Security Management Test - The Winning Edge

Security Management

1 / 25

What are the two key objectives established by the Board from the adoption of ESRM?

Assist the security professional to become an integral part of enterprise business leadership.

Transition the security practice from managing programs to risk management.

B only

Both A & B

2 / 25

Why is ethics a concern for security professionals?

A security professional is an employee (or an agent or representative) of the organization for which he or she provides protective services and therefore is bound by the same ethical standards that apply to other organizational employees and representatives.

A security professional's concern for ethics is that he or she may be tasked with developing a company's ethics program and code or monitoring compliance with the existing program and code.

Both A & B

A only

3 / 25

Make a list of tangible assets.

" •Proprietary processes •Information technology capabilities •Safety posture ••Brand recognition •Relationships •Vendor diversity"

"•People •Land and real estate •Infrastructure •Customer data •Accounts receivable •Supplies and consumables •Telecommunications systems "

"•Reputation and image •Brand recognition •Vendor diversity •Workforce retention •Human capital development"

"•Intellectual property •Proprietary processes •Information technology capabilities •Safety posture •Reputation and image •Relationships •Longevity and history •Expertise"

4 / 25

Which element of Comprehensive Model of Theft and Fraud Prevention, Investigation, and Program Testing directs that investigations are more successful when investigative roles and responsibilities are clearly defined?

PREVENTION PROGRAMS

INCIDENT

INCIDENT REPORTING

INVESTIGATION

5 / 25

What identifies options and alternatives to the proposed project?

The alternatives and analysis section

The justification section

An aim of the business case

The project description

6 / 25

What are the dangers of undetected fraud and theft?

Organizations may become complacent to ongoing losses and even build them into their standards or expectations.

Financial losses due to specific incidents are only consequence of detected theft and fraud.

Organizations may become alert of ongoing losses and build them into their standards or expectations.

Organizations may become complacent to ongoing losses and take mitigation measures to prevent them

7 / 25

What are the four ways to manage risks?

" 1.Eliminate 2.Reduce 3.Transfer 4.Accept"

" 1.Estimate 2.Reduce 3.Transfer 4.Accept"

" 1.Eliminate 2.Replace 3.Transfer 4.Accept"

" 1.Eliminate 2.Reduce 3.Transfer 4.Anticipate"

8 / 25

Explain the first process of ESRM cycle.

The first process in the ESRM Cycle is to identify and prioritize assets.

The first process in the ESRM Cycle is to prioritize risks

The first process in the ESRM Cycle is to identify risks

The first process in the ESRM Cycle is to identify assets and put a value to it

9 / 25

How criticality can be measured?

Effect on employee morale

Effect on community relations

Financial cost

All of the above

10 / 25

Why must Asset protection be cost effective?

An organization should spend any amount to protect assets

An organization should not spend $1,000 to protect a $10 asset.

Organisaitons must have Zero tolerance to loss of assets

All high-value assets of an organization must be protected.

11 / 25

Explain the four D's.

" Deter. The first objective is to deter any type of attack. Deny. The second objective is to deny the adversary access to the asset."

Detect. The third objective, if the first two fail, is to detect the attack or situation, often using surveillance and intrusion detection systems, human observation, or a management system that identifies shortages or inconsistencies.

Delay. Once an attack or attempt is in progress, the fourth objective is to delay the perpetrator using physical security and target hardening methods.

All of the above

12 / 25

What is risk prioritization based on?

Risk prioritization is based on each risk's potential to impact an asset of the organization

Risk prioritization is based on each risk's potential to undermine the organization's ability to execute its mission and overall strategy.

Risk prioritization is based on the frequency of its occurance

Risk prioritization is based on shareholder's apetite to absorb each risk

13 / 25

“The possibility of loss resulting from a threat, security incident, or event” refers to:

Risk

Threat

Risk Analysis

Loss Event

14 / 25

What is the process of assessing security‐related risks from internal and external threats to an entity, its assets, or personnel?

Risk assessment

Risk analysis

Vulnerability

Probability

15 / 25

What is the output of a system design phase?

The output of the design phase is systems hardware, software identification and placement

The output of the design phase is integration, and performance documentation that is sufficiently clear and complete to ensure consistency

The output of the design phase is accurate interpretation by suppliers and installers for systems procurement and implementation.

All of the above

16 / 25

Explain the concept of ESRM.

The concept of enterprise security risk management was developed to approach risk management as the process for managing security, with a focus on using risk principles and coordinating the process with senior management whose operations incur the risk

ESRM is now considered the foundation for security management, with outcomes focusing on making security professionals an integral part of enterprise business leadership and transitioning the security practice from managing programs to risk management.

Both A & B

B Only

17 / 25

Name the categories of security consultants.

•Security management consultants,

•Technical security consultants, and

•Security forensic consultants.

All of the above

18 / 25

What should the policies of a formal intelligence management program be based on?

"1. Defining general and specific objectives; 2. Gathering intelligence information; 3. Integrating and analyzing information ;"

"1. Organizing and storing information; 2. Sharing information internally and externally as appropriate; 3. Retrieving information;"

"1. Access to the data itself; 2. Controlling access to information on methods and sources; 3. Periodically evaluating and enhancing the program."

All of the above

19 / 25

How is an undercover investigation different from other types?

The chief distinction between undercover and other types of investigations is that the undercover investigator conceals his or her presence & attempts to operate unnoticed.

The chief distinction between undercover and other types of investigations is that the undercover investigator neither conceals his or her presence nor attempts to operate unnoticed.

The chief distinction between undercover and other types of investigations is that the undercover investigator conceals his or her presence but attempts to operate unnoticed.

The chief distinction between undercover and other types of investigations is that the undercover investigator conceals his or her presence nor attempts to operate noticed.

20 / 25

Who are the overarching strategic command of the crisis response and recovery and most often exist at the management or executive level of a firm

Operational teams

Tactical crisis teams

Strategic crisis teams

None of the above

21 / 25

What must a company strategy provide?

A company's strategy should provide direction and guidance as to what a company should and should not do.

A company's strategy prevents making the wrong strategic moves which could lead to operational distraction, organizational confusion, and wasted time and resources.

A company's strategy should provide guidance as to what a company should and should not do.

A company's strategy should provide direction of making the wrong strategic moves could lead to operational distraction, organizational confusion, and wasted time and resources.

22 / 25

What are the concepts that are considered while developing a code of conduct.

"1. Must be support from the top of the organization. Without active support from the top, an ethics code and ethics program will not be successful. 2. Sufficient examination and consideration must be given to the known issues of greatest importance to the company. "

"1. Other organizations' codes can provide useful models. 2. A code of conduct should provide the behavioral guidance needed to ensure compliance with the ethics code."

"1. The ethics code should be field tested to ensure that it is as complete, thorough, and understandable as possible prior to organization-wide dissemination. 2. Once finalized, the ethics code should be widely announced and distributed to persons associated with the organization. "

All of the above

23 / 25

What are the steps to reduce risk of loss of information while attending on/ off site meetings?

"1.Obtain an annual schedule of the organization's strategic and critical business meetings and develop an IAP strategy for each meeting as necessary, based on risk assessment. 2.Before a venue is confirmed, obtain floor plans and details concerning the site's telecommunications and audiovisual infrastructure. 3.Encourage meeting planners to select sites and rooms based on information protection concerns. 4.Arrange for a low-profile event when appropriate, minimizing signage and electronic postings of events, sponsors, room locations, and schedules. "

"1.Use meeting names that do not suggest the subject matter or identify attendees. 2.Perform a technical surveillance countermeasures (TSCM) inspection before and during meetings. 3.Determine the need for secure shipment and storage before, during, and after the event. 4.Maintain security of printed materials and computer media during reproduction, transportation, and storage."

"1.Minimize the distribution of hard copy information. 2.Ensure that electronic presentations are protected during creation, editing, transmission, and presentation. 3.Ensure that suppliers follow appropriate information security practices. 4.Make arrangements for limiting access to meetings rooms. 5.Collect information and notes left behind by attendees. Arrange for secure disposal."

All of the above

24 / 25

List noteworthy threats.

"1. Information Theft 2. Insiders 3. Counterfeiting and Piracy"

"1. Data mining 2. External agencies 3. Counterfeiting and Piracy"

"1. Data mining 2. Insiders 3. Corruption"

"1. Data mining 2. Insiders 3. Counterfeiting and Piracy"

25 / 25

What introduces the reader to the details of the project and helps define or shape everything else in the case?

The project description

The executive summary

An aim of the business case

An introduction

Your score is

The average score is 23%