Security Principles Flashcards
What is the difference between asset protection and security?
A. Asset protection’s main aim is to reduce losses, whereas security may also fulfill a compliance function.
B. Asset protection is defined at corporate level, whereas security is more often organized at local (site) level.
C. Asset protection includes all security risks, as well as related functions, such as investigations, risk management, safety, compliance, etc.
D. Asset protection relies on the whole organization whereas security is limited to a dedicated department.
C
ESRM is a strategic approach to security management that ties an organization’s security practice to its overall strategy using globally accepted, established risk management principles.
When following the ESRM strategic approach, who has the responsibility for final security decisions?
A. The departmental head.
B. The asset owner.
C. The Chief Executive Officer.
D. The Chief Security Officer.
B
A standard is a set of criteria, guidelines, and best practices that can be used to enhance the quality and reliability of products, services, or processes.
Which statement is true regarding standards?
A. Standards must be complied with.
B. Standards are voluntary.
C. Standards are regulated by government.
D. Standards are compulsory.
B
A management system provides the framework for continual improvement to increase the likelihood of achieving strategic, operational, tactical, and reputational objectives while enhancing the resilience of an organization.
What is not a term used for the operating principle of ISO’s management systems standards?
A. Assess-Protect-Confirm-Improve model.
B. Standard Operating Procedures (SOP).
C. Deming circle.
D. Plan-Do-Check-Act cycle (PDCA).
B
A framework for viewing the underlying principles of asset protection states that three concepts form a foundation for any asset protection strategy. One of those concepts is known as the Four Ds.
What is the first objective in protecting assets in the Four Ds security approach?
A. To deter any type of attack.
B. To reduce losses.
C. To delay any attack.
D. To detect adversaries on the outside.
A
Management system standards are designed to help organizations improve the ways in which they provide services and perform processes; they are widely accepted and used in many fields and disciplines.
Which stakeholder group drives the (ANSI/ISO/etc.) standards development process?
A. Corporations.
B. Standards users.
C. Governments.
D. Certifying bodies.
B
Risk assessments should identify risks, quantify them, and prioritize them according to the organization’s criteria for risk acceptance. The results of the assessment should help in selecting and prioritizing actions for managing risks.
Loosely formulated, what three questions should a risk assessment attempt to answer?
A. Which risks are low? Which risks are medium? Which risks are high?
B. What can go wrong? What is the likelihood it would go wrong? What are the consequences if it would go wrong?
C. What risk can be transferred? What risk can be reduced? What risk can be avoided?
D. What is the risk? What is the likelihood? What is the impact?
B
Protection occurs with an appropriate mix of physical, procedural, or electronic security in relation to the assets protected. Which statement is most correct?
A. This will provide complete protection.
B. This creates an effective defense-in-depth asset protection program.
C. This is known as convergence.
D. This will be the most cost-effective mix of protection measures.
B
Which (risk) approach relies on probabilities and statistics using mathematical formulas and calculations to interpret numbers, data, and estimates?
A. Inductive approach.
B. Qualitative approach.
C. Deductive approach.
D. Quantitative approach.
D
What is described below?
A physical examination of a facility and its systems and procedures to assess the current security level and the required protection level is a ………. Physical security professionals should be intimately familiar with ………. because these form the basis for any physical security project and are the largest portion of field work used to collect data and accumulate evidence to support countermeasures.
A. Loss Event Survey.
B. Vulnerability Analysis.
C. Risk Analysis.
D. Security Survey.
D
Which type of insurance is described by: “provides coverage against losses that are caused by your employees’ fraudulent or dishonest actions”?
A. Indemnification bond.
B. Surety bond.
C. Fidelity bond.
D. Liability bond.
C
To senior management, cost-effectiveness is a primary strategic factor. Anecdotal evidence of the efficiency of asset protection in a given business line is interesting, but in the final analysis the activity must be measurable in financial terms.
Loosely formulated, what is the goal of a cost-benefit analysis?
A. To calculate the value, amount or numbers of losses recovered.
B. To establish a baseline for budgeting.
C. To identify the optimal level of risk reduction at the best value available.
D. To calculate the cost of the security program.
C
There are several ways that security and protection professionals can manage risks. One of those concepts is known as the four ways to manage risk or the risk mitigation strategy.
Which of the following is not one of those risk mitigation strategies?
A. Reduction.
B. Assessment.
C. Avoidance.
D. Transfer.
B
What is an important, but often overlooked, feature of an effective security awareness training program?
A. They engage staff and let them have fun.
B. They are always a mix of an online, offline, and practical method of training.
C. They start with outlining the obligations of staff according to the security policy.
D. They should be conducted by experienced security staff.
A
In some places, security officers may take on a community protection role in high-crime housing developments. In other instances, private security officers fill traditional policing roles. This is also known as private policing.
What is usually the reason behind the use of private policing?
A. Private firms can deliver more efficient services at a lower cost than public forces.
B. They are not perceived as threatening.
C. They may not be armed.
D. Private firms have more funds available than public forces.
A
What is the principal value of security awareness to executive management?
A. A reduction in liability in case of losses or other security incidents.
B. Awareness of the program’s financial contribution to the bottom line, i.e., what would the cost of loss be without implementing the security program.
C. Easier execution of security policies, procedures, and instructions.
D. The reduction of the number of potential losses or security incidents.
B
The security consulting profession bases fees on several factors, including the subject matter, level of expertise required, and geographic region. Time and quality must be considered when analyzing a range of consulting fees.
What is the emerging trend in consultant fees?
A. Stiff competition leading to fee-inflation.
B. Project-based pricing rather than hourly fees.
C. Lump-sum pricing rather than hourly fees.
D. Hourly fees with a maximum cap.
B
A step in the ESRM cycle is to identify and prioritize risks. Risk prioritization is based on each risk’s potential to undermine the organization’s ability to execute its mission and overall strategy.
It is advisable to categorize risks according to:
A. The major categories of assets of the organization.
B. The cost of asset replacement of the organization.
C. The headcount of the organization.
D. The locations of offices of the organization.
A
What term is most commonly used for the process of measuring an asset protection program’s costs and benefits as well as its successes and failures?
A. Security metrics.
B. Failure analysis.
C. Profit and loss.
D. Cost-benefit analysis.
A
Asset protection is increasingly based on what principle?
A. Return on investment.
B. Risk management.
C. Compliance-based principles.
D. Threat-based design.
B
When implementing ESRM, security professionals should have a comprehensive understanding of four elements regarding the context in which the organization operates:
(1) Mission and vision; (2) Core values; (3) Operating environment. What is the fourth one?
A. Risk appetite.
B. Stakeholders.
C. Governance.
D. Mitigation.
B
Adoption of ESRM propels the security program towards …
A. … lower risk levels.
B. … reduced security costs.
C. … a higher level of risk awareness.
D. … constant improvement.
D
Which approach means that an adversary must avoid or defeat several protective devices or features in sequence?
A. Security convergence.
B. The complete protection approach.
C. Layered security (or security in depth).
D. The four Ds principle.
C
What are the two basic analytical approaches to many types of assessments?
A. Cost-based & Impact-based.
B. Compliance-based & Performance-based.
C. Compliance-based & Quality-based.
D. Quantitative & Qualitative.
B