CERTIFIED PROTECTION PROFESSIONAL

(CPP)
Certification Examination Review

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Your Instructor/Facilitator:

Dennis Shepp, MBA, CPP, CFE, PCI

Email 1: [email protected]
Email 2: [email protected]
Telephone: +1.587.989.1511
Skype: dennisshepp

October 2017 Dennis Shepp, CPP

(DOMAINS)
SUBJECTS
CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review
Security Principles
& Practices

DOMAIN 1 – Security Principles & Practices (21%)

– InvestigationsPrinciples &

DOMAIN 2 – Business Principles & Practices (13%)

Practices
Business

DOMAIN 3 – Investigations (10%)

Personnel Security

DOMAIN 4 – Personnel Security (12%)

Physical Security

DOMAIN 5 – Physical Security (25%)

DOMAIN 6 – Information Security (9%)
Information
Management Security

DOMAIN 7 – Crisis Management (10%)

Crisis
 ASIS International Certification Exam Review
(DOMAINS)
SUBJECTS
CERTIFIED PROTECTION PROFESSIONAL (CPP)
CPP Examination Subjects Examination Review
Certification
Security Principles
& Practices

Crisis Management
Information Security 10%
9%
Security Principles &
Practices
– InvestigationsPrinciples &
Practices
Business

21%
Personnel Security

Business Principles &

Practices
13%
Physical Security
25%
Physical Security

Investigations
Information

10%
Management Security

Personnel Security
12%
Crisis

October 2017 Dennis Shepp, CPP

(DOMAINS)
SUBJECTS
CERTIFIED PROTECTION PROFESSIONAL
CERTIFIED PROTECTION (CPP) (CPP)
PROFESSIONAL
Certification
Certification ExaminationExamination
Review Review
Security Principles
& Practices

DOMAIN 1 – Security Principles & Practices (21%)

DOMAIN 2 – Business Principles & Practices (13%)
– InvestigationsPrinciples &
Practices
Business

DOMAIN 3 – Investigations (10%)

Personnel Security

DOMAIN 4 – Personnel Security (12%)

DOMAIN 5 – Physical Security (25%)
Physical Security

DOMAIN 6 – Information Security (9%)

Information
Management Security

DOMAIN 7 – Crisis Management (10%)

Crisis

October 2017 Dennis Shepp, CPP

 ASIS Board Certification
The worldwide standard for professional competency.

Offering three security certifications, including two specialty certifications.

• Certified Protection Professional (CPP)
• Physical Security Professional (PSP)
Focus of this review
• Professional Certified Investigator (PCI)

ASIS board-certified security practitioners are

employed by more than 3,500 organizations in 77
countries around the globe.
Certified Protection Professional (CPP)
Board Certification in Security Management
Awarded to practitioners who have demonstrated knowledge and experience in:
• Security Principles and Practices
• Business Principles and Practices
• Investigations
• Personnel Security Established in 1977.
• Physical Security
• Information Security
• Crisis Management
Certified Protection Professional (CPP)
Board Certification in Security Management

CPP EXAM CONTENTS

• Candidate must pass a comprehensive examination
• Approximately 225 multiple-choice questions
o 200 “live” scoreable questions
o Up to 25 pre-test questions
Certified Protection Professional (CPP)
Board Certification in Security Management
ALL CPP EXAM QUESTIONS ARE FROM THE REVIEW MATERIALS
• Protection of Assets (POA) Manuals (ASIS International)
o Available in printed version, online access or Kindle
o Printed & online versions: https://www.asisonline.org/ASIS-
Store/Certification/Pages/CPP%20Reference%20Material.aspx
o Kindle version (2-parts):
1. POA: Physical Security; Applications; Information Security & Investigations
2. POA: Security Management; Legal Issues; Security Officer Operations; &
Crisis Management:
https://www.amazon.com/POA-Security-Management-Officer-Operations-
ebook/dp/B00BXS2W8Q/ref=sr_1_10?s=digital-text&ie=UTF8&qid=1500934889&sr=1-
10&keywords=protection+of+assets+asis
Certified Protection Professional (CPP)
• Protection of Assets (POA) Manuals Kindle version (2-parts):
1. POA: Physical Security; Applications; Information Security &
Investigations: https://www.amazon.com/POA-Physical-Applications-
Information-Investigation-ebook/dp/B00BXRHT6W/ref=sr_1_4?s=digital-
text&ie=UTF8&qid=1500934889&sr=1-
4&keywords=protection+of+assets+asis
2. POA: Security Management; Legal Issues; Security Officer Operations; &
Crisis Management: https://www.amazon.com/POA-Security-
Management-Officer-Operations-
ebook/dp/B00BXS2W8Q/ref=sr_1_10?s=digital-
text&ie=UTF8&qid=1500934889&sr=1-
10&keywords=protection+of+assets+asis
Certified Protection Professional (CPP)
• ASIS International Standards & Guidelines
o Free download for ASIS members
o Standards:
 Chief Security Officer—An Organizational Model
 Security and Resilience in Organizations and Their Supply Chains—
Requirements with Guidance
 Workplace Violence Prevention and Intervention
o Guidelines:
 Facilities Physical Security Measures Guideline
 General Security Risk Assessment Guideline
 Information Asset Protection Guideline
 Pre-employment Background Screening Guideline
Certified Protection Professional (CPP)
Board Certification in Security Management
REMEMBER:
• ALL CPP EXAM QUESTIONS ARE FROM THE REVIEW MATERIALS
• ALL QUESTIONS ARE BASED ON THE DOMAINS, TASKS & REQUIRED
KNOWLEDGE
• The specific subject areas (Domains – Tasks – Knowledge subjects)
can be found here: https://www.asisonline.org/Certification/Board-
Certifications/CPP/Pages/CPP-Exam-Domains.aspx
• ALL 200 “scoreable” exam questions are divided based on the
following breakdown:
Certified Protection Professional (CPP)
Board Certification in Security Management
ALL 200 “scoreable” exam questions are divided based on the following
breakdown: Crisis Management % of # of
10%
Domains (Subjects) Questions Questions
Information Security
Security Principles &
9% Practices 21% 42
Security Principles &
Practices Business Principles &
21%
Practices 13% 26
Investigations 10% 20
Business
Principles & Personnel Security 12% 24
Physical Security Practices
13%
Physical Security 25% 50
25%
Information Security 9% 18
Crisis Management 10% 20
Personnel Total 100% 200
Security
Investigations
12%
10%
Certified Protection Professional (CPP)
Board Certification in Security Management
Application for the Exam:
• Apply online (if you can pay with a credit card online)
• Cost:
o ASIS Members: US$300
o Non-ASIS Members: US$450
• Are you eligible to be approved to take the exam?
Certified Protection Professional (CPP)
Board Certification in Security Management
Application for the Exam:
• Qualifications to be accepted for the CPP:
• A high level of English comprehension both written and oral.
• An earned Bachelor's degree or higher from an accredited institution of
higher education, and;
• Seven (7) years of security experience, including at least three (3) years
in a team leadership, supervisory or management role.
OR
• A high level of English comprehension both written and oral.
• If the candidate has not obtained a Bachelor’s degree, they must have
nine (9) years of security experience, including at least three (3) years
in a team leadership, supervisory or management role.
Certified Protection Professional (CPP)
Board Certification in Security Management
Application for the Exam:
• NOTE: The requirement “…including at least three (3) years in a team leadership,
supervisory or management role.” is defined by ASIS Int’l as “Responsible Charge”
• “Responsible Charge: Responsible charge is defined as the charge exercised by an
individual in a management position who makes decisions for the successful
completion of objectives without reliance upon directions from a superior as to
specific methods. However, an applicant need not have held a supervisory position, as
long as the positions on which the application relies have specifically included
responsibility for independent decisions or actions. If "responsible charge" is not based
on supervisory responsibilities, then security program management responsibilities
and duties must be clearly shown. Generally, this excludes such positions as patrol
officer or the equivalent.”
Certified Protection Professional (CPP)
Board Certification in Security Management
Application for the Exam – Defining Experience:
• Experience is defined as having:
o Experience as a security professional in the protection of assets, in the public or
private sector, criminal justice system, government intelligence, or investigative
agencies.
o Experience with companies, associations, government, or other organizations
providing services or products, including consulting firms, provided the duties and
responsibilities substantively relate to the design, evaluation, and application of
systems, programs, or equipment, or development and operation of services, for
protection of assets in the private or public sectors.
o Experience as a full-time educator on the faculty of an accredited educational
institution, provided the responsibilities for courses and other duties relate primarily
to knowledge areas pertinent to the management and operation of protection of
assets programs in the public or private sectors.
Certified Protection Professional (CPP)
Board Certification in Security Management
Application for the Exam:
• Apply online but print off a paper application first, complete it, then apply online.
(Recommend allowing the Review Instructor to assess the application before submitting)
• Apply ASAP – Once approved a candidate has up to 90-days to schedule a test.
• Once approved, the exam is conducted at a Prometric Testing Center
• Prometric (www.prometric.com/ASIS) has testing centers in Dammam, Manama (Bahrain)
& Doha (Qatar)
• Testing rules - https://www.asisonline.org/Certification/Resources/Documents/CBT-Fact-
Sheet.pdf
Certified Protection Professional (CPP)
Board Certification in Security Management
What is the Passing Grade:
• Each question is pretested to determine a level of difficulty.
• Since each question has a different difficulty level – questions are not
scored based on a percentage correct our of a total (example:
100/200 = 50%)
• Scaled Scoring is the method used to measure the passing score.
• Candidates must achieve 650 to successfully pass the exam.
• To learn more about scaled scoring – search on Google.
• THERE IS NO RELATIONSHIP TO A PERCENTAGE SCORE!
Certified Protection Professional (CPP)
Board Certification in Security Management
Physical Security Professional (PSP)
Board Certification in Physical Security

MUST READ RESOURCE:

• The Professional Certification Guide
• file:///Users/dennisshepp/Documents/ASIS%20Saudi%20CPP&PSP%2
0Review/Certification%20Handbook_final.pdf
 CERTIFIED PROTECTION PROFESSIONAL
(CPP)
Certification Examination Review

SECURITY PRINCIPLES & PRACTICES (21%)

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Task 01/01 Plan, develop, implement, and manage the organization’s

security program to protect the organization’s assets
Task 01/02 Develop, manage, or conduct the security risk
assessment process
Task 01/03 Evaluate methods to improve the security program on a
continuous basis through the use of auditing, review, and assessment
Task 01/04 Develop and manage external relations programs with
public sector law enforcement or other external organizations to
achieve security objectives
Task 01/05 Develop, implement, and manage employee security
awareness programs to achieve organizational goals and objectives

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Task 01/01 Plan, develop, implement, and manage the

organization’s security program to protect the
organization’s assets

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Knowledge of:
01/01/01 Principles of planning, organization, and control
01/01/02 Security theory, techniques, and processes
01/01/03 Security industry standards
01/01/04 Continuous assessment and improvement
processes
01/01/05 Cross-functional organizational collaboration

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Knowledge of:
01/01/01 Principles of planning, organization, and control
• The organizational strategy (strategic plan)
o In writing by organization’s top leadership.
o No focus on day-to-day operations.
o Provides a general direction.
o Fundamental template (direction that defines &
supports long-term goals.
POA: Security Management; (Kindle Locations 1192-1194). ASIS International. Kindle
Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• The organizational strategy (strategic plan) continued:

o Foundation for developing business processes.
o Processes support overall business structure required
to meet the organizational strategy.
o Key metrics and performance indicators studied to
determine if processes accurately reflect strategy.
o Essential for developing company-specific
management practices.
POA: Security Management; Chapter 1.2 (Kindle Locations 1194-1199).

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• The organizational strategy (strategic plan) continued:

o SWOT essential part of planning strategy

POA: Security Management; Chapter 1.2 (Kindle Locations 1208). ASIS International. Kindle
Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

SWOT Matrix

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Enhanced SWOT Matrix

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• The organizational strategy (strategic plan) continued:

o Strategy is management’s effort to focus resources on
specific targets.
o Enhance business success through proper planning.
o Budgets are part of the planning process (money
allocated for the year)
o All levels of employees & stakeholders should
participate in planning.
POA: Security Management; Chapter 2.1 (Kindle Locations 1403-1404, 1629, 1989). ASIS
International. Kindle Edition
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• The organizational strategy (strategic plan) continued:

o Plan-Do-Check-Act (PDCA) cycle - operating principle
of ISO’s management systems standards.
o Also called Assess-Protect-Confirm-Improve model.
o Approach to structured problem solving focused on
continual improvement.
o PLAN: Most critical stage identifying & analyzing the
organization’s problems that could disrupt
operations— and assets.
o ID root causes of problems & rank importance.
POA: Security Management; Chapter 3.4.3 (Kindle Locations 2023-2024). ASIS International.
Kindle Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• Organizational Resilience Standard (ASIS Int’l):

o Uses Plan-Do-Check-Act (PDCA) cycle.
o PLANNING is step to conduct risk assessment &
impact analysis - Organization MUST have defined &
documented method.

Security and Resilience in Organizations and their Supply Chains – 2017 (ORM.1)

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• Concepts in Organizational Management:

o Managing consists of:
 Planning
 Organizing
 Directing
 Coordinating

POA: Security Management; Chapter 4.4.1 (Kindle Locations 2743). ASIS International.
Kindle Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• Organizational Management applied to asset protection:

o Planning, management, and evaluation are important
tools in crime prevention programs
o Planning:
 Developing strategic goals & objectives
 Aligning assets protection objectives with the
organizational vision
 Organizing the assets protection function to meet
objectives & determining how accomplish mission.
POA: Security Management; Chapter 4.4.2 (Kindle Locations 2773-2775). ASIS
International. Kindle Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• Organizational Management applied to asset protection:

o Planning may entail:
 Developing company’s QA/ QC program
 Obtaining executive buy-in
 Preparing documentation
 Training supervisors
 Establishing procedures

POA: Security Management; Chapter 4.4.2 (Kindle Locations 2783-2784). ASIS International.
Kindle Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• Operational Management applied to asset protection:

o Planning may entail:
 Project planning for systems, training, other
security projects
 Developing:
–Emergency plans
–Contingency plans
–Crisis plans

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• Organization (organizing):
o Security managers must understand business
principles.
o Helps organize efforts to best support the overall
vision and mission of the organization.
o Better able to collaborate with executive management
to obtain resources to enable success in asset
protection.
o Need to be recognized as “business partners”.
POA: Security Management; Chapter 4.4.2 (Kindle Locations 1150-1151). ASIS International.
Kindle Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

3 Managerial Dimensions

TECHNICAL EXPERTISE
Knowledge of protective MANAGEMENT ABILITY
disciplines, and practices Operating effectively with
and the ability to apply it. and within organizations &
programs.

ABILITY TO DEAL WITH PEOPLE

The interpersonal skills to interact with people at all levels

POA: Security Management; Chapter 4.4 Figure 4-6 (Kindle Locations 2739). ASIS
International. Kindle Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• Organization (controlling):
o “Span of control” principle - a single person can
supervise only a limited number of staff members
effectively.
o Specific number depends on:
 Nature of the work
 Type of organization
o General rule - one manager can effectively supervise
up to 10 people
POA: Security Management; Chapter 4.4.3 (Kindle Locations 2807 - 2809). ASIS
International. Kindle Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• Organization (controlling):
o Have IT infrastructures, current telecommunications
technology, & flattening of organizational pyramids
enabled an expanded span-of-control?
o Can a single person supervise 100 people?
o Where settings emphasize self-directed, cross-
functional teams and very flat structures, span of
control is less relevant.
o Span-of-control more relevant in traditional, hierarchica
organizations.
POA: Security Management; Chapter 4.4.3 (Kindle Locations 2809-2811). ASIS International.
Kindle Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• Organization (controlling):
o Unity of command - an individual should report to
only one supervisor.
o Concept: “a person cannot effectively serve the
interests two or more managers.
o Supervisor’s responsibility to ensure the best
performance from the unit he or she manages.
o Most employees need clear understanding of which
policies they need to adhere to, who provides day-to-
day direction, quality control, and conflict resolution.
POA: Security Management; Chapter 4.4.3 (Kindle Locations 2812-2816). ASIS International.
Kindle Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• Organization (controlling):
o Senior security or assets protection professionals
should be placed high as possible in the structure of
an organization & report directly to senior or executive
management.
o Lines of authority, responsibility, and communications
should be as clear and direct as possible.
o Individual and organizational responsibility should
come with an appropriate level of authority.

POA: Security Management; Chapter 4.4.3 (Kindle Locations 2820-2825). ASIS International.
Kindle Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• Organization (controlling):
o Organizational alignments and structures should
consider the interrelationships among functions,
roles, and responsibilities (eye the overall mission).
o Communications channels should be structured to
allow effective mission accomplishment and
interaction.

POA: Security Management; Chapter 4.4.3 (Kindle Locations 2825-2829). ASIS International.
Kindle Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

01/01/02 Security theory, techniques, and processes

• Asset protection programs will not succeed unless
cultivates willing cooperation of workforce
• Mesh goals with personal goals of workforce – apply
motivational theories & behavior sciences.
• Cooperate with internal & external
organizations/personnel.
• Follow studies, trends, research.
• Understand people – learning styles, personalities.
• What motivates crime?
POA: Security Management (Kindle Locations 2885-2911). ASIS International. Kindle
Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

01/01/02 Security theory, techniques, and processes

• Groups – Review POA: Security Management; Security
Officer Operations; and Crisis Management, 4.5.2
APPLICATIONS OF BEHAVIORAL STUDIES IN ASSET
PROTECTION – 30 minutes then class discussion

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

01/01/02 Security theory, techniques, and processes

Discuss how motivational, behavioral theories impact
these security processes:
• Crime prevention & reaction
• Incident management
• Security personnel management
• Employee training & awareness
• Corporate ethics
• Liaison & leveraging other organizations

ASIS. POA: Security Management (Kindle Locations 2885-2911). ASIS International. Kindle
Edition.
October 2017 Dennis Shepp, CPP
Crime Prevention
• CPTED – Opportunity & rationalization reduction
o Maslow and McGregor
o Impact on criminal motivation
• Theft and workplace behavior
o John Clark and Richard Hollinger (1982), researchers
from the University of Minnesota Department of
Sociology.
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

01/01/02 Security theory, techniques, and processes

Discuss how motivational, behavioral theories impact
these security processes:
• Crime prevention & reaction
• Incident management
• Security personnel management
• Employee training & awareness
• Corporate ethics
• Liaison & leveraging other organizations

POA: Security Management; Chapter 4.5.2 (Kindle Locations 2885-2911). ASIS

International. Kindle Edition.
October 2017 Dennis Shepp, CPP
Incident Management
• Leadership and command – personality profiles
• Motivational theories: Satisfaction / Dissatisfaction
• Myers – Briggs, DiSC, ASSET (leadership in teams)
52
53
ASSESS Leadership in Teams
EARLY
RESOLVER
EVALUATOR TRAILBLAZER

TASK
IDEALS CRAFTER
COMMANDER

INSTINCT
PLAYER
COMMUNITY
MOBILIZER
MAKER

54
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

01/01/02 Security theory, techniques, and processes

Discuss how motivational, behavioral theories impact
these security processes:
• Crime prevention & reaction
• Incident management
• Security personnel management
• Employee training & awareness
• Corporate ethics
• Liaison & leveraging other organizations

POA: Security Management; Chapter 4.5.2 (Kindle Locations 2885-2911). ASIS International.
Kindle Edition.
October 2017 Dennis Shepp, CPP
Employee Awareness Training:
• Motivating employees to learn
• Personality types
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

01/01/02 Security theory, techniques, and processes

Discuss how motivational, behavioral theories impact
these security processes:
• Crime prevention & reaction
• Incident management
• Security personnel management
• Employee training & awareness
• Corporate ethics
• Liaison & leveraging other organizations

International, ASIS2885-2911). ASIS International. Kindle Edition.

October 2017 Dennis Shepp, CPP

Corporate Ethics:
• Motivating employees and organization leadership to
perform ethically
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

01/01/02 Security theory, techniques, and processes

Discuss how motivational, behavioral theories impact
these security processes:
• Crime prevention & reaction
• Incident management
• Security personnel management
• Employee training & awareness
• Corporate ethics
• Liaison & leveraging other organizations

POA: Security Management; Chapter 4.5.2 (Kindle Locations 2885-2911). ASIS International.
Kindle Edition.
October 2017 Dennis Shepp, CPP
Liaison & Leveraging other Organizations:
• Motivating others to cooperate and work as a team
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

01/01/03 Security industry standards

• A standard is a set of criteria, guidelines, and best
practices that can be used to enhance the quality and
reliability of products, services, or processes.
• “Voluntary standards might force security professionals
to conduct their work in a prescribed manner.”
• Security standards exist with more under development.
• Will likely work best if security professionals participate
in their development.
POA: Security Management; Chapter 3 – STANDARDS IN SECURITY (Kindle Locations 1723-
1735). ASIS International. Kindle Edition.

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Security industry standards:

• May address a product, service, or process.
• Voluntary (different from a regulation).
• Regulation may require compliance with a standard.
• Standards evolved from a technical to business issue of
strategic importance.
• Customers more easily judge product quality if it
conforms with standards.

ASIS. POA: Security Management; Chapter 3 – STANDARDS IN SECURITY (Kindle Locations

1742-1747). ASIS International. Kindle Edition.

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Standards are of nine main types:

• Basic
• Code
• Product
• Management systems
• Design
• Conformity assessment
• Process
• Personnel certification.
• Specification

They require periodic review to remain relevant and state-

of-the-art.

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Security industry standards - BENEFITS:

• Officially organizes best practices & processes.
• Shares lessons learned.
• Provides tools to “consistently” assess threats, risks,
vulnerabilities, criticalities, and impacts.
• Defines measurement methods (benchmarks, testing).
• Documents equipment performance requirements to
ensure effectiveness and safety.

ASIS. POA: Security Management; Chapter 3 – STANDARDS IN SECURITY (Kindle Locations

1753-1760). ASIS International. Kindle Edition.

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Security industry standards – BENEFITS (continued):

• Establishes design requirements for devices, systems, and
infrastructure to withstand threats.
• Define effective (consistent) methods for identification of
individuals.
• Enhance cross-jurisdictional information sharing and
interoperability.
• Provide for consistency of services.

ASIS. POA: Security Management; Chapter 3 – STANDARDS IN SECURITY (Kindle Locations

1765-1770). ASIS International. Kindle Edition.

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Security industry standards:

• ASIS International:
o Security and Resilience in Organizations and their Supply Chains -
Requirements with Guidance (ORM.1)
o Auditing Management Systems: Risk, Resilience, Security, and
Continuity - Guidance for Application (SPC.2)
o Chief Security Officer - An Organizational Model (CSO)
o Conformity Assessment and Auditing Management Systems for
Quality of Private Security Company Operations (PSC.2)
o Investigations
o Management System for Quality of Private Security Company
Operations - Requirements with Guidance (PSC.1)
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Security industry standards:

• ASIS International:
o Maturity Model for the Phased Implementation of a
Quality Assurance Management System for Private
Security Service Providers (SPC.3)
o Maturity Model for the Phased Implementation of the
Organizational Resilience Management System (SPC.4)
o Quality Assurance and Security Management for
Private Security Companies Operating at Sea—
Guidance (PSC.4)
o Risk Assessment (RA)
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Security industry standards:

• ASIS International:
o Security Management Standard: Physical Asset
Protection (PAP)
o Supply Chain Risk Management: A Compilation of Best
Practices (SCRM)
o Workplace Violence Preventionand Intervention
Standard (WPVI)
o ASTM International (formerly the American Society for
Testing and Materials)

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Security industry standards:

o Standards for high-rise evacuation equipment &
homeland security. (selection of antiterrorism physical
security measures for buildings and hospital
preparedness).
o More than 100 active standards relating to a broad
range of security concerns.

ASIS. POA: Security Management; Legal Issues; Security Officer

Operations; and Crisis Management (Kindle Locations 1803-1806).

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Security industry standards (continued):

• National Fire Protection Association (NFPA) (Several
security standards - premises security and installation of
electronic premises security systems.)
• American National Standards Institute (ANSI).
• Deutsches Institut für Normung (Germany).
• Japanese Industrial Standards Committee.
• International Organization for Standardization, ISO
(world’s largest standards developer - 159 member
countries).
• ISO standards address the global business community.

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Security industry standards (continued):

• ISO is non-governmental (stakeholders are private, public
& not-for-profit).
• ISO standards address: products, processes, services &
quality control.
• ISO does not regulate, legislate, or enforce.
• ISO standards often become recognized as industry best
practices and become market requirements.

POA: Security Management; Chapter 43.1.3 (Kindle Locations 1807-1839). ASIS

International. Kindle Edition.

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

More on ISO (continued):

o Equal footing of members (each ISO member
(country) has one vote).
o Market need (develops only standards where
identified market need or that facilitate international
or domestic trade).
o Consensus (standards based on consensus among
interested parties.
o Voluntary participation and application.
o Worldwide applicability.
POA: Security Management; Chapter 3.2.1 (Kindle Locations 1807-1847). ASIS
International. Kindle Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Security industry standards (continued):

• Standard more likely to be accepted if developed by all
interested parties/stakeholders.
Other standards – you can relate to these:
• Saudi Arabia (High Commission for Industrial Security)
o Physical security standards for organizations deemed
associated to national critical infrastructure
• Saudi Aramco
o Security Engineering Guidelines
• Others?
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

01/01/04 Continuous assessment and improvement

processes
• Management systems standards: has large impact on
security professionals.
• Designed to help organizations improve the ways in which
they provide services and perform processes.
• Widely accepted & used in many fields/disciplines.
• Developed to be generic – all types of organizations.
POA: Security Management; Chapter 3.4.1 (Kindle Location 1939-1942). ASIS
International. Kindle Edition.

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Management systems standards:

• Provides framework for what an organization should do –
leaving how to do it to them.
• Provides customers, suppliers, stakeholders confidence in
reliability.
• Show compliance with 9001: 2008 Quality Management
Systems— Requirements & ISO 14001: 2004
Environmental Management Systems— Requirements
with guidance for use.

POA: Security Management; Chapter 3.4.1 (Kindle Location 1939-1947). ASIS

International. Kindle Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Management systems standards (continued):

• ISO 9000 series very popular internationally.
• Management standards are NOT regulations.
• Tools to help meet goals, in quality, environmental
concerns, safety, security, preparedness or continuity.
• Based on Plan-Do-Check-Act (PDCA) (Deming Cycle).
• Framework for holistic, strategic approach to
management.

POA: Security Management; Chapter 3.4.1 (Kindle Location 1947-1955). ASIS

International. Kindle Edition.

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Management systems standards (continued):

• ISO 9000 series:
o Addresses quality management
o Helps organizations meet customer quality expectations
• Advantages to security professionals:
o Learn “Management speak”
o Gain professional advantage.
o Security may be viewed as a strategic business and
operational issue.
POA: Security Management; Chapter 3.4.2 (Kindle Location 1988).

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Management systems standards (continued):

• Benefits:
o Establishing benchmarks (measure progress &
outcomes).
o Forcing the organization to systematically identify risks
and problems as well as potential solutions.
o Including more participants (broad scope stakeholders).
o Provide problem solving & decision making tools.

POA: Security Management; Chapter 3.4.2 (Kindle Location 1991-2002). ASIS

International. Kindle Edition.

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Management systems standards (continued):

• Benefits (continued):
o Lead organization to study how standard operating
procedures & controls can enhance performance.
o Protects organization’s brand & reputation.
o Engage processes – PDCA Cycle

POA: Security Management; Chapter 3.4.3 (Kindle Location 1991-2002). ASIS

International. Kindle Edition.

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

PLAN – DO – CHECK – ACT (PDCA) CYCLE

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Quality: “Conformance to customer requirements.”

• Providing effective professional services or implementing
a meaningful assets protection program for the customer
within appropriate resource constraints means delivering
the required level of quality.
• Quality program involves tools, measures (metrics),
special processes, and the organization’s culture of
quality integrated into all business practices.

POA: Security Management; Chapter 4.4.1 (Kindle Locations 2763-2767).

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

01/01/05 Cross-functional organizational collaboration

• Security Managers who understand business are in
BEST position to collaborate with top management.
• Regarded as “business partners”.
• Cross-functional teams (Strike Planning) generally
representatives from the security, legal, human
resources, risk management, communications
departments, & operational line managers.
POA: Security Management; Chapter 1.1 and Chapter 2.3.1 (Kindle Locations 1152-1154,
9568-9570). ASIS International. Kindle Edition.

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• Collaboration can create management buy-in that

increases the likelihood that policies will be executed
and maintained.
• Assets protection a broad, complex function, many
departments or elements of an organization may be
involved in it.
• Convergence (integration of traditional and information
[systems] security functions) makes collaboration
important.
POA: Security Management; Chapter 1.3.1 and 4.1.2 (Kindle Locations 1305-1306, 2376-
2377, 2385-2387 ).

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• Security management requires effective interaction with

other stakeholders – communication skills key!
• Assets protection’s multidisciplinary nature - liaison and
collaboration with a wide variety of people,
organizations, agencies, specialties, and professions is
essential.
• Behavioral theory helps establish and maintain
relationships (network of professional contacts, inside &
outside the assets protection manager’s organization.)
POA: Security Management; Chapter 4.5.2 (Kindle Locations 2916-2918 ). ASIS International.
Kindle Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• Collaboration especially valuable & challenging in a

global environment that includes a wide range of
cultures, customs, and perspectives.
• Warren Bennis’ motivational theory promotes
collaboration with stakeholders to better manage &
resolve conflicts.
• Collaboration important process in all aspects of assets
protection.
POA: Security Management; Chapter 3.3 (Kindle Locations 17327). ASIS International. Kindle
Edition.

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Task 01/02 Develop, manage, or conduct the security

risk assessment process.

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Knowledge of:
01/02/01 Quantitative and qualitative risk
assessments
01/02/02 Vulnerability, threat, and impact
assessments
01/02/03 Potential security threats (for example,
all hazards, criminal activity)

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

01/02/01 Quantitative and qualitative risk assessments

01/02/02 Vulnerability, threat, and impact assessments
• Qualitative performance-based analysis - uses
designators like high, medium, and low to represent
interruption, neutralization, and system effectiveness.
• Often based on lists and depend on how analysts feel
about the solution.
• Qualitative estimates rank attack possibility as very
likely or highly unlikely.
POA: Physical Security; Chapters 1.2; 1.3; 11.3.3; (Kindle Locations 910-911, 1064-
1065, 6846-6847,). ASIS International. Kindle Edition.

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Qualitative analysis:
• Terms such as critical, high, medium, low, and
negligible may be used to gauge the asset value &
levels of risk components & risk itself.
• Most suitable when evaluating basic security
applications.
• Qualitative techniques are often based on lists and
depend on how analysts feel about the solution.
POA: Physical Security; Chapter 1.2 (Kindle Locations 910-911). ASIS International.
Kindle Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• Quantitative approach - requires measurable data.

• Easier to correlate security system performance and cost
(return on investment [ROI] can be demonstrated).
• Absence of quantitative evaluations of the security
effort is the chief reason senior executives fail to support
security programs.
• Consequence criteria should be shown in quantitative
terms.
• Assets with unacceptably high consequence of loss,
require a rigorous quantitative analysis, even if the
probability of attack is low.
POA: Physical Security; (Kindle Locations 909-911, 1130, 6725-6726).
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Quantitative analysis:
• Used to measure effectiveness of a physical protection
system (PPS) where primary functions are to detect,
delay, and respond.
• Discuss examples of using Qualitative & Quantitative
methods.

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• Qualitative & quantitative analysis should be based on

the application of the first principles of physical security
- to verify the effectiveness of installed protection
elements (equipment, people, and procedures).
• EXAMPLE: Calculating PPS Effectiveness (PE):
PE = PI × PN
PI = Probability of Interruption
PN = Probability of Neutralization
• Qualitative performance-based analysis - high, medium,
and low represent interruption, neutralization, &
system effectiveness.
POA: Physical Security; Chapters 11.2 & 11.3.2 (Kindle Locations 6757-6758, 6841-
6842, 6846-6847). ASIS International. Kindle Edition.
October 2017 Dennis Shepp, CPP
This is an example of qualitative
CERTIFIED PROTECTION or quantitative?
PROFESSIONAL (CPP)
Certification Examination Review

October 2017 Dennis Shepp, CPP

This is an example of qualitative
CERTIFIED PROTECTION or quantitative?
PROFESSIONAL (CPP)
Certification Examination Review

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• CARVER – Qualitative Analysis

• CARVER acronym for the following used to evaluate target
attractiveness:
o Criticality: measures public health & economic impacts
of an attack
o Accessibility: ability to physically access & egress from
target
o Recuperability: ability to recover from an attack
o Vulnerability: ease of accomplishing attack
o Effect: amount of direct loss from an attack
o Recognizability: ease of identifying target
POA: Physical Security; Chapter 11.3.1 (Kindle Locations 6810-6816). ASIS
International. Kindle Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• CARVER – Qualitative Analysis (continued)

• Modified CARVER:
o Criticality, Accessibility, Recuperability, Vulnerability,
Effect, Recognizability +
o Combined Health, economic & psychological impacts
of attack (shock effect).
• CARVER evaluates asset as a target of attack by adversary.
• Created by US gov’t – used by military
• Used as part of vulnerability assessment (VA)

POA: Physical Security; Chapter 11.3.1 (Kindle Locations 6810-6816). ASIS

International. Kindle Edition.

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• CARVER – Qualitative Analysis (continued)

• BEST: comparing assets that share mission, infrastructure
• POOR: Subjective, scoring issues, inconsistent

POA: Physical Security; Chapter 11.3.1 (Kindle Locations 6810-6816). ASIS

International. Kindle Edition.

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Performance-Based Analysis:
• Qualitative or quantitative analysis - Process:
1. Create an adversary sequence diagram (ASD) for all
asset locations.
2. Conduct a path analysis.
3. Perform a scenario analysis.
4. Complete a neutralization analysis, if appropriate.
5. Determine system effectiveness.
6. System effectiveness (or risk) = not acceptable - develop
and analyze upgrades.
POA: Physical Security; Chapter 11.3.2 (Kindle Locations 6810-6816).
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• Determining neutralization depends on effective

interruption
• Calculating PPS Effectiveness (PE):
PE = PI × PN
PI = Probability of Interruption
PN = Probability of Neutralization
• Qualitative performance-based analysis - high, medium,
and low represent interruption, neutralization, &
system effectiveness.
• Quantitative analysis uses numbers.
POA: Physical Security; Chapter 11.3.2 (Kindle Locations 6757-6758, 6841-6842,
6846-6847)
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Analysis Process - Adversary Sequence Diagrams (ASD):

• ASD a functional representation of the PPS at a facility
used to describe the specific protection elements
present.
• Paths adversaries can follow to accomplish sabotage or
theft.
• Done first – because a path analysis determines whether
a system has sufficient detection & delay to result in
interruption.

POA: Physical Security; Chapter 11.3.2 (Kindle Locations 6854-6855, 6855-6856).

October 2017 Dennis Shepp, CPP

 Adversary
Adversary completes
starts tasks tasks

TASK TASK TASK 3 TASK 4 TASK 5 TASK 6 TASK 7 TASK 8

1 2

PD1 PD2 PD3 PD4 PD5 PD5 PD5 PD5

0 0 DETECT DELAY DETECT DETECT DELAY & DELAY &

ALARM DELAY DELAY RESPONSE RESPONSE
VERIFY VERIFY CRITICAL CRITICAL
First 2nd Sensing 3rd Sensing
Sensing & &
verification verification
PPS RESPONSE TIME
Guard Force Response (Adequate Response)
RFT

Probability of Interruption PA = PD x PC
UNIVERSITY OF MARYLAND, Soroush Bassam, Researcher, 2015
https://pt.slideshare.net/SSoroushBassam/paper-35using-sysml-for-modelbased-vulnerability-
assessmentsoroushbassam03161522-46597784/2
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Adversary Sequence Diagrams (ASD) continued:

• Path with the lowest probability of interruption (PI) can
be determined.
• Calculating PPS Effectiveness (PE):
PE = PI × PN
PI = Probability of Interruption (measure of path
vulnerability)
PN = Probability of Neutralization
• Multiple paths compared = estimate of overall PPS
vulnerability can be made.
• ASD done manually or electronically (software tools).
POA: Physical Security; Chapter 11.3.2 (Kindle Locations 6858-6861)
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Adversary Sequence Diagrams (ASD) continued:

• 3-basic steps in creating ASD:
o Describing the facility by separating it into adjacent
physical areas
o Defining protection layers & path elements between
the adjacent areas
o Recording detection & delay values for each path
element
• Biggest mistake – only follow a single path from off-site
to the target location & not analysis on other paths.
POA: Physical Security; Chapter 11.3.2 (Kindle Locations 6861-6865, 6869).
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Adversary Sequence Diagrams (ASD) continued:

• Assess layers (outer to middle to inner then out)
• Key - ASD must be created for each asset (target
location) unless located together – same location.
• Complex facilities where several critical assets need
protection – ASD developed for each unique location.

POA: Physical Security; Chapter 11.3.2 (Kindle Locations 6874-6876).

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Risk assessment models and considerations

Risk Assessment: The process of assessing
security-related risks from from internal and
external threats to an entity, its assets and
personnel.

(Facilities Physical Security Guideline, ASIS International, Page 3 &

ASIS General Security Risk Assessment Guideline (2003), page 7)

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

ASIS General
October 2017
Security Risk Assessment Guideline (2003), page 7 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Risk Assessments:
• Developed in the insurance industry.
• Defined risk in terms of annualized loss expectancy,
which is the product of the potential loss from an event
and the likelihood of the event.
Risk = (Threat × Vulnerability × Impact)
• Risk assessment techniques:
o May be heuristic (ad hoc)
o Inductive
o Deductive.
• Methods are quantitative or qualitative.
POA: Physical Security; Chapter 1.2 (Kindle Locations 900-907, 908-909).
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Risk Assessments (continued):

• Risk = uncertain situation where a number of possible
outcomes might occur, one or more of which is
undesirable.
(the adverse outcomes (threats/hazards) an organization
wants to avoid * probability of consequences * impact
(magnitude).
POA: Physical Security; Chapter 1.2 (Kindle Locations 900-907).

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Risk Assessments (continued):

• Inductive techniques = a bottom-up approach.
• Risks are identified at the beginning of the analysis
rather than as a result of a systematic, deductive, top-
down approach.
• Deductive risk assessment uses logic diagrams to
determine how a particular undesired event may occur.
• Fault trees often used with event trees to determine the
basic causes of the event.
• Also use influence diagrams.
POA: Physical Security; Chapter 1.2 (Kindle Locations 912-917).
October 2017 Dennis Shepp, CPP
 ATTACK FACILITY
TO STEAL ASSET

OR

ATTACK
ATTACK ATTACK ATTACK ATTACK
ROOF
MAIN EMPLOYEE WALL REAR
ACCESS
DOOR DOOR I ROLLER
I
P P DOOR
P

OR

ATTACK
DEFEAT
USE KEY DOOR
LOCK
ON LOCK WITH
(PICKING)
I TOOLS
I
P
 ATTACK REAR
ROLLER DOOR

DRIVE CHEAT DOOR

VEHICLE ATTACK DOOR ENTER DOOR
LOCK &
THROUGH WITH TOOLS WITH KEY
HINDGES
DOOR

GET RIGHT
GET RIGHT GET KEY
TOOLS
VEHICLE FROM
COLLEAGUE

VEHICLE FIT
DOORWAY? STEAL KEY
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Risk Assessments (continued):

• Risk assessment examines outcome of successful
adversary attack + likelihood it will occur + how it will
occur + how many people will be affected.
• When entire population at risk = societal risk.
• Answer:
o What can go wrong?
o What is the likelihood that it would go wrong?
o What are the consequences?
• The process of identifying, measuring, quantifying, and
evaluating risks.
POA: Physical Security; Chapter 1.2 (Kindle Locations 928-934).
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Vulnerability Assessments:
• Performed to establish a baseline of PPS effectiveness in
meeting goals and objectives.
• Process of identifying and quantifying vulnerabilities.
• Vulnerability analysis is a method of identifying the
weak points of a facility, entity, venue, or person.
• A weakness that can be exploited by an adversary.
• Team must have broad experience.
• Don’t focus on individual PPS components – focus on
system.
POA: Physical Security; Chapter 1.3 and 1.7 (Kindle Locations 980, 1214-1220 ).
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Vulnerability Assessments (continued):

• Key to thoroughly evaluate the site PPS so that all paths
to the assets are equally protected.
• Consider what vulnerabilities exist given the defined
threats, considering their motivation, tools,
competence, and knowledge.
• The evaluation of the facility’s PPS is facility
characterization – using a site survey.
• Evaluate PPS effectiveness: detection, delay, and
response performance against threats.
POA: Physical Security; Chapter 1.7 (Kindle Locations 1254-1260).
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Primary PPS Functions:

• Detection, delay, and response are the three primary
functions of a PPS.
• Detection is the discovery of covert or overt action by
an adversary.
• Key measures of effectiveness for the detection
function:
o The probability of sensing adversary action
o The time required for reporting and assessing the
alarm.
POA: Physical Security; Chapter 1.7.3 (Kindle Locations 1278-1280).

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Primary PPS Functions (continued):

• Delay refers to the slowing down of adversary progress.
• Response force personnel considered elements of delay
if deployed in fixed, well-protected positions.
• Delay effectiveness is measured by the time required by
the adversary (after detection) to bypass each delay
element.
• If adversary delayed before detection, provides little
value - does not provide additional time for response.
• Delay before detection is a deterrent.
POA: Physical Security; Chapter 1.7.3 (Kindle Locations 1288-1292).
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Primary PPS Functions (continued):

• Response consists of actions by security officers to
prevent adversary success.
• Interruption requires security officers arrive quickly at
the right place to stop the adversary’s progress.
• Response requires communication to the security
officers of accurate information about adversary actions.
and officer.
• Deployment - the actions of the response force from the
time it receives a communication until it is in position to
interrupt the adversary.
POA Physical Security, Chapter 1.7.3 (Kindle Locations 1288-1295).
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Security Survey:
“A thorough physical examination of a facility and its
systems and procedures, conducted to assess the current
level of security, locate deficiencies, and gauge the degree
of protection required.”

ASIS Facilities Physical Security Measures Guideline, 2009, Pg 4

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

01/02/03 Potential security threats (for example, all

hazards, criminal activity)
Threat Definition (determining the threats/hazards):
• Threat – An action or an event that could result in a loss;
an indication that such an action or event might take
place. ASIS Facilities Physical Security Measures Guideline, 2009, Pg 4
• Threat definition occurs during risk assessment.
• 3 Adversary classes: outsiders, insiders, and outsiders in
collusion with insiders.
• For each class of adversary – define the full range of
tactics (deceit, force, stealth, or any combination).
ASIS POA: Physical Security; Chapter 1.3 (Kindle Locations 986-987).
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Threat Definition (continued):

• Design Basis Threat (DBT) - “the adversary against which
the utility (site) must be protected”.
• DBT requires consideration of:
o Threat type
o Tactics
o Mode of operations
o Capabilities
o Threat level
o Likelihood of occurrence.
POA: Physical Security; Chapter 1.3 (Kindle Locations 990-992).
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Threat Definition (continued):

• Design Basis Threat (DBT) - “the threat is human, not
accidental, natural or safety hazards”.
• PPS designed to stop attacks.
• Security refers to the measures used to protect people,
property, or the enterprise from malevolent human
threats
• The DBT includes threat characteristics such as vehicles,
weapons, tools, or explosives, & the threat’s
motivation.
POA: Physical Security Chapter 1.3 (Kindle Locations 998-1005).
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

• DBT - The threat spectrum uses categories or labels to

describe the specific threat characteristics for various
levels of threats. EXAMPLE:
“Vandals. This threat would consists of a small group of 2-5 unarmed
people, whose intent is to deface low-value company assets or
employee vehicles parked on-site. Attacks are most likely at night, but
daytime attacks have occurred. The vandals may be under the
influence of drugs or alcohol. They may carry a few basic hand tools,
such as pliers, wire cutters, screwdrivers, or hammers, as well as cans
of spray paint, paintball guns, or similar items. They do not have
insider assistance. They are not highly motivated and will flee or
surrender if they perceive that they are about to be caught.”

POA: Physical Security; Chapter 1.3 (Kindle Locations 1021-1030).

October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Threat Definition (continued):

• Hazard - “possible source of danger or conditions
(physical or operational) that have a capacity to produce
a particular type of adverse effect.”
ASIS Int’l, “Security and Resilience in Organizations and Their Supply Chains (2017),
Page 5.
• Emergencies or contingencies (3 – categories):
o Natural
o Human (either internal or external)
o Accidental.
POA: Crisis Management (Kindle Locations 19833-19834). ASIS International.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Types of Emergencies (continued):

• Fire • Civil disorder
• Explosion • Armed attack barricade/
• Water outage hostage incident
• Power outage • Severe weather (tornado,
• Computer system failure hurricane, thunderstorms,
• Telecommunications failure flood)
• Fuel leak • Other natural occurrences
• Hazmat (hazardous materials)
• (earthquakes, volcanoes)
incident
• Bomb incident
POA: Crisis Management (Kindle Locations 19846-19849). ASIS International. Kindle Edition.
October 2017 Dennis Shepp, CPP
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Task 01/03 Evaluate methods to improve the security program

on a continuous basis through the use of auditing, review, and
assessment

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Knowledge of:
01/03/01 Cost-benefit analysis methods
01/03/02 Risk management strategies (for example,
avoid, assume/accept, transfer, spread)
01/03/03 Risk mitigation techniques (for example,
technology, personnel, process, facility design)
01/03/04 Data collection and trend analysis techniques

October 2017 Dennis Shepp, CPP

Task 1.3.1 Evaluate methods to improve the security program
on a continuous basis through the use of auditing, review, and
assessment using cost-benefit analysis methods.

ASIS POA: Physical Security Chapter 12.3 INITIAL PHASES

(Kindle Locations 7153-7157)
• Level of protection for a group of assets must meet the
protection needs of the most critical asset in the group.
• Analysis and definition process is designed to:
o Ensure that the selected solutions will mitigate real
and specific vulnerabilities.
o Provide a cost/ benefit justification for each
solution.
 o Identify all elements (technology, staffing, and
procedures) and resources required for each solution.
o Provide a basis for the accurate and complete system
specification that will be used to procure and
implement the solutions.
ASIS POA: Security Management, Chapter 5.2 WHAT COST
EFFECTIVENESS MEANS (Kindle Locations 3259-3261).
• Cost-effectiveness means producing good results for
the money spent.
• Senior management - cost-effectiveness the primary
factor determining size or existence of the asset
protection program.
• The program must be measurable in financial terms.
• To maximize cost-effectiveness, a security manager
should do the following:
o Ensure operations are conducted in the least
expensive, but cost effective way.
o Maintain the lowest costs consistent with required
operational results.
o Ensure that the amount of money spent generates
the highest return.
• Cost-effectiveness in asset protection requires
balancing expenditures against results and revising
the plan as needed.
• Problem is the inability to justify the cost of an asset
protection.
• The question that senior management wants
answered is this: Does the asset protection function
accomplish anything that can be quantified and that
justifies its cost?
• The security manager must consider whether a given
resource is the most effective one available at the
stated cost.
• Can the security organization be a profit center?
ASIS. POA: Security Management; 5.3.1 RETURN ON
INVESTMENT, (Kindle Locations 3296-3297)
• How much net income is earned by investment.
• Also called return on equity.
• ROI gauges management’s overall effectiveness in
generating profits.
• ROI can be measured in time saved, improved
efficiency, reduced manpower, reduced losses, lower
liability or insurance payments, or greater customer
satisfaction.
• Translates into an improved bottom line over time.
• The expectation is that security measures should not
merely be efficient but should provide a positive
return on investment.
• ROI = AL + R AL = AVOIDED LOSS
R = RECOVERIES
CSP
CSP = SECURITY PROGRAM COSTS
Task 1.3.2 Evaluate methods to improve the security program
on a continuous basis through the use of auditing, review,
and assessment using risk management strategies (for
example, avoid, assume/accept, transfer, spread)
ANSI/ASIS ORM1-2007: Read & review:
Chapter 0.2 “Proactive Management of Risk to Build
Resilience”, pages xvi - xix
Chapters 4 and 5, pages 10 - 14.
Chapter 7.4, page 20.
Chapter 9, pages 23 – 32.
APPENDIX A-7: Pages 50 – 54.
APPENDIX C-2 “Prevention and Risk Mitigation
Procedures”, page 92.
ASIS POA: Physical Security, Chapter 1.2 RISK
ASSESSMENT/MANAGEMENT, (Kindle Locations 956-957)
• Risk Elimination: complete removal of the threat or risk
exposure
• Risk Reduction: modify activities, processes, equipment
or materials.
• Risk Transfer (Financing): Insurance.
• Risk Avoidance: Spread the risk – eliminate cause or
move the asset. (some cost)
• Risk Acceptance (Assumption): accepting the potential
risk and continuing existing security operations or
implementing some no-cost procedures to reduce the
risk to an acceptable level. (No cost)
• Risk Limitation (Reduction): implementing preventive,
detective, and response controls (the “D’s”). (Some cost)
Task 1.3.3 Evaluate methods to improve the security program
on a continuous basis through the use of auditing, review,
and assessment using risk mitigation techniques (for
example, technology, personnel, process, facility design).

ASIS POA: Security Management; Chapter 4.1.2

RELATION TO SECURITY AND OTHER DISCIPLINES, (Kindle
Location 2384).
• Countermeasures need to include people, hardware,
and software.
• Technology:
o Protection-in-depth (Read & review - POA Physical
Security PPS FUNCTION DETECTION, Chapters 4.1;
4.3; 4.4; 4.5)
 o Video and Alarm Assessment (Protection-in-depth
(Read & review - POA Physical Security; Chapter 5:
Video and Alarm Assessment
• Process:
o Business continuity Plans (POA Crisis Management;
Chapter 1)
• Personnel:
o Background investigations (POA Investigations)
o Training and awareness (Security Officer Guidelines)
• Facility:
o PPS applications (Facilities Physical Security
Guideline & POA Physical Security; Chapter 9)
Task 1.3.4 Evaluate methods to improve the security program
on a continuous basis through the use of auditing, review, and
assessment using data collection and trend analysis
techniques.
ASIS POA: Security Management, Chapter 3.4
MANAGEMENT SYSTEM STANDARDS, (Kindle Locations
1938-1939)
• Management system (MS) - the organization’s method of
managing its processes, functions, or activities.
• MS standards designed to help organizations improve
how they provide services and perform processes.
• Investigation – data collection using resume, application
form (POA Investigations, pges 167-169)
POA: Security Management Chapter 5.5 DATA CAPTURE,–
pges 116 – 118; 119-121
• Data capture – Collecting information is of paramount
importance to security management, and the easier it is
to create security reports.
ASIS. POA: Security Management 2.8.1 DATA CAPTURE AND
TREND ANALYSIS, (Kindle Locations 17167-17168).
• Data capture and trend analysis help the security
manager determine the effectiveness of the program.
• Shows what is working and what is not working.
• Justify department’s existence by detailing security
incidents and security responses.
• Trend analysis based on data.
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Task 01/04 Develop and manage external relations

programs with public sector law enforcement or other
external organizations to achieve security objectives.

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Knowledge of:
01/04/01 Roles and responsibilities of external
organization and agencies
01/04/02 Methods for creating effective working
relationships
01/04/03 Techniques and protocols of liaison
01/04/04 Local and national Public/Private
Partnerships

October 2017 Dennis Shepp, CPP

Task 1.4.1 Develop and manage external relations programs with public
sector law enforcement or other external organizations to achieve
security objectives explaining the roles and responsibilities of external
organization and agencies.

ASIS POA: Security Management Chapter 7.4 PRIVATE

POLICING ENVIRONMENTS, (Kindle Locations 4900-
4903).pages 190-198
• Police are responsible for managing crime and its effects.
• No other government agency regards itself as specifically
responsible for crime.
• If the police cannot prevent crime, one logical response is
to hire private security firms to do so.
• Private police can be viewed as an additional layer of
security for the community.
• Carlson 1995;
o Operational Roles – police serve public – enforce laws
– security broader and more general – asset
protection
o Financial (police budgets limited)
o Philosophy – same as operational roles – governed by
law
o Legal (security limited powers depend on police
powers)
o Security/political - police are restricted – security
broader – augment police
• Chaiken & Chaiken – Figure 7.2 page 198 –
Responsibilities of police and security – distinctions
outlined
POA, Security Management, CHAPTER 3: STANDARDS IN
SECURITY,
• ANSI and ISO Standards organizations (how they function)
READ & REVIEW:
• POA: Security Officer Operations; Chapter 1.10
PROPRIETARY VS CONTRACT SECURITY and
• CHAPTER 5: SELECTING AND ADMINISTERING THE
SECURITY SERVICES CONTRACT
ANSI/ASIS ORM.1-2017, Chapter 5.2.2 External Context,
page 12/13
• The organization shall identify relevant external
stakeholders, that may impact or be impacted by its
activities, functions, goods and services, that could
contribute to the risk profile.
Task 1.4.2 Develop and manage external relations programs with public
sector law enforcement or other external organizations to achieve
security objectives explaining methods for creating effective working
relationships.

ASIS. POA: Security Management; Chapter 4.5.2 Liaison and

Leveraging Other Organizations, (Kindle Location 2915)
• Liaison and collaboration with a wide variety of people,
organizations, agencies, specialties, and professions is
essential.
• Behavioral theory can help establish and maintain
internal and external relationships.
• Collaboration is especially valuable and challenging in a
global environment that includes a wide range of
cultures, customs, and perspectives.
POA: Security Management Chapter 7.1.3 PUBLIC/ PRIVATE
PARTNERSHIPS AND STATISTICS, ASIS. (Kindle Locations
4479-4480)
• Formal relationships – ASIS International Law
Enforcement Liaison Council (LELC); Private Security
Services Council; and Private Sector Liaison Committee
of the International Association of Chiefs of Police (IACP)
• Innovations like Operation Cooperation program –
models where police work together with security to
combat crime and deliver public safety services.
• Published a document, “Operation Cooperation”-
outlines the history of public/private partnerships and
advocates future cooperative work.
Task 1.4.3 Develop and manage external relations programs with public
sector law enforcement or other external organizations to achieve
security objectives explaining techniques and protocols of liaison.

POA Crisis Management; Chapter 1.7.3 MUTUAL AID (Kindle

Locations 20177-20178)
• Mutual aid association, businesses and other organizations agree
to assist each other by providing materials, equipment, and
personnel for disaster control during emergencies.
POA: Crisis Management Chapter 1.7.4 PUBLIC AFFAIRS/ MEDIA
RELATIONS (Kindle Locations 20191-20192).
• Single source in organization liaise with media.
POA: Security Management Chapter 7.1.3 PUBLIC/ PRIVATE
PARTNERSHIPS AND STATISTICS, (Kindle Locations 4479-4480) pages
183-184
• Police and security partnerships encouraged through meetings
such as ASIS and also having joint training exercises
Task 1.4.4 Develop and manage external relations programs with public
sector law enforcement or other external organizations to achieve
security objectives explaining local and national Public/Private
Partnerships.

POA: Security Management; Chapter 7.1.3 PUBLIC/ PRIVATE PARTNERSHIPS AND

STATISTICS, (Kindle Locations 4479-4480) pages 183-184; 188;
• Issues: Alarm response by police - became a burden, especially with false alarms
(95% or more responses were false alarms (Benson & Olick 1990; Cunningham
1994
• Solution: Private security encouraged by police to handle responses - relieves
financial strain from police
• Example: S. Africa (450 registered alarm companies with 500,000 clients)
• After developing relationships - more information sharing between police &
security.
• Conducting drills & exercises between police and security enhances liaison and
provides valuable data
• Security conducting own internal investigations help police (POA Investigations,
pges 7-9)
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Task 01/05 Develop, implement, and manage

employee security awareness programs to achieve
organizational goals and objectives

October 2017 Dennis Shepp, CPP

 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

Knowledge of:
01/05/01 Training methodologies
01/05/02 Communication strategies, techniques,
and methods
01/05/03 Awareness program objectives and
program metrics
01/05/04 Elements of a security awareness
program (for example, roles and responsibilities,
physical risk, communication risk, privacy)
October 2017 Dennis Shepp, CPP
Task 1.5.1 Develop, implement, and manage employee security
awareness programs to achieve organizational goals and objectives
describing training methodologies.

ASIS POA: Security Management, CHAPTER 10, SECURITY

AWARENESS, (Kindle Locations 6771-6772). Pages 296-299
• Consciousness (awareness) of an existing security
program, its relevance, and the effect of one’s behavior
on reducing security risks.
POA Chapter 10.3.1 TECHNIQUES, MATERIALS, RESOURCES,
(Kindle Locations 6886-6888).
• Unlike security training, security awareness material may
not contain specific security task information.
• Directs recipients to security content available elsewhere
and focus on generating support for the security
program.
• It should be enjoyable and interesting.
• Resources:
o Written materials
o AV equipment
o Formal Security Briefings
o Integration into line operations
o Inside experts
o Outside experts
o CBT (computer-based training)
Task 1.5.2 Develop, implement, and manage employee security
awareness programs to achieve organizational goals and objectives
describing communication strategies, techniques, and methods.

NOTE:
CHAPTER 10, SECURITY AWARENESS, ASIS POA: Security
Management, (Kindle Locations 6771-6772). Pages 296-299
Task 1.5.3 Develop, implement, and manage employee security
awareness programs to achieve organizational goals and objectives
describing awareness program objectives and program metrics.

POA Security Management, Chapter 10.3.3 MEASURING

THE PROGRAM, (Kindle Location 6953)
• Company losses before and after the security
awareness program was implemented.
• # of persons briefed and # of briefings conducted in
specific periods
• Topics covered, projected or actual briefing completion
date, and method of delivery
• Cost of briefings per employee
Task 1.5.4 Develop, implement, and manage employee security
awareness programs to achieve organizational goals and objectives
describing the elements of a security awareness program (for example,
roles and responsibilities, physical risk, communication risk, privacy).

ASIS POA, Security Management, Chapter 10 SECURITY

AWARENESS, pages 294 – 295) 10.1.1 EXECUTIVE
MANAGEMENT (Kindle Locations 6781-6782)
• Chief executives, chief operating officers, and other senior
personnel must be aware of the security program
because they are an enterprise’s top decision makers
regarding risk and resources.
• They need to perceive security programs positively.
• Security awareness means awareness of the security
program’s financial contribution to the bottom line.
POA Security Management, Chapter 10.1.2 MIDDLE
MANAGEMENT (Kindle Locations 6789-6792)
• Middle managers tend to be held accountable for the
success of their individual departments, so they view the
security program in terms of its contribution toward that
goal.
• If manager thinks the security program does not support
the business goals or program initiatives of the business
unit, he or she may not support the program.
• he result may be dislocations and strains that cause
failures elsewhere in the enterprise.
POA Security Management, Chapter 10.1.3 FIRST LINE
SUPERVISION (Kindle Locations 6799-6801)
• Security awareness focuses on how the security program
aids or detracts from specific performance objectives.
• Most complaints from employees about security first
raised with supervisor.
• Efforts should show supervisors that the time and
attention required to comply with security rules are
worthwhile in terms of supporting the supervisor’s main
tasks and protecting the employees and the business.
POA Security Management, Chapter 10.1.4 INDIVIDUAL
EMPLOYEES (Kindle Locations 6809-6811)
• If supervisors and managers are interested in and
supportive of security, employees may gain a favorable
view of the program and support it by observing its rules.
• If supervisors and managers disapprove of the security
program or show no interest in it, employees may feel
little motivation to support it.
POA Security Management, Chapter 10.1.5 NONEMPLOYEES
(Kindle Locations 6814-)
• Have less opportunity than employees to learn the
applicable security requirements.
• Some cases must be supported using a formal
confidentiality agreement.
 CERTIFIED PROTECTION PROFESSIONAL (CPP)
Certification Examination Review

PRACTISE EXAM QUESTIONS

October 2017 Dennis Shepp, CPP

A business unit’s top leadership will develop a
plan that provides a general direction for the
organization. This plan is the fundamental
template for direction that defines and supports
the organization’s long-term goals.
a. SWOT plan
b. Strategic plan
c. STEP plan
d. PEST plan
A business unit’s top leadership will develop a
plan that provides a general direction for the
organization. This plan is the fundamental
template for direction that defines and supports
the organization’s long-term goals.
a. SWOT plan
b. Strategic plan
c. STEP plan
d. PEST plan

POA: Security Management Kindle Edition.

This defines why the business exists, is essential
for developing organization-specific
management practices and how it will maintain
itself as a profitable, viable entity not only in the
moment but also three to five years out. This is
called a:
a. Organizational strategy
b. PEST plan
c. STEP strategy
d. SWOT plan
This defines why the business exists, is essential
for developing organization-specific
management practices and how it will maintain
itself as a profitable, viable entity not only in the
moment but also three to five years out. This is
called a:
a. Organizational strategy
b. PEST plan
c. STEP strategy
d. SWOT plan
POA: Security Management; (Kindle Locations
1199-1201). Kindle Edition.
Security professionals can most effectively
convince management of the need for security
by quantifying and prioritizing the loss potential
with presenting which of the following?
a. A strategic plan that applies to the entire
organization
b. A strategic plan that applies to the security
organization
c. A cost-benefit analysis and return-on-
investment assessment
d. A cost-benefit analysis with business unit
endorsement
Security professionals can most effectively convince
management of the need for security by quantifying
and prioritizing the loss potential with presenting
which of the following?
a. A strategic plan that applies to the entire
organization
b. A strategic plan that applies to the security
organization
c. A cost-benefit analysis and return-on-investment
assessment
d. A cost-benefit analysis with business unit
endorsement
POA: Security Management (Kindle Locations 16372-
16373). ASIS International.
WAECUP can be used as a blueprint for
developing security objectives. WAECUP stands
for which of the following?
a. Waste, Accidents, Environment,
Catastrophes, Unethical Practices
b. Waste, Accidents, Environment, Crisis,
Unethical Practices
c. Waste, Accidents, Error, Crime, Unethical
Practices
d. Waster, Accidents, Error, Crisis, Unethical
practices
WAECUP can be used as a blueprint for
developing security objectives. WAECUP stands
for which of the following?
a. Waste, Accidents, Environment,
Catastrophes, Unethical Practices
b. Waste, Accidents, Environment, Crisis,
Unethical Practices
c. Waste, Accidents, Error, Crime, Unethical
Practices
d. Waster, Accidents, Error, Crisis, Unethical
practices
POA: Security Management (Kindle Locations
3434-3435). ASIS International. Kindle Edition.
A model that includes “Environmental, and
Political” analysis and points out potential
sources of threats. The security manager can
then conduct an analysis to determine whether
such threats are likely and where they could
come from. This analysis is called a:
a. SWOT
b. STEP
c. PEST
d. TRA
A model that includes “Environmental, and
Political” analysis and points out potential
sources of threats. The security manager can
then conduct an analysis to determine whether
such threats are likely and where they could
come from. This analysis is called a:
a. SWOT
b. STEP
c. PEST
d. TRA
POA: Security Management (Kindle Locations
3439-3440). ASIS International. Kindle Edition.
A metric which measures how an organization
or individual is performing against defined goals
and objectives are called:
a. Defined Target Measures
b. Competence Based Metrics
c. Balanced Scorecard Metric
d. Key Performance Indicators
A metric which measures how an organization
or individual is performing against defined goals
and objectives are called:
a. Defined Target Measures
b. Competence Based Metrics
c. Balanced Scorecard Metric
d. Key Performance Indicators

ANSI/ASIS ORM.1-27, 3.33, definition of KPI,

page 5
The following is a clearly defined and
documented plan of action, typically covering
the key personnel, resources, services, and
actions needed to implement the incident
management process. It is referred to as a:
a. Management plan
b. Organizational plan
c. Strategic plan
d. Operational Plan
The following is a clearly defined and
documented plan of action, typically covering
the key personnel, resources, services, and
actions needed to implement the incident
management process. It is referred to as a:
a. Management plan
b. Organizational plan
c. Strategic plan
d. Operational Plan

ANSI/ASIS ORM.1-27, 3.33, definition of KPI,

page 5
The Plan-Do-Check-Act (PDCA) cycle is an
operating principle of ISO’s management
systems standards. It is also referred to as the:
a. Assess-Protect-Check-Action model
b. Assess-Protect-Confirm-Action model
c. Assess-Protect-Confirm-Improve model
d. Assess-Protect-Check-Improve model
The Plan-Do-Check-Act (PDCA) cycle is an
operating principle of ISO’s management
systems standards. It is also referred to as the:
a. Assess-Protect-Check-Action model
b. Assess-Protect-Confirm-Action model
c. Assess-Protect-Confirm-Improve model
d. Assess-Protect-Check-Improve model

POA: Security Management (Kindle Location

2021). ASIS International. Kindle Edition.
The Plan-Do-Check-Act (PDCA) cycle has a step
which looks at the planning analysis, then
devises a solution, prioritizes the next steps, and
develops a detailed action plan. This step is
referred to as which part of the cycle?
a. Plan
b. Do
c. Check
d. Act
The Plan-Do-Check-Act (PDCA) cycle has a step
which looks at the planning analysis, then
devises a solution, prioritizes the next steps, and
develops a detailed action plan. This step is
referred to as which part of the cycle?
a. Plan
b. Do
c. Check
d. Act

POA: Security Management (Kindle Locations

2025-2026). ASIS International. Kindle Edition.
The Plan-Do-Check-Act (PDCA) cycle has a step
where, one examines the solutions devised to
address the problems. The point is to check
whether the solutions are producing outcomes
that are consistent with the plan. This step is
referred to as which part of the cycle?
a. Plan
b. Do
c. Check
d. Act
The Plan-Do-Check-Act (PDCA) cycle has a step
where, one examines the solutions devised to
address the problems. The point is to check
whether the solutions are producing outcomes
that are consistent with the plan. This step is
referred to as which part of the cycle?
a. Plan
b. Do
c. Check
d. Act
POA: Security Management (Kindle Locations
2028-2030). ASIS International. Kindle Edition.
In the Plan-Do-Check-Act (PDCA) cycle, this is
the most critical stage and calls for identifying
and analyzing the organization’s problems and
events that could disrupt operations and assets.
This step is referred to as which part of the
cycle?
a. Plan
b. Do
c. Check
d. Act
In the Plan-Do-Check-Act (PDCA) cycle, this is
the most critical stage and calls for identifying
and analyzing the organization’s problems and
events that could disrupt operations and assets.
This step is referred to as which part of the
cycle?
a. Plan
b. Do
c. Check
d. Act
POA: Security Management (Kindle Locations
2023-2024). ASIS International. Kindle Edition.
Managing involves five (5) basic functions.
Which of the following BEST describes the
functions?
a. Planning, Organizing, Directing, Coordinating,
Controlling
b. Planning, Organizing, Managing,
Coordinating, Leading
c. Planning, Leading, Managing, Coordinating,
Controlling
d. Planning, Leading, Directing, Acting,
Controlling
Managing involves five (5) basic functions. Which
of the following BEST describes the functions?
a. Planning, Organizing, Directing, Coordinating,
Controlling
b. Planning, Organizing, Managing, Coordinating,
Leading
c. Planning, Leading, Managing, Coordinating,
Controlling
d. Planning, Leading, Directing, Acting,
Controlling
POA: Security Management (Kindle Location
2743). ASIS International. Kindle Edition.
In addition to the five (5) functions of
management, managers should be guided by
two (2) other principles, which are:
a. “Continuous improvement” and “Customer
service.”
b. “Quality” and “Who is the customer?”
c. “Continuous improvement” and
“Performance metrics.”
d. “Quality” and “Performance metrics.”
In addition to the five (5) functions of
management, managers should be guided by
two (2) other principles, which are:
a. “Continuous improvement” and “Customer
service.”
b. “Quality” and “Who is the customer?”
c. “Continuous improvement” and
“Performance metrics.”
d. “Quality” and “Performance metrics.”

POA: Security Management (Kindle Location

2745). ASIS International. Kindle Edition.
There are three (3) dimensions to managing the
security of assets. Which of the following BEST
describes the dimensions?
a. Security expertise, Leadership ability and
Ability to deal with people.
b. Security expertise, Leadership ability and
Ability to deal with employees.
c. Technical expertise, Leadership ability and
Ability to deal with employees.
d. Technical expertise, Management ability and
Ability to deal with people.
There are three (3) dimensions to managing the
security of assets. Which of the following BEST
describes the dimensions?
a. Security expertise, Leadership ability and
Ability to deal with people.
b. Security expertise, Leadership ability and
Ability to deal with employees.
c. Technical expertise, Leadership ability and
Ability to deal with employees.
d. Technical expertise, Management ability and
Ability to deal with people.
ASIS. POA: Security Management (Kindle Locations 2738-
2739). ASIS International. Kindle Edition.
The “span of control” principle suggests that a
single person can supervise only a limited
number of staff members effectively. The
specific number depends on such factors as the
nature of the work and type of organization, but
as a general rule one manager can effectively
supervise up to how many persons?
a. Up to five (5) persons
b. Up to eight (8) persons
c. Up to ten (10) persons
d. Up to fifteen (15) persons
The “span of control” principle suggests that a
single person can supervise only a limited number
of staff members effectively. The specific number
depends on such factors as the nature of the work
and type of organization, but as a general rule one
manager can effectively supervise up to how
many persons?
a. Up to five (5) persons
b. Up to eight (8) persons
c. Up to ten (10) persons
d. Up to fifteen (15) persons
POA: Security Management (Kindle Locations
2807-2809). ASIS International. Kindle Edition.
The following theory asserts that a person’s
behavior is driven by basic needs at different
levels and is still widely recommended to analyze
individual employee motivation. It is referred to
which of the following?
a. Maslow’s Theory
b. McGregor’s Theory
c. Hertzberg’s Theory
d. Motivation-Hygiene Theory
The following theory asserts that a person’s
behavior is driven by basic needs at different
levels and is still widely recommended to analyze
individual employee motivation. It is referred to
which of the following?
a. Maslow’s Theory
b. McGregor’s Theory
c. Hertzberg’s Theory
d. Motivation-Hygiene Theory

POA: Security Management (Kindle Location

2856). ASIS International. Kindle Edition.
The following theory asserts is based on the
premise that the opposite of satisfaction is not
dissatisfaction but simply no satisfaction. The
theory maintains that two sets of factors
determine a worker’s motivation, attitude, and
success. It is referred to which of the following?
a. Maslow’s Theory
b. McGregor’s Theory
c. Hertzberg’s Theory
d. Hierarchy of Needs Theory
The following theory asserts is based on the
premise that the opposite of satisfaction is not
dissatisfaction but simply no satisfaction. The
theory maintains that two sets of factors
determine a worker’s motivation, attitude, and
success. It is referred to which of the following?
a. Maslow’s Theory
b. McGregor’s Theory
c. Hertzberg’s Theory
d. Hierarchy of Needs Theory
The following theory asserts job content
(motivators), such as achievement, recognition,
responsibility, and satisfaction are derived from
work itself, is BEST described as part of which of
the following theories?
a. Maslow’s Theory
b. McGregor’s Theory
c. Hertzberg’s Theory
d. Hierarchy of Needs Theory
The following theory asserts job content
(motivators), such as achievement, recognition,
responsibility, and satisfaction are derived from
work itself, is BEST described as part of which of
the following theories?
a. Maslow’s Theory
b. McGregor’s Theory
c. Hertzberg’s Theory
d. Hierarchy of Needs Theory
POA: Security Management (Kindle Locations
2867-2868). ASIS International. Kindle Edition.
The following theory asserts that managers should
avoid quick fixes. Manipulating hygiene factors
may alleviate dissatisfaction but will not result in a
state of satisfaction. Allowing an individual to
reach a state of satisfaction requires changes in
the work content itself, such as increased
autonomy or responsibility. This is BEST described
as part of which of the following theories?
a. Maslow’s Theory
b. McGregor’s Theory
c. Hertzberg’s Theory
d. Hierarchy of Needs Theory
The following theory asserts that managers should
avoid quick fixes. Manipulating hygiene factors may
alleviate dissatisfaction but will not result in a state
of satisfaction. Allowing an individual to reach a
state of satisfaction requires changes in the work
content itself, such as increased autonomy or
responsibility. This is BEST described as part of
which of the following theories?
a. Maslow’s Theory
b. McGregor’s Theory
c. Hertzberg’s Theory
d. Hierarchy of Needs Theory
POA: Security Management (Kindle Locations 2873-2874).
ASIS International. Kindle Edition.
The following theory contends that workers are
inherently lazy and tend to avoid work. They lack
creative ambition, require constant supervision,
and are motivated by fear. This is BEST described
as part of which of the following theories?
a. Maslow’s Theory
b. McGregor’s Theory
c. Hertzberg’s Theory
d. Hierarchy of Needs Theory
The following theory contends that workers are
inherently lazy and tend to avoid work. They lack
creative ambition, require constant supervision,
and are motivated by fear. This is BEST described
as part of which of the following theories?
a. Maslow’s Theory
b. McGregor’s Theory
c. Hertzberg’s Theory
d. Hierarchy of Needs Theory

POA: Security Management (Kindle Locations

2859-2861). ASIS International. Kindle Edition.
A set of criteria, guidelines, and best practices that
can be used to enhance the quality and reliability
of products, services, or processes, is the
definition for which of the following?
a. Guideline
b. Standard
c. Regulation
d. Code
A set of criteria, guidelines, and best practices that
can be used to enhance the quality and reliability
of products, services, or processes, is the
definition for which of the following?
a. Guideline
b. Standard
c. Regulation
d. Code

POA: Security Management Chapter 3 –

STANDARDS IN SECURITY (Kindle Locations 1723-
1735). ASIS International. Kindle Edition.
Which of the following statements concerning
security industry standards is NOT TRUE?
a. Standard addresses a product, service, or
process.
b. Standards are mandatory and require
compliance.
c. Regulation may require compliance with a
standard.
d. Customers more easily judge product quality if
it conforms with standards.
Which of the following statements concerning
security industry standards is NOT TRUE?
a. Standard addresses a product, service, or
process.
b. Standards are mandatory and require
compliance.
c. Regulation may require compliance with a
standard.
d. Customers more easily judge product quality if it
conforms with standards.
POA: Security Management, Chapter 3 – STANDARDS IN
SECURITY (Kindle Locations 1742-1747). ASIS International.
Kindle Edition.
Which of the following statements concerning ISO
industry standards is TRUE?
a. ISO is governmental organization.
b. ISO standards address: training, employee
competencies, products, processes, services
& quality control.
c. ISO regulates, legislates, and enforces
compliance to standards.
d. ISO standards often become recognized as
industry best practices and become market
requirements.
Which of the following statements concerning ISO
industry standards is TRUE?
a. ISO is governmental organization.
b. ISO standards address: training, employee
competencies, products, processes, services
& quality control.
c. ISO regulates, legislates, and enforces
compliance to standards.
d. ISO standards often become recognized as
industry best practices and become market
requirements.
POA: Security Management (Kindle Locations 1807-1839).
ASIS International. Kindle Edition.
Which one of the following statements, BEST
describes ISO management systems standards?
a. ISO 9000 is a standard which requires
mandatory compliance, noncompliance may
net a financial penalty.
b. ISO 9000 regulates environmental
management systems.
c. ISO management systems are based on the
PDCA Cycle.
d. ISO regulates, legislates, and enforces
compliance to standards.
Which one of the following statements, BEST
describes ISO management systems standards?
a. ISO 9000 is a standard which requires
mandatory compliance, noncompliance may
net a financial penalty.
b. ISO 9000 regulates environmental
management systems.
c. ISO management systems are based on the
PDCA Cycle.
d. ISO regulates, legislates, and enforces
compliance to standards.
POA: Security Management (Kindle Location 1947-1955).
ASIS International. Kindle Edition.
The “integration of traditional security functions
and information [systems], IT security functions”
is known as:

a. Security Organization Integration

b. Security Management Systems
c. IT and Security Merger
d. IT and Security Convergence
The “integration of traditional security functions
and information [systems], IT security functions”
is known as:

a. Security Organization Integration

b. Security Management Systems
c. IT and Security Merger
d. IT and Security Convergence
POA: Security Management (Kindle Locations 2385-2386).
ASIS International. Kindle Edition.
“An organization can be an adaptive, problem-
solving, innovative system operating in and coping
with rapidly changing environments. Bureaucracy
and the “organization man” will have no place in
future organizations.” This is a theory known as
which of the following?

a. Warren Bennis’ Theory

b. Crime Prevention Through Environmental
Design
c. Herzberg’s Theory
d. Maslow’s Theory
“An organization can be an adaptive, problem-
solving, innovative system operating in and coping
with rapidly changing environments. Bureaucracy
and the “organization man” will have no place in
future organizations.” This is a theory known as
which of the following?
a. Warren Bennis’ Theory
b. Crime Prevention Through Environmental
Design
c. Herzberg’s Theory
d. Maslow’s Theory
POA: Security Management (Kindle Locations
17320-17322). ASIS International. Kindle Edition.
To monitor and measure an organization’s risk
management performance, a set of performance
indicators should be developed to measure both
the management systems and its outcomes.
Measurements should meet which of the
following metrics?
a. Quantitative and PDCA
b. Qualitative and SMART
c. Quantitative or Qualitative
d. Quantitative and SMART
To monitor and measure an organization’s risk
management performance, a set of performance
indicators should be developed to measure both
the management systems and its outcomes.
Measurements should meet which of the
following metrics?
a. Quantitative
b. Qualitative
c. Quantitative or Qualitative
d. Quantitative and SMART
ANSI/ASIS ORM.1-2017, A.10 PERFORMANCE EVALUATION, A.10.1
“Monitoring and Measurement”, page 78
An analysis approach that does not use numbers
or numeric values to describe the risk
components. The approach uses terms such as
critical, high, medium, low, and negligible to
gauge the asset value & levels of risk components
& risk itself. This approach is BEST described as:
a. Quantitative
b. Qualitative
c. Metrics
d. SMART
An analysis approach that does not use numbers
or numeric values to describe the risk
components. The approach uses terms such as
critical, high, medium, low, and negligible to
gauge the asset value & levels of risk components
& risk itself. This approach is BEST described as:
a. Quantitative
b. Qualitative
c. Metrics
d. SMART
POA: Physical Security; Applications; Information Security; and
Investigation (Kindle Locations 909-911, 1130, 6725-6726). ASIS
International. Kindle Edition.
In the following formula:
PE = PI x PN
What does PE represent?
a. PPS effectiveness
b. Probability of interruption
c. Probability of neutralization
d. Probability of event
In the following formula:
PE = PI x PN
What does PE represent?
a. PPS effectiveness
b. Probability of interruption
c. Probability of neutralization
d. Probability of event

POA: Physical Security; Applications; Information

Security; and Investigation (Kindle Locations 6757-6758,
6841-6842, 6846-6847). ASIS International. Kindle
Edition.
An assessment approach that is used to evaluate
target attractiveness. The approach includes
criticality, accessibility, recuperability,
vulnerability, effect and recoverability. This
approach is BEST described as the:
a. Vulnerability assessment
b. Risk assessment
c. CARVER assessment
d. Security survey
An assessment approach that is used to evaluate
target attractiveness. The approach includes
criticality, accessibility, recuperability,
vulnerability, effect and recoverability. This
approach is BEST described as the:
a. Vulnerability assessment
b. Risk assessment
c. CARVER assessment
d. Security survey
POA: Physical Security; Applications; Information Security; and
Investigation (Kindle Locations 6810-6816). ASIS International.
Kindle Edition.
Describing the facility by separating it into
adjacent physical areas, defining protection layers
& path elements between the adjacent areas and
recording detection & delay values for each path
element tests the existing PPS at a facility. This
approach is BEST described as:
a. A vulnerability assessment
b. A risk assessment
c. An Adversarial Path Diagram
d. A Threat Event Profile
Describing the facility by separating it into
adjacent physical areas, defining protection layers
& path elements between the adjacent areas and
recording detection & delay values for each path
element tests the existing PPS at a facility. This
approach is BEST described as:
a. A vulnerability assessment
b. A risk assessment
c. An Adversarial Path Diagram
d. A Threat Event Profile
POA: Physical Security; Applications; Information
Security; and Investigation (Kindle Locations 6861-6865,
6869). ASIS International. Kindle Edition.
The process of assessing security-related risks
from from internal and external threats to an
entity, its assets and personnel, is BEST described
as:
a. Risk assessment
b. Vulnerability assessment
c. CARVER assessment
d. Security survey
The process of assessing security-related risks
from from internal and external threats to an
entity, its assets and personnel, is BEST described
as:
a. Risk assessment
b. Vulnerability assessment
c. CARVER assessment
d. Security survey

Facilities Physical Security Guideline, ASIS International,

Page 3
The product of the potential loss from an event
and the likelihood of the event, is BEST described
as:
a. Risk Profile
b. Annual Loss Expectancy
c. Vulnerability Exposure
d. Loss event Profile
The product of the potential loss from an event
and the likelihood of the event, is BEST described
as:
a. Risk Profile
b. Annual Loss Expectancy
c. Vulnerability Exposure
d. Loss event Profile

POA: Physical Security; Applications; Information Security; and

Investigation (Kindle Locations 900-907, 908-909). ASIS
International. Kindle Edition.
An uncertain situation where a number of
possible outcomes might occur, one or more of
which is undesirable, BEST describes which of the
following?
a. Risk
b. Threats
c. Loss
d. Targets
An uncertain situation where a number of
possible outcomes might occur, one or more of
which is undesirable, BEST describes which of the
following?
a. Risk
b. Threats
c. Loss
d. Targets
POA: Physical Security; Applications; Information Security; and
Investigation (Kindle Locations 900-907). ASIS International. Kindle
Edition.
A risk assessment process that is a bottom-up
approach where risks are identified at the
beginning of the analysis rather than as a result
of a systematic, top-down approach, is BEST
described as the following:
a. Deductive risk assessment
b. Inductive risk assessment
c. Deductive risk analysis
d. Inductive risk analysis
A risk assessment process that is a bottom-up
approach where risks are identified at the
beginning of the analysis rather than as a result
of a systematic, top-down approach, is BEST
described as the following:
a. Deductive risk assessment
b. Inductive risk assessment
c. Deductive risk analysis
d. Inductive risk analysis

POA: Physical Security; Applications; Information

Security; and Investigation (Kindle Locations 912-917).
ASIS International. Kindle Edition.
This assessment is performed to establish a
baseline of PPS effectiveness in meeting goals
and objectives. The process is a method of
identifying the weak points of a facility, entity,
venue, or person. This is BEST described as a:
a. Risk assessment
b. Risk analysis
c. Security survey
d. Vulnerability assessment
This assessment is performed to establish a
baseline of PPS effectiveness in meeting goals and
objectives. The process is a method of identifying
the weak points of a facility, entity, venue, or
person. This is BEST described as a:
a. Risk assessment
b. Risk analysis
c. Security survey
d. Vulnerability assessment

POA: Physical Security; Applications; Information Security;

and Investigation (Kindle Locations 980, 1214-1220 ). ASIS
International. Kindle Edition.
The three (3) primary functions of a PPS are:
a. Detect, delay and response
b. Deter, detect and response
c. Deter, delay and response
d. Detect, deter and response
The three (3) primary functions of a PPS are:
a. Detect, delay and response
b. Deter, detect and response
c. Deter, delay and response
d. Detect, deter and response

POA: Physical Security; Applications; Information

Security; and Investigation (Kindle Locations 1278-1280).
ASIS International. Kindle Edition.
This process requires consideration of the threat
type, tactics, mode of operations, capabilities,
threat level, and likelihood of occurrence. The
definition can be modified to include all sites,
not only utilities. Threats come from malevolent
humans, not accidental (safety-related) events.
This process is BEST defined as which of the
following?
a. Design Basis Threats
b. Loss Event Profiles
c. Adversarial Sequence Diagrams
d. Threat Risk Assessment
This process requires consideration of the threat
type, tactics, mode of operations, capabilities,
threat level, and likelihood of occurrence. The
definition can be modified to include all sites, not
only utilities. Threats come from malevolent
humans, not accidental (safety-related) events.
This process is BEST defined as which of the
following?
a. Design Basis Threats
b. Loss Event Profiles
c. Adversarial Sequence Diagrams
d. Threat Risk Assessment
POA: Physical Security (Kindle Locations 991-994). ASIS International.
Kindle Edition.
Which of the following definitions, BEST describes
a “Hazard”?
a. “Possible source of danger or conditions
(physical or operational) that have a capacity to
produce a particular type of adverse effect.”
b. “Possible risk (physical or operational) that can
cause a workplace accident.”
c. “Possible source of danger (adversary) that can
produce an adverse effect.”
d. “Confirmed source of danger (adversary) that
can produce an adverse effect.”
Which of the following definitions, BEST describes
a “Hazard”?
a. “Possible source of danger or conditions
(physical or operational) that have a capacity
to produce a particular type of adverse effect.”
b. “Possible risk (physical or operational) that can
cause a workplace accident.”
c. “Possible source of danger (adversary) that can
produce an adverse effect.”
d. “Confirmed source of danger (adversary) that
can produce an adverse effect.”

ANSI/ASIS ORM.1-2017, page 5

The annual costs of nuisance alarms in Y1 were compared to
the costs in Y2, after nuisance alarms were reduced. Nuisance
fire alarms cost the organization $ 50,000 in Y1, alarm costs
dropped to $ 10,000 in Y2, resulting in an avoided loss of $
40,000. The annual cost of the nuisance alarm reduction
initiative is $ 10,000. Determine the ROI using the formula
below.
ROI = AL + R
CSP
The organization saves _______.?
a. $10,000
b. $20,000
c. $30,000
d. $40,000
The annual costs of nuisance alarms in Y1 were compared to
the costs in Y2, after nuisance alarms were reduced. Nuisance
fire alarms cost the organization $ 50,000 in Y1, alarm costs
dropped to $ 10,000 in Y2, resulting in an avoided loss of $
40,000. The annual cost of the nuisance alarm reduction
initiative is $ 10,000. Determine the ROI using the formula
below.
ROI = AL + R
CSP
The organization saves _______.?
a. $10,000
b. $20,000
c. $30,000
d. $40,000
POA: Security Management (Kindle Locations 3327-3330). ASIS
International. Kindle Edition.
Insurance coverage on an asset is considered the
most common form of what type of risk
management?
a. Risk Spreading
b. Risk Reduction
c. Risk Transfer
d. Risk Acceptance
Insurance coverage on an asset is considered the
most common form of what type of risk
management?
a. Risk Spreading
b. Risk Reduction
c. Risk Transfer
d. Risk Acceptance

POA: Security Management (Kindle Location

2933). ASIS International. Kindle Edition.
Which of the following BEST describes “Unity of
Command”?
a. Dictates that an individual is accountable for
more than one (1) employee.
b. Dictates that an individual report to only one
(1) supervisor.
c. States how many persons a supervisor may
effectively supervise.
d. States the number of security personnel.
required to function when guided by incident
management situations.
Which of the following BEST describes “Unity of
Command”?
a. Dictates that an individual is accountable for
more than one (1) employee.
b. Dictates that an individual report to only one
(1) supervisor.
c. States how many persons a supervisor may
effectively supervise.
d. States the number of security personnel.
required to function when guided by incident
management situations.
POA: Security Management (Kindle Location
2813). ASIS International. Kindle Edition.
 CERTIFIED PROTECTION PROFESSIONAL
(CPP)
Certification Examination Review

SECURITY PRINCIPLES & PRACTICES (21%)

October 2017 Dennis Shepp, CPP