ASIS-PSP Questions and Answers

Microwave sensors are active volumetric sensors that transmit microwave signals and detect motion based on frequency changes. For optimal coverage and effectiveness, they are typically mounted near the ceiling of the protected area. This elevated placement allows the sensor to cover a wider detection zone and reduces interference from obstacles such as furniture or equipment. In workplace security and Human Resource safety management, proper sensor placement is essential to ensure reliable detection and minimize false alarms. Mounting sensors too low can limit their range and increase the likelihood of obstructions affecting performance. Positioning them at ceiling level enhances monitoring efficiency and supports a safer working environment by ensuring comprehensive coverage. Therefore, option D is correct because it provides the most effective installation position for microwave sensors.

Comprehensive Detailed Explanation:

During the planning phase of a physical protection system, key deliverables include:

Preliminary design: Conceptual plans showing system layout and strategy.

Drawings: Visual representations that help in communicating system intent and scope.

These work products set the foundation for detailed design and implementation.

A, B, and C include elements used later in the process (procurement, budgeting).

A tort is a civil wrong for which a remedy may be obtained in the form of damages. It is based on the idea that individuals owe certain duties to others and can be held liable when they breach those duties, resulting in harm or injury.

Transitivity (A), Reassembly (C), and Procurement (D) are not related to civil legal liability.

A Material Safety Data Sheet (MSDS), now standardized globally as a Safety Data Sheet (SDS), includes multiple essential sections, among them:

Product identification (A): Basic information about the chemical, manufacturer, and use.

Hazardous ingredients list (B): Details on harmful components and their concentrations.

Physical characteristics (C): Such as boiling point, vapor pressure, appearance, and odor.

These are just a few of the required elements; current SDS formats usually contain 16 standardized sections.

Comprehensive Detailed Explanation:

Microwave sensors, which work by emitting electromagnetic waves and detecting changes in the reflected signal, are most effective when a target moves laterally (side-to-side) across the detection zone. This movement creates the greatest frequency shift (Doppler effect), making it easier for the sensor to detect motion.

Movement directly toward or away (C) causes minimal frequency change and can go undetected.

Speed (B or D) matters, but direction relative to the sensor is the key factor for detection efficiency.

The effectiveness of entry control systems is typically measured by:

Throughput (speed of entry)

False Acceptance Rate (FAR) — unauthorized access

False Rejection Rate (FRR) — denial of access to authorized users

These metrics provide insight into both the security and user experience of the access control system.

A (Cost) is relevant to budgeting, not effectiveness.

B (Activation delays) may affect throughput but isn’t a primary measure.

D (System obsolescence) relates to lifecycle, not effectiveness.

Controlled areas are secure zones that restrict access to authorized personnel and vehicles only. These areas may include military zones, secure corporate facilities, or sensitive operational spaces where access control is enforced through badges, guards, surveillance, or barriers.

Terminal operations (A) refers to logistical or transportation hubs.

Surveillance (B) is a monitoring method, not a restricted area itself.

Total programs (C) is not a recognized security term.

The cost-of-loss formula [K = (Cp + Ct + Cr + Ci) – I] represents:

Cp: Cost of permanent replacement

Ct: Cost of temporary substitute

Cr: Repair costs

Ci: Lost income

I: Insurance reimbursement

These elements combine to determine the total value at risk if an asset is compromised or lost.

The correct answer is C. 328 ft. (100 m).

In PSP physical security system design, cabling distance is important because electronic security systems such as access control, video surveillance, and intrusion detection depend on proper communication infrastructure. The ASIS PSP Body of Knowledge includes electronic security systems, applicable codes/standards, performance requirements, and technical system design capacities under physical security system design.

For category-rated UTP cable, the standard distance limitation is 100 meters, which equals approximately 328 feet. This is the commonly accepted maximum channel distance for category-rated twisted-pair Ethernet cabling. TIA/EIA cabling references repeatedly use 100 m (328 ft) as the standard measurement length for category-rated cable performance values.

Therefore, the correct PSP-relevant answer is C. 328 ft. (100 m).

Under the 50/50 rule (also known as the " modified comparative negligence " rule), the plaintiff may recover damages only if they are 50% or less at fault. If the plaintiff ' s fault is more than 50%, they cannot recover any damages. Therefore, a person responsible for more than 50% of the negligence would be barred from recovery.

The correct answer is A. employee identification card.

In PSP-related physical security, access control is one of the core physical security countermeasures. The ASIS Certification Handbook places electronic security systems, including access control, and visitor/vendor management policies within the PSP Body of Knowledge under physical security system application, design, and integration.

An employee identification card or badge is considered a basic and long-established access control tool because it helps security personnel verify that a person belongs to the organization. It may include the employee’s name, photograph, department, ID number, color coding, expiration date, or access authorization level. A security management reference also uses this exact concept, describing the employee identification card or badge as a basic and time-honored access control tool.

The other options are less accurate:

Personal recognition is a method of recognition, not a physical access control tool.

Visitor pass is mainly for temporary/non-employee access, not the basic employee access control tool.

Proximity card is an electronic access credential, but it is a more modern technology-based tool, not the classic “time-honored” one.

Therefore, the best answer is A. employee identification card.

Span of control refers to the number of subordinates or direct reports that a manager or supervisor can effectively oversee. A narrower span (fewer direct reports) typically allows for closer supervision, while a wider span may require more autonomy among subordinates.

In security management, span of control helps determine appropriate team structures and resource allocation, especially in large-scale operations.

Class K fires involve cooking oils, grease, and fats typically found in commercial kitchens. These fires require specific extinguishers that saponify the oil, cooling and smothering the flames. Class K extinguishers often contain wet chemical agents.

Class C (A) involves energized electrical equipment.

Class D (B) involves combustible metals.

Class L (D) is not a recognized fire class.

Business resumption refers to the long-term process (typically more than 60 days) of returning the organization to full, normal operations after a disruption. It follows the earlier stages of emergency response and business recovery and focuses on rebuilding systems and restoring service levels.

Business continuity (A) is a broader concept that includes all planning efforts.

Business recovery (B) focuses on short-term, interim operations.

Business healing (D) is not a formal term in continuity planning.

The value of an asset to an organization is most appropriately characterized by its replacement value, which represents the cost required to replace or restore the asset if it is lost, damaged, or compromised. In Human Resource and organizational management contexts, understanding asset value is essential for prioritizing protection measures, budgeting, and risk management planning. Replacement value provides a practical and measurable basis for decision-making, especially when allocating resources for security, insurance, and contingency planning. While surveys or industry publications may provide general insights, they do not reflect the specific operational importance of an asset within a particular organization. Cumulative value is not a standard method used in risk assessment. Therefore, option B is correct because replacement value offers a clear, objective, and widely accepted way to determine an asset’s importance.

The first step in the Enterprise Security Risk Management (ESRM) process is to understand the context of the organization—its mission, assets, stakeholders, regulatory environment, and strategic goals. This foundational knowledge frames all future risk assessments and mitigation planning.

A, C, and D are steps that follow contextual understanding.

Warm sites are backup facilities that are partially equipped and can be brought online relatively quickly in the event of a disaster. They typically have necessary infrastructure (e.g., power, networking) and some hardware but are missing the primary computer systems or up-to-date data.

Hot sites (A) are fully configured and ready for immediate use.

Cold sites (C) are empty facilities with just space and basic utilities.

Frequent sites (D) is not a recognized term.

Physical barriers are designed to defend against three main penetration techniques:

Stealth: Unauthorized entry without detection.

Deception: Gaining access through trickery or impersonation.

Force: Physical breaching of barriers or using tools or vehicles to gain entry.

Security systems are designed to detect and delay each of these methods effectively.

A and B mix categories inaccurately.

C (Vehicle) is a tool/method of force, not a category on its own.

High-pressure sodium (HPS) lamps are ideal for parking lots and large outdoor areas because they offer long service life, energy efficiency, and good visibility, even in adverse weather. Their slightly yellowish hue is acceptable for general surveillance and area illumination.

A (Metal halide) has better color rendering but shorter life.

B (Low-pressure sodium) has poor color rendering.

C (Halogen) is less efficient and has a shorter lifespan.

Effective risk mitigation requires proportional countermeasures. As threats become more advanced or sophisticated, security measures must also be upgraded accordingly. If not, the residual risk must be transferred, avoided, or accepted.

A and B are incorrect because they imply static or uniform responses to dynamic threats.

C is overly narrow; system performance depends on multiple factors, not just departmental capability.

Risk assessment in the PSP framework is centered on understanding the interplay between assets, exposure, and losses.

Assets are the people, property, information, and operations that must be protected.

Exposure represents the vulnerability or likelihood that an asset will be affected by threats or hazards.

Losses are the potential consequences, whether financial, operational, reputational, or physical, if a threat materializes.

By systematically analyzing these three considerations, security professionals can prioritize risks, allocate resources effectively, and design appropriate mitigation strategies. Countermeasures are developed later as responses to identified exposures and potential losses, not as a primary input to risk classification. This aligns with ASIS guidance on structured risk assessment and enterprise security risk management.

Recovery of critical processes depends heavily on identifying and assessing the resources needed—such as personnel, facilities, IT systems, and communication tools. Without a proper resource assessment, recovery plans may fail to address key operational dependencies.

Intangible assets are non-physical resources that carry value for an organization and require protection despite lacking a tangible form. Patents are a classic example because they represent proprietary technology or intellectual property, which can provide competitive advantage and legal protection.

Reputation and digital files may hold value, but in PSP asset valuation, patents are specifically recognized as legal intangible assets with quantifiable ownership rights.

Obsolete equipment is a tangible, depreciated asset and does not qualify as intangible.

Properly identifying and valuing intangible assets like patents ensures that security strategies address not only physical property but also intellectual and proprietary assets, aligning with PSP guidance on comprehensive asset protection.

Pre-action sprinkler systems are designed to prevent accidental water discharge. These systems include a detection component (such as smoke or heat detectors) that must activate before the water enters the pipes. They are often used in areas where water damage would be catastrophic (e.g., data centers, museums).

Discovery system (A), Exposure (B), and Post-action system (C) are not standard terms in fire suppression.

“Post-action system” is incorrect; the correct terminology is “pre-action system.”

A change key is designed to operate a single specific lock within a keyed system and is typically assigned to an individual user for limited access. In key control systems, which are important in organizational and Human Resource security management, different key types are used to control access levels. A change key provides the lowest level of access, ensuring that employees can only enter authorized areas relevant to their roles. This supports accountability, reduces security risks, and helps enforce workplace policies. Options A and C describe functions of master or grand master keys, which open multiple locks. Option D refers to control or core keys used for lock maintenance. Proper use of change keys helps organizations maintain structured access control and protect assets, personnel, and sensitive areas effectively.

The contingency fee in a bid package is typically set at 10% of the total project cost. This budgetary buffer accounts for unforeseen issues, changes, or risks that might arise during project execution. It is a standard practice in both construction and security system projects.

A (5%) may be insufficient.

C (15%) and D (20%) are considered excessive unless the project has high uncertainty.

Comprehensive Detailed Explanation:

Lux is the SI unit of illuminance and is used to measure the amount of light that falls on a surface. It quantifies how much luminous flux is spread over a given area. One lux equals one lumen per square meter. It is critical in physical security when designing lighting for surveillance, perimeter control, or safety.

A is too general.

C (Luminare) refers to a complete lighting unit.

D refers to fluorescent tube operation, not illumination measurement.

An Uninterruptible Power Supply (UPS) is the best solution to immediately mitigate the risk of power loss in a computer. It provides backup power instantly upon power failure, allowing safe shutdown or continued operation for a limited period.

A (Surge protector) protects against voltage spikes but doesn’t provide backup power.

C (Emergency generator) has a startup delay and is more suitable for large systems.

D (Batteries) are components of a UPS, not a standalone mitigation.

A network security policy defines the scope of security measures within an organization’s network. It sets the rules for behavior, outlines acceptable use, identifies protected resources, defines responses to security breaches, and lays out disciplinary measures for violations.

Physical security (A) focuses on tangible access control.

Forensic investigations (C) deal with post-incident evidence gathering.

Spam filtering (D) is a specific technical control, not a policy framework.

An active volumetric sensor emits energy (such as sound waves or electromagnetic fields) into a defined volume and detects changes caused by movement or presence within that space. Ultrasonic sensors are a common example:

They transmit high-frequency sound waves and measure the reflections to detect objects or intruders in a monitored area.

Infrared sensors are often passive (detecting heat) or line-of-sight, rather than volumetric.

Capacitive sensors detect changes in an electric field but are typically used for proximity or tamper detection.

Vibration sensors detect mechanical disturbances rather than volumetric intrusion.

Active volumetric sensors are widely used in intrusion detection systems for rooms, corridors, or other enclosed spaces because they monitor an entire volume rather than just a single point or surface.

Bottom of Form

Risk transfer refers to shifting the financial burden of potential losses from an organization to a third party, typically through insurance. By paying a premium, the company secures coverage that will compensate for specific losses, thereby reducing its own financial exposure.

References from PSP: ASIS POA – Risk Management and Insurance Strategies; PSP Study Manual – Financial Risk Treatment Options

In an exchange badge system, individuals surrender a personal credential in return for a temporary badge (often with a photo). One of the ways to bypass such a system is to steal or borrow a badge and alter your appearance to resemble the photo—exploiting human recognition weaknesses.

A, B, and C are more related to access control systems or hacking, not specific to defeating exchange badge visual verification.

Staff personnel serve in a supportive or advisory capacity to the organization’s line executives. They provide specialized knowledge, consultation, and services (e.g., legal, HR, finance) without having direct authority over operations. Their role is crucial in supporting efficient decision-making and strategic planning.

CFO (A) may be a staff officer but is a specific example.

Merchandiser (B) and Retail marketer (D) are job functions, not general categories of organizational roles.

Patrol duty involves moving through assigned routes or areas to monitor activity, detect irregularities, and observe the general condition of the facility. Patrolling can be conducted on foot or by vehicle and is a fundamental component of proactive security operations.

Posts (B) are stationary assignments.

Reserves (C) are backup personnel.

" None of the above " (D) is incorrect because patrol duty is the accurate answer.

In risk assessment, the tangibility of an asset does not automatically determine whether it is more or less valuable than another asset. Both tangible assets, such as equipment and facilities, and intangible assets, such as reputation, information, and employee knowledge, can be critical to an organization. Human Resource management especially recognizes that intangible assets like workforce expertise, trust, and organizational culture can have major strategic value. Because of this, each asset must be evaluated based on its specific importance, exposure to risk, and potential impact on operations. Protection measures should then be matched to that value and level of risk. A physical item is not always more valuable than a nonphysical one, and mitigation strategies should not automatically be identical. Therefore, option D is the most accurate answer.

Conditional honesty is a behavior pattern where a person acts honestly primarily due to the fear of being caught or facing consequences. Unlike integrity, which is internal and moral-based, conditional honesty is external and consequence-based. It is considered a product of reasoning and is a key concept in evaluating personnel risk in security-sensitive roles.

The pre-bid conference is held to clarify specifications, answer bidder questions, and ensure all prospective contractors understand the requirements. It supports transparency and consistency across all bids.

A is incorrect—bids are not anonymous.

C misrepresents the purpose of the meeting.

D (Disclosing project cost) may or may not occur, and it ' s not the primary goal.

A study by BDP International found that 35 percent of shippers were accounting for additional time to comply with the Advanced Manifest System (AMS), a U.S. Department of Homeland Security requirement that came into effect in February 2003. AMS mandates that import manifest information must be submitted at least 24 hours before the cargo is loaded onto U.S.-bound vessels at foreign ports.

In developing a maintenance plan, priority should be given to components whose failure would significantly affect the system’s performance or create a major security gap. This is a risk-based approach, ensuring that critical equipment is maintained for maximum system reliability and protection.

A and C are valid considerations but not as crucial as impact.

D addresses maintenance requirements but not prioritization.

Internet Protocol (IP) typically transmits data in packets that have a maximum transmission unit (MTU) of approximately 1,500 bytes (or characters) for standard Ethernet networks. This size ensures compatibility and minimizes fragmentation across various network types.

Options A, B, and D are not consistent with the standardized MTU for IP packets.

Vicarious liability arises when one party (often an employer or principal) is held legally responsible for the actions of another party (such as an employee or agent), particularly when the controlling party has authority over the actions being performed. This principle is central to agency law and is especially relevant in security services and corporate liability cases.

Compliance liability (A), Active liability (C), and Passive liability (D) are not formal legal terms in this context.

Auxiliary systems are fire alarm systems that are connected directly to a municipal fire alarm system, such as those operated by a local fire department. These systems provide immediate notification to the authorities in the event of an alarm activation and are commonly found in buildings located within cities with centralized emergency response networks.

Warning system (A), Main system (C), and Alert system (D) are not formal classifications of municipal-linked fire alarm systems.

Electromechanical sensors, including magnetic reed switches and contact sensors, are the most common type used on doors and windows. They detect the opening or closing of an entry point and are widely deployed in intrusion detection systems.

A (Capacitance), C (Infrasonic), and D (Fiber optic) sensors are more specialized and not commonly used for standard door/window monitoring.

A hybrid staffing model uses both proprietary and contract security personnel. In this scenario:

Proprietary staff can be assigned to sensitive and top-secret projects for tighter control, loyalty, and internal vetting.

Contract staff can manage less critical areas such as visitor parking, reducing cost.

This model is both secure and cost-effective, offering flexibility and risk-based deployment.

B (Contract) is cost-effective but lacks control for sensitive tasks.

C (Proprietary) is highly secure but more expensive.

D (Total systems) is not a staffing strategy.

In the PSP methodology, the preliminary design phase includes both threat assessments and vulnerability analyses.

Threat assessment identifies potential adversaries, hazards, and scenarios that could negatively impact the facility or operations.

Vulnerability analysis examines weaknesses in systems, processes, and physical infrastructure that could be exploited by threats.

These analyses inform the design of security measures by determining risk exposure and guiding the selection of protective layers. While operating security reviews and security systems architecture focus on implementation and operational evaluation, the preliminary design phase is where risks are systematically identified and addressed in the system concept and specifications, consistent with ASIS PSP guidance.

The three types of comparative negligence statutes include:

Pure approach (A): The plaintiff’s compensation is reduced by their percentage of fault, no matter how high.

50/50 rule (B): The plaintiff can recover damages only if their fault is 50% or less.

51 percent rule (C): The plaintiff can recover only if they are less than 51% at fault.

All three are valid comparative negligence models used in different jurisdictions.

Security consultants are often retained to provide strategic input on staffing needs, policy design, and technology integration. Their advice helps organizations make informed decisions regarding the deployment of personnel, the structure of policies, and the selection of physical and electronic security systems.

A good risk management program incorporates multiple stages:

Identifying risks or vulnerabilities (e.g., threats to assets or processes)

Analyzing risks based on likelihood and potential impact (quantitative or qualitative assessment)

Evaluating and aligning existing or proposed security programs to determine adequacy and needed improvements

All three elements are part of a systematic approach to managing security and organizational risk effectively.

References from PSP: Risk Management Process – ASIS POA; PSP Study Manual – Security Program Development

A comprehensive contingency planning program consists of:

Emergency Response: Immediate actions during a crisis to protect life and property.

Crisis Management: Command structure and coordination during an event.

Business Continuity: Efforts to maintain or quickly restore essential functions.

Together, these components form a resilient framework for organizational preparedness.

The correct answer is D. annually.

In the ASIS PSP Body of Knowledge, lighting is specifically included as an environmental factor that impacts physical security assessment and as a structural security countermeasure. PSP also covers inspection techniques, maintenance of systems and hardware, and ongoing evaluation throughout the security system life cycle.

Exterior security lighting must be evaluated after installation to confirm that the lighting levels, coverage, shadows, glare, blind spots, and protected areas meet the intended security objective. After the initial installation survey, the lighting system should be reviewed annually to ensure it still provides effective illumination and has not been affected by lamp deterioration, damaged fixtures, vegetation growth, changed site conditions, or maintenance issues.

Security lighting guidance also supports an annual security lighting survey, especially when lighting is part of the facility’s protective security program. APTA’s security lighting recommended practice states that a security lighting survey should be performed on an annual basis or when the built environment changes.

Weekly or monthly checks may be useful for routine maintenance, damaged lamps, or outages, but the formal lighting survey after installation is normally conducted annually.

Therefore, the best answer is D. annually.

The primary function of an electronic security system during an attempted or successful penetration is to notify personnel so that appropriate action can be taken. While alarms, countermeasures, and system integrations are important components, they are all secondary to ensuring that responsible individuals are informed promptly. In Human Resource and organizational security management, timely notification enables trained personnel to respond effectively, follow established procedures, and minimize potential damage or risk. Without proper notification, alarms alone may not lead to action, and automated responses may not address the situation appropriately. Effective communication and response coordination are critical aspects of workplace safety and incident management. Therefore, notifying personnel is the most essential function, making option B the correct answer.

Nuisance alarms, particularly from doors, are often caused by mechanical failures such as worn hinges, faulty magnetic switches, or misaligned contacts. Regular inspections and maintenance are the most effective way to reduce false alarms.

Signage (A) helps inform but doesn’t fix the mechanical issue.

Patrols (C) are reactive, not preventative.

Janitorial scheduling (D) can reduce traffic but doesn’t address faulty hardware.

Effective security design must balance technological advances with operational realities, organizational priorities, and human behavior. This holistic approach ensures the system is usable, sustainable, and aligned with company goals.

A (Adversary diagrams) and B (Threats and likelihood) are analytical tools, not integration principles.

D omits the critical “human element,” which affects usability and compliance.

Strict liability applies when a manufacturer or service provider is held legally responsible for damages or injuries caused by a defective product or service, regardless of fault or intent. This type of liability is often associated with consumer protection laws, where the focus is on the danger posed to the user rather than negligence on the part of the provider.

Plaintiff (B) is the party bringing the suit.

Defendant (C) is the party being sued.

" None of the above " (D) is incorrect since " Strict liability " is the correct legal principle.

Modern terrorism, unlike historical or localized violence, leverages advanced technologies and global networks. It necessitates comprehensive national strategies involving political decision-making, resource allocation, intelligence, law enforcement, and industry collaboration to combat the sophisticated threats posed.

The correct answer is C. Equipment performance testing.

In PSP physical security implementation, testing is used to verify that installed security equipment and systems actually perform according to required functional and performance objectives. The ASIS PSP Body of Knowledge includes functional requirements, performance requirements, success metrics, commissioning, and final acceptance testing as part of physical security system design and implementation.

Equipment performance testing is the specific type of testing used to determine whether equipment or a system is functional, has adequate sensitivity, and meets its design and performance objectives. This matches the wording of the question directly. Physical security testing guidance also describes security system performance testing as determining whether security equipment is functional, has adequate sensitivity, and meets design and performance objectives under operating conditions.

The other options are not the best answer:

A. Factory acceptance testing is normally conducted before delivery or installation to verify equipment at the factory or vendor stage.

B. Reliability performance testing focuses more on dependability, availability, or continued operation over time.

D. Site acceptance testing verifies the installed system at the actual site, but the wording about functionality, sensitivity, and design/performance objectives specifically describes equipment performance testing.

Therefore, the correct answer is C. Equipment performance testing.

A catastrophic virus causes widespread and often irrecoverable damage to data on a system and its connected devices. Such viruses are designed to rapidly corrupt, delete, or overwrite data, leading to system failure and loss of operational capability.

Innocuous Bug (A) implies minimal or no harm.

Hostile worm (C) can be destructive but is not a defined term for this scenario.

Trojan Horse (D) is deceptive but does not usually cause sudden widespread destruction immediately.

In security and risk management, criticality refers to the importance or impact of a loss, typically measured in monetary terms. It helps determine how severely the loss of an asset, process, or system could affect operations, productivity, or safety. Understanding criticality allows security professionals to prioritize protection efforts based on potential financial and operational consequences.

References from PSP: Risk Assessment Terminology – ASIS POA; PSP Study Guide – Asset Valuation and Risk Impact

Record safes are designed primarily to protect documents from fire, not theft. They often lack adequate burglary resistance features. Using record safes for storing valuables such as cash, jewelry, or sensitive items prone to theft is a major security vulnerability. This misapplication can lead to easy compromise during unauthorized access or burglary.

???? References:

ASIS International, Protection of Assets (POA), Chapter: Asset Protection and Safes

ASIS PSP Study Guide, Physical Security Devices

An intangible asset is a non-physical resource that holds value for an organization, typically contributing to competitive advantage or operational capability. Examples include intellectual property, such as patents, trademarks, copyrights, and proprietary knowledge.

Land, buildings, and natural resources are tangible assets, meaning they have a physical form that can be seen and touched.

Intangible assets are critical in risk assessment because they often require specialized protection strategies, including legal safeguards, access control, and confidentiality measures.

ASIS PSP guidance highlights the need to recognize both tangible and intangible assets when conducting asset valuation and risk assessments, ensuring security measures are appropriately tailored to protect all forms of organizational value.

The correct answer is D. retinal pattern recognition.

In PSP physical security design, access control is part of integrated physical security systems and countermeasure implementation. ASIS describes the PSP credential as covering physical security assessments, integrated physical security systems, and implementation/evaluation of security measures.

Retinal pattern recognition is a biometric access control method. It verifies a person based on a unique physical characteristic rather than something the person carries or knows. Biometric authentication uses unique body characteristics such as retinas, fingerprints, facial structure, or other biological traits for security and authentication.

The other options provide lower security by comparison:

A. Proximity card — possession-based credential; it can be lost, stolen, shared, or cloned.

B. Computer-controlled keypad — knowledge-based credential; PINs can be observed, guessed, shared, or compromised.

C. Smart card — stronger than a basic proximity card, but still a possession-based credential unless combined with PIN or biometric verification.

D. Retinal pattern recognition — biometric; tied directly to the individual and therefore provides the highest level of security among the listed options.

Therefore, for a high-security area such as a data center, the best answer is D. retinal pattern recognition.

The primary purpose of analyzing data collected during a risk analysis is to support informed decision-making regarding identified risks. In Human Resource and organizational management, data-driven decisions are essential for effectively prioritizing threats, allocating resources, and implementing appropriate security measures. By evaluating collected data, a Physical Security Professional can understand the likelihood and impact of risks, identify vulnerabilities, and determine the most suitable mitigation strategies. While options such as identifying peak activities, selecting technologies, or communicating with management may result from the analysis, they are secondary outcomes. The core objective remains to guide sound and informed decisions that enhance organizational safety and operational efficiency. Therefore, option A is correct because it reflects the fundamental purpose of risk analysis in supporting strategic and evidence-based decision-making.

Observability refers to how easily an adversary can detect or notice a weakness in a system, process, or environment. In risk management and security concepts often applied within Human Resource and organizational safety frameworks, observability is directly linked to the visibility of vulnerabilities. If a vulnerability is highly observable, it means that it can be easily recognized by an external or internal threat actor. This recognition increases the likelihood that the weakness may later be exploited. However, observability itself does not involve exploiting or causing the vulnerability, but rather identifying its presence. HR policies and workplace controls aim to reduce observability by implementing safeguards, training, and awareness programs to ensure that sensitive weaknesses are not easily detected by unauthorized individuals.

Comprehensive Detailed Explanation:

The " Theft Triangle " is a concept used in physical security and loss prevention to illustrate the three primary elements that must exist for theft to occur: motive, desire, and opportunity.

Motive: The reason someone considers committing theft (e.g., financial hardship).

Desire: The internal emotional or psychological urge to obtain something.

Opportunity: The circumstances or vulnerabilities that allow the act to occur.

All three must typically be present for theft to happen. This model is used in behavioral risk assessments and insider threat prevention strategies.

In major construction projects, the security consultant holds the primary responsibility for producing and maintaining the documentation for the final security system design.

The security consultant integrates the client’s requirements, risk assessments, and compliance standards into a coherent design package.

While security vendors and system engineers implement and configure components, and architects manage building design, the security consultant ensures the overall security strategy, technical specifications, and integration documentation are properly detailed for construction, procurement, and operational handover.

This includes schematics, system diagrams, installation guidelines, and operational procedures, ensuring that the system aligns with both security objectives and project standards.

This approach aligns with PSP guidance, emphasizing that oversight and documentation of integrated security systems require professional expertise in security planning, not solely technical or architectural roles.

The three most common categories of risk in organizational security are:

Personnel: Risks to human safety and behavior.

Property: Risks to physical and digital assets.

Liability: Legal exposure due to negligence or failure to act.

This classification helps align mitigation strategies and insurance planning.

A and D incorrectly list “hazards” as a category rather than a risk source.

B omits personnel, a critical category.

Risk spreading refers to decentralizing operations or distributing assets so that if one site or operation is compromised, the entire organization isn’t paralyzed. For example, backing up data across multiple locations ensures that the loss of one system doesn ' t cause total data loss.

References from PSP: Risk Management Techniques – ASIS POA; PSP Certification Guide – Business Resilience Measures

The four common types of physical lock-down systems for protecting hardware, especially in IT environments, include:

Cages: Enclosures for servers or critical equipment.

Plates: Lock-down plates secured to desks or floors.

Cables: Security cables to tether devices.

Alarms: Motion or tamper-detection systems.

These measures are used to deter theft and unauthorized physical access.

In communism, the overthrow of capitalism is based on class struggle between the proletariat and bourgeoisie. Radical Islam is not centered around class conflict but rather on religious ideology and perceived moral decay. While radical Islamists may oppose Western or Russian systems, it is not explicitly framed as a class-based struggle akin to Marxist theory.

In the context of risk management:

A hazard is a condition or factor that increases the likelihood or severity of a peril (a cause of loss).

For example, oily floors (hazard) increase the chance of slips and falls (peril).

A (possible occurrence) and B (probable occurrence) describe likelihood, not hazard.

C (difference between actual and expected losses) refers to variance, not hazard.

Exclusion areas are the most secure zones within a controlled facility, designed specifically for handling or storing high-value, classified, or critical assets. These areas have strict access controls, surveillance, and protective measures in place to prevent unauthorized access or theft.

Limited areas (A) offer less stringent protection than exclusion areas.

Multiple areas (C) is a non-standard term.

“None of the above” (D) is incorrect because exclusion areas is the correct answer.

The Edison Electric Institute, in collaboration with the North American Electric Reliability Council (NERC) and the Department of Energy (DOE), developed security guidelines for the protection of the electrical grid. One of the primary components of these guidelines is performing a vulnerability/risk analysis to identify potential weaknesses and assess the impact of threats to the infrastructure.

While threat response and cyber scenarios are part of broader planning, vulnerability/risk analysis is a foundational element.

Emergency detection is important but not a specifically highlighted part of the referenced guidelines.

The correct answer is A. Post.

In the ASIS PSP Body of Knowledge, general, post, and special orders are specifically included under the implementation of physical security measures and requirements for security personnel.

Post orders are written instructions for security officers assigned to a specific post or guard station. They explain the officer’s duties, procedures, responsibilities, emergency actions, reporting requirements, patrol expectations, access control duties, and other site-specific instructions.

The wording in the question closely matches the purpose of post orders because they:

address specific duties or subjects in clear language,

are available at the guard post or guard station,

guide officers during daily operations, and

provide the foundation for site-specific training.

The other options are not the best answer:

Special orders usually address temporary, unusual, or individual assignments.

General orders apply broadly to security personnel and are not usually limited to one guard station.

Standing orders may be continuing instructions, but the site-specific document kept at a guard station for officer duties and training is best described as post orders.

Therefore, the correct answer is A. Post.

The Transmission Control Protocol (TCP) works with IP as part of the TCP/IP suite. It divides data into packets, numbers them sequentially, and adds error detection and correction codes. This ensures that data is transmitted reliably, in order, and without loss or corruption.

File Transfer Protocol (B) uses TCP but does not handle packet creation itself.

Information Control Protocol (C) is not a recognized protocol.

“None of the above” (D) is incorrect because TCP is the correct answer.

Threats in security risk assessments are typically classified as either man-made (e.g., vandalism, terrorism) or natural (e.g., earthquakes, floods). This distinction helps define appropriate mitigation strategies.

A, B, and C describe other possible classifications but are not the foundational categories.

Ethernet was developed in the early 1970s by Robert Metcalfe and his team at Xerox Corporation’s Palo Alto Research Center (PARC). It became the foundational technology for local area networks (LANs) and remains widely used in networking today.

IBM (B) developed other networking technologies but not Ethernet.

Microsoft (C) is a software company and did not develop Ethernet.

Crisis management plans are primarily concerned with:

Crisis management team structure (A)

Disaster operations and coordination (B)

Media communication strategies (C)

While vital records (D) are important to business continuity planning, they are not a core function of crisis management, which focuses more on command, communication, and high-level decision-making during emergencies.

Targeting refers to the process by which a threat actor selects a specific facility or asset based on attractiveness, vulnerabilities, symbolic value, or opportunity. This helps differentiate why one location may be more likely to be attacked than another.

Motivation (B) refers to the reason behind the attack.

Collusion (C) involves cooperation between insiders.

Desire (D) is a psychological element, not an operational step.

Best practices for data backup recommend redundancy and geographical separation to ensure recovery in various disaster scenarios. Ideally, four sets of backup files should be maintained:

One on-site for quick access and recovery,

Three off-site (including possibly in different physical locations or cloud storage) for protection against local disasters like fire or floods.

A clearly defined and executed procurement contract is critical to successful implementation of a physical security construction project. It outlines scope, deliverables, timelines, cost structures, and responsibilities, ensuring all parties operate with aligned expectations and accountability.

A (RFQ) is a pricing request, not a contract.

B (BIA) informs continuity planning, not project execution.

D (Cost analysis) is useful but not foundational for execution.

Comprehensive Detailed Explanation and References

Intrusion alarms are systems specifically designed to detect unauthorized entry into a protected area while the system is active. These alarms respond when a perimeter is breached, such as through windows, doors, or motion detection. When triggered, they signal unauthorized access.

In risk management and Human Resource contexts, assets are defined as anything that holds value to an organization, whether tangible or intangible. Tangible assets include physical items such as buildings, equipment, and technology, while intangible assets include intellectual property, employee skills, organizational reputation, and data. HR plays a critical role in protecting and developing intangible assets, particularly human capital, which is often one of the most valuable resources of an enterprise. Options A and B are too narrow because assets are not limited to fame or financial gain alone, and option C is incorrect as assets must have value. Recognizing all forms of assets helps organizations implement effective risk management, security measures, and workforce strategies. Therefore, option D correctly defines assets in a comprehensive and accurate manner.

When a bomb threat targets a specific floor, safety protocols typically mandate evacuation of the identified floor and the floors immediately above and below. This accounts for the potential blast radius and structural impact, ensuring personnel safety in adjacent vulnerable areas.

A is too vague.

C and D (all floors above or below) may be excessive unless threat specifics demand it.

" As-built " drawings are finalized versions of project design plans that reflect any changes or deviations made during installation or construction. They are essential for future maintenance, troubleshooting, and upgrades, and are a standard deliverable at project completion.

A (Archival) and B (Post-construction) are not formal document types.

C (Floorplan) is a general drawing, not specific to project finalization.

The three primary types of cost estimates used during the implementation of a physical protection system are:

Budgetary: Initial estimate for planning and approval.

Preliminary design: Estimate based on conceptual design.

Final design: Detailed cost based on approved construction documents and specifications.

This staged estimation approach helps refine costs as the design evolves.

Other options mention contingency or maintenance, which are important but not considered one of the three standard estimating stages.

Communism promotes state or collective ownership of property as a political and economic ideology. Radical Islam, while it may advocate for community-oriented economic practices (e.g., zakat, or almsgiving), does not follow the same foundational principles of property ownership as communism. The idea of " sharing property " in radical Islam is not analogous to " common property " in communism.

Continuity planning involves developing strategies and procedures to ensure that critical infrastructure, processes, and systems continue to function or are restored promptly after a disruption. It includes emergency response, crisis management, recovery, and resumption phases.

Contingent planning (A) is not a standard term.

Resource planning (C) focuses on allocation of resources, not continuity.

Resumption planning (D) is a subset of continuity planning.

Insurance is not a substitute for a security program. It only compensates for loss after it occurs and does not prevent incidents. A comprehensive security program includes preventive measures such as access control, surveillance, personnel training, and emergency planning, which work in tandem with insurance as part of a broader risk management strategy.

References from PSP: ASIS POA – Insurance vs. Security Controls; PSP Study Guide – Prevention vs. Compensation

Credit reports not only reflect a person ' s financial condition (debts, credit utilization, bankruptcies), but also provide useful data such as past addresses and the names of previous employers. This auxiliary information is essential during background investigations and helps validate the accuracy of job applications.

Legal and compliance considerations apply; employers must follow fair credit reporting laws and obtain consent.

A deadbolt lock must have sufficient bolt projection, known as the throw, to resist forced entry techniques such as jamb spreading. The recommended minimum throw is 1 inch because it ensures that the bolt extends deeply into the door frame, increasing resistance against prying or forced separation of the door and frame. In organizational and Human Resource security management, proper physical security measures are essential for protecting employees, assets, and sensitive areas. Installing locks with inadequate throw length may create vulnerabilities that can be exploited easily. While shorter throws may offer basic locking, they do not provide the level of resistance required for secure environments. Therefore, selecting a deadbolt with at least a 1-inch throw supports stronger access control and contributes to overall workplace safety and risk reduction.

From a management perspective, organizing a security operation involves multiple interconnected activities:

Planning and goal setting (A) to define the scope and objectives.

Establishing controls (B) such as policies, standard operating procedures, and compliance mechanisms.

Hiring personnel (C) with appropriate qualifications and placing them in roles suited to their capabilities.

All these components work together to structure and guide the security effort effectively.

System integration combines technology, procedures, and people—i.e., personnel—to create a cohesive and effective security solution. Personnel are essential for operating, monitoring, and responding to events within the system.

A (Safety) and D (Management) are broader organizational functions.

B (Equipment) is a part of the technology component, already implied.

Project management principles emphasize balancing scope, time, and cost, often referred to as the project management “triple constraint” or “iron triangle.”

Scope defines the work required to complete the project successfully, including deliverables, system specifications, and operational objectives.

Time represents the project schedule and deadlines for completing tasks, phases, or milestones.

Cost encompasses budgetary limits, including labor, materials, equipment, and contingencies.

A project manager must continuously monitor and adjust these factors to ensure that changes in one area do not negatively impact the others. For example, expanding scope without adjusting time or cost can jeopardize project success. This approach aligns with PSP guidance for security system projects, where maintaining balance among scope, schedule, and budget is critical to delivering an effective and operationally viable security system.

Establishing performance requirements improves a security program because it helps decision-makers choose security features that directly support the organization’s overall protection strategy. In management and Human Resource related planning, clear performance requirements guide the selection of tools, procedures, and personnel responsibilities based on how well they achieve desired outcomes rather than simply meeting a checklist. This approach ensures that resources are aligned with actual risks, operational goals, and employee safety needs. It also supports better training, accountability, and coordination across departments because everyone understands what level of performance is expected. Validating compliance or certification may be useful later, but those actions do not primarily increase program effectiveness during design. The greatest benefit comes from choosing features that strengthen the full strategy. Therefore, option B is the most accurate answer.

Piecemeal security refers to the ad hoc or fragmented implementation of security measures without an overarching strategic plan. Security elements are added reactively, often after an incident or perceived risk, rather than being guided by a coordinated risk assessment. This results in inconsistent, sometimes redundant or ineffective protection efforts, leaving gaps in security coverage.

References from PSP: ASIS POA – Strategic Security Planning; PSP Study Manual – Program Design Principles

Intrusion sensor performance is commonly evaluated using three key criteria: probability of detection, nuisance alarm rate, and vulnerability to defeat. Probability of detection measures how effectively the sensor identifies actual intrusions. Nuisance alarm rate refers to the frequency of false or unnecessary alarms, which can reduce trust in the system and lead to complacency among personnel. Vulnerability to defeat assesses how easily the sensor can be bypassed or compromised by an intruder. From a Human Resource and organizational management perspective, these factors are critical because they directly influence employee response, security awareness, and overall workplace safety. High false alarm rates may lead to reduced attentiveness among staff, while poor detection capability or high vulnerability can expose the organization to risks. Therefore, option D correctly represents the standard performance criteria.

Computed Tomography CT is the correct answer because it uses a rotating X-ray source to capture multiple images of an object from different angles, creating a detailed three-dimensional view. This technology uniquely calculates a material’s mass, density, and mass absorption coefficient, making it highly effective for detecting explosives and other threats. In organizational and Human Resource related security management, advanced screening technologies like CT scanners are essential for ensuring workplace safety, especially in high-risk environments such as airports, government facilities, and corporate offices. These systems support security personnel by providing accurate threat identification, reducing human error, and improving decision-making. Other technologies like standard X-ray or backscatter systems do not provide the same level of detailed material analysis. Therefore, option B is correct because CT offers the most comprehensive detection capability.

The four main types of invasion of privacy recognized under civil law are:

Misappropriation of name or likeness for commercial use (A)

False light (B) — misrepresenting someone publicly

Intrusion upon seclusion (D) — unauthorized intrusion into someone’s private space or affairs

Public disclosure of private facts — not “private disclosure of public facts” as stated in option C

Option C is incorrect because “private disclosure of public facts” is not a valid tort; it reverses the recognized tort, which is “public disclosure of private facts.”

A methodical examination in security management serves multiple purposes:

Identifying deviations from policies and procedures

Detecting vulnerabilities or loopholes

Improving operational effectiveness while maintaining or enhancing security

This approach is used in audits, inspections, and evaluations to enhance overall security posture without compromising performance.

References from PSP: ASIS POA – Security Audits and Evaluations; PSP Guide – Program Effectiveness and Risk Review

Capacitance proximity sensors detect changes in electrical capacitance, which can be influenced by environmental conditions. Changes in relative humidity can affect the dielectric properties of the air or materials nearby, potentially causing false alarms or degraded performance.

B (Temperature) and C (Air movement) typically affect other sensor types (e.g., infrared or ultrasonic).

D (End-of-line resistance) applies to alarm circuit supervision, not proximity sensing.

According to best practices, the vendor should offer a warranty that includes full maintenance of the equipment because the vendor is typically responsible for delivering the complete solution, including installation, integration, and ongoing support. In Human Resource and organizational management contexts, having a single accountable party ensures clarity, efficiency, and reliable service. Vendors coordinate between manufacturers, technicians, and service providers, making them best positioned to manage maintenance responsibilities and ensure system performance. This arrangement also simplifies communication and accountability, which is important for minimizing downtime and maintaining workplace safety. Manufacturers may provide product warranties, but they usually do not handle full system maintenance. Therefore, option A is correct because the vendor ensures comprehensive support and aligns with best practices in system lifecycle management.

Fidelity bonds specifically cover losses resulting from dishonest acts committed by employees, such as theft, fraud, or embezzlement. These are commonly used in financial institutions and other sectors where employees handle cash or sensitive assets.

Integrity, in the context of information security, refers to ensuring data is accurate, consistent, and unaltered by unauthorized actions. Maintaining integrity prevents data manipulation or corruption, ensuring reliability for organizational decision-making.

Analysis (A) is the process of evaluating data.

Security (C) is a broader term encompassing integrity, confidentiality, and availability.

Availability (D) ensures access but does not guard against data tampering.

Comprehensive Detailed Explanation:

Pandemics primarily impact human health and workforce availability rather than directly damaging physical infrastructure. The effects on infrastructure are typically secondary, such as reduced staffing at utilities or service providers, rather than structural destruction (as in natural disasters).

Infrastructure remains physically intact, but operations may be disrupted due to workforce shortages.

Using two geographically and physically separate cable paths ensures redundancy. If one path is damaged (e.g., due to construction, sabotage, or natural disaster), the other can maintain communication. This is a key principle in critical infrastructure protection.

A: Surveillance helps detect issues but doesn’t prevent physical interruption.

B: Wireless is useful but often less reliable and secure than wired systems.

C: Tamper-proof cables increase security but don’t address path redundancy.

A performance-based specification defines what the system must achieve (e.g., detection rate, response time), without specifying how to achieve it. This allows vendors flexibility in choosing technologies that meet required outcomes.

B (Feature-based) and C (Results-based) are loosely defined or incorrect terms in procurement standards.

D (Cost-based) focuses on budget, not system performance.

The Chief Security Officer (CSO) is responsible for overseeing an organization’s entire security posture—including physical, personnel, and sometimes information security. A crucial part of this role is ensuring that communication channels are effective. The CSO must analyze these channels regularly to ensure that the information received is accurate, relevant, timely, concise, and actionable for security operations and decision-making.

CIO (A) focuses on IT systems.

Information Security Officer (B) handles cybersecurity but may not oversee overall physical security.

Chief Minister (C) is a governmental/political role, not organizational security.