Physical Security Assessment

Question 1

How is risk measured?

Answer 1

The value of the asset in relation to the threats and vulnerabilities associated with it.

Question 2

How is a security risk rating calculated?

Answer 2

Asset value rating
X
Threat likelihood rating
X
Severity of incident rating
X
Vulnerability rating
=
Security risk rating

Question 3

Conditions that tend to increase assets’ exposure to the risk of loss can be divided into which categories?

Answer 3

Physical – Includes factors such as the organization’s types and location of facilities, the operational technology or industrial control systems, and the criticality of on-site processes and assets.

Nonphysical – Includes factors such as geo-political landscape, culture, speed of decision-making, and intensity of competition.

Logical – Includes information and digital assets and the network or digital space that connects them.

Question 4

How often should the risk assessment process be revisited?

Answer 4

It should be a cyclical and continuous effort since the elements are constantly subject to change over time.

Question 5

What is the purpose of a security survey?

Answer 5

Determine and document the current security posture,

Identify deficiencies and excesses in existing security measures,

Compare the current posture with a determination of the appropriate level of security of protection needed,

Recommend improvements in the overall situation.

Question 6

What factors should be addressed with considering vulnerabilities?

Answer 6

Lack of redundancy or backups for critical functions,
Single points of failures,
Collocation of critical systems, organizations, or components,
Inadequate response capability to recover from an attack,
Ease of aggressor access to a facility,
Inadequate security measures in place,
Presence of hazardous materials,
Potential for collateral damage from other companies in the area.

Question 7

What is the difference between a physical security assessment and a security survey?

Answer 7

A security survey focuses more on vulnerabilities.

Question 8

Is a cost-benefit analysis used in a physical security assessment or in a risk assessment?

Answer 8

A cost-benefit analysis should be used in both.

Question 9

What are the functions included in a functional approach to a physical security assessment?

Answer 9

Security architecture and engineering,
Structural security measures,
CPTED,
Electronic security systems,
Security officers and the human element.

Question 10

What are typical areas to assess in a physical security assessment?

Answer 10

Barriers, doors, windows/other openings, locks, safes and other containers, signage, lighting, alarm systems, electronic systems, security services, vehicle/traffic/parking controls, utilities protection, visitor management, and package handling.

Question 11

Why should automated assessment tools only be used to ASSIST in completing an assessment?

Answer 11

May give a false sense of knowledge in security assessment,
High cost,
Complexity of software
Computers cannot factor in unquantifiable characteristics.

Question 12

What is asset prioritization based on?

Answer 12

Each asset’s criticality to the organization’s mission and overall strategy.

Question 13

What is the defense-in-depth approach?

Answer 13

An adversary must avoid or defeat a number of protective devices or features in sequence.

Question 14

Why does each layer of security require a separate act by the adversary?

Answer 14

This causes uncertainty in the perpetrator’s mind, increases attack preparation time, adds steps to the intrusion, and allows time for a security or police response.

Question 15

What is an important thing to consider when addressing layered security?

Answer 15

Interdependencies at each layer.

Question 16

What is the principle of balanced protection?

Answer 16

The protection system’s individual applications and components will be integrated and converged so that they provide an equal level of protection.

Question 17

What is involved in the appraisal component of the security survey?

Answer 17

Developing and communicating recommendations for enhancements.

Question 18

What is the focus of a physical security assessment?

Answer 18

The risks to the physical assets and property of an organization, and the protection measures (against any risk) that comprise the realm of physical security.

Question 19

The physical security assessment could provide the basis for what?

Answer 19

A comprehensive and integrated security analysis and risk assessment across the organization,
Identifying security gaps,
Identifying the range of potential solutions and its advantages/disadvantages,
Assisting in the development of organization security risk management, continuity, response, and recovery programs.

Question 20

What costs should be considered in a cost-benefit analysis?

Answer 20

Technology costs,
Opportunity costs,
Process impact costs,
Time costs
Personnel costs
Overall capability costs.

Question 21

What are three common approaches to a physical security assessment?

Answer 21

Outside-Inward approach,
Inside-Outward approach,
Functional approach.

Question 22

This physical security assessment approach occurs when an assessment team takes the role of perpetrator and begins outside the facility focusing on the successive layers of Security.

Answer 22

Outside-Inward approach.

Question 23

This physical assessment approach occurs when an assessment team takes the role of defender and works their way from the asset out toward the outer perimeter.

Answer 23

Inside-Outward approach.

Question 24

This physical security assessment approach occurs when an assessment team evaluates security functions/disciplines and correlates the findings from the assessment component.

Answer 24

Functional (security discipline) approach.

Question 25

What are five criteria of a good security survey report?

Answer 25

Accuracy, Clarity, Conciseness, Timeliness, Slant or pitch

Question 26

What are the objectives of physical access control?

Answer 26

Deter potential intruders, Distinguish authorized from unauthorized people, Delay and prevent intrusion attempts, Detect intrusions and monitor intruders, Trigger appropriate incident response by communicating to security officers and police, Deny by opposing or negating the effects of an overt or covert action.

Question 27

What is an asset?

Answer 27

Anything that has tangible or intangible value to an enterprise.

Question 28

What is risk analysis?

Answer 28

A process for identifying asset values, threats, and vulnerabilities to ascertain risks.

Question 29

How is an asset’s criticality determined?

Answer 29

Based on the mission/goals of the organization and how the company would recover in the event that the asset was no longer available.

Question 30

What are the three steps to identifying a company’s assets?

Answer 30

Define company’s primary business functions, Identify site/building infrastructure and systems, Identify company’s tangible, and intangible assets .

Question 31

What two types of cost should be considered when valuing an asset?

Answer 31

Direct costs and indirect costs.

Question 32

What are some factors to consider in valuing assets?

Answer 32

Injuries or deaths related to facility damage, Asset replacement costs, Revenue loss due to lost functions, Backup/system redundancy existence, Availability of replacements, Critical/Sensitive information value, Impact on revenue and reputation.

Question 33

When determining asset values, what are some direct costs?

Answer 33

Financial losses (value of goods), Increased insurance premiums Insurance, deductibles, Lost business, Labor expenses incurred as a result of the event, Management time dealing with the event, Punitive damage awards not covered by insurance.

Question 34

When determining an asset values, what are some indirect costs?

Answer 34

Negative media coverage, Long-term negative consumer perception, Public relations cost to overcome image, problems, Lack of insurance coverage due to higher risk category, Higher wages needed to attract future employees, Shareholder suits for mismanagement, Poor employee morale leading to work stoppages and higher turnover.

Question 35

What legal and regulatory requirement procedures should be established as part of a physical asset protection program?

Answer 35

Identify the legal, regulatory, and other requirements, to which the organization subscribes related to the risks to its assets, activities, functions, products, services, stakeholders, environment, and supply chain; Determine how these requirements applied to its risks; Ensure that these requirements are taken into account in establishing, implementing, and maintaining its physical asset protection program.

Question 36

What are two types of assets?

Answer 36

Tangible and intangible.

Question 37

What are two ways assets can be valued?

Answer 37

They can be assigned a relative value, such as a number from 1 (low) to 5 (high), based on priority. Apply a cost-of-loss formula.

Question 38

What is the cost-of-loss formula to calculate an asset value?

Answer 38

K = Cp + Ct + Cr + Ci - I K = total cost of loss Cp = cost of permanent replacement Ct = cost of temporary substitute Cr = total related costs (remove old asset, install new, etc.) Ci = lost income cost I = available insurance or indemnity

Question 39

What are the two types of adversaries?

Answer 39

Adversary who uses intrusion to gain access to the target asset, and an adversary who plans to attack the site from outside.

Question 40

What are two common physical security compliance metrics in the public sector?

Answer 40

Compliance of facilities and compliance of systems.

Question 41

What are two objectives of collecting physical security program metrics?

Answer 41

To provide insurance to the organization on the effectiveness of the program and to facilitate improvement.

Question 42

This is commonly used to provide management with a snapshot of the effectiveness and efficiency of a physical security program.

Answer 42

Metrics summary chart.

Question 43

What is the purpose of a Business Impact Analysis?

Answer 43

To assess and prioritize, organizational activities, and resources required to deliver its products and services.

Question 44

What is the purpose of a business continuity management system (BCMS)?

Answer 44

To enable an organization to identify, develop, and implement policies, objectives, capabilities, processes, and programs – taking into account legal and other requirements – to address disruptive events that might impact the organization and its stakeholders.

Question 45

What is considered the foundation for establishing the business continuity objectives, targets, programs, and plans?

Answer 45

The Business Impact Analysis (BIA) and Risk Assessment.

Question 46

What are the 4 phases of business continuity?

Answer 46

Readiness, Prevention, Response, Recovery/Resumption.

Question 47

A group of individuals responsible for developing and implementing a comprehensive plan for responding to a disruptive incident, consisting of a core group of decision-makers trained in incident management and prepared to respond to an event is known as…

Answer 47

…the Crisis Management Team.

Question 48

Activities, programs, and systems developed and implemented prior to an incident that may be used to support and enhance mitigation of, response to, and recovery from disruptions is known as what?

Answer 48

Preparedness (readiness).

Question 49

What is a threat?

Answer 49

Potential cause of an unwanted incident which may result in harm to individuals, assets, a system or organization, the environment, or the community.

Question 50

What is a lost event profile?

Answer 50

A list of the kind of threats affecting the assets to be safeguarded.

Question 51

What is a hazard?

Answer 51

A source of potential danger or adverse condition. Hazards are generally associated with nature.

Question 52

Threats or loss risk events can fall into which three distinct categories?

Answer 52

Crimes Noncriminal events such as man-made incidents or natural disasters, Consequential events caused by an enterprise’s relationship with another organization.

Question 53

What are some examples of non-criminal threats?

Answer 53

Natural threats/disasters: hurricanes, tornadoes, major storms, etc. Man-made threats or disasters: labor strikes, airplane crashes, electrical power failures.

Question 54

What are examples of peripheral system and interfaces?

Answer 54

Life safety systems, building controls, IT infrastructure, liaison relationships, outsourced services, and policies and procedures.

Question 55

What is a consequential event?

Answer 55

An event that occurs because of a relationship between events or between two different organizations – the company suffers a loss as a consequence of that event or affiliation.

Question 56

How is the probability of a threat occurring decided?

Answer 56

By considering the likelihood that a loss risk event may occur in the future.

Question 57

What factors are used in determining the probability of a threat?

Answer 57

Historical data at the site, The history of like events at similar companies, The make up of the neighborhood and immediate vicinity, Overall geographical location, Political and social conditions, Changes in the economy, And other factors.

Question 58

What is vulnerability?

Answer 58

Any weakness that can be exploited by an aggressor (terrorist or criminal) or that makes an asset susceptible to damage from natural hazards or consequential events.

Question 59

What are some factors to consider in assessing asset vulnerability?

Answer 59

Lack of redundancy or backups for critical systems, Single points of failure, Collocation of critical systems/organizations, Inadequate response capability to recover from attack, Ease of aggressor access to a facility, Inadequate security measures in place, Presence of hazardous materials, Potential for collateral damage from other companies in the area.

Question 60

What are examples of four levels of risk?

Answer 60

Catastrophic, High, Moderate, Low.

Question 61

What level of risk requires treatment at any cost for activities and functions to continue?

Answer 61

Catastrophic.

Question 62

What level of risk cannot be further reduced without expenditure of costs disproportionate to benefits?

Answer 62

High.

Question 63

What level of risk is negligible or can be managed with routine procedures?

Answer 63

Moderate.

Question 64

What is the level of risk where in organization is prepared to pursue, retain, or take based on informed decisions?

Answer 64

Low.

Question 65

What should accompany the regular review of the physical security assessment report?

Answer 65

Monitor and follow up on the assessment findings, observations, and recommendations.

Question 66

What are two categories of threats?

Answer 66

Man-made threats, Natural threats.

Question 67

This metric measures time responsiveness of external dependencies in meeting a security department request.

Answer 67

External dependency responsiveness.

Question 68

What are some physical security design attributes?

Answer 68

Type of adversary, Amount of time the adversary requires getting to the assets inside, Number and type of detectors inside and out of the site, Delays that slow down the attack, Size, strength, and equipage of the response force.

Question 69

The process of identifying threats and vulnerabilities, identifying the likelihood of an event arising from such threats or vulnerabilities, defining critical functions for operations, defining controls to reduce exposure, and evaluating cost of controls is called what?

Answer 69

Risk assessment.

Question 70

What is the goal of a cost-benefit analysis?

Answer 70

To identify the optimal level of risk reduction at the best value available.

Question 71

Which analysis method does not use number, but instead uses comparative terms?

Answer 71

Qualitative analysis.

Question 72

Which analysis method utilizes numeric measures to describe value of assets or the level of threats, vulnerabilities, impact, or loss events?

Answer 72

Quantitative analysis.

Question 73

When is it most suitable to use qualitative analysis?

Answer 73

When evaluating basic security applications.

Question 74

What is a SWOT analysis?

Answer 74

A situational business analysis that involves strategic evaluation of key internal and external factors.

Question 75

What does SWOT stand for?

Answer 75

Strengths, Weaknesses, Opportunities, Threats.

Question 76

In a swot analysis, what are the external factors?

Answer 76

Opportunities and threats.

Question 77

In a swot analysis, what are the internal factors?

Answer 77

Strengths and weaknesses.

Question 78

What is the annual loss expectancy

Answer 78

The product of the cost of incident impact and the frequency of occurrence.

Question 79

What are some state and local requirements that should be considered for projects?

Answer 79

Code regulations, Trade or industry guidelines, or best practices, Standards, Permitting requirements, Contractual requirements.

Question 80

What conditions affect the likelihood of occurrence?

Answer 80

Physical environment, Social environment, Political environment, Historical experience, Procedures and processes, Criminal capabilities.

Question 81

What data may be included in an incident management system?

Answer 81

Loss event history, Threat frequency analysis, Single and annual loss expectancy, Impact assessment.

Question 82

What tests should be considered as part of a security survey?

Answer 82

Shipping and receiving, Alarms, Computer/server room, security, General access controls.

Question 83

With whom should you be coordinating when performing security system and procedure tests during a security survey?

Answer 83

The building owner or manager, and, if applicable, any outside agencies, that may be involved.

Question 84

What is checked during a security survey test on shipping and receiving?

Answer 84

Controls are checked by physical observation of selected shipments (incoming and outgoing) against bills of lading of inventory records.

Question 85

What is evaluated during a security survey test on alarms?

Answer 85

The response as well as the reaction of facility occupants and security officers.

Question 86

What is tested during a security survey test on a computer room or server room?

Answer 86

The security and access controls of computer/data processing areas during both working and nonworking hours.

Question 87

How are general access controls tested during a security survey?

Answer 87

Attempt to gain access to the facility and selected internal areas during working and non-working hours. Determine whether access is possible and, if so, whether employees challenge, the “intruders” after the fact.

Question 88

How should areas, items and issues be a valuated during a security survey?

Answer 88

In terms of appropriateness for the situation, age, operability, maintenance, interoperability, aesthetics, and consistency with the current use of the space.

Question 89

What should be reviewed when assessing key/card security during a security survey?

Answer 89

Accountability and policy, Recordkeeping and inventory, Recovery procedures (for keys), Changed when appropriate (turnover of key personnel, after a theft/burglary, etc.).

Question 90

What are some examples of other (not windows and doors) openings that should be assessed during a security survey?

Answer 90

Manholes, Skylights, Roof hatches, Ventilator/air conditioning, vents, shafts, Penthouses and penthouse/roof/veranda access, Sidewalk grates.

Question 91

What should be examined when assessing the protection of utilities during a security survey?

Answer 91

Location and physical protection, Access control, Back up/emergency sources, Protection of telecommunications and data lines.

Question 92

What is the first step in a risk assessment?

Answer 92

Identification and valuation of assets.

Question 93

What are the four Ds?

Answer 93

Deter, Detect, Delay, Deny.

Question 94

What are the five risk treatments?

Answer 94

Accepting the risk, Transferring the risk, Spreading the risk Avoiding the risk, Mitigating the risk.

Question 95

What are the seven functions of physical security?

Answer 95

Access control, Deterrence, Detection, Assessment, Delay, Response, Evidence gathering.

Question 96

What factors should be considered when selecting a risk mitigation strategy?

Answer 96

Availability, Affordability, Feasibility.

Question 97

The effectiveness of individual countermeasures and the security system depends on what?

Answer 97

The adversary and the threat.

Question 98

What must happen as a threat increases in sophistication?

Answer 98

The effectiveness of the countermeasures must also increase, or the additional risk must be managed by some other means.

Question 99

What four criteria can be used to rank assets based on criticality?

Answer 99

Workforce, Service delivery, Dependencies, Mission/objectives.

Question 100

Which risks should be prioritized?

Answer 100

Those risks that have the potential to cause significant mission impact or harm.

Question 101

What conditions tend to increase an asset’s exposure to the risk of loss?

Answer 101

Physical environment – includes factors such as types and locations of facilities, operational technology, and criticality of on-site assets. Non-physical environment – includes factors, such as Geo-political landscape, culture, speed of decision making and compliance requirements. Logical environment – includes information and digital assets and the network or digital space that connects them.

Question 102

What are two common approaches to measure vulnerability?

Answer 102

Observability and exploitability.

Question 103

The ability of an adversary to see and identify a vulnerability is known as what?

Answer 103

Observability.

Question 104

The ability of an adversary to take advantage of the vulnerability is known as what?

Answer 104

Exploitability.

Question 105

When is observability reversed?

Answer 105

In assessing natural threats.

Question 106

How is risk calculated?

Answer 106

Risk = (Theat X Vulnerability X Impact) / 3

Question 107

The determination of the actual cost of a security program against the impact in terms of loss reduction, financial savings, acquisition, lifecycle, replacement, or other measures is known as what?

Answer 107

Cost-benefit analysis.

Question 108

A measure based on a reference that involves at least two points is known as what?

Answer 108

Metrics.

Question 109

What are the technical criteria of a Security Metrics Evaluation Tool (MET)?

Answer 109

Reliability, Validity, Generalizability.

Question 110

What are the operational criteria of a Security Metrics Evaluation Tool (capital MET)?

Answer 110

Cost, Timeliness, Manipulation.

Question 111

What are the strategic criteria of a Security Metrics Evaluation Tool (MET)?

Answer 111

ROI, Organizational relevance, Communications.

Question 112

What are the high-level evaluation criteria for a Security Metrics Evaluation Tool (MET)?

Answer 112

Technical criteria, Operational criteria, Strategic criteria.

Question 113

What are the three major physical security metrics?

Answer 113

Systems, Personnel, Compliance.

Question 114

What are some common physical security systems metrics?

Answer 114

Forced door, Door held open, Unauthorized access attempts, User-defined actions/alarms, Communications failure.

Question 115

What are two measurable physical security personnel metrics?

Answer 115

Response and training.

Question 116

What is the first step in asset protection?

Answer 116

Perform a threat and vulnerability analysis.

Question 117

What is one potential pitfall in choosing security technology?

Answer 117

In ability to thoroughly evaluate product claims prior to installation.

Question 118

What is the primary challenge for security system designers?

Answer 118

Balance the need for public access against ensuring public safety.