
CERTIFIED PROTECTION PROFESSIONAL

(CPP)
Certification Examination Review

October 2017 Dennis Shepp, CPP



Your Instructor/Facilitator:

Dennis Shepp, MBA, CPP, CFE, PCI


Email 1: dennisshepp@shaw.ca
Email 2: dennisshepp@gmail.com
Telephone: +1.587.989.1511
Skype: dennisshepp



SUBJECTS (DOMAINS)

DOMAIN 1 – Security Principles & Practices (21%)
DOMAIN 2 – Business Principles & Practices (13%)
DOMAIN 3 – Investigations (10%)
DOMAIN 4 – Personnel Security (12%)
DOMAIN 5 – Physical Security (25%)
DOMAIN 6 – Information Security (9%)
DOMAIN 7 – Crisis Management (10%)
ASIS International Certification Exam Review

[Figure: CPP Examination Subjects, a pie chart of the seven domains and their share of exam questions]




ASIS Board Certification
The worldwide standard for professional competency.

Offering three security certifications, including two specialty certifications.


• Certified Protection Professional (CPP)
• Physical Security Professional (PSP)
Focus of this review
• Professional Certified Investigator (PCI)

ASIS board-certified security practitioners are employed by more than 3,500 organizations in 77 countries around the globe.
Certified Protection Professional (CPP)
Board Certification in Security Management
Awarded to practitioners who have demonstrated knowledge and experience in:
• Security Principles and Practices
• Business Principles and Practices
• Investigations
• Personnel Security
• Physical Security
• Information Security
• Crisis Management
Established in 1977.

CPP EXAM CONTENTS


• Candidate must pass a comprehensive examination
• Approximately 225 multiple-choice questions
o 200 “live” scoreable questions
o Up to 25 pre-test questions
ALL CPP EXAM QUESTIONS ARE FROM THE REVIEW MATERIALS
• Protection of Assets (POA) Manuals (ASIS International)
o Available in printed version, online access or Kindle
o Printed & online versions: https://www.asisonline.org/ASIS-Store/Certification/Pages/CPP%20Reference%20Material.aspx
o Kindle version (2 parts):
1. POA: Physical Security; Applications; Information Security & Investigations: https://www.amazon.com/POA-Physical-Applications-Information-Investigation-ebook/dp/B00BXRHT6W/ref=sr_1_4?s=digital-text&ie=UTF8&qid=1500934889&sr=1-4&keywords=protection+of+assets+asis
2. POA: Security Management; Legal Issues; Security Officer Operations; & Crisis Management: https://www.amazon.com/POA-Security-Management-Officer-Operations-ebook/dp/B00BXS2W8Q/ref=sr_1_10?s=digital-text&ie=UTF8&qid=1500934889&sr=1-10&keywords=protection+of+assets+asis
• ASIS International Standards & Guidelines
o Free download for ASIS members
o Standards:
▪ Chief Security Officer—An Organizational Model
▪ Security and Resilience in Organizations and Their Supply Chains—Requirements with Guidance
▪ Workplace Violence Prevention and Intervention
o Guidelines:
▪ Facilities Physical Security Measures Guideline
▪ General Security Risk Assessment Guideline
▪ Information Asset Protection Guideline
▪ Pre-employment Background Screening Guideline
REMEMBER:
• ALL CPP EXAM QUESTIONS ARE FROM THE REVIEW MATERIALS
• ALL QUESTIONS ARE BASED ON THE DOMAINS, TASKS & REQUIRED KNOWLEDGE
• The specific subject areas (Domains – Tasks – Knowledge subjects) can be found here: https://www.asisonline.org/Certification/Board-Certifications/CPP/Pages/CPP-Exam-Domains.aspx
• ALL 200 “scoreable” exam questions are divided based on the
following breakdown:
Domains (Subjects)                 % of Questions   # of Questions
Security Principles & Practices    21%              42
Business Principles & Practices    13%              26
Investigations                     10%              20
Personnel Security                 12%              24
Physical Security                  25%              50
Information Security               9%               18
Crisis Management                  10%              20
Total                              100%             200
Application for the Exam:
• Apply online (if you can pay with a credit card online)
• Cost:
o ASIS Members: US$300
o Non-ASIS Members: US$450
• Are you eligible to be approved to take the exam?
Application for the Exam:
• Qualifications to be accepted for the CPP:
• A high level of English comprehension both written and oral.
• An earned Bachelor's degree or higher from an accredited institution of
higher education, and;
• Seven (7) years of security experience, including at least three (3) years
in a team leadership, supervisory or management role.
OR
• A high level of English comprehension both written and oral.
• If the candidate has not obtained a Bachelor’s degree, they must have
nine (9) years of security experience, including at least three (3) years
in a team leadership, supervisory or management role.
Application for the Exam:
• NOTE: The requirement “…including at least three (3) years in a team leadership,
supervisory or management role.” is defined by ASIS Int’l as “Responsible Charge”
• “Responsible Charge: Responsible charge is defined as the charge exercised by an
individual in a management position who makes decisions for the successful
completion of objectives without reliance upon directions from a superior as to
specific methods. However, an applicant need not have held a supervisory position, as
long as the positions on which the application relies have specifically included
responsibility for independent decisions or actions. If "responsible charge" is not based
on supervisory responsibilities, then security program management responsibilities
and duties must be clearly shown. Generally, this excludes such positions as patrol
officer or the equivalent.”
Application for the Exam – Defining Experience:
• Experience is defined as having:
o Experience as a security professional in the protection of assets, in the public or
private sector, criminal justice system, government intelligence, or investigative
agencies.
o Experience with companies, associations, government, or other organizations
providing services or products, including consulting firms, provided the duties and
responsibilities substantively relate to the design, evaluation, and application of
systems, programs, or equipment, or development and operation of services, for
protection of assets in the private or public sectors.
o Experience as a full-time educator on the faculty of an accredited educational
institution, provided the responsibilities for courses and other duties relate primarily
to knowledge areas pertinent to the management and operation of protection of
assets programs in the public or private sectors.
Application for the Exam:
• Apply online but print off a paper application first, complete it, then apply online.
(Recommend allowing the Review Instructor to assess the application before submitting)
• Apply ASAP – once approved, a candidate has up to 90 days to schedule a test.
• Once approved, the exam is conducted at a Prometric Testing Center
• Prometric (www.prometric.com/ASIS) has testing centers in Dammam, Manama (Bahrain)
& Doha (Qatar)
• Testing rules - https://www.asisonline.org/Certification/Resources/Documents/CBT-Fact-Sheet.pdf
What is the Passing Grade:
• Each question is pretested to determine a level of difficulty.
• Since each question has a different difficulty level, questions are not scored based on a percentage correct out of a total (example: 100/200 = 50%)
• Scaled Scoring is the method used to measure the passing score.
• Candidates must achieve 650 to successfully pass the exam.
• To learn more about scaled scoring – search on Google.
• THERE IS NO RELATIONSHIP TO A PERCENTAGE SCORE!
Physical Security Professional (PSP)
Board Certification in Physical Security

MUST READ RESOURCE:


• The Professional Certification Guide

SECURITY PRINCIPLES & PRACTICES (21%)


Task 01/01 Plan, develop, implement, and manage the organization’s security program to protect the organization’s assets
Task 01/02 Develop, manage, or conduct the security risk assessment process
Task 01/03 Evaluate methods to improve the security program on a continuous basis through the use of auditing, review, and assessment
Task 01/04 Develop and manage external relations programs with public sector law enforcement or other external organizations to achieve security objectives
Task 01/05 Develop, implement, and manage employee security awareness programs to achieve organizational goals and objectives


Task 01/01 Plan, develop, implement, and manage the organization’s security program to protect the organization’s assets


Knowledge of:
01/01/01 Principles of planning, organization, and control
01/01/02 Security theory, techniques, and processes
01/01/03 Security industry standards
01/01/04 Continuous assessment and improvement
processes
01/01/05 Cross-functional organizational collaboration


Knowledge of:
01/01/01 Principles of planning, organization, and control
• The organizational strategy (strategic plan)
o In writing by organization’s top leadership.
o No focus on day-to-day operations.
o Provides a general direction.
o Fundamental template (direction) that defines & supports long-term goals.
POA: Security Management; (Kindle Locations 1192-1194). ASIS International. Kindle
Edition.

• The organizational strategy (strategic plan) continued:


o Foundation for developing business processes.
o Processes support overall business structure required
to meet the organizational strategy.
o Key metrics and performance indicators studied to
determine if processes accurately reflect strategy.
o Essential for developing company-specific
management practices.
POA: Security Management; Chapter 1.2 (Kindle Locations 1194-1199).


• The organizational strategy (strategic plan) continued:


o SWOT essential part of planning strategy

POA: Security Management; Chapter 1.2 (Kindle Locations 1208). ASIS International. Kindle
Edition.

[Figure: SWOT Matrix]


[Figure: Enhanced SWOT Matrix]


• The organizational strategy (strategic plan) continued:


o Strategy is management’s effort to focus resources on
specific targets.
o Enhance business success through proper planning.
o Budgets are part of the planning process (money
allocated for the year)
o All levels of employees & stakeholders should
participate in planning.
POA: Security Management; Chapter 2.1 (Kindle Locations 1403-1404, 1629, 1989). ASIS
International. Kindle Edition

• The organizational strategy (strategic plan) continued:


o Plan-Do-Check-Act (PDCA) cycle - operating principle
of ISO’s management systems standards.
o Also called Assess-Protect-Confirm-Improve model.
o Approach to structured problem solving focused on
continual improvement.
o PLAN: Most critical stage, identifying & analyzing the organization’s problems that could disrupt operations and assets.
o Identify root causes of problems & rank their importance.
POA: Security Management; Chapter 3.4.3 (Kindle Locations 2023-2024). ASIS International.
Kindle Edition.

• Organizational Resilience Standard (ASIS Int’l):


o Uses Plan-Do-Check-Act (PDCA) cycle.
o PLANNING is the step in which the risk assessment & impact analysis are conducted; the organization MUST have a defined & documented method.

Security and Resilience in Organizations and their Supply Chains – 2017 (ORM.1)


• Concepts in Organizational Management:


o Managing consists of:
▪ Planning
▪ Organizing
▪ Directing
▪ Coordinating

POA: Security Management; Chapter 4.4.1 (Kindle Locations 2743). ASIS International.
Kindle Edition.

• Organizational Management applied to asset protection:


o Planning, management, and evaluation are important
tools in crime prevention programs
o Planning:
▪ Developing strategic goals & objectives
▪ Aligning assets protection objectives with the organizational vision
▪ Organizing the assets protection function to meet objectives & determining how to accomplish the mission.
POA: Security Management; Chapter 4.4.2 (Kindle Locations 2773-2775). ASIS
International. Kindle Edition.

• Organizational Management applied to asset protection:


o Planning may entail:
▪ Developing company’s QA/QC program
▪ Obtaining executive buy-in
▪ Preparing documentation
▪ Training supervisors
▪ Establishing procedures

POA: Security Management; Chapter 4.4.2 (Kindle Locations 2783-2784). ASIS International.
Kindle Edition.

• Operational Management applied to asset protection:


o Planning may entail:
▪ Project planning for systems, training, other security projects
▪ Developing:
– Emergency plans
– Contingency plans
– Crisis plans


• Organization (organizing):
o Security managers must understand business
principles.
o Helps organize efforts to best support the overall
vision and mission of the organization.
o Better able to collaborate with executive management
to obtain resources to enable success in asset
protection.
o Need to be recognized as “business partners”.
POA: Security Management; Chapter 4.4.2 (Kindle Locations 1150-1151). ASIS International.
Kindle Edition.

3 Managerial Dimensions

TECHNICAL EXPERTISE
Knowledge of protective disciplines and practices, and the ability to apply it.

MANAGEMENT ABILITY
Operating effectively with and within organizations & programs.

ABILITY TO DEAL WITH PEOPLE
The interpersonal skills to interact with people at all levels.

POA: Security Management; Chapter 4.4 Figure 4-6 (Kindle Locations 2739). ASIS
International. Kindle Edition.

• Organization (controlling):
o “Span of control” principle - a single person can
supervise only a limited number of staff members
effectively.
o Specific number depends on:
▪ Nature of the work
▪ Type of organization
o General rule - one manager can effectively supervise
up to 10 people
POA: Security Management; Chapter 4.4.3 (Kindle Locations 2807 - 2809). ASIS
International. Kindle Edition.

• Organization (controlling):
o Have IT infrastructures, current telecommunications
technology, & flattening of organizational pyramids
enabled an expanded span-of-control?
o Can a single person supervise 100 people?
o Where settings emphasize self-directed, cross-
functional teams and very flat structures, span of
control is less relevant.
o Span of control is more relevant in traditional, hierarchical organizations.
POA: Security Management; Chapter 4.4.3 (Kindle Locations 2809-2811). ASIS International.
Kindle Edition.

• Organization (controlling):
o Unity of command - an individual should report to
only one supervisor.
o Concept: “a person cannot effectively serve the interests of two or more managers.”
o Supervisor’s responsibility to ensure the best
performance from the unit he or she manages.
o Most employees need clear understanding of which
policies they need to adhere to, who provides day-to-
day direction, quality control, and conflict resolution.
POA: Security Management; Chapter 4.4.3 (Kindle Locations 2812-2816). ASIS International.
Kindle Edition.

• Organization (controlling):
o Senior security or assets protection professionals should be placed as high as possible in the structure of an organization & report directly to senior or executive management.
o Lines of authority, responsibility, and communications
should be as clear and direct as possible.
o Individual and organizational responsibility should
come with an appropriate level of authority.

POA: Security Management; Chapter 4.4.3 (Kindle Locations 2820-2825). ASIS International.
Kindle Edition.

• Organization (controlling):
o Organizational alignments and structures should consider the interrelationships among functions, roles, and responsibilities (with an eye to the overall mission).
o Communications channels should be structured to
allow effective mission accomplishment and
interaction.

POA: Security Management; Chapter 4.4.3 (Kindle Locations 2825-2829). ASIS International.
Kindle Edition.

01/01/02 Security theory, techniques, and processes


• An asset protection program will not succeed unless it cultivates the willing cooperation of the workforce.
• Mesh goals with personal goals of workforce – apply
motivational theories & behavior sciences.
• Cooperate with internal & external
organizations/personnel.
• Follow studies, trends, research.
• Understand people – learning styles, personalities.
• What motivates crime?
POA: Security Management (Kindle Locations 2885-2911). ASIS International. Kindle
Edition.

01/01/02 Security theory, techniques, and processes


• Groups – Review POA: Security Management; Security
Officer Operations; and Crisis Management, 4.5.2
APPLICATIONS OF BEHAVIORAL STUDIES IN ASSET
PROTECTION – 30 minutes then class discussion


01/01/02 Security theory, techniques, and processes


Discuss how motivational, behavioral theories impact
these security processes:
• Crime prevention & reaction
• Incident management
• Security personnel management
• Employee training & awareness
• Corporate ethics
• Liaison & leveraging other organizations

ASIS. POA: Security Management (Kindle Locations 2885-2911). ASIS International. Kindle
Edition.
Crime Prevention
• CPTED – Opportunity & rationalization reduction
o Maslow and McGregor
o Impact on criminal motivation
• Theft and workplace behavior
o John Clark and Richard Hollinger (1982), researchers
from the University of Minnesota Department of
Sociology.
Incident Management
• Leadership and command – personality profiles
• Motivational theories: Satisfaction / Dissatisfaction
• Myers – Briggs, DiSC, ASSET (leadership in teams)
[Figure: ASSESS Leadership in Teams]
Employee Awareness Training:
• Motivating employees to learn
• Personality types


Corporate Ethics:
• Motivating employees and organization leadership to
perform ethically
Liaison & Leveraging other Organizations:
• Motivating others to cooperate and work as a team

01/01/03 Security industry standards


• A standard is a set of criteria, guidelines, and best
practices that can be used to enhance the quality and
reliability of products, services, or processes.
• “Voluntary standards might force security professionals
to conduct their work in a prescribed manner.”
• Security standards exist with more under development.
• Will likely work best if security professionals participate
in their development.
POA: Security Management; Chapter 3 – STANDARDS IN SECURITY (Kindle Locations 1723-1735). ASIS International. Kindle Edition.


Security industry standards:


• May address a product, service, or process.
• Voluntary (different from a regulation).
• Regulation may require compliance with a standard.
• Standards have evolved from a technical issue to a business issue of strategic importance.
• Customers more easily judge product quality if it
conforms with standards.

ASIS. POA: Security Management; Chapter 3 – STANDARDS IN SECURITY (Kindle Locations 1742-1747). ASIS International. Kindle Edition.


Standards are of nine main types:


• Basic
• Code
• Product
• Management systems
• Design
• Conformity assessment
• Process
• Personnel certification
• Specification

They require periodic review to remain relevant and state-of-the-art.


Security industry standards - BENEFITS:


• Officially organizes best practices & processes.
• Shares lessons learned.
• Provides tools to “consistently” assess threats, risks,
vulnerabilities, criticalities, and impacts.
• Defines measurement methods (benchmarks, testing).
• Documents equipment performance requirements to
ensure effectiveness and safety.

ASIS. POA: Security Management; Chapter 3 – STANDARDS IN SECURITY (Kindle Locations 1753-1760). ASIS International. Kindle Edition.


Security industry standards – BENEFITS (continued):


• Establishes design requirements for devices, systems, and infrastructure to withstand threats.
• Defines effective (consistent) methods for identification of individuals.
• Enhances cross-jurisdictional information sharing and interoperability.
• Provides for consistency of services.

ASIS. POA: Security Management; Chapter 3 – STANDARDS IN SECURITY (Kindle Locations 1765-1770). ASIS International. Kindle Edition.


Security industry standards:


• ASIS International:
o Security and Resilience in Organizations and their Supply Chains -
Requirements with Guidance (ORM.1)
o Auditing Management Systems: Risk, Resilience, Security, and
Continuity - Guidance for Application (SPC.2)
o Chief Security Officer - An Organizational Model (CSO)
o Conformity Assessment and Auditing Management Systems for
Quality of Private Security Company Operations (PSC.2)
o Investigations
o Management System for Quality of Private Security Company
Operations - Requirements with Guidance (PSC.1)

Security industry standards:


• ASIS International:
o Maturity Model for the Phased Implementation of a
Quality Assurance Management System for Private
Security Service Providers (SPC.3)
o Maturity Model for the Phased Implementation of the
Organizational Resilience Management System (SPC.4)
o Quality Assurance and Security Management for
Private Security Companies Operating at Sea—
Guidance (PSC.4)
o Risk Assessment (RA)

Security industry standards:


• ASIS International:
o Security Management Standard: Physical Asset
Protection (PAP)
o Supply Chain Risk Management: A Compilation of Best
Practices (SCRM)
o Workplace Violence Prevention and Intervention Standard (WPVI)
• ASTM International (formerly the American Society for Testing and Materials)


Security industry standards:


o Standards for high-rise evacuation equipment & homeland security (selection of antiterrorism physical security measures for buildings and hospital preparedness).
o More than 100 active standards relating to a broad
range of security concerns.

ASIS. POA: Security Management; Legal Issues; Security Officer Operations; and Crisis Management (Kindle Locations 1803-1806).


Security industry standards (continued):


• National Fire Protection Association (NFPA) (Several
security standards - premises security and installation of
electronic premises security systems.)
• American National Standards Institute (ANSI).
• Deutsches Institut für Normung (Germany).
• Japanese Industrial Standards Committee.
• International Organization for Standardization, ISO
(world’s largest standards developer - 159 member
countries).
• ISO standards address the global business community.


Security industry standards (continued):


• ISO is non-governmental (stakeholders are private, public
& not-for-profit).
• ISO standards address: products, processes, services &
quality control.
• ISO does not regulate, legislate, or enforce.
• ISO standards often become recognized as industry best
practices and become market requirements.

POA: Security Management; Chapter 43.1.3 (Kindle Locations 1807-1839). ASIS International. Kindle Edition.


More on ISO (continued):


o Equal footing of members (each ISO member (country) has one vote).
o Market need (develops only standards for which there is an identified market need or that facilitate international or domestic trade).
o Consensus (standards based on consensus among interested parties).
o Voluntary participation and application.
o Worldwide applicability.
POA: Security Management; Chapter 3.2.1 (Kindle Locations 1807-1847). ASIS
International. Kindle Edition.

Security industry standards (continued):


• Standard more likely to be accepted if developed by all
interested parties/stakeholders.
Other standards – you can relate to these:
• Saudi Arabia (High Commission for Industrial Security)
o Physical security standards for organizations deemed
associated to national critical infrastructure
• Saudi Aramco
o Security Engineering Guidelines
• Others?

01/01/04 Continuous assessment and improvement processes
• Management systems standards: have a large impact on
security professionals.
• Designed to help organizations improve the ways in which
they provide services and perform processes.
• Widely accepted & used in many fields/disciplines.
• Developed to be generic – all types of organizations.
POA: Security Management; Chapter 3.4.1 (Kindle Location 1939-1942). ASIS
International. Kindle Edition.


Management systems standards:


• Provides framework for what an organization should do –
leaving how to do it to them.
• Provides customers, suppliers, stakeholders confidence in
reliability.
• Show compliance with ISO 9001:2008 Quality Management
Systems - Requirements & ISO 14001:2004
Environmental Management Systems - Requirements
with guidance for use.

POA: Security Management; Chapter 3.4.1 (Kindle Location 1939-1947). ASIS International. Kindle Edition.

Management systems standards (continued):


• ISO 9000 series very popular internationally.
• Management standards are NOT regulations.
• Tools to help meet goals, in quality, environmental
concerns, safety, security, preparedness or continuity.
• Based on Plan-Do-Check-Act (PDCA) (Deming Cycle).
• Framework for holistic, strategic approach to
management.

POA: Security Management; Chapter 3.4.1 (Kindle Location 1947-1955). ASIS International. Kindle Edition.


Management systems standards (continued):


• ISO 9000 series:
o Addresses quality management
o Helps organizations meet customer quality expectations
• Advantages to security professionals:
o Learn “Management speak”
o Gain professional advantage.
o Security may be viewed as a strategic business and
operational issue.
POA: Security Management; Chapter 3.4.2 (Kindle Location 1988).


Management systems standards (continued):


• Benefits:
o Establishing benchmarks (measure progress &
outcomes).
o Forcing the organization to systematically identify risks
and problems as well as potential solutions.
o Including more participants (broad scope stakeholders).
o Provide problem solving & decision making tools.

POA: Security Management; Chapter 3.4.2 (Kindle Location 1991-2002). ASIS International. Kindle Edition.


Management systems standards (continued):


• Benefits (continued):
o Lead organization to study how standard operating
procedures & controls can enhance performance.
o Protects organization’s brand & reputation.
o Engage processes – PDCA Cycle

POA: Security Management; Chapter 3.4.3 (Kindle Location 1991-2002). ASIS International. Kindle Edition.


PLAN – DO – CHECK – ACT (PDCA) CYCLE


Quality: “Conformance to customer requirements.”


• Providing effective professional services or implementing
a meaningful assets protection program for the customer
within appropriate resource constraints means delivering
the required level of quality.
• Quality program involves tools, measures (metrics),
special processes, and the organization’s culture of
quality integrated into all business practices.

POA: Security Management; Chapter 4.4.1 (Kindle Locations 2763-2767).


01/01/05 Cross-functional organizational collaboration


• Security Managers who understand business are in
BEST position to collaborate with top management.
• Regarded as “business partners”.
• Cross-functional teams (Strike Planning) generally
representatives from the security, legal, human
resources, risk management, communications
departments, & operational line managers.
POA: Security Management; Chapter 1.1 and Chapter 2.3.1 (Kindle Locations 1152-1154,
9568-9570). ASIS International. Kindle Edition.


• Collaboration can create management buy-in that
increases the likelihood that policies will be executed
and maintained.
• Assets protection is a broad, complex function; many
departments or elements of an organization may be
involved in it.
• Convergence (integration of traditional and information
[systems] security functions) makes collaboration
important.
POA: Security Management; Chapter 1.3.1 and 4.1.2 (Kindle Locations 1305-1306, 2376-2377, 2385-2387).


• Security management requires effective interaction with
other stakeholders – communication skills key!
• Assets protection’s multidisciplinary nature - liaison and
collaboration with a wide variety of people,
organizations, agencies, specialties, and professions is
essential.
• Behavioral theory helps establish and maintain
relationships (network of professional contacts, inside &
outside the assets protection manager’s organization.)
POA: Security Management; Chapter 4.5.2 (Kindle Locations 2916-2918 ). ASIS International.
Kindle Edition.

• Collaboration especially valuable & challenging in a
global environment that includes a wide range of
cultures, customs, and perspectives.
• Warren Bennis’ motivational theory promotes
collaboration with stakeholders to better manage &
resolve conflicts.
• Collaboration important process in all aspects of assets
protection.
POA: Security Management; Chapter 3.3 (Kindle Locations 17327). ASIS International. Kindle
Edition.


Task 01/02 Develop, manage, or conduct the security risk assessment process.


Knowledge of:
01/02/01 Quantitative and qualitative risk
assessments
01/02/02 Vulnerability, threat, and impact
assessments
01/02/03 Potential security threats (for example,
all hazards, criminal activity)


01/02/01 Quantitative and qualitative risk assessments


01/02/02 Vulnerability, threat, and impact assessments
• Qualitative performance-based analysis - uses
designators like high, medium, and low to represent
interruption, neutralization, and system effectiveness.
• Often based on lists and depend on how analysts feel
about the solution.
• Qualitative estimates rank attack possibility as very
likely or highly unlikely.
POA: Physical Security; Chapters 1.2; 1.3; 11.3.3 (Kindle Locations 910-911, 1064-1065, 6846-6847). ASIS International. Kindle Edition.


Qualitative analysis:
• Terms such as critical, high, medium, low, and
negligible may be used to gauge the asset value &
levels of risk components & risk itself.
• Most suitable when evaluating basic security
applications.
• Qualitative techniques are often based on lists and
depend on how analysts feel about the solution.
POA: Physical Security; Chapter 1.2 (Kindle Locations 910-911). ASIS International.
Kindle Edition.

• Quantitative approach - requires measurable data.


• Easier to correlate security system performance and cost
(return on investment [ROI] can be demonstrated).
• Absence of quantitative evaluations of the security
effort is the chief reason senior executives fail to support
security programs.
• Consequence criteria should be shown in quantitative
terms.
• Assets with an unacceptably high consequence of loss
require a rigorous quantitative analysis, even if the
probability of attack is low.
POA: Physical Security; (Kindle Locations 909-911, 1130, 6725-6726).

Quantitative analysis:
• Used to measure effectiveness of a physical protection
system (PPS) where primary functions are to detect,
delay, and respond.
• Discuss examples of using Qualitative & Quantitative
methods.


• Qualitative & quantitative analysis should be based on
the application of the first principles of physical security
- to verify the effectiveness of installed protection
elements (equipment, people, and procedures).
• EXAMPLE: Calculating PPS Effectiveness (PE):
PE = PI × PN
PI = Probability of Interruption
PN = Probability of Neutralization
• Qualitative performance-based analysis - high, medium,
and low represent interruption, neutralization, &
system effectiveness.
POA: Physical Security; Chapters 11.2 & 11.3.2 (Kindle Locations 6757-6758, 6841-6842, 6846-6847). ASIS International. Kindle Edition.
This is an example of qualitative or quantitative?
[Two slides, each showing an example figure that is not reproduced here.]

• CARVER – Qualitative Analysis


• CARVER acronym for the following used to evaluate target
attractiveness:
o Criticality: measures public health & economic impacts
of an attack
o Accessibility: ability to physically access & egress from
target
o Recuperability: ability to recover from an attack
o Vulnerability: ease of accomplishing attack
o Effect: amount of direct loss from an attack
o Recognizability: ease of identifying target
POA: Physical Security; Chapter 11.3.1 (Kindle Locations 6810-6816). ASIS
International. Kindle Edition.

• CARVER – Qualitative Analysis (continued)


• Modified CARVER:
o Criticality, Accessibility, Recuperability, Vulnerability,
Effect, Recognizability +
o Combined Health, economic & psychological impacts
of attack (shock effect).
• CARVER evaluates asset as a target of attack by adversary.
• Created by US gov’t – used by military
• Used as part of vulnerability assessment (VA)

POA: Physical Security; Chapter 11.3.1 (Kindle Locations 6810-6816). ASIS International. Kindle Edition.


• CARVER – Qualitative Analysis (continued)


• BEST: comparing assets that share mission, infrastructure
• POOR: Subjective, scoring issues, inconsistent

POA: Physical Security; Chapter 11.3.1 (Kindle Locations 6810-6816). ASIS International. Kindle Edition.


Performance-Based Analysis:
• Qualitative or quantitative analysis - Process:
1. Create an adversary sequence diagram (ASD) for all
asset locations.
2. Conduct a path analysis.
3. Perform a scenario analysis.
4. Complete a neutralization analysis, if appropriate.
5. Determine system effectiveness.
6. System effectiveness (or risk) = not acceptable - develop
and analyze upgrades.
POA: Physical Security; Chapter 11.3.2 (Kindle Locations 6810-6816).

• Determining neutralization depends on effective
interruption
• Calculating PPS Effectiveness (PE):
PE = PI × PN
PI = Probability of Interruption
PN = Probability of Neutralization
• Qualitative performance-based analysis - high, medium,
and low represent interruption, neutralization, &
system effectiveness.
• Quantitative analysis uses numbers.
POA: Physical Security; Chapter 11.3.2 (Kindle Locations 6757-6758, 6841-6842,
6846-6847)

Analysis Process - Adversary Sequence Diagrams (ASD):


• ASD a functional representation of the PPS at a facility
used to describe the specific protection elements
present.
• Paths adversaries can follow to accomplish sabotage or
theft.
• Done first – because a path analysis determines whether
a system has sufficient detection & delay to result in
interruption.

POA: Physical Security; Chapter 11.3.2 (Kindle Locations 6854-6855, 6855-6856).

[Figure: adversary task timeline (Task 1 through Task 8) from the point the adversary starts tasks to the point the adversary completes tasks, with a detection probability (PD) for each task, the detection, alarm verification and delay stages (first, 2nd and 3rd sensing & verification), and the PPS response time (guard force response, RFT).]
Probability of Interruption PA = PD x PC
UNIVERSITY OF MARYLAND, Soroush Bassam, Researcher, 2015
https://pt.slideshare.net/SSoroushBassam/paper-35using-sysml-for-modelbased-vulnerability-assessmentsoroushbassam03161522-46597784/2

Adversary Sequence Diagrams (ASD) continued:


• Path with the lowest probability of interruption (PI) can
be determined.
• Calculating PPS Effectiveness (PE):
PE = PI × PN
PI = Probability of Interruption (measure of path
vulnerability)
PN = Probability of Neutralization
• Multiple paths compared = estimate of overall PPS
vulnerability can be made.
• ASD done manually or electronically (software tools).
POA: Physical Security; Chapter 11.3.2 (Kindle Locations 6858-6861)

Adversary Sequence Diagrams (ASD) continued:


• 3-basic steps in creating ASD:
o Describing the facility by separating it into adjacent
physical areas
o Defining protection layers & path elements between
the adjacent areas
o Recording detection & delay values for each path
element
• Biggest mistake – following only a single path from off-site
to the target location & not analyzing other paths.
POA: Physical Security; Chapter 11.3.2 (Kindle Locations 6861-6865, 6869).

Adversary Sequence Diagrams (ASD) continued:


• Assess layers (outer to middle to inner then out)
• Key - ASD must be created for each asset (target
location) unless located together – same location.
• Complex facilities where several critical assets need
protection – ASD developed for each unique location.

POA: Physical Security; Chapter 11.3.2 (Kindle Locations 6874-6876).
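Added example (not part of the course slides or the POA): a small quantitative path analysis over two ASD paths to the same asset, using PE = PI × PN from the slides above. It assumes a simplified timely-detection model in which a detection counts toward PI only if the delay still ahead of the adversary is at least the response force time; every element name, PD and delay value, the response time and PN are constructed.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class PathElement:
    """One protection element on an ASD path (fence, door, sensor zone)."""
    name: str
    p_detect: float  # probability the element detects the adversary
    delay_s: float   # seconds the adversary needs to get past the element

    def __post_init__(self):
        if not 0.0 <= self.p_detect <= 1.0:
            raise ValueError(f"{self.name}: p_detect must be in [0, 1]")
        if self.delay_s < 0:
            raise ValueError(f"{self.name}: delay_s must be >= 0")


def probability_of_interruption(path, response_time_s):
    """PI for one path under the assumed timely-detection model.

    Detection is assumed to happen when the adversary reaches an element,
    so that element's own delay still lies ahead. A detection is "timely"
    only if the delay remaining from that point to the asset is at least
    the response force time; later detections do not contribute to PI.
    """
    remaining = 0.0
    timely = [False] * len(path)
    # Walk from the asset outward, accumulating the delay still ahead.
    for i in range(len(path) - 1, -1, -1):
        remaining += path[i].delay_s
        timely[i] = remaining >= response_time_s
    # PI = 1 - P(every timely element misses the adversary).
    p_all_miss = prod(1.0 - e.p_detect for e, ok in zip(path, timely) if ok)
    return 1.0 - p_all_miss


def analyze(paths, response_time_s, p_neutralize):
    """Compare all paths; the lowest-PI path sets overall PPS effectiveness."""
    per_path = {}
    for name, elements in paths.items():
        pi = probability_of_interruption(elements, response_time_s)
        per_path[name] = {"pi": pi, "pe": pi * p_neutralize}  # PE = PI x PN
    weakest = min(per_path, key=lambda n: per_path[n]["pi"])
    return {
        "paths": per_path,
        "weakest_path": weakest,
        "system_pe": per_path[weakest]["pe"],
    }


# Constructed sample facility: two paths from off-site to one asset location.
PATHS = {
    "front entrance": [
        PathElement("perimeter fence", 0.5, 10),
        PathElement("lobby door", 0.9, 60),
        PathElement("asset room door", 0.8, 90),
        PathElement("asset enclosure", 0.0, 30),
    ],
    "loading dock": [
        PathElement("perimeter fence", 0.5, 10),
        PathElement("dock roller door", 0.2, 120),
        PathElement("corridor sensor", 0.9, 20),  # detects well, but too late
        PathElement("asset enclosure", 0.0, 30),
    ],
}
RESPONSE_TIME_S = 150   # constructed response force time
P_NEUTRALIZE = 0.8      # constructed PN

if __name__ == "__main__":
    result = analyze(PATHS, RESPONSE_TIME_S, P_NEUTRALIZE)
    for name, r in result["paths"].items():
        print(f"{name:15s} PI={r['pi']:.2f} PE={r['pe']:.2f}")
    print("most vulnerable path:", result["weakest_path"])
    print(f"system PE: {result['system_pe']:.2f}")
```

The loading dock path scores lower even though it has a 0.9 corridor sensor, because only 50 seconds of delay remain after that sensor against a 150 second response time.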


Risk assessment models and considerations


Risk Assessment: The process of assessing
security-related risks from internal and
external threats to an entity, its assets and
personnel.

(Facilities Physical Security Guideline, ASIS International, Page 3 & ASIS General Security Risk Assessment Guideline (2003), page 7)

ASIS General Security Risk Assessment Guideline (2003), page 7

Risk Assessments:
• Developed in the insurance industry.
• Defined risk in terms of annualized loss expectancy,
which is the product of the potential loss from an event
and the likelihood of the event.
Risk = (Threat × Vulnerability × Impact)
• Risk assessment techniques:
o May be heuristic (ad hoc)
o Inductive
o Deductive.
• Methods are quantitative or qualitative.
POA: Physical Security; Chapter 1.2 (Kindle Locations 900-907, 908-909).

Risk Assessments (continued):


• Risk = uncertain situation where a number of possible
outcomes might occur, one or more of which is
undesirable.
(the adverse outcomes (threats/hazards) an organization
wants to avoid * probability of consequences * impact
(magnitude)).
POA: Physical Security; Chapter 1.2 (Kindle Locations 900-907).


Risk Assessments (continued):


• Inductive techniques = a bottom-up approach.
• Risks are identified at the beginning of the analysis
rather than as a result of a systematic, deductive,
top-down approach.
• Deductive risk assessment uses logic diagrams to
determine how a particular undesired event may occur.
• Fault trees often used with event trees to determine the
basic causes of the event.
• Also use influence diagrams.
POA: Physical Security; Chapter 1.2 (Kindle Locations 912-917).
[Figure: fault tree. Top event: attack facility to steal asset (OR gate), with branches: attack main door, attack employee door, attack wall, attack roof access, attack rear roller door. The door and rear roller door branches are expanded into sub-events.]

Risk Assessments (continued):


• Risk assessment examines outcome of successful
adversary attack + likelihood it will occur + how it will
occur + how many people will be affected.
• When entire population at risk = societal risk.
• Answer:
o What can go wrong?
o What is the likelihood that it would go wrong?
o What are the consequences?
• The process of identifying, measuring, quantifying, and
evaluating risks.
POA: Physical Security; Chapter 1.2 (Kindle Locations 928-934).

Vulnerability Assessments:
• Performed to establish a baseline of PPS effectiveness in
meeting goals and objectives.
• Process of identifying and quantifying vulnerabilities.
• Vulnerability analysis is a method of identifying the
weak points of a facility, entity, venue, or person.
• A weakness that can be exploited by an adversary.
• Team must have broad experience.
• Don’t focus on individual PPS components – focus on
system.
POA: Physical Security; Chapter 1.3 and 1.7 (Kindle Locations 980, 1214-1220 ).

Vulnerability Assessments (continued):


• Key to thoroughly evaluate the site PPS so that all paths
to the assets are equally protected.
• Consider what vulnerabilities exist given the defined
threats, considering their motivation, tools,
competence, and knowledge.
• The evaluation of the facility’s PPS is facility
characterization – using a site survey.
• Evaluate PPS effectiveness: detection, delay, and
response performance against threats.
POA: Physical Security; Chapter 1.7 (Kindle Locations 1254-1260).

Primary PPS Functions:


• Detection, delay, and response are the three primary
functions of a PPS.
• Detection is the discovery of covert or overt action by
an adversary.
• Key measures of effectiveness for the detection
function:
o The probability of sensing adversary action
o The time required for reporting and assessing the
alarm.
POA: Physical Security; Chapter 1.7.3 (Kindle Locations 1278-1280).


Primary PPS Functions (continued):


• Delay refers to the slowing down of adversary progress.
• Response force personnel considered elements of delay
if deployed in fixed, well-protected positions.
• Delay effectiveness is measured by the time required by
the adversary (after detection) to bypass each delay
element.
• If adversary delayed before detection, provides little
value - does not provide additional time for response.
• Delay before detection is a deterrent.
POA: Physical Security; Chapter 1.7.3 (Kindle Locations 1288-1292).

Primary PPS Functions (continued):


• Response consists of actions by security officers to
prevent adversary success.
• Interruption requires security officers arrive quickly at
the right place to stop the adversary’s progress.
• Response requires communication to the security
officers of accurate information about adversary actions.
and officer.
• Deployment - the actions of the response force from the
time it receives a communication until it is in position to
interrupt the adversary.
POA Physical Security, Chapter 1.7.3 (Kindle Locations 1288-1295).

Security Survey:
“A thorough physical examination of a facility and its
systems and procedures, conducted to assess the current
level of security, locate deficiencies, and gauge the degree
of protection required.”

ASIS Facilities Physical Security Measures Guideline, 2009, Pg 4


01/02/03 Potential security threats (for example, all hazards, criminal activity)
Threat Definition (determining the threats/hazards):
• Threat – An action or an event that could result in a loss;
an indication that such an action or event might take
place. (ASIS Facilities Physical Security Measures Guideline, 2009, Pg 4)
• Threat definition occurs during risk assessment.
• 3 Adversary classes: outsiders, insiders, and outsiders in
collusion with insiders.
• For each class of adversary – define the full range of
tactics (deceit, force, stealth, or any combination).
ASIS POA: Physical Security; Chapter 1.3 (Kindle Locations 986-987).

Threat Definition (continued):


• Design Basis Threat (DBT) - “the adversary against which
the utility (site) must be protected”.
• DBT requires consideration of:
o Threat type
o Tactics
o Mode of operations
o Capabilities
o Threat level
o Likelihood of occurrence.
POA: Physical Security; Chapter 1.3 (Kindle Locations 990-992).

Threat Definition (continued):


• Design Basis Threat (DBT) - “the threat is human, not
accidental, natural or safety hazards”.
• PPS designed to stop attacks.
• Security refers to the measures used to protect people,
property, or the enterprise from malevolent human
threats
• The DBT includes threat characteristics such as vehicles,
weapons, tools, or explosives, & the threat’s
motivation.
POA: Physical Security Chapter 1.3 (Kindle Locations 998-1005).

• DBT - The threat spectrum uses categories or labels to
describe the specific threat characteristics for various
levels of threats. EXAMPLE:
“Vandals. This threat would consist of a small group of 2-5 unarmed
people, whose intent is to deface low-value company assets or
employee vehicles parked on-site. Attacks are most likely at night, but
daytime attacks have occurred. The vandals may be under the
influence of drugs or alcohol. They may carry a few basic hand tools,
such as pliers, wire cutters, screwdrivers, or hammers, as well as cans
of spray paint, paintball guns, or similar items. They do not have
insider assistance. They are not highly motivated and will flee or
surrender if they perceive that they are about to be caught.”

POA: Physical Security; Chapter 1.3 (Kindle Locations 1021-1030).



Threat Definition (continued):


• Hazard - “possible source of danger or conditions
(physical or operational) that have a capacity to produce
a particular type of adverse effect.”
ASIS Int’l, “Security and Resilience in Organizations and Their Supply Chains” (2017),
Page 5.
• Emergencies or contingencies (3 – categories):
o Natural
o Human (either internal or external)
o Accidental.
POA: Crisis Management (Kindle Locations 19833-19834). ASIS International.

Types of Emergencies (continued):


• Fire
• Explosion
• Water outage
• Power outage
• Computer system failure
• Telecommunications failure
• Fuel leak
• Hazmat (hazardous materials) incident
• Bomb incident
• Civil disorder
• Armed attack barricade/hostage incident
• Severe weather (tornado, hurricane, thunderstorms, flood)
• Other natural occurrences (earthquakes, volcanoes)
POA: Crisis Management (Kindle Locations 19846-19849). ASIS International. Kindle Edition.

Task 01/03 Evaluate methods to improve the security program
on a continuous basis through the use of auditing, review, and
assessment


Knowledge of:
01/03/01 Cost-benefit analysis methods
01/03/02 Risk management strategies (for example,
avoid, assume/accept, transfer, spread)
01/03/03 Risk mitigation techniques (for example,
technology, personnel, process, facility design)
01/03/04 Data collection and trend analysis techniques



Task 1.3.1 Evaluate methods to improve the security program
on a continuous basis through the use of auditing, review, and
assessment using cost-benefit analysis methods.

ASIS POA: Physical Security Chapter 12.3 INITIAL PHASES
(Kindle Locations 7153-7157)
• Level of protection for a group of assets must meet the
protection needs of the most critical asset in the group.
• Analysis and definition process is designed to:
o Ensure that the selected solutions will mitigate real
and specific vulnerabilities.
o Provide a cost/ benefit justification for each
solution.
o Identify all elements (technology, staffing, and
procedures) and resources required for each solution.
o Provide a basis for the accurate and complete system
specification that will be used to procure and
implement the solutions.
ASIS POA: Security Management, Chapter 5.2 WHAT COST
EFFECTIVENESS MEANS (Kindle Locations 3259-3261).
• Cost-effectiveness means producing good results for
the money spent.
• Senior management - cost-effectiveness the primary
factor determining size or existence of the asset
protection program.
• The program must be measurable in financial terms.
• To maximize cost-effectiveness, a security manager
should do the following:
o Ensure operations are conducted in the least
expensive, but cost effective way.
o Maintain the lowest costs consistent with required
operational results.
o Ensure that the amount of money spent generates
the highest return.
• Cost-effectiveness in asset protection requires
balancing expenditures against results and revising
the plan as needed.
• Problem is the inability to justify the cost of asset
protection.
• The question that senior management wants
answered is this: Does the asset protection function
accomplish anything that can be quantified and that
justifies its cost?
• The security manager must consider whether a given
resource is the most effective one available at the
stated cost.
• Can the security organization be a profit center?
ASIS. POA: Security Management; 5.3.1 RETURN ON
INVESTMENT, (Kindle Locations 3296-3297)
• How much net income is earned by investment.
• Also called return on equity.
• ROI gauges management’s overall effectiveness in
generating profits.
• ROI can be measured in time saved, improved
efficiency, reduced manpower, reduced losses, lower
liability or insurance payments, or greater customer
satisfaction.
• Translates into an improved bottom line over time.
• The expectation is that security measures should not
merely be efficient but should provide a positive
return on investment.
• ROI = (AL + R) / CSP
AL = AVOIDED LOSS
R = RECOVERIES
CSP = SECURITY PROGRAM COSTS
Task 1.3.2 Evaluate methods to improve the security program
on a continuous basis through the use of auditing, review,
and assessment using risk management strategies (for
example, avoid, assume/accept, transfer, spread)
ANSI/ASIS ORM1-2007: Read & review:
Chapter 0.2 “Proactive Management of Risk to Build
Resilience”, pages xvi - xix
Chapters 4 and 5, pages 10 - 14.
Chapter 7.4, page 20.
Chapter 9, pages 23 – 32.
APPENDIX A-7: Pages 50 – 54.
APPENDIX C-2 “Prevention and Risk Mitigation
Procedures”, page 92.
ASIS POA: Physical Security, Chapter 1.2 RISK
ASSESSMENT/MANAGEMENT, (Kindle Locations 956-957)
• Risk Elimination: complete removal of the threat or risk
exposure
• Risk Reduction: modify activities, processes, equipment
or materials.
• Risk Transfer (Financing): Insurance.
• Risk Avoidance: Spread the risk – eliminate cause or
move the asset. (some cost)
• Risk Acceptance (Assumption): accepting the potential
risk and continuing existing security operations or
implementing some no-cost procedures to reduce the
risk to an acceptable level. (No cost)
• Risk Limitation (Reduction): implementing preventive,
detective, and response controls (the “D’s”). (Some cost)
Task 1.3.3 Evaluate methods to improve the security program
on a continuous basis through the use of auditing, review,
and assessment using risk mitigation techniques (for
example, technology, personnel, process, facility design).

ASIS POA: Security Management; Chapter 4.1.2
RELATION TO SECURITY AND OTHER DISCIPLINES, (Kindle
Location 2384).
• Countermeasures need to include people, hardware,
and software.
• Technology:
o Protection-in-depth (Read & review - POA Physical
Security PPS FUNCTION DETECTION, Chapters 4.1;
4.3; 4.4; 4.5)
o Video and Alarm Assessment (Protection-in-depth
(Read & review - POA Physical Security; Chapter 5:
Video and Alarm Assessment))
• Process:
o Business continuity Plans (POA Crisis Management;
Chapter 1)
• Personnel:
o Background investigations (POA Investigations)
o Training and awareness (Security Officer Guidelines)
• Facility:
o PPS applications (Facilities Physical Security
Guideline & POA Physical Security; Chapter 9)
Task 1.3.4 Evaluate methods to improve the security program
on a continuous basis through the use of auditing, review, and
assessment using data collection and trend analysis
techniques.
ASIS POA: Security Management, Chapter 3.4
MANAGEMENT SYSTEM STANDARDS, (Kindle Locations
1938-1939)
• Management system (MS) - the organization’s method of
managing its processes, functions, or activities.
• MS standards designed to help organizations improve
how they provide services and perform processes.
• Investigation – data collection using resume, application
form (POA Investigations, pages 167-169)
POA: Security Management Chapter 5.5 DATA CAPTURE,
pages 116 – 118; 119-121
• Data capture – Collecting information is of paramount
importance to security management, and the easier it is
to create security reports.
ASIS. POA: Security Management 2.8.1 DATA CAPTURE AND
TREND ANALYSIS, (Kindle Locations 17167-17168).
• Data capture and trend analysis help the security
manager determine the effectiveness of the program.
• Shows what is working and what is not working.
• Justify department’s existence by detailing security
incidents and security responses.
• Trend analysis based on data.

Task 01/04 Develop and manage external relations
programs with public sector law enforcement or other
external organizations to achieve security objectives.


Knowledge of:
01/04/01 Roles and responsibilities of external
organization and agencies
01/04/02 Methods for creating effective working
relationships
01/04/03 Techniques and protocols of liaison
01/04/04 Local and national Public/Private
Partnerships



Task 1.4.1 Develop and manage external relations programs with public
sector law enforcement or other external organizations to achieve
security objectives explaining the roles and responsibilities of external
organization and agencies.

ASIS POA: Security Management Chapter 7.4 PRIVATE
POLICING ENVIRONMENTS, (Kindle Locations 4900-4903),
pages 190-198
• Police are responsible for managing crime and its effects.
• No other government agency regards itself as specifically
responsible for crime.
• If the police cannot prevent crime, one logical response is
to hire private security firms to do so.
• Private police can be viewed as an additional layer of
security for the community.
• Carlson 1995;
o Operational Roles – police serve public – enforce laws
– security broader and more general – asset
protection
o Financial (police budgets limited)
o Philosophy – same as operational roles – governed by
law
o Legal (security limited powers depend on police
powers)
o Security/political - police are restricted – security
broader – augment police
• Chaiken & Chaiken – Figure 7.2 page 198 –
Responsibilities of police and security – distinctions
outlined
POA, Security Management, CHAPTER 3: STANDARDS IN
SECURITY,
• ANSI and ISO Standards organizations (how they function)
READ & REVIEW:
• POA: Security Officer Operations; Chapter 1.10
PROPRIETARY VS CONTRACT SECURITY and
• CHAPTER 5: SELECTING AND ADMINISTERING THE
SECURITY SERVICES CONTRACT
ANSI/ASIS ORM.1-2017, Chapter 5.2.2 External Context,
page 12/13
• The organization shall identify relevant external
stakeholders, that may impact or be impacted by its
activities, functions, goods and services, that could
contribute to the risk profile.
Task 1.4.2 Develop and manage external relations programs with public
sector law enforcement or other external organizations to achieve
security objectives explaining methods for creating effective working
relationships.

ASIS. POA: Security Management; Chapter 4.5.2 Liaison and
Leveraging Other Organizations, (Kindle Location 2915)
• Liaison and collaboration with a wide variety of people,
organizations, agencies, specialties, and professions is
essential.
• Behavioral theory can help establish and maintain
internal and external relationships.
• Collaboration is especially valuable and challenging in a
global environment that includes a wide range of
cultures, customs, and perspectives.
POA: Security Management Chapter 7.1.3 PUBLIC/ PRIVATE
PARTNERSHIPS AND STATISTICS, ASIS. (Kindle Locations
4479-4480)
• Formal relationships – ASIS International Law
Enforcement Liaison Council (LELC); Private Security
Services Council; and Private Sector Liaison Committee
of the International Association of Chiefs of Police (IACP)
• Innovations like Operation Cooperation program –
models where police work together with security to
combat crime and deliver public safety services.
• Published a document, “Operation Cooperation”-
outlines the history of public/private partnerships and
advocates future cooperative work.
Task 1.4.3 Develop and manage external relations programs with public
sector law enforcement or other external organizations to achieve
security objectives explaining techniques and protocols of liaison.

POA Crisis Management; Chapter 1.7.3 MUTUAL AID (Kindle
Locations 20177-20178)
• Mutual aid association, businesses and other organizations agree
to assist each other by providing materials, equipment, and
personnel for disaster control during emergencies.
POA: Crisis Management Chapter 1.7.4 PUBLIC AFFAIRS/ MEDIA
RELATIONS (Kindle Locations 20191-20192).
• A single source in the organization liaises with the media.
POA: Security Management Chapter 7.1.3 PUBLIC/ PRIVATE
PARTNERSHIPS AND STATISTICS, (Kindle Locations 4479-4480) pages
183-184
• Police and security partnerships encouraged through meetings
such as ASIS and also having joint training exercises
Task 1.4.4 Develop and manage external relations programs with public
sector law enforcement or other external organizations to achieve
security objectives explaining local and national Public/Private
Partnerships.

POA: Security Management; Chapter 7.1.3 PUBLIC/ PRIVATE PARTNERSHIPS AND
STATISTICS, (Kindle Locations 4479-4480) pages 183-184; 188;
• Issues: Alarm response by police - became a burden, especially with false alarms
(95% or more responses were false alarms) (Benson & Olick 1990; Cunningham
1994)
• Solution: Private security encouraged by police to handle responses - relieves
financial strain from police
• Example: S. Africa (450 registered alarm companies with 500,000 clients)
• After developing relationships - more information sharing between police &
security.
• Conducting drills & exercises between police and security enhances liaison and
provides valuable data
• Security conducting its own internal investigations helps police (POA Investigations,
pages 7-9)

Task 01/05 Develop, implement, and manage
employee security awareness programs to achieve
organizational goals and objectives


Knowledge of:
01/05/01 Training methodologies
01/05/02 Communication strategies, techniques,
and methods
01/05/03 Awareness program objectives and
program metrics
01/05/04 Elements of a security awareness
program (for example, roles and responsibilities,
physical risk, communication risk, privacy)
Task 1.5.1 Develop, implement, and manage employee security
awareness programs to achieve organizational goals and objectives
describing training methodologies.

ASIS POA: Security Management, CHAPTER 10, SECURITY
AWARENESS, (Kindle Locations 6771-6772). Pages 296-299
• Consciousness (awareness) of an existing security
program, its relevance, and the effect of one’s behavior
on reducing security risks.
POA Chapter 10.3.1 TECHNIQUES, MATERIALS, RESOURCES,
(Kindle Locations 6886-6888).
• Unlike security training, security awareness material may
not contain specific security task information.
• Directs recipients to security content available elsewhere
and focus on generating support for the security
program.
• It should be enjoyable and interesting.
• Resources:
o Written materials
o AV equipment
o Formal Security Briefings
o Integration into line operations
o Inside experts
o Outside experts
o CBT (computer-based training)
Task 1.5.2 Develop, implement, and manage employee security
awareness programs to achieve organizational goals and objectives
describing communication strategies, techniques, and methods.

NOTE:
CHAPTER 10, SECURITY AWARENESS, ASIS POA: Security
Management, (Kindle Locations 6771-6772). Pages 296-299
Task 1.5.3 Develop, implement, and manage employee security
awareness programs to achieve organizational goals and objectives
describing awareness program objectives and program metrics.

POA Security Management, Chapter 10.3.3 MEASURING
THE PROGRAM, (Kindle Location 6953)
• Company losses before and after the security
awareness program was implemented.
• # of persons briefed and # of briefings conducted in
specific periods
• Topics covered, projected or actual briefing completion
date, and method of delivery
• Cost of briefings per employee
Task 1.5.4 Develop, implement, and manage employee security
awareness programs to achieve organizational goals and objectives
describing the elements of a security awareness program (for example,
roles and responsibilities, physical risk, communication risk, privacy).

ASIS POA, Security Management, Chapter 10 SECURITY
AWARENESS (pages 294 – 295), 10.1.1 EXECUTIVE
MANAGEMENT (Kindle Locations 6781-6782)
• Chief executives, chief operating officers, and other senior
personnel must be aware of the security program
because they are an enterprise’s top decision makers
regarding risk and resources.
• They need to perceive security programs positively.
• Security awareness means awareness of the security
program’s financial contribution to the bottom line.
POA Security Management, Chapter 10.1.2 MIDDLE
MANAGEMENT (Kindle Locations 6789-6792)
• Middle managers tend to be held accountable for the
success of their individual departments, so they view the
security program in terms of its contribution toward that
goal.
• If a manager thinks the security program does not support
the business goals or program initiatives of the business
unit, he or she may not support the program.
• The result may be dislocations and strains that cause
failures elsewhere in the enterprise.
POA Security Management, Chapter 10.1.3 FIRST LINE
SUPERVISION (Kindle Locations 6799-6801)
• Security awareness focuses on how the security program
aids or detracts from specific performance objectives.
• Most complaints from employees about security are first
raised with the supervisor.
• Efforts should show supervisors that the time and
attention required to comply with security rules are
worthwhile in terms of supporting the supervisor’s main
tasks and protecting the employees and the business.
POA Security Management, Chapter 10.1.4 INDIVIDUAL
EMPLOYEES (Kindle Locations 6809-6811)
• If supervisors and managers are interested in and
supportive of security, employees may gain a favorable
view of the program and support it by observing its rules.
• If supervisors and managers disapprove of the security
program or show no interest in it, employees may feel
little motivation to support it.
POA Security Management, Chapter 10.1.5 NONEMPLOYEES
(Kindle Locations 6814-)
• Have less opportunity than employees to learn the
applicable security requirements.
• Some cases must be supported using a formal
confidentiality agreement.

PRACTISE EXAM QUESTIONS



A business unit’s top leadership will develop a
plan that provides a general direction for the
organization. This plan is the fundamental
template for direction that defines and supports
the organization’s long-term goals.
a. SWOT plan
b. Strategic plan
c. STEP plan
d. PEST plan

POA: Security Management Kindle Edition.


This defines why the business exists, is essential
for developing organization-specific
management practices and how it will maintain
itself as a profitable, viable entity not only in the
moment but also three to five years out. This is
called a:
a. Organizational strategy
b. PEST plan
c. STEP strategy
d. SWOT plan
POA: Security Management; (Kindle Locations
1199-1201). Kindle Edition.
Security professionals can most effectively
convince management of the need for security
by quantifying and prioritizing the loss potential
and presenting which of the following?
a. A strategic plan that applies to the entire
organization
b. A strategic plan that applies to the security
organization
c. A cost-benefit analysis and return-on-
investment assessment
d. A cost-benefit analysis with business unit
endorsement
POA: Security Management (Kindle Locations 16372-
16373). ASIS International.
WAECUP can be used as a blueprint for
developing security objectives. WAECUP stands
for which of the following?
a. Waste, Accidents, Environment,
Catastrophes, Unethical Practices
b. Waste, Accidents, Environment, Crisis,
Unethical Practices
c. Waste, Accidents, Error, Crime, Unethical
Practices
d. Waste, Accidents, Error, Crisis, Unethical
Practices
POA: Security Management (Kindle Locations
3434-3435). ASIS International. Kindle Edition.
A model that includes “Environmental, and
Political” analysis and points out potential
sources of threats. The security manager can
then conduct an analysis to determine whether
such threats are likely and where they could
come from. This analysis is called a:
a. SWOT
b. STEP
c. PEST
d. TRA
POA: Security Management (Kindle Locations
3439-3440). ASIS International. Kindle Edition.
A metric which measures how an organization
or individual is performing against defined goals
and objectives is called:
a. Defined Target Measures
b. Competence Based Metrics
c. Balanced Scorecard Metric
d. Key Performance Indicators

ANSI/ASIS ORM.1-27, 3.33, definition of KPI,
page 5
The following is a clearly defined and
documented plan of action, typically covering
the key personnel, resources, services, and
actions needed to implement the incident
management process. It is referred to as a:
a. Management plan
b. Organizational plan
c. Strategic plan
d. Operational Plan

ANSI/ASIS ORM.1-27, 3.33, definition of KPI,
page 5
The Plan-Do-Check-Act (PDCA) cycle is an
operating principle of ISO’s management
systems standards. It is also referred to as the:
a. Assess-Protect-Check-Action model
b. Assess-Protect-Confirm-Action model
c. Assess-Protect-Confirm-Improve model
d. Assess-Protect-Check-Improve model

POA: Security Management (Kindle Location
2021). ASIS International. Kindle Edition.
The Plan-Do-Check-Act (PDCA) cycle has a step
which looks at the planning analysis, then
devises a solution, prioritizes the next steps, and
develops a detailed action plan. This step is
referred to as which part of the cycle?
a. Plan
b. Do
c. Check
d. Act

POA: Security Management (Kindle Locations
2025-2026). ASIS International. Kindle Edition.
The Plan-Do-Check-Act (PDCA) cycle has a step
where one examines the solutions devised to
address the problems. The point is to check
whether the solutions are producing outcomes
that are consistent with the plan. This step is
referred to as which part of the cycle?
a. Plan
b. Do
c. Check
d. Act
POA: Security Management (Kindle Locations
2028-2030). ASIS International. Kindle Edition.
In the Plan-Do-Check-Act (PDCA) cycle, this is
the most critical stage and calls for identifying
and analyzing the organization’s problems and
events that could disrupt operations and assets.
This step is referred to as which part of the
cycle?
a. Plan
b. Do
c. Check
d. Act
POA: Security Management (Kindle Locations
2023-2024). ASIS International. Kindle Edition.
Managing involves five (5) basic functions.
Which of the following BEST describes the
functions?
a. Planning, Organizing, Directing, Coordinating,
Controlling
b. Planning, Organizing, Managing,
Coordinating, Leading
c. Planning, Leading, Managing, Coordinating,
Controlling
d. Planning, Leading, Directing, Acting,
Controlling
POA: Security Management (Kindle Location
2743). ASIS International. Kindle Edition.
In addition to the five (5) functions of
management, managers should be guided by
two (2) other principles, which are:
a. “Continuous improvement” and “Customer
service.”
b. “Quality” and “Who is the customer?”
c. “Continuous improvement” and
“Performance metrics.”
d. “Quality” and “Performance metrics.”

POA: Security Management (Kindle Location
2745). ASIS International. Kindle Edition.
There are three (3) dimensions to managing the
security of assets. Which of the following BEST
describes the dimensions?
a. Security expertise, Leadership ability and
Ability to deal with people.
b. Security expertise, Leadership ability and
Ability to deal with employees.
c. Technical expertise, Leadership ability and
Ability to deal with employees.
d. Technical expertise, Management ability and
Ability to deal with people.
ASIS. POA: Security Management (Kindle Locations 2738-
2739). ASIS International. Kindle Edition.
The “span of control” principle suggests that a
single person can supervise only a limited
number of staff members effectively. The
specific number depends on such factors as the
nature of the work and type of organization, but
as a general rule one manager can effectively
supervise up to how many persons?
a. Up to five (5) persons
b. Up to eight (8) persons
c. Up to ten (10) persons
d. Up to fifteen (15) persons
POA: Security Management (Kindle Locations
2807-2809). ASIS International. Kindle Edition.
The following theory asserts that a person’s
behavior is driven by basic needs at different
levels and is still widely recommended to analyze
individual employee motivation. It is referred to as
which of the following?
a. Maslow’s Theory
b. McGregor’s Theory
c. Herzberg’s Theory
d. Motivation-Hygiene Theory

POA: Security Management (Kindle Location
2856). ASIS International. Kindle Edition.
The following theory is based on the
premise that the opposite of satisfaction is not
dissatisfaction but simply no satisfaction. The
theory maintains that two sets of factors
determine a worker’s motivation, attitude, and
success. It is referred to as which of the following?
a. Maslow’s Theory
b. McGregor’s Theory
c. Herzberg’s Theory
d. Hierarchy of Needs Theory
The following assertion, that job content
(motivators) such as achievement, recognition,
responsibility, and satisfaction are derived from
work itself, is BEST described as part of which of
the following theories?
a. Maslow’s Theory
b. McGregor’s Theory
c. Herzberg’s Theory
d. Hierarchy of Needs Theory
POA: Security Management (Kindle Locations
2867-2868). ASIS International. Kindle Edition.
The following theory asserts that managers should
avoid quick fixes. Manipulating hygiene factors
may alleviate dissatisfaction but will not result in a
state of satisfaction. Allowing an individual to
reach a state of satisfaction requires changes in
the work content itself, such as increased
autonomy or responsibility. This is BEST described
as part of which of the following theories?
a. Maslow’s Theory
b. McGregor’s Theory
c. Herzberg’s Theory
d. Hierarchy of Needs Theory
POA: Security Management (Kindle Locations 2873-2874).
ASIS International. Kindle Edition.
The following theory contends that workers are
inherently lazy and tend to avoid work. They lack
creative ambition, require constant supervision,
and are motivated by fear. This is BEST described
as part of which of the following theories?
a. Maslow’s Theory
b. McGregor’s Theory
c. Herzberg’s Theory
d. Hierarchy of Needs Theory

POA: Security Management (Kindle Locations
2859-2861). ASIS International. Kindle Edition.
A set of criteria, guidelines, and best practices that
can be used to enhance the quality and reliability
of products, services, or processes, is the
definition for which of the following?
a. Guideline
b. Standard
c. Regulation
d. Code

POA: Security Management Chapter 3 –
STANDARDS IN SECURITY (Kindle Locations 1723-
1735). ASIS International. Kindle Edition.
Which of the following statements concerning
security industry standards is NOT TRUE?
a. A standard addresses a product, service, or
process.
b. Standards are mandatory and require
compliance.
c. Regulation may require compliance with a
standard.
d. Customers more easily judge product quality if
it conforms with standards.
POA: Security Management, Chapter 3 – STANDARDS IN
SECURITY (Kindle Locations 1742-1747). ASIS International.
Kindle Edition.
Which of the following statements concerning ISO
industry standards is TRUE?
a. ISO is a governmental organization.
b. ISO standards address: training, employee
competencies, products, processes, services
& quality control.
c. ISO regulates, legislates, and enforces
compliance to standards.
d. ISO standards often become recognized as
industry best practices and become market
requirements.
POA: Security Management (Kindle Locations 1807-1839).
ASIS International. Kindle Edition.
Which one of the following statements, BEST
describes ISO management systems standards?
a. ISO 9000 is a standard which requires
mandatory compliance, noncompliance may
net a financial penalty.
b. ISO 9000 regulates environmental
management systems.
c. ISO management systems are based on the
PDCA Cycle.
d. ISO regulates, legislates, and enforces
compliance to standards.
POA: Security Management (Kindle Location 1947-1955).
ASIS International. Kindle Edition.
The “integration of traditional security functions
and information [systems], IT security functions”
is known as:
a. Security Organization Integration
b. Security Management Systems
c. IT and Security Merger
d. IT and Security Convergence
POA: Security Management (Kindle Locations 2385-2386).
ASIS International. Kindle Edition.
“An organization can be an adaptive, problem-
solving, innovative system operating in and coping
with rapidly changing environments. Bureaucracy
and the “organization man” will have no place in
future organizations.” This is a theory known as
which of the following?
a. Warren Bennis’ Theory
b. Crime Prevention Through Environmental
Design
c. Herzberg’s Theory
d. Maslow’s Theory
POA: Security Management (Kindle Locations
17320-17322). ASIS International. Kindle Edition.
To monitor and measure an organization’s risk
management performance, a set of performance
indicators should be developed to measure both
the management systems and its outcomes.
Measurements should meet which of the
following metrics?
a. Quantitative and PDCA
b. Qualitative and SMART
c. Quantitative or Qualitative
d. Quantitative and SMART
To monitor and measure an organization’s risk
management performance, a set of performance
indicators should be developed to measure both
the management systems and its outcomes.
Measurements should meet which of the
following metrics?
a. Quantitative
b. Qualitative
c. Quantitative or Qualitative
d. Quantitative and SMART
ANSI/ASIS ORM.1-2017, A.10 PERFORMANCE EVALUATION, A.10.1
“Monitoring and Measurement”, page 78
An analysis approach that does not use numbers
or numeric values to describe the risk
components. The approach uses terms such as
critical, high, medium, low, and negligible to
gauge the asset value & levels of risk components
& risk itself. This approach is BEST described as:
a. Quantitative
b. Qualitative
c. Metrics
d. SMART
POA: Physical Security; Applications; Information Security; and
Investigation (Kindle Locations 909-911, 1130, 6725-6726). ASIS
International. Kindle Edition.
In the following formula:
PE = PI x PN
What does PE represent?
a. PPS effectiveness
b. Probability of interruption
c. Probability of neutralization
d. Probability of event

POA: Physical Security; Applications; Information
Security; and Investigation (Kindle Locations 6757-6758,
6841-6842, 6846-6847). ASIS International. Kindle
Edition.
An assessment approach that is used to evaluate
target attractiveness. The approach includes
criticality, accessibility, recuperability,
vulnerability, effect and recoverability. This
approach is BEST described as the:
a. Vulnerability assessment
b. Risk assessment
c. CARVER assessment
d. Security survey
POA: Physical Security; Applications; Information Security; and
Investigation (Kindle Locations 6810-6816). ASIS International.
Kindle Edition.
Describing the facility by separating it into
adjacent physical areas, defining protection layers
& path elements between the adjacent areas and
recording detection & delay values for each path
element tests the existing PPS at a facility. This
approach is BEST described as:
a. A vulnerability assessment
b. A risk assessment
c. An Adversarial Path Diagram
d. A Threat Event Profile
POA: Physical Security; Applications; Information
Security; and Investigation (Kindle Locations 6861-6865,
6869). ASIS International. Kindle Edition.
The process of assessing security-related risks
from internal and external threats to an
entity, its assets and personnel, is BEST described
as:
a. Risk assessment
b. Vulnerability assessment
c. CARVER assessment
d. Security survey

Facilities Physical Security Guideline, ASIS International,
Page 3
The product of the potential loss from an event
and the likelihood of the event, is BEST described
as:
a. Risk Profile
b. Annual Loss Expectancy
c. Vulnerability Exposure
d. Loss event Profile

POA: Physical Security; Applications; Information Security; and
Investigation (Kindle Locations 900-907, 908-909). ASIS
International. Kindle Edition.
An uncertain situation where a number of
possible outcomes might occur, one or more of
which is undesirable, BEST describes which of the
following?
a. Risk
b. Threats
c. Loss
d. Targets
POA: Physical Security; Applications; Information Security; and
Investigation (Kindle Locations 900-907). ASIS International. Kindle
Edition.
A risk assessment process that is a bottom-up
approach where risks are identified at the
beginning of the analysis rather than as a result
of a systematic, top-down approach, is BEST
described as the following:
a. Deductive risk assessment
b. Inductive risk assessment
c. Deductive risk analysis
d. Inductive risk analysis

POA: Physical Security; Applications; Information
Security; and Investigation (Kindle Locations 912-917).
ASIS International. Kindle Edition.
This assessment is performed to establish a
baseline of PPS effectiveness in meeting goals and
objectives. The process is a method of identifying
the weak points of a facility, entity, venue, or
person. This is BEST described as a:
a. Risk assessment
b. Risk analysis
c. Security survey
d. Vulnerability assessment

POA: Physical Security; Applications; Information Security;
and Investigation (Kindle Locations 980, 1214-1220). ASIS
International. Kindle Edition.
The three (3) primary functions of a PPS are:
a. Detect, delay and response
b. Deter, detect and response
c. Deter, delay and response
d. Detect, deter and response

POA: Physical Security; Applications; Information
Security; and Investigation (Kindle Locations 1278-1280).
ASIS International. Kindle Edition.
This process requires consideration of the threat
type, tactics, mode of operations, capabilities,
threat level, and likelihood of occurrence. The
definition can be modified to include all sites, not
only utilities. Threats come from malevolent
humans, not accidental (safety-related) events.
This process is BEST defined as which of the
following?
a. Design Basis Threats
b. Loss Event Profiles
c. Adversarial Sequence Diagrams
d. Threat Risk Assessment
POA: Physical Security (Kindle Locations 991-994). ASIS International.
Kindle Edition.
Which of the following definitions BEST describes
a “Hazard”?
a. “Possible source of danger or conditions
(physical or operational) that have a capacity
to produce a particular type of adverse effect.”
b. “Possible risk (physical or operational) that can
cause a workplace accident.”
c. “Possible source of danger (adversary) that can
produce an adverse effect.”
d. “Confirmed source of danger (adversary) that
can produce an adverse effect.”

ANSI/ASIS ORM.1-2017, page 5


The annual costs of nuisance alarms in Y1 were compared to
the costs in Y2, after nuisance alarms were reduced. Nuisance
fire alarms cost the organization $50,000 in Y1; alarm costs
dropped to $10,000 in Y2, resulting in an avoided loss of
$40,000. The annual cost of the nuisance alarm reduction
initiative is $10,000. Determine the ROI using the formula
below.
ROI = (AL + R) / CSP
The organization saves _______.
a. $10,000
b. $20,000
c. $30,000
d. $40,000
POA: Security Management (Kindle Locations 3327-3330). ASIS
International. Kindle Edition.
Insurance coverage on an asset is considered the
most common form of what type of risk
management?
a. Risk Spreading
b. Risk Reduction
c. Risk Transfer
d. Risk Acceptance

POA: Security Management (Kindle Location
2933). ASIS International. Kindle Edition.
Which of the following BEST describes “Unity of
Command”?
a. Dictates that an individual is accountable for
more than one (1) employee.
b. Dictates that an individual report to only one
(1) supervisor.
c. States how many persons a supervisor may
effectively supervise.
d. States the number of security personnel
required to function when guided by incident
management situations.
POA: Security Management (Kindle Location
2813). ASIS International. Kindle Edition.

SECURITY PRINCIPLES & PRACTICES (21%)
