution, charity, sole trade or association, or parts or combinations thereof.

Answer 24

Ongoing management and governance process supported by top management resourced to ensure that the neccesaary steps are taken to identify the root causes of potential disruptions and the likelihood and impact of potential losses; maintain viable adaptive, proactive, and reactive strategies and plans; and ensure stability and sustaainablity of activities/functions/products/services through planning, exercising, rehearsal, testing, training, maintenance, and assurance.

Answer 25

Physical asset protection.

Answer 26

Physical asset protection management.

Answer 27

Physical asset protection management system.

Answer 28

That part of security concerned with physical measures designed to safeguard people; to prevent unauthorized access to equipment, facilities, material, and documents; and to safeguard them against a security incident.

Answer 29

Overall intentions and direction of an organization as formally expressed by top management.

Answer 30

Physical protection system.

Answer 31

Activities, Programs, And systems developed and implemented prior to an incident that may be used to support and enchance mitigation of, response to, and recovery from disuptions, disasters, or emergencies.

Answer 32

Measures that enable an organization to avoid, preclude, or limit the likelihood and consequences of an event.

Answer 33

Action to eleminate the cause of a potential nonformity. (ISO 14001:2004)

Answer 34

Specified way to carry out an activity. (ISO 9000: 2008) NOTE: Procedures

Answer 35

Typically, a department within a company that procides security services for that company.

Answer 36

The strategy of forming layers of protection for an asset.

Answer 37

The intergration of people, procesdures, equiment, and technology for the protection of assets.

Answer 38

Document stating results achieved or providing evidence of activities performed. (ISO 9000:2008)

Answer 39

Risk remaining after risk treatment. (ISO Guide 73:2009) NOTE 1: Residual risk can contain unidentified risk. NOTE 2: Residual risk can also be known as "retained risk."

Answer 40

The adaptive capacity of an organization in a complex and changing evniroment. NOTE 1: Resilience is the ability of an orgainzation to resist being affected by an event or the ability to return to an acceptable level of performance in an acceptable period of time after being affected by an event. NOTE 2: Resilience is the capability of a system to maintain its functions and structure in the face of internal external change.

Answer 41

Systematic and coordinated activities and practices through which an orgainzation manages its operational risks and the associated potential threats and impacts therein.

Answer 42

Any asset (human, physical, informatoin, or intangible), facilities, equipment, materials, products, or waste that has ptoential value and can be used.

Answer 43

Documented collection of procedures and information tat is developed, complied, and maintained in readiness for use in an incident.

Answer 44

Effect of uncertainty on objectivies. (ISO Guide 73:2009) NOTE 1: An effect is a deviation from the expected either postive or negative. NOTE 2: Objectives can have different aspects such as financial, health, safety, and environmental goals and can apply at different levels such as strategic, organization-wide, project, product, and process. NOTE 3: Risk is often characterized by reference to potential events, consequiences, or a combination of these and how they can affect the achievement of objectives. NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event or a change in circumstances and the associated likelihood of occurrence.

Answer 45

Informed decision to take a particular risk. (ISO Guide 73: 2009) NOTE 1: Risk acceptance can occur without risk treatment or during the process of risk treatment. NOTE 2: Risk acceptance can also be a process. NOTE 3: Risks accepted are subject to monitoring and review.

Answer 46

Process to comprehend the nature of rsi and to determine the level of risk. (ISO Guide 73:2009) NOTE: Risk analysi provides the basis for risk evaluation and decisions about risk treatment.

Answer 47

Amount and type of rsik that an organization is prepared to pursue, retian, or take. (ISO Guide 73:2009)

Answer 48

Overall process of risk identification, risk analysis, and risk evaluation. (ISO Guide 73:2009) NOTE: Risk assessment involves the process of indentifying internal and external threats and vulnerablities, indentifying the probality and impact of an event arising from such threats or vulnerablities, defining ciritical funuctions necessary to continue the organizations's operations, defining the controls in place necessary to educe exposure, and evaluating the cost of such control.

Answer 49

Terms of refernce by which the significance of risk is assessed. (ISO Guide 73:2009) NOTE: Risk Criteria can inlude associated cost and benefits, legal statutory requirements, socio-economic and evnironmental aspects, the concerns of statke holders, priorites, and other imputs to the assessment.

Answer 50

Coordinated activities to direct and control an organization with regard to risk. (ISO Guide 73:2009) NOTE: Risk management generally inculdes risk assessment, risk treatment, risk acceptance, and risk communication.

Answer 51

Actions taken to lessen the probability, negative consqequiences, or both, associated with a risk. (ISO Guide 73:2009)

Answer 52

Organization's readiness to bear the risk after risk treatments in order to achieve its objectives. (ISO Guide 73:2009) NOTE: Risk tolerance can be limited by legal or reulatory requirements.

Answer 53

Sharing with another party the burden of loss or benefit or gain for a risk. (ISO Guide 73:2009) NOTE 1: Legal or statutory requirements can limit, prohibit, or mandate the transfer of certain risk. NOTE 2: Risk transfer can be carried ot through insurance or other agreements. NOTE 3: Risk transfer can create new risks or modify existing risks. NOTE 4: Relocation of the osurce is not risk transfer.

Answer 54

Process to modify risk (ISO Guide 73:2009) NOTE 1: Risk treatment can invovle avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; taking or increasing risk in order to pursue an opportunity; removing the risk source; changing the likelihood; changing the consequences; sharing risk with another party or parties; and retaining the risk by informed choice. NOTE 2: Risk treatments that deal with negative consequiences are sometines referred to as risk mitigation, risk elimination, risk prevention, and risk reduction. NOTE: 3: Risk treatment can create new risks or modify existing risks.

Answer 55

The condition of being protected agaisnt hazards, threats, risks, or loss.

Answer 56

Those characteristics, elements, or properties that reduce the risk of unintentionally, intentionally, and naturally caused crisies and disasters that disrupt and have consequences on the products and services, orperation, critical assets, and continuity of the organization and its stakeholders.

Answer 57

An employee or controactor with management-level responsbility for the security program of an organization or facility.

Answer 58

A practice or device designed to protect people and prevent damage to, lost of, or unauthorized access to equipment, facilities, material, and information.

Answer 59

An invdividual, in uniform or plain clothes, employee to protect assets.

Answer 60

A thorough physical examination of a facility and its systems and procedures conducted to assess the current level of security, locate deficiencies, and guage the degree of protection needed.

Answer 61

Implementation of enchancement measures to make a site more difficult to penetrate.

Answer 62

Element which alone or in combination has the intrinsic potential to give rise to risk. (ISO Guide 73:2009) NOTE: A risk source can be tangible or intangible.

Answer 63

Person or group having an interest in the performance or success of an orgainziation. (ISO/PAS 22399:2007) NOTE: THe term includes persons and groups with an interest in an organization, its activities, and its achievements, such as customers, clients, partners, employees, shareolders, owners, vendors, the local community, first responders, government agencies, and regulators.

Answer 64

Set of criteria, guidelines, and best practies that can be used to enhance the quality and reliability of products, services, or processes.

Answer 65

The distance bewtween the asset and the trehat; typically regarding an explosive threat.

Answer 66

(STEP) Points out potential sources of threats. The security manager can then conduct an analysis to determine whether such threats are likely and where they may orginate.

Answer 67

(SWOT) A model for Analyzing proposed organizational projects. The concept is to analyze an issue or proposal from each of the four points of view, thereby giving security management a profile of potential issues to address.

Answer 68

The linked set of resources and processes that begins the acquisition of raw material and extended through the delivery of products or services to the end user across modes of transport. The supply chain may include suppliers, vendors, manufacturing faciltiies, logistics provides, internal distribution centers, distributors, wholesalers, and other entities that lead to teh end user.

Answer 69

Observation of a location, activity, or person.

Answer 70

Generally, assets that can be seen, touched, or directly mesasured in physical form (such as people and property).

Answer 71

Detailed performance requirement applicable to the organization (or parts thereof) that arises from the objective and the needs to be set and met to achieve those objectives. (ISO 14001:2004)

Answer 72

Activivies performed to evaluate the effectiveness or capabilities of a plan relative to specified objectives or measurement criteria. Testing usually involves exercises designed to keep teams and employees effective in thier duties and to reveal weaknessses in the prepardeness and response/continuity/recovery plans. (ASIS International Business Continuity Guideline: 2005)

Answer 73

Potential cause of an unwanted incident whic may results in harm to individuals, assets, a system or organization, the environment, or the community.

Answer 74

The average rate of flow of people or vehicles through an access point.

Answer 75

Persons or group of people who directs and controls an organization at the highest level. (ISO 9000:2008) NOTE: For example, directors, managers, and officers of an organization who can ensure that effective management systems, including financial monitoring and control systems, have been put in place to protect assets. earning capacity, and the reputation of the organization. (ANSI/ASIS SPC.1-2009)

Answer 76

A surveillance system in which a signal is transmitted to monitors/recording and control equipment. Includes closed-circuit television (CCTV) and netword-based video systems.

Answer 77

Intrinsic properties of somethign that create susceptibility to a source of risk that can lead to a consequence. (ISO Guide 73:2009)

Answer 78

The process of identifying and quantifying vulnerabilities.

Answer 79

(WAECUP) Can be used as a blueprint for developing security objectives.