Chapter 7 SIS 210
what area is generally the most vulnerable to major loss due to crime?
accounting
why do cost-effectiveness studies need to be made?
as part of a periodic review of protection systems, even though such studies cannot be used as a general rule in devising a magic formula for computing the cost per $1000 actually saved in cash or goods that would otherwise have been lost
if the security director cannot assign a probability or criticality to a certain item what should they do?
assume the criticality to be fatal and the probability virtually certain
what systems in the accounting sector must be reevaluated regularly?
cashier, accounts receivable, accounts payable, payroll, company bank accounts
what is 3-D coverage?
comprehensive dishonesty, destruction, and disappearance coverage. these policies are designed to provide the widest possible coverage in cases of criminal attack of various kinds
risk spreading?
decentralizing a procedure or operation so that a security or safety problem at one location will not cause a complete loss
risk reduction?
decreasing the potential ill effects of safety and security problems when it is impossible to avoid them
what does a security survey do?
determine existing state of security, locate weaknesses, determine degree of protection required, make recommendations
what is the fidelity coverage insurance type?
employee honesty insurance (coverage provides payment for losses due to employee acts of dishonesty which can include falsifying expense reports, stealing cash, etc)
terrorism risk insurance act of 2002
established a federal program to share the burden of commercial property and casualty losses resulting from acts of terrorism with the private sector. it was to cease in 2005, but was extended for 15 years via the TRIREA
what are the additional types of insurance?
fire insurance, business property insurance, liability insurance, workers' compensation insurance, portfolio commercial crime insurance, cyber liability coverage
describe kidnap and ransom insurance
generally covers all costs associated with recovery of a kidnapped executive/key employee. certain security measures must be followed with this coverage: 1) execs and key employees must maintain secrecy about the existence of coverage 2) verifiable education and awareness training, including countermeasures and defensive driving, may also be called out in the policy 3) every reasonable effort must be made to contact the police, FBI, and insurance company before payment is made 4) serial numbers on ransom money must be recorded 5) a plan of action for dealing with kidnapping must be in place
what can security be considered as?
insurance against unacceptable risk
why is it wise to "bond" employees with the fidelity coverage insurance?
it is a further check on backgrounds of employees who handle cash/high value merchandise
risk management definition
making the most efficient before-the-loss arrangement for an after-the-loss continuation of business; it allows risk to be managed in a logical manner
do insurance companies usually provide coverage against loss of use and extra expense coverage?
no, but both of these losses can be covered either by endorsement or by additional policies that will provide that coverage on a broad basis
can insurance be used to replace security program?
no; adequate safety and security measures must be in place before coverage. it is impossible to insure against all possible losses. insurance is supportive of security operations rather than the principal defense
what may asset assessments include (not limited to)?
people, buildings, machines, raw materials, paperwork/info stored in computer systems
when one is analyzing the facility what should one look at?
perimeter, parking lot, adjacent building windows/rooftops, doors/windows less than 18 feet above ground level, the roof, lock control, shared occupancy, all areas containing valuables, the off hours of the facility, nighttime hours, control of entry into the facility, keys/key control (traditional & electronic), fire control/suppression, computer access, video surveillance, computer systems & network, landscaping
what are the basics of probability calculations?
physical location, physical aspects of the facility, procedures, policies, history of the industry, specific site history, state of the art of the criminal element
what are key areas of internal concern?
pilferage/theft, sabotage, corporate espionage, money storage/handling, drug storage, mail/postal operations, high-value item storage, shipping/receiving, chemical/explosives storage, fuel pumps/storage, utilities, telecommunications distribution rooms
self-assumption of risk?
planning for an eventual loss without the benefit of insurance
what is the probability/criticality/vulnerability matrix? (pretend they are side by side)
probability: 1) virtually certain 2) highly probable 3) moderately probable 4) probable 5) improbable 6) probability unknown; criticality: A) fatal B) very serious C) moderately serious D) serious E) relatively unimportant F) criticality unknown
describe federal crime insurance program
provides federally funded crime insurance at reasonable rates
describe surety coverage
provides protection for failure to live up to contractual obligations
what is the first step in risk management?
recognize the threat
what is risk avoidance?
removing the problem by eliminating the risk
risk transfer?
removing the risk to the company by paying for the protection of an insurance policy
what else constitutes dollar loss?
replacement cost, temporary replacement, downtime, discounted cash, insurance rate change, loss of market place advantage, impact to company reputation
what is an example in a threat assessment?
retailer less concerned about fire hazards than a manufacturing firm (retailer is more concerned with shoplifting). each individual firm has problems and threats that are unique
what are the alternatives for optimizing risk management?
risk avoidance, risk reduction, risk spreading, risk transfer, self assumption of risk
who is a security survey conducted by?
staff security personnel/qualified security specialists who are trained in the field and have achieved a high level of ability
how do you determine the cost-effectiveness of security?
the average losses suffered by the industry in general, or the reduction in losses by the organization over a given period
what is the definition of criticality?
the impact of a loss as measured in dollars
what is the risk equation?
threat x vulnerability x impact (on asset value) = risk
when does graft become a security matter?
when the agent succumbs to the extent of paying for goods never delivered or paying invoices twice
what can some security files contain/provide information on?
1) certain days/seasons/times emerge when problems occur 2) targets for crime become evident as data is gathered 3) a profile of the types and incidences of crimes may emerge 4) patterns and modus operandi may become evident 5) criminal assaults on company property may take a definable shape or description
what is a risk analysis?
1) identification of areas of potential loss 2) development and installation of appropriate security countermeasures; it must be a comprehensive, integrated function
what are some considerations when looking at the information systems (to analyze computer-related security problems)?
1) are adequate auditing procedures in effect on all programs and systems? 2) what are the protocols governing system access? 3) how is computer use logged? how is the accuracy of this record verified? 4) how is remote access tracked for LANs, WANs, WLANs? 5) are firewalls adequate? 6) is there outside access through the internet? 7) are downloads to laptops/tablets audited? 8) what are the offsite storage procedures? updates? 9) how is key control to the information system handled? authorization? 10) how are access control authorizations managed and updated? 11) what are the fire prevention/protection/suppression procedures? 12) is there off-site back-up hardware? how is it secured? 13) what are the procedures for hard copies of confidential information?
what would the security manager consider to ensure personal information is properly protected?
1) can the Human Resources area be isolated from the rest of the facility and/or building after hours? 2) how are the door and file keys secured? how is access control to Human Resources areas managed? if human resource records are stored on computer systems, are proper controls in place? can computer files be accessed from remote locations? 3) are hard copy files kept locked during the day when they are not in use? 4) what system is followed with regard to the payroll department when employees are hired or terminated? 5) what are the relationships between personnel and payroll staff? 6) what are the employment procedures? how are applicants screened? 7) how closely do personnel work with security on personnel employment procedures? 8) are new employees given a security briefing? by whom? 9) does the company have an incident reporting system? are employees aware of the program? does the company have a follow-up security awareness training program?
what are some concerns in the purchasing function in which security is involved?
1) double payment of invoices? 2) competitive bids for purchases (lowest bids)? 3) forms used for ordering? 4) scrap/waste haulaway?
what does a good risk-management program involve?
1) identification of risks through the analysis of threats and vulnerabilities 2) analysis and study of risks, which includes the probability and severity of an event 3) optimization of risk-management alternatives (risk avoidance, risk reduction, risk spreading, risk transfer, self-assumption of risk, any combination of the above) 4) ongoing study of security programs
what are some questions to consider when looking at the shipping/receiving security aspect?
1) inspection of employees entering/leaving? 2) traffic control into facility? 3) storage of merchandise? 4) accountability of shipments and receipts? 5) areas guarded? 6) losses in these departments? 7) merchandise left unattended in these areas? 8) driver facilities? 9) authorized personnel in storage areas?
what are the two terms that signify the potential consequences of taking security risks?
1) investment in loss-prevention techniques 2) insurance
what are some general department evaluation questions?
1) vulnerable to embezzlement? 2) cash funds/negotiable instruments on hand? 3) confidential records? 4) heavy external/internal traffic? 5) target items? (drugs/jewelry) 6) special fire hazards?
what is the definition of probability?
a mathematical statement concerning the possibility of an event occurring
what is a security survey (vulnerability analysis)?
a robust physical exam of the premises and thorough inspection of all operational systems/procedures
what is a vulnerability analysis?
a thorough analysis that is comprehensive and accurate and leads to effective countermeasures (also called a security survey or audit)