The flashcards below were created by user
on FreezingBlue Flashcards.
TERM: Risk Management
A method to identify precisely the risks and all probable effects that those risks will have on the person/organization being protected...
Risk cannot be eliminated but it can be ______________.
Three Categories of Risk:
- Personnel (Human Assets)
- Property (Material Assets)
- Liability (Legalities)
Common risks for the business industry include:
- Natural Catastrophe
- Industrial Disasters
- Civil Disturbances
- International and Domestic Terrorism
- Conflict of Interests
- Major Plant Disasters
Types of Risk Management:
*Any combination of above risks
- Risk Avoidance (elimination of risks)
- Risk Assumption (organization liable for loss)
- Risk Reduction (Taking action to reduce loss)
- Risk Spreading (Multiple Sites/Asset Distribution)
- Risk Transfer (Insurance)
Steps to follow in Risk Management:
- Identification of risk and vulnerabilities
- Analysis and Study of risks (degree of danger)
- Optimizing risk management alternatives
- Ongoing study of security programs
TERM: Risk Analysis
Management tool used to proceed logically through a process that allows management to identify what it will accept in terms of actual loss.
The Six steps of Risk Analysis (in specific order):
- Identify Assets
- Identify Threats and Risks
- Quantify Probabilities of an Event
- Determine Impact of an Event
- Mitigation Measures
- Repeat Process
- Uses a Rational and Orderly approach
- Provides comprehensive solutions to problem identification/probability determination
- Estimates potential loss
- Must be performed periodically
- Should be incorporated into the design of the facility
- Is typically more costly the first time conducted
- Must have resources available to accomplish the task (on notice)
Role of Management on Risk Analysis
- Must support and communicate support
- Must delineate purpose and define scope
- Must select a qualified team
- Review findings
- Prioritize recommendations for implementation
- Determine when risk analysis should be repeated (in the future)
Two components when measuring risk must include:
- 1- Expressing frequency of occurrence or probability
- 2- Expressing potential cost
Study of the possibility of occurrence
Sources to determine probability:
- Historical Data
- Intelligence analysis and sharing
- News media
- Industry associations and societies
- Observation and personal experience
- Commercial tools
Crimes requiring a specific measurement of risk:
- Aggravated Assault
- Car Theft
- R= Risk to the facility of an adversary gaining access to assets
- PA= Probability of an Adversary attack during a period of time
- PE= Probability of System Effectiveness
Countermeasures VS Threats
Countermeasures determined by adversary and threat
- More often expressed in "Qualitative" manners such as HIGH, MEDIUM and LOW rather than Quantitative terms.
- (1-3 Low, 4-6 Medium, 7-10 High)
During a cost analysis, "criticality" must be assessed. Three methods to assess criticality include:
Cost Benefit Summary:
- Cost (Acquisition, Operational and Replacement Cost)
- Reliability (Demonstration, Inspection, Installation, Final Payment)
- Delay (How long to take before full operational readiness)
- Simplified technique using high, medium and low calculations
- Considers frequency and severity
- Provides a general picture (not detailed)
Vulnerability Self Assessment Tool
The Vulnerability Self Assessment Tool (VSAT) has 11 Steps:
- 1- Identify Assets
- 2- Identify Threats
- 3- Determine criticality
- 4- Identify existing countermeasures
- 5- Determine risk levels
- 6- Determine probability of failure
- 7- Assign vulnerability
- 8- Determine if risk is acceptable
- 9- Develop new countermeasures
- 10- Perform risk-cost analysis
- 11- Develop a business continuity plan
TERM: CARVER Method
(Attacker's point of view)
TERM: CARVER + Shock Method
(Attacker's point of view)
- Psychological Effects
The Goal of RISK MANAGEMENT
Spend the least amount of money possible
The goal of RISK MANAGEMENT is:
To help decision makers spend the available funds most effectively.
What is a "Security Survey"?
Documents used to identify risk.
What are the purposes for a "Security Survey"?
- 1- Identify factors affecting premises/operations
- 2- Provide recommendations to mitigate risk or improve security
What are some benefits with conducting a "Security Survey"?
- Access Control policies and procedures
- Lock and Key Control
- Guard or Response Force capabilities
- Security technology review
- Workplace violence policies
- Personnel security controls
- Emergency disaster and recovery plans
What is checked during a "Preliminary Security Survey"?
- What is the operation?
- Who/What is responsible for the operation?
- Why is it done?
- How is the operation accomplished?
The initial interview in a "Security Survey" should include:
Major Problem Areas
What will the survey accomplish in regards to these Major Problem Areas
What does "Field Work" determine?
"Field Work" normally takes the form of:
Security surveys should not include...?