c. Firmware

d. Physical control

100. d. A major part of the security of an IT system can often be achieved through nontechnical measures, such as organizational, personnel, physical, and administrative controls. However, there is a growing tendency and need to employ technical IT security measures implemented in hardware, software, and firmware either separately or converged.

101. Which of the following is not a protective measure to control physical access to information system distribution and transmission lines?

a. Card readers

b. Locked wiring closets

c. Locked jacks

d. Protected cables

101. a. Card readers are physical access devices to control entry to facilities containing information systems. Protective measures to control physical access to information system distribution and transmission lines include locked wiring closets, disconnected or locked spare jacks, and cables protected by conduit or cable trays.

102. Biometrics-based access controls are implemented using which of the following?

a. Administrative and directive controls

b. Physical and logical controls

c. Management and preventive controls

d. Corrective and recovery controls

102. b. Physical controls (e.g., memory cards, smart cards, or hardware tokens) are used to identify a user, and logical controls (e.g., fingerprint or voice print) are used to authenticate the same user.

103. Protective lighting does which of the following for computer facilities?

a. Detection and correction

b. Deterrent and detection

c. Correction and action

d. Protection and correction

103. b. Protective lighting should act as a deterrent and make detection likely. The lighting should enable the security staff to observe others without being seen.

104. The effectiveness of physical security controls is most determined by which of the following?

a. Control device used

b. Vulnerabilities in the device

c. Implementation of the device

d. Planning device used

104. b. Organizations should determine whether intruders could easily defeat the controls (i.e., vulnerabilities) in the access control devices. Until the vulnerabilities are eliminated, implementation and operation of the control device do not matter much.

105. Which of the following intruder detection systems cannot be used as a primary system?

a. Photoelectric detection systems

b. Motion detection systems

c. Proximity detection systems

d. Audio detection systems

105. c. Proximity detection systems identify the approach or presence of an object or an individual. It is designed to be supplemental and cannot be used effectively as a primary system because of the system’s vulnerability to nuisance alarms caused by electric supply fluctuations and by the presence of mops, pails, and so on placed near the system. Animals and birds can trigger a system alarm if it is too sensitive. Therefore, proximity systems should be backed up by other security systems. Photoelectric systems operate based on light, motion systems operate based on signal, and audio systems operate based on sound.

106. Which of the following controls the mantraps in a computer center?

a. A person’s body weight and a smart card

b. A person’s body weight and a biometric feature

c. A person’s body weight and a memory card

d. A person’s body weight and a personal identification number

106. b. Mantraps are used in highly-sensitive areas and have a built-in weighing scale. The mantrap-controlling software looks at a combination of a person’s body weight and a biometric feature such as fingerprint scan, hand geometry, facial recognition, iris scan, and voice recognition, and compares it to stored information about that person. Smart cards, memory cards, and personal identification numbers (PINs) can be stolen or lost, and they are a weak form of authentication even when combined with the body weight. A person’s body weight and a biometric features authenticate what the user is, which is stronger than the other controls.

107. The primary function of a physical protection system should be performed in which of the following order?

a. Detection, response, and delay

b. Detection, delay, and response

c. Delay, detection, and response

d. Response, delay, and detection

107. b. A physical protection system must accomplish its objectives by either deterrence or a combination of detection, delay, and response, in that order.

108. What must begin after a physical intrusion detection alarm is initiated and reported?

a. Communication

b. Interruption

c. Assessment

d. Deployment

108. c. When a physical intrusion detection alarm is initiated and reported, situation assessment begins. You need to know whether the alarm is a valid or a nuisance alarm and details about the cause of the alarm.

109. Which of the following is the most costly countermeasure to reduce physical security risks?

a. Procedural controls

b. Hardware devices

c. Electronic systems

d. Personnel

109. d. Personnel such as security guards are the greatest expense due to direct salaries plus fringe benefits paid to them. It is good to use people only in those areas where procedural controls, hardware devices, or electronic systems cannot be utilized at all or cannot be utilized more effectively.

Procedural controls, such as logging visitors and recording temperatures, are generally the least expensive. They can be manual or automated; the latter can be expensive. Hardware devices can include, for example, locks, keys, fences, gates, document shredders, vaults, and barricades. Electronic systems can include, for example, access controls, alarms, CCTV, and detectors.

110. Which of the following is the last line of defense in a physical security?

a. Perimeter barriers

b. Exterior protection

c. Interior barriers

d. People

110. d. The perimeter barriers (e.g., fences) are located at the outer edge of property and usually are the first line of defense. The exterior protection, such as walls, ceilings, roofs, and floors of buildings, is considered the second line of defense. Interior barriers within the building such as doors and locks are considered the third line of defense. After all the preceding defenses fail, the last line of defense is people—employees working in the building. They should question strangers and others unfamiliar to them.

111. Which of the following has a bearing on opportunities for electronic surveillance?