Prueba 1 > ASIS CPP - Security Principles & Practices > Flashcards

ASIS CPP - Security Principles & Practices Flashcards

(151 cards)

Study These Flashcards
1
Q

Who is accountable for protecting the organization?

A

Leaders of Each Operating Unit

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

The Organization’s Security Function

A

Risk assessment, Policy & Supporting Infrastructure

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Who reports to a senior-level executive to ensure a strong liaison with leadership, demonstrate commitment and support and highlight the importance of security?

A

CSD

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Security department placement in the organization impacts its ability to:

A
  1. Expert influence
  2. Remain informed
  3. Garner resources to support programs and strategies
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Key competencies of the CSO

A
  1. Staff developer
  2. More strategies than tactical
  3. Highly ethical
  4. Responsible & dedicated
  5. Risk and crisis handler
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Security Managers

A
  1. Security managers are security specialists and business managers
  2. Effective security managers are the business partner
  3. Security managers should be in Senior management
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Ratio of direct reports to a single supervisor

A

Span of Control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

A limited number of direct reports

A

Effective Management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

The number depends on:

A
  1. Mature of work
  2. Type of organization
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Generally 1 ; 10 is best, but…

A

1 to 100 is possible with technology & flattened organization

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Management is less important in team environments and flat organizations

A
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

And individual reports to only one supervisor

A

Unity of Command

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Three tools of a strategically-managed assets protection program

A
  1. Planning
  2. Management
  3. Evaluation
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Assets Protection Program Management

A

A single office (or person) should be the assets protection focal point

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Convergence

A
  1. 2005 definition (ASIS): the integration of traditional & IT security
  2. Contemporary definition: the merging of various fields to protect critical assets
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Factors that change the understanding of and approach to assets protection:

A
  1. Threats mutate
  2. Technology advances
  3. Management evolves
  4. Business transforms
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Five avenues to address risk:

A
  1. Acceptance
  2. Avoidance
  3. Reduction (mitigation)
  4. Spreading
  5. Transfer
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Balancing security and legal considerations:

A
  1. Strong security alleviates the need for legal protection
  2. Strong legal protections alleviate the need for security
  3. Finding the appropriate mix of both solutions is the key
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Five D’s (used to be 3 D’s)

A

Deter

Deny

Detect

Delay

Destroy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Five forces shaping assets protection:

A
  1. Technology and touch
  2. Globalization in business (increases risks to)
  3. Standards & regulation
  4. Convergence of security solutions
  5. Homeland Security & the international security environment
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Globalization in business (increases risks to)

A
  1. Business transactions
  2. Information assets
  3. Product integrity
  4. Corporate ethics
  5. Liability
  6. Far-flung people and facilitiates
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

The most effective defense-in-depth program mixes

A
  1. Physical measures
  2. Procedural measures
  3. Electronic measures
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Defense - in - Depth

A

Effective Security measures are not oppressive or burdensome

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Sarbanes-Oxley Act of 2002

A
  1. Formerly known as the Public Company Accounting Reform & Investor Protection Acts of 2002
  2. Became Law on July 30, 2002
  3. Passed in response to accounting Scandals at public companies in the late 1990’s and 2000’s
  4. Established new accounting standards and business practices for US public companies, their beards, and the public accounting firms that serve them
  5. Requires CEO to certify, the accuracy of their organization’s financial statements
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Surbanes-Oxley Act of 2002 (Ctd..)
6. Compliance (particularly w/ Section 404) significantly burdens companies' officers and boards and imposes both civil a criminal penalties on violators who commit fraud 7. Established the Public Company Accounting Oversight Board
26
Sarbanes - Oxley Acts of 2002 (Ctd...)
8. Requires all publicly traded companies to have anonymous reporting methods for questionable accounting or auditing activities 9. Limits an organization's ability to provide strictly internal reporting mechanisms
27
Standards in General
Address specific needs (like technical issues) health, safety, or environmental concerns, quality or compatibility require
28
Compliance with a standard is voluntary but a regulation may require compliance with a standard
29
Nine main types of standards
1. Basic 2. Product 3. Design 4. Process 5. Specification 6. Code 7. Managment systems 8. Conformity assessment 9. Personal certification
30
International Organization for Standardization (ISO)
1. ISO is not an acronym "ISO's" Greek for "equal" 2. The world's largest standards developer, based in Geneva, Switzerland 3. Non-governmental organizations; participants are volunteers 4. Does not regulate legislate or enforce
31
ISO (cntd...)
5. A network of national standards institutes from 159 member countries; each has one vote - the US representatives is the American National Standards Institute (ANSI) 6. ISO standards often become recognized as industry best practices and defacto market requirements
32
ISO (cntd...)
7. Based on international consensus, ISO standards address the global business community & are developed only when there is an identified market need or to facilitate international or domestic trade; ISO standards are designed to be globally relevant 8. Employs a transparent process for developing standards based on consensus among the interested parties, not by majority vote: all major concerns & objections must be addressed
33
ISO (cntd...)
9. Approximately 1000 technical groups in which more than 50,000 experts participate annually
34
Forged in 1916 as "clearing house" for Standards Developing Organizations (SDO's) in the U.S.
ANSI
35
An organization's, company, agency or group that develops standards
SDO
36
Administrator & coordinator of the U.S. private sector voluntary standardization system
ANSI
37
ANSI
Decentralized & partitioned into industrial sectors and supported by hundreds of private sector SDO's
38
The only creditor of US Voluntary Consensus SDO's 1. 600 SDO's in the US 2. 200 SDO's accredited by ANSI to develop American National Standards including ASIS NFPA & SIA
ANSI
39
The sole US representative to the two major non-treaty international standards Organizations: ISO & IEC (International Electrotechnical Commission)
ANSI
40
Represents more than 125,000 companies and organizations & 3.5 million, professionals worldwide
ANSI
41
Provide broad descriptions of how operations will be conducted
Policies
42
May be affected by different regulations for different businesses such as:
1. Minimum wage (Federal & State) FMLA OSHA 2. Regulations for government data 3. Building codes
43
Policies
1. Should be useful & simple without overloading employees 2. Should be developed closely with managers 3. should provide details of operations & the efforts of policy changes 4. Should create management buy-in through collaboration in development
44
Security Policies
1. Establish strategic security objectives & priorities 2. Identify those accountable for physical security 3. Set forth responsibilities & expectations for managers, employees & others
45
Procedures
1. Instruct employees how to react to various issues 2. Are clearly articulated to prevent confusion 3. Address a wide variety of topics including all topics important for daily functions 4. Are widely promulgated & refreshed with employees regularly
46
Procedures
5. Reflect the ideal functionality of the organizations 6. Support proper staff behavior & facilitate a hospitable safe workplace
47
Security Procedures
1. Are detailed implementation instructions for staff to carry out security policies 2. Are often overlooked as an asset protection tools revised procedures can enhance security while improving bottom-line
48
What has been extended into streets and other public areas?
Premises Liability of Owners
49
ASIS facilities Physical Security Measures guideline defines risk management as a business discipline consisting of what three major functions?
1. Loss prevention 2. Loss control 3. Loss indemnificaiton
50
Risk Assessment
A proactive strategy for security/risk mitigation supports sustainable, healthy, productive organizations and is a critical responsibility of senior leadership & governing boards
51
What was developed in the insurance industry?
Risk Assessment
52
Who should be responsible for all of the organization's security/risk strategy
Senior Executive
53
An uncertain situation with a number of possible outcomes, one or more of which is undesirable
Risk
54
What does risk include?
all negative events for an organization their impact likelihood & how soon they may occur (imminence)
55
Two things that risk assessment does with all risks
Defines & Quantifies
56
3 things risk assessment techniques may be
1. Heuristic (ad hoc) 2. Inductive (qualitative) (bottom-up approach) 3. Deductive (quantitative) (top-down approach)
57
Inductive (qualitative - bottom-up approach)
**1.** risks identified at the beginning of the analysis **2.** Identified risks are the starting point not the result **3.** This method may produce incomplete results **4.** This method makes use of "event trees" that trace an initiating event through a sequence with different possible outcomes **5.** Does not readily lend itself to feedback loops in the event trees **6.** This method focuses on scenarios which may fail to account for concurrent attacks
58
Deductive quantitative - top-down approach
1. Risks result from a systemic deductive top-down approach 2. Uses "logic diagrams" & "fault trees" along with event trees
59
When an entire population is at risk
Societal Risk
60
Risk assessments attempt to find answers to three primary questions
1. What can go wrong? 2. What is the likelihood of it going wrong? 3. What is the impact if it goes wrong?
61
Risk management attempts to answer four primary questions:
1. What can be done about identified risks? 2. What options are available? 3. What are the associated trade-offs of the options? 4. What are the impacts of current management decisions on future options?
62
5 things that risk assessments include
**1.** Identifying internal & external threats & vulnerabilities **2.** Identifying the probability and impact of an event arising from such threats or vulnerabilities **3.** Defining critical functions necessary to continue the organization's operations **4**. Defining the controls in place exposure **5.** Evaluating the cost of such controls
63
Risk Formula R = T x A x V
R = Residual risk T = Threat a combination of threat definition & likelihood of an attack A = Asset to be protected V = Vulnerability represented by system effectiveness
64
Coordinated activities to direct & control an organization with regard to risk
Risk Management (ISO)
65
Although definitions of risk management vary, they generally agree that it relies on
1. Risk assessment (which relies on a vulnerability assessment) 2. Threats 3. Asset value 4. Vulnerability
66
Major types of risk assessment
1. Quantitative (hard numbers, history statistics) 2. Qualitative ("feel" predictions experience etc.)
67
**Security typically relies on qualitative not quantitative assessment**
68
Risk is expressed in:
1. Threat 2. Consequence (impact) 3. Vulnerability (likelihood probability)
69
Risk Analysis Includes
1. Risk assessment 2. Risk evaluation 3. Risk management alternatives
70
A recommended approach for conducting a general risk assessment
1. Understand the organization & identify the people & assets at risk 2. Specify loss risk events/vulnerabilities 3. Establish the probability of loss risk & frequency of events 4. Determine the impact of the events 5. Develop options to mitigate risks 6. Study the feasibility of implementation of options 7. Perform a cost/benefit analysis
71
The value of a risk analysis depends upon...
The skill of the analysis
72
Higher risk in high-rise buildings
**1.** More people = more property & more property = more opportunity for crime **2.** More people = more chances of internal crime **3**. More people = more anonymity **4**. Easy access to the public in CBO's - easy access to mass transit **5**. Elevators & stairwells can be risky places
73
Higher risk in high-rise buildings...ctd
6. Risky, neighboring tenants 7. Tough to control threats & respond to incidents (too many people & environment is complex) 8. Evacuations are difficult 9. More critical threats in high-rise include fire, explosion & contamination 10. The ability to mitigate threats for high-rise depends on structural design & use of technology to: - Deter & detect a threat - Communicate a threat's nature & location - Initiate automatic or Org. responders
74
3 General types of assets
1. People 2. Property 3. Information
75
Tangible assets can be seen, touched or directly measured in physical form
1. Facilities/buildings 2. Inventory 3. Cash 4. Supplies / Consumables Equipment, raw, materials, accounts payable, telecom systems, other capital assets
76
Intangible assets can include
1. Reputation & image 2. Brand recognition & loyalty 3. Vendor diversity 4. Past performance 5. Quality assurance processes 6. Workforce retention 7. Human capital development
77
The amount of protection require by an enterprise is a function of:
1. Value of the asset 2. Risk tolerance of the enterprise
78
Three general methods of valuing assets
1. Dollars (most important measures) 2. Consequence criteria 3. Policy (prescribed protection levels)
79
Asset value may be expressed in...
1. Criticality 2. Consequences of loss 3. Severity
80
Cost-of-loss Formula K = (Cp + Ct + Cr + Ci) - I
K = Criticality, the total cost of loss Cp = Cost of permanent replacement Ct = Cost of temporary substitute Ci = Lost income I = Insurance
81
A loss isn't measured just by replacement it also includes:
**Lost income** **Sales** **Downtime** (Indirect Costs)
82
Security losses are:
1. Direct (money, negotiable instruments, property, information..) 2. Indirect (harm to reputation, loss of goodwill, loss of employers, harm to employees morale...)
83
Threats & Less Events Pure Risks
Crime Conflicts of Interest Natural disaster Civil disturbance War/insurrection Terrorism Accident Maliciously willful or negligent personal conduct
84
Less risk event (threat) categories
Crimes Non-Crime (human or natural) Consequential
85
Threat classes
1. Insiders 2. Outsiders 3. Collusion
86
Threat Tactic Categories
Deceit Force Stealth Combination
87
A detailed list of threats; key to determining the Design Basis Threat (DBT)
Threat Spectrum
88
The threat against which countermeasures are designed to protect
Design Basis Threat (DBT)
89
Motivation Tools Competence Knowledge
Threat Considerations
90
A risk analysis that considers the entire threat spectrum must be performed because...
As the threat increases, performance of individual security elements or the system as a whole will decrease
91
Cost Abatement Coverage of losses by Insurance
1. Insurance pay-off should be subtracted from the total loss of an asset 2. Insurance payments & premiums should reduce the insurance pay-off
92
Nine probability factors for threats & loss events
1. Physical environment (neighborhood & vicinity) 2. Overall geographical location 3. Social environment 4. Political environment 5. Economic environment 6. Historical experience for the organization 7. Historical experience for the industry 8. Procedures & processes 9. Criminal state-of-the-art
93
Threat likelihood may be expressed in
Frequency Probability Qualitative estimate
94
A weakness that can be exploited by an adversary
Vulnerability
95
The process of identifying & quantifying vulnerabilities
Vulnerability Assessment
96
A method of identifying the weak points of a facility, entity, venue or person
Vulnerability Analysis
97
A vulnerability assessment is used to...
Determine PPS effectiveness
98
What determines system requirements before design & implementation
Vulnerability Assessment
99
A frequency of vulnerability assessments
1. Before system implementation 2. Upon upgrades 3. Periodic system effectiveness tests
100
A vulnerability assessment should include
1. Facility & operations description (facility characterization) 2. Threats & assets 3. Constraints related to the VA or the site 4. Existing countermeasures 5. Vulnerabilities in countermeasures 6. Baseline analysis of system effectiveness 7. Recommendations for countermeasures improvement 8. Analysis of expected improvements
101
A site survey is part of the vulnerability assessment
102
Types of Testing
1. Functional test (components are performing as expected) 2. Operability testing (components are being used properly) 3. Performance testing (repeats tests to determine component effectiveness against different threats)
103
Testing Approaches
1. Compliance - based - conformance to specified policies or regulations - "Feature-based" approach - Effective only for low threats, low less impacts, and CBA - supported cost decisions - Easier to perform - The metric for this analysis is the presence of the specified equipment & procedures
104
Testing Approaches
2. Performance-based - Evaluates how much element of the PPS operations
105
What is the biggest mistake made when conducting a Vulnerability Assessment?
Concentrate on individual PPS components & address upgrades only at that level, not at the level of the overall system
106
Three primary functions of a PPS to be tested
1. Detection measures 2. Delay measures 3. Response measures
107
Detection Measures
1. Probability of detection 2. The time required to report & assess alarms 3. Includes entry controls
108
Delay Measures
- Layers of security sum up to total delay time - Delay time considered after detection
109
Response Measures
- Time to interruptions of the adversary - Accuracy of deployment
110
An effective assessment system provides two types of information
1. Whether the alarm is valid or nuisance 2. Key details about the cause of the alarm (what, where, how many)
111
Containment Strategy
1. Detect - prompt detection & reliable notification 2. Delay - extend adversary task time 3. Respond - timely, aware, equipped, and trained responses
112
Carver & Stock vulnerability assessment
1. Developed by US government during WW2 as targeting process 2. Declassified in 2003 3. **C**riticality (impact of the attack) 4. **A**ccessibility (ability to get in & out) 5. **R**ecoverability (ability of target to recover) 6. **V**ulnerability (ease of compromising target) 7. **E**ffect (direct loss) 8. **R**ecognizability (target identifiability) 9. Shock
113
Risk Management Options
Mitigation Acceptance Transfer Spreading Avoidance \* Risk Financing = Insurance
114
Risk can be reduced in 3 ways
1. Prevent the attack 2. Protecting against attack 3. Mitigating consequences of an attack
115
Mitigation means reducing consequences
1. Mitigation focuses solely on reducing consequences 2. It may be implemented before during and after the attack
116
General categories of risk reduction
1. Equipment & hardware 2. Policies & procedures management 3. Staffing
117
Mitigation strategies must be evaluated by...
1. Availability 2. Affordability 3. Feasibility 4. Application to operations
118
Except for certain high-value irreplaceable items an organization should base its protection strategies on a realistic cost-effective rationale
119
What are the least expensive counter-measures one can employ for asset protection tools?
Procedural Controls \* Revised procedures can enhance security while improving the bottom line for the enterprise
120
A phrase that defines a call-to-order for assistance against a crime similar to "observe & report" of today
Hue & Cry
121
"Shire-Reeve was later shortened to?
Sheriff
122
What was first described as "the king's peace"
Government Policing \* Civil torts became crimes against the king's peace; the "state" collected penalties instead of the people obtaining civil judgments
123
Name of the first police department organized by Sir Robert Peel in London, 1829?
The Peelers
124
Arrangements of public safety policing
1. Private environment supplement 2. Public Environment Replacement 3. Public Environment Supplement
125
Public safety policing model structure
1. Tactical operations 2. Technological systems 3. Order maintenance provisions
126
When do "private police" have arrest powers?
Only when they are on duty (may include qualified immunity)
127
7 Distinctions between public & private policing
1. Public police - duty sworn 2. Public police - monopolized service is less efficient even complacent 3. Public police - constitutional protections apply 4. Private police - employed by private firms 5. Private police - a perception of lacking the same authority as public police 6. Private police - tends to focus on loss reduction or asset protection 7. Private police - provider competition drives better service & value
128
The success of privatized police requires
Competition Accountability Standards
129
Private Policing
Low priority call handling like residential alarms: 20% = crimes, 80% = non-emergencies
130
Community policing efforts are expensive & resource-intensive
131
Fear of crime is exacerbated by signs of criminal activity
132
What 2 activities represent chaotic conditions that result in more serious criminal activity?
Incivility & Disorder \* If incivility is not perceived to be a problem resident may be able to cope with higher rates of crime
133
Order Maintenance
1. Used in community policing, may reduce crime (lack of order can lead to high crime or fear) 2. A core goal of community policing is to focus on fear reductions through order maintenance techniques 3. A disorder is characterized by reduced social controls, such as panhandling, loitering, youth taking over parks & street corners, public drinking, prostitution, graffiti, and other disorderly behaviors
134
Order Maintenance (ctd...)
4. Disorder tends to cause a greater sense of risk & loss of control 5. The disorder causes more awareness of the consequences of a criminal attack 6. As disorder causes crime to increase the community sinks further with conditions that lead to even more crime 7. An alternative theory to socioeconomic impact of crime is that the completion of a crime simply requires the convergence in time & space of an offender a suitable target, and the absence of guardians
135
3 Categories of consultants
1. Security management consultants 2. Technical security consultants 3. Security forensic consultants
136
Security Consultants Which roles may undertake forensic assignments
Security management consultants & technical security consultants
137
Security Consultants The decision to retain security consulting services is typically driven by a specific...
Problem Need Challenge Goal
138
Security Consultants Security consultants might be retained because...
1. lack of in-house time or specialized knowledge 2. Need for objective assessment particularly for liability or due diligence situations 3. Need for fresh ideas, or independence from internal politics 4. Need for flexibility of contracted personnel 5. Recognition that management may be more amenable to a consultant's ideas because of broader experience industry knowledge
139
Security Consultants Resistance to the use of security consultant usually reflects concerns
1. Asking for outside help suggests the security staff is incompetent 2. A negative report from an outsider reflects unfavorably on the security program 3. The organization's policies & procedures could be compromised by an outsider who would become intimately familiar with the enterprise
140
Effective security programs typically include a well-thought-out array of security measures
141
Finding a security consultant
1. Best source: Referral from a colleague 2. Industry associations with consultants as mentors 3. Industry - specific associations
142
Professional consultants are restrictive in the assignments they will accept
1. Most consultants specialize & may not see themselves as suited for every need 2. Clients should be cautious of a consultant claiming to be able to address all aspects of security
143
Security Advisory Committee (SAC) Comprised of members from key corporate functions
1. Chaired by a project coordinator 2. Members should have stature & creditability 3. Members should be able to offer useful opinions about security
144
SAC Purposes
1. Determine adequacy of security measures determine if a consultant is necessary 2. Critically examine the security program 3. Maintain general oversight of security program 4. Assist in meeting corporate & government requirements
145
SAC Objectives
1. Review the corporate security program at least quarterly 2. Determine if additional protective measures are needed 3. Advise of any needed changes to security policies or procedures 4. Review new program suggestions 5. Field criticism or suggestions
146
Security Awareness
1. "An asset's protection program will not succeed unless it cultivates the willing cooperation of those affected by it & meshes its goal with the personal goals of the workforce 2. Means consciousness of the program its relevance and individual risk responsibility 3. Is a continuing attitude that encourages actions in support of security 4. Solicits conscious attention and is embraced by senior personnel
147
Security Awareness (cntd...)
5. Causes all personnel to become force multipliers 6. Highlights the program's contribution to financial goals 7. Conveys the program's benefits & ROI 8. Conveys to middle management support of business goals 9. Conveys to supervision the program's value 10. Is refreshed more often than just at new hire orientation 11. Is explained in depth to non-employees
148
One of the most cost-effective assets protection tools is...
Security Training & Awareness
149
One of the most important missions of security awareness is...
To familiarize employees with the organization's policies & procedures
150
Two categories of employees fail to follow policies
Uneducated Employees Arrogant Employees
151
Security Awareness Potential Obstacles
A cooperative employee is less likely to circumvent security
Prueba 1
flashcards
Decks in class (19)
# Cards
Brainscape helps you reach your goals faster, through stronger study habits.
© 2026 Bold Learning Solutions. Terms and Conditions