Security Principles & Practices

Question 1

Managers’ technicals skills are better the closer they are to the actual work, true or false?

Answer 1

True.

Question 2

Higher level managers have greater ____ and ______ skills than lower level managers?

Answer 2

interpersonal and conceptual.

Question 3

Conceptual skills are?

Answer 3

The ability to manage more people in more functions toward desired outcomes.

Question 4

Interpersonal skills can be described as?

Answer 4

The ability to communicate effectively, to inspire trust and motivate others. Relationship building.

Question 5

What are policies?

Answer 5

Established rules that define behavior and actions within an organization

Question 6

What are procedures?

Answer 6

Instructions on how to follow policies and rules within an organization.

Question 7

Strategic Management Process

Answer 7

A linear process that involves establishing a vision, objectives, strategy, execution and monitoring to guide the management of an organization.

Question 8

Strategic Vision

Answer 8

The aspirations of management for the future of the company and the course of action to achieve those aspirations.

Question 9

Mission Statement

Answer 9

A statement that defines the long-term purpose and reason for the existence of a company.

Question 10

Core Values

Answer 10

The beliefs, traits, and norms that are expected from personnel in conducting business.

Question 11

Organizational Culture

Answer 11

The expectations, experiences, and values that guide the behavior of members within an organization.

Question 12

Enterprise Assets

Answer 12

Traditionally protected assets such as people, property, and information, as well as reputation, relationships, and creditworthiness.

Question 13

Standards

Answer 13

Criteria, guidelines, and best practices that are used to enhance quality and reliability.

Question 14

Management System Standards

Answer 14

Standards such as ISO 9001 for quality management, ISO 14001 for environmental management, and ISO 31000 for risk management.

Question 15

Plan Do Check Act Cycle

Answer 15

An operating principle of management systems standards that involves planning, implementing, checking, and taking corrective actions to improve performance.

Question 16

Enterprise Security Risk Management (ESRM).

Answer 16

A strategic approach that connects security practices to the overall strategy of an organization using globally accepted and established risk management principles.

Question 17

ESRM Cycle

Answer 17

A process of security risk management that emphasizes understanding and managing the assets of an organization. It describes how security risks are to be mitigated.

Question 18

Asset Prioritization

Answer 18

The ranking of assets based on their criticality to the mission and strategy of an organization.

Question 19

Risk Prioritization

Answer 19

The ranking of risks based on their potential to undermine the mission and strategy of an organization.

Question 20

Risk mitigation

Answer 20

The process of reducing risk through the implementation of security measures, policies, and procedures.

Question 21

Cost-benefit analysis

Answer 21

The evaluation and comparison of the value and cost of different risk treatment options.

Question 22

Risk control

Answer 22

The modification and reduction of risk through the implementation of security measures and strategies.

Question 23

Prevention procedures

Answer 23

Measures taken to minimize the likelihood of a disruptive event.

Question 24

Liaison

Answer 24

The act of leveraging resources, sharing best practices, and collaborating with others. It is one of the most significant force multipliers and is a proactive medium.

Question 25

Security Awareness

Answer 25

The consciousness of a security program and its effect on reducing risks.

Question 26

Security Awareness Program

Answer 26

A program designed to educate employees on protecting assets and reducing losses.

Question 27

Security awareness levels

Answer 27

Different training levels provided to different categories of employees to enhance their security awareness.

Question 28

Developing a security awareness program

Answer 28

The process of tailoring a security awareness program to the specific needs of an organization and providing training to different departments and levels of employees.

Question 29

Security awareness techniques

Answer 29

Various methods used in a security awareness program, including written materials, audiovisuals, briefings, integration into operations, drills, and exercises.

Question 30

Security awareness program evaluation

Answer 30

The measurement of the effectiveness of a security awareness program and the documentation of its value.

Question 31

What is an asset owner?

Answer 31

The person most directly responsible for successful operation of the asset. In ESRM, the asset owner is assigned responsibility for the risk to an asset.

Question 32

What are four ways to manage risk?

Answer 32

Reduce, accept, transfer, eliminate.

Question 33

What are the deciding factors between qualitative or quantitative approaches to a risk assessment?

Answer 33

-Reliability & Validity of data;
-The nature of the risk factors and whether they are quantifiable;
-The target audience for the outputs

Question 34

What is risk tolerance?

Answer 34

The amount of uncertainty an organization is prepared to accept in total or more narrowly within a certain business unit, a particular risk category, or for a specific initiative.

Question 35

What four steps are part of the risk assessment process?

Answer 35

1) asset identification, valuation and characterization;
2) risk identification;
3) risk analysis; and
4) risk evaluation

Question 36

What is terrorism?

Answer 36

An act of violence designed to achieve a political end.

Question 37

What is a cost-benefit analysis?

Answer 37

A method for evaluating and comparing the value and cost of risk-treatment options.

Question 38

What 6 things should be considered when assessing consequences?

Answer 38

• Costs: human, financial and image;
  Impacts: Human Rights, indirect and environmental

Question 39

What are 5 benefits of liaison?

Answer 39

• Leverage the resources of others;
  -share best practices and lessons learned;
  -collaborate on specific case or incidents;
• more effectively address common issues;
  -share information, equipment and facilities

Question 40

What is cost-effectiveness?

Answer 40

Producing good results for the money spent.

Question 41

What is security awareness?

Answer 41

Consciousness of an existing security program, its relevance and the effect of one’s behavior on reducing security risks.

Question 42

What is the goal of a security awareness program?

Answer 42

To promote compliance with security policies and procedures, as well as provide timely communications and training to guide individual and organizational attitudes and behaviors.

Question 43

What drives the need to use a security consultant?

Answer 43

A specific problem, need, challenge or goal.

Question 44

What is a chief security officer?

Answer 44

A senior executive level function responsible for providing comprehensive, integrated risk strategies to help protect an organization from a wide spectrum of threats.

Question 45

All organizations have three common characteristics?

Answer 45

1) Distinct purpose (expressed through a mission statement and goals);
2) People; and
3) Deliberate structure

Question 46

PODSCORB?

Answer 46

Henri Fayols management principles:
Planning, organizing, deciding, staffing,
directing, coordinating, reporting, budgeting.

Question 47

Three common leadership styles, include:?

Answer 47

1) Authoritarian;
2) Democratic;
3) Laissez Faire

Question 47

What is a firm’s vision?

Answer 47

A firm’s aspirations for the future….where we are going.

Question 48

What is a firm’s mission?

Answer 48

Describes the scope and purpose of its present business….”who we are, what we do, and why we are here.”

Question 49

What is a mission statement?

Answer 49

1) Communicates business functionality and operational methods.;
2) Specifies a businesses’ products or services, level of quality and other tangible aspects of the business and its plans.

Question 50

Insurance coverage on an asset is a form of….?

Answer 50

Risk transfer

Question 51

Copyrights do not have to be registered.

Answer 51

But it is best to do so.

Question 52

HR is the first line of defense for……?

Answer 52

To prevent losses by hiring good workers.

Question 53

Procedures can be changed.

Answer 53

Procedures can be changed to meet changing conditions and demands.

Question 54

What is annual loss expectancy?

Answer 54

ALE is a calculation that helps you to determine the expected monetary loss for an asset due to a particular risk over a single year. It can be used in a cost-benefit analysis: If a threat or risk has an ALE of $5,000, then it may not be worth spending $10,000 per year on a security measure which will eliminate it.

Question 55

Interoperability in communications?

Answer 55

The ability of emergency response agencies to talk to one another - wirelessly- via communication systems - to exchange voice and or data.

Question 56

Strategy efficiency?

Answer 56

Measured by time and costs.

Question 57

Strategy effectiveness?

Answer 57

Measured by outcomes.

Question 58

A mission statement should do what 6 things?

Answer 58

1. Identify the firm’s products or services.;
2. Specify the buyer needs it seeks to satisfy;
3. ID the customer groups or markets it hopes to serve;
4. Specify its approach to pleasing customers;
5. Set the firm apart from its rivals; and
6. Clarify the firm’s business intentions to its stakeholders.

Question 59

Explain the “do” part of the plan-do-check-act cycle?

Answer 59

Under “do,” the security manager looks at the planning analysis, then devises a solution, prioritizes the next steps, and develops a detailed action plan.

Question 60

ESRM has three primary components?

Answer 60

1. the context of ESRM - organizational aspects the security manager must understand to adopt ESRM successfully;
2. the ESRM cycle - the actual process of security risk mngment;
3. the foundation of ESRM - including organizational concepts that support the ESRM approach and maximizes its impact.

Question 61

What is the initial ESRM step?

Answer 61

Understanding the organization; this is at least as important as understanding the threats the organization faces.

Question 62

What is the first process in the ESRM cycle?

Answer 62

Identify and prioritize assets. The prioritized list of assets is the basis for the remainder of the ESRM cycle.

Question 63

What are the two types of governance that are relevant from the perspective of ESRM?

Answer 63

Organizational governance

and

ESRM governance

Question 64

Vulnerabilities can be measured in two ways?

Answer 64

Observability and exploitability.

Question 65

The risk that remains after target hardening, security controls, countermeasures and threats have been addressed?

Answer 65

Residual risk

Question 66

Private and personal information pertaining to an organization’s employees, management, business, relationships and customers is often referred to as…?

Answer 66

Personally identifiable information.

Question 67

Packages may be searched for contraband manually or by active interrogation using x-ray. Is that safe for employees?

Answer 67

Advanced backscatter x-ray technology exposure is safe for screening personnel.

Question 68

An organizational strategy is also called?

Answer 68

A strategic plan

Question 69

An organizational strategy defines and supports?

Answer 69

Long-term goals.

Question 70

An organization’s vision can best be described as?

Answer 70

Where the business will be in the long term.

Question 71

ESRM includes?

Answer 71

physical security, brand protection and travel risk

Question 72

In assets protection, convergence generally means?

Answer 72

Integration of traditional physical and IT security

Question 73

The process of assessing security-related risks from internal and external threats to an entity, its assets and personnel is best described as?

Answer 73

Risk assessment

Question 74

What does the K stand for in the cost of loss formula

Answer 74

Criticality, total cost of loss

Question 75

A security weakness or practice that may facilitate or allow a threat to occur is?

Answer 75

A vulnerability

Question 76

In this step, the assessor combines all the information on assets, threats and vulnerabilities and then considers the potential impact?

Answer 76

Risk analysis

Question 77

What are key components of organizational resilience standards?

Answer 77

Risk assessment and management (pg 20)

Question 78

What best describes an organizational resilience management system?

Answer 78

A framework for managing and mitigating risks to ensure business continuity.

Question 79

What is an example of a physical security measure?

Answer 79

Implementing access control systems at entry points (pg 22)

Question 80

What is one of the key principles of Crime Prevention Through Environmental Design?

Answer 80

Enhancing natural surveillance through proper lighting & visibility (pg 23)

Question 81

What is an example of a physical barrier used for site hardening and security?

Answer 81

Erecting a fence or wall around a perimeter (pg 23)

Question 82

What is not an option for the security manager to consider when selecting an intrusion detection system?

Answer 82

Solution reduces liability on the part of the organization (pg 25)

Question 83

What exemplifies the concept of cost benefit analysis in security measures?

Answer 83

Implementing a cost-effective access control system with limited features.

Question 84

What is a consulting hourly fee schedule?

Answer 84

The assignment is expected to last less than a day but the exact amount of time may be unclear.

Question 85

What are the seven key skills of a CSO?

Answer 85

relationship leader
executive leader
subject matter expert
governance team leader
risk executive
strategist
creative problem solver

Question 86

What are indirect costs of security?

Answer 86

Harm to reputation and employee morale
Loss of goodwill and employees

Question 87

What members should comprise a vulnerability assessment team?

Answer 87

Security specialist (leader), 
Security systems engineer, 
Response expert,
Data analyst,
Operations representatives,
Subject matter experts (E.g. locksmiths, technical writers, legal experts).

Question 88

What is the formula for residual risk?

Answer 88

R = T x A x V

where

R = residual risk
T = threat
A = asset to be protected
V = vulnerability.

Question 89

What is the formula for lost income cost?

Answer 89

I = i/365 x P x T

where

I = income earned,
i = annual percent rate of return,
P = principal amount (in dollars) available for investment,
t = time (in days) during which P is available for investment.

Question 90

What is the cost of loss formula?

Answer 90

K = (Cp + Ct + Cr + Ci) - (I-a),

where

K = criticality, total cost of loss,
Cp = cost of permanent replacement,
Ct = cost of temporary substitute,
Cr = total related costs,
Ci = lost income cost,
I = available insurance or indemnity,
a = allocable insurance premium amount.

Question 91

What are the five avenues of addressing risk?

Answer 91

Avoidance,
Transfer,
Spreading,
Reduction,
Acceptance.

Question 92

What are the five D’s of security?

Answer 92

Deter,
Deny,
Detect,
Delay,
Destroy.

Question 93

What are the five forces shaping assets protection globally?

Answer 93

Technology and touch,
Globalization in business,
Standards and regulation,
Convergence of security solutions,
Homeland security and the international security environment.

Question 94

What is the formula for loss event probability?

Answer 94

P = f/n

Where

P = The probability that a given event will occur,
f = The number of actual occurrences of that event,
n = The total number of experiments seeking that event.

Question 95

What hypotheses did Clark and Hollinger posit to explain employee theft?

Answer 95

External economic pressures,
Youth,
Opportunity,
Job dissatisfaction,
Social control.

Question 96

What are the six main obstacles to an effective security awareness program?

Answer 96

Low credibility of security department,
Organizational culture,
Naïveté,
Perception of a minimal threat,
Departmental/employee indifference,
Lack of reporting capability

Question 97

Two types of transparency are particularly relevant from the perspective of ESRM, and they are?

Answer 97

Risk transparency and
Process transparency