Study Smarter for the CPP Exam with Our Free and Accurate CPP Exam Questions, Updated for 2025.
At Cert Empire, we are dedicated to delivering the most reliable and up-to-date exam questions for students preparing for the ASIS CPP Exam. To support better preparation, we've made sections of our CPP exam resources free for everyone. You can practice as much as you like with the free CPP practice test.
Question 1
A. ICS is not limited to the private sector; it originated in the public sector and is a standard for government response.
B. ICS is used by all levels of government (local, state, tribal, and federal), not exclusively by federal agencies.
D. The private sector is a critical partner in emergency management and is strongly encouraged by NIMS to adopt and use ICS.
1. Federal Emergency Management Agency (FEMA). (2017). National Incident Management System (NIMS) Doctrine. FEMA P-1000.
Page 1, Introduction: "NIMS provides a common, nationwide approach that enables the whole community to work together to manage all threats and hazards. NIMS is applicable to all stakeholders with incident management and support responsibilities... This includes all levels of government, nongovernmental organizations (NGOs), and the private sector."
Page 4, Scope: "NIMS is applicable to all incidents... It is a comprehensive framework that can be used by all stakeholders... including governmental entities at all levels, NGOs, and the private sector."
2. ASIS International. (2021). Protection of Assets (POA), Crisis Management.
Chapter 3, Incident Management, Section on National Incident Management System (NIMS): This section details that NIMS provides a consistent framework for government, the private sector, and nongovernmental organizations to collaborate. It emphasizes that private sector organizations should adopt ICS to effectively interface with public sector first responders during an incident.
3. Jensen, J. L. (2010). Business's Role in Emergency Preparedness and Response: A Guide to Inter-organizational, Public-Private Collaboration. Naval Postgraduate School.
Page 11, Section on NIMS: "NIMS provides a consistent nationwide template to enable Federal, State, local, and tribal governments, the private sector, and nongovernmental organizations to work together to prepare for, prevent, respond to, recover from, and mitigate the effects of incidents, regardless of cause, size, location, or complexity."
Question 2
A. This describes a business decision related to risk tolerance or an acceptable quality level, not the specific technical performance metric of CER.
C. This describes only the False Rejection Rate (FRR), which is the probability that an authorized user is incorrectly denied access.
D. The term "positive rejections" is not standard biometric terminology. The CER is where the False Rejection Rate equals the False Acceptance Rate.
1. Fennelly, L. J., & Perry, M. A. (Eds.). (2021). The Professional Protection Officer: Practical Security Strategies and Emerging Trends (2nd ed.). ASIS International & Butterworth-Heinemann. In discussions of biometric access control, the text defines the Equal Error Rate (EER) or Crossover Error Rate (CER) as the point where the false-accept rate and false-reject rate are equal (Chapter 11, Access Control Systems).
2. Jain, A. K., Ross, A., & Prabhakar, S. (2004). An introduction to biometric recognition. IEEE Transactions on Circuits and Systems for Video Technology, 14(1), 4-20. Section III-C, "Performance," states: "The performance of a biometric system is often measured in terms of the false accept rate (FAR) and the false reject rate (FRR)... The EER is the point where the FAR and FRR are equal." (p. 10). DOI: https://doi.org/10.1109/TCSVT.2003.818349
3. ASIS International. (2012). Protection of Assets (POA), Physical Security. The section on "Biometric Access Control" describes performance metrics, including the Crossover Error Rate (CER) as the point where the probability of a false acceptance is the same as the probability of a false rejection.
Question 3
A. Limiting liability exposure, such as for negligent hiring, is a critical secondary benefit and a risk management outcome of screening, not its primary purpose.
C. Screening is a preliminary step that complements and makes subsequent stages like interviewing and testing more efficient; it does not reduce reliance on them.
D. While efficiency is desirable, the primary objective is to find the most effective and appropriate candidate, not simply to minimize the cost or time of hiring.
1. ASIS International. (2021). Protection of Assets (POA): Personnel Protection. Alexandria, VA: ASIS International. Chapter 2, "Preemployment Measures," Section 2.2, "The Selection Process." The text explains that the goal of the selection process, which begins with screening, is to hire the best-qualified individual by matching their knowledge, skills, and abilities to the job requirements.
2. Fischer, R. J., Halibozek, E., & Walters, D. C. (2019). Introduction to Security (10th ed.). Butterworth-Heinemann. Chapter 11, "Personnel Security," discusses preemployment screening as a key function to ensure the suitability, reliability, and integrity of candidates, which directly supports the objective of finding the most appropriate person for the job.
3. ASIS International. (2019). Preemployment Background Screening Guideline (ASIS GDL PBS-2019). Alexandria, VA: ASIS International. Section 4, "Guideline Elements," outlines the purpose of screening as a due diligence process to verify candidate information and assess suitability for employment, which is integral to selecting the most appropriate person.
Question 4
B. Commonality: The commonality of an item may relate to its replaceability or value, but it is not a direct factor in the risk formula used to determine protection levels.
C. Place of origin: An item's origin is generally not a primary consideration for selecting a security container, unless it pertains to specific geopolitical threats or regulatory controls.
D. Reproducibility: While reproducibility affects recovery planning and overall business impact, vulnerability is the direct characteristic that a security measure is designed to mitigate to prevent loss in the first place.
1. ASIS International. (2021). Protection of Assets: Security Management. Alexandria, VA: ASIS International. The chapter on "Risk Management" explains that risk analysis involves identifying assets, their value, and their vulnerabilities to specific threats. The selection of countermeasures is based on mitigating these identified vulnerabilities.
2. Fischer, R. J., Halibozek, E., & Walters, D. C. (2019). Introduction to Security (10th ed.). Butterworth-Heinemann. In Chapter 5, "The Security Risk Assessment," the text emphasizes that a vulnerability assessment is a critical step. It states, "A vulnerability is a weakness... The purpose of the security survey is to identify these vulnerabilities so that countermeasures can be implemented" (p. 104).
3. Garcia, M. L. (2008). The Design and Evaluation of Physical Protection Systems. Butterworth-Heinemann. Chapter 2, "Systematic Approach to Physical Protection System Design," outlines that the characterization of a facility or asset includes identifying vulnerabilities. The design of the protection system (e.g., containers, barriers) is a direct response to these vulnerabilities in relation to defined threats.
Question 5
A. Covert surveillance of employees is highly regulated, often illegal without specific cause, and can severely damage employee morale and trust.
B. This option prematurely dismisses a valid security tool instead of exploring how to implement it in a legally compliant and ethical manner.
C. Recording audio without the consent of all parties is illegal in many jurisdictions under wiretapping laws and dramatically increases the organization's legal risk.
1. ASIS International. (2021). Protection of Assets (POA), Legal Aspects. Alexandria, VA: ASIS International. The text emphasizes that "the most significant legal issue in the use of CCTV is privacy" and strongly advises security professionals to seek legal counsel to navigate the complex web of federal and state laws. It specifically discusses the "reasonable expectation of privacy" standard for areas like locker rooms and restrooms. (Section on "Information Security and Privacy").
2. ASIS International. (2021). Protection of Assets (POA), Physical Security. Alexandria, VA: ASIS International. This volume details the implementation of video surveillance systems and notes that a "video surveillance policy should be developed in consultation with the legal department and human resources" to address privacy and other legal considerations before installation. (Chapter on "Video Surveillance").
3. Fennelly, L. J. (2017). Effective Physical Security (5th ed.). Butterworth-Heinemann. As a foundational text in the security field, it states that legal counsel must be consulted on surveillance activities, particularly regarding audio recording, which is generally prohibited, and camera placement to avoid infringing on privacy rights in sensitive areas. (Chapter 25: CCTV Technology).
4. Cornell University Law School, Legal Information Institute (LII). "The Fourth Amendment's protection against unreasonable searches and seizures by the government has been interpreted to provide a basis for a right to privacy... This concept is often discussed in terms of a 'reasonable expectation of privacy'." While focused on government action, this principle is the foundation for privacy law that extends into private-sector employment law. (Article on "Privacy").
Question 6
A. Detecting drug use is a medical/testing function; supervisors are not qualified and risk legal liability if they attempt diagnosis.
B. Performance monitoring is routine management; enforcement requires the next step: referral to professional help when abuse is suspected.
C. Identifying on-site drug sales involves security or law-enforcement investigators, not line supervisors.
1. ASIS International, Protection of Assets Manual, Vol. 2, "Security Management", Section "Substance-Abuse Programs", pp. 2-35 to 2-36: supervisors document performance problems and make EAP referrals.
2. Roman, P.M. & Blum, T.C. (1996) "The workplace and alcohol problem prevention", Alcohol Health & Research World 20(4), p. 252 ¶2: supervisors refer employees to counselling/EAP; they do not diagnose. DOI:10.1037/e494522006-002
3. MIT OpenCourseWare, Course 15.668 People and Organizations, Session 12 "Employee Assistance Programs", Slide 6: supervisor's key role is formal referral to counselling resources when performance deteriorates.
4. Journal of Occupational & Environmental Medicine, 37(7) (1995) "Supervisor training and EAP referral patterns", pp. 784-785: performance documentation followed by supervisory referral is the mandated process.
5. University of Washington School of Public Health, Workplace Substance-Abuse Module, Section "Supervisor Responsibilities", para 3: supervisors observe, document, and refer to EAP; they do not detect use or investigate sales.
Question 7
A. be given to all employees, visitors, and contractors. Training should be role-specific and appropriate to the audience; visitors and contractors typically receive a briefing, not the same in-depth training as employees.
B. cover all aspects of the emergency plan for all participants. Information is provided on a need-to-know basis; most personnel only need training on their specific roles, not the entire comprehensive plan.
D. be reinforced and tested on a quarterly basis. The frequency of drills is determined by risk analysis, regulatory requirements, and organizational complexity; a fixed quarterly schedule is overly prescriptive and not a universal rule.
1. ASIS International. (2021). Protection of Assets (POA), Crisis Management. Section 3.5.3, "Training, Drills, and Exercises." This section emphasizes that plans must be validated and personnel skills maintained through a program of drills and exercises, stating, "A crisis management plan that is not tested is of little value... Drills and exercises are the primary tools for testing the plan."
2. Federal Emergency Management Agency (FEMA). (2020). Homeland Security Exercise and Evaluation Program (HSEEP). Chapter 2, "Exercise Program Management." The doctrine establishes that exercises are "the primary tool for assessing preparedness and identifying gaps" and are essential for "validating plans and procedures, and training and familiarizing personnel."
3. Borodzicz, E. P. (2005). Risk, Crisis and Security Management. John Wiley & Sons. Chapter 8, "Training and Exercising." The text explains that training and exercising are critical for developing competence and confidence in emergency response. It states that exercises are necessary to "test the viability of plans" and "reinforce training" to ensure procedures are workable in a real event.
Question 8
A. This describes the total or aggregate residual risk profile of an organization, not the fundamental definition. Residual risk is first calculated on a per-threat basis.
C. This is the basic formula for calculating inherent risk or initial risk (Risk = Threat x Vulnerability), not the risk remaining after controls are applied.
D. This is an illogical and incorrect formula. Countermeasures are designed to reduce risk, not act as a multiplier in a risk calculation.
1. Fischer, R. J., Halibozek, E., & Walters, D. C. (2019). Introduction to Security (10th ed.). Butterworth-Heinemann. In Chapter 5, "The Role of Risk Analysis in Security," the concept is explained as the risk that "remains after countermeasures have been implemented." The process described involves analyzing individual risks, applying countermeasures, and then determining the leftover or residual risk for those specific items.
2. National Institute of Standards and Technology (NIST). (2012). Guide for Conducting Risk Assessments (NIST Special Publication 800-30, Revision 1). In Appendix F, Glossary, "Residual Risk" is defined as the "Portion of risk remaining after security controls have been applied." The entire methodology of the guide is based on assessing risk from specific threat events (Section 2.2.2) and then determining the residual risk for those events after controls are considered (Section 2.4).
3. ASIS International. (2012). Protection of Assets (POA). Alexandria, VA: ASIS International. The Security Management volume details the risk management process. It specifies that after risk analysis and the application of countermeasures, a residual risk remains. This evaluation is performed for the specific risks identified during the assessment to determine if they are at an acceptable level for the organization.
Question 9
A. Pin core: This refers to a component of a mechanical lock cylinder, not an electronic intrusion detection system.
B. Pick resistant: This is a characteristic describing a mechanical lock's ability to withstand covert manipulation, not a type of sensor.
D. Electro-mechanical: This is a broad classification of devices. While a safe might use an electro-mechanical bolt switch, a capacitance sensor is the specific technology used for proximity detection.
1. Fischer, R. J., Halibozek, E., & Walters, D. C. (2019). Introduction to Security (10th ed.). Butterworth-Heinemann. In Chapter 11, "Physical Security I: The Role of Barriers, Alarms, and Lighting," the text describes interior intrusion sensors, noting that capacitance proximity detectors are used to protect specific objects like safes and filing cabinets by sensing a change in the electrical field when a person approaches. (See section on "Proximity or Capacitance Detectors").
2. Garcia, M. L. (2007). The Design and Evaluation of Physical Protection Systems (2nd ed.). Butterworth-Heinemann. Chapter 5, "Detection and Assessment," discusses interior sensors. It explains that proximity sensors, including capacitance types, are used to detect an intruder touching or coming near a specific asset, with safes and vaults being primary examples of their application (pp. 89-90).
3. ASIS International. (2016). Protection of Assets (POA), Physical Security. In the volume on Physical Security, the section covering Interior Intrusion Detection Systems details the function of capacitance proximity detectors. It explicitly states their common application is for the protection of metal objects, including safes, vaults, and file cabinets, by detecting the change in capacitance caused by a human body.
Question 10
A. Losses would be expected but unintended by the insured: This describes an insurable risk. Losses must be unintended (fortuitous), and insurers use statistics to expect losses across a large pool of insureds.
C. The risk is predictable through the law of large numbers: This is a core principle that makes a risk insurable, not uninsurable. It allows insurers to forecast losses and set appropriate premiums.
D. The risk would be worth the cost but not the effort to insure: This reflects a subjective business decision by the potential insured, not an inherent characteristic that makes the risk uninsurable from an insurer's perspective.
1. Fischer, R. J., Halibozek, E., & Walters, D. C. (2019). Introduction to Security (10th ed.). Butterworth-Heinemann. In the discussion of risk transfer, the text outlines the requirements for an insurable risk, emphasizing that a loss must be measurable and definite in time, place, and amount. A failure to meet this criterion, as described in option B, renders a risk uninsurable. (Chapter 4, Risk Management).
2. Vaughan, E. J., & Vaughan, T. (2013). Fundamentals of Risk and Insurance (11th ed.). Wiley. Chapter 2, "The Problem of Risk," lists the "Requisites of an Insurable Risk." Among these are that the loss must be "definite and measurable." The text explains, "It must be possible to determine that a loss has taken place, and it must be possible to measure the value of the loss." This directly supports why option B describes an uninsurable risk. (pp. 26-27).
3. ASIS International. (2021). Protection of Assets (POA), Business Principles. This foundational text for the CPP exam details the principles of risk management. In the section on Risk Treatment/Mitigation, the criteria for transferring risk via insurance are explained. A key criterion is that the loss must be quantifiable and tied to a specific event, without which an insurance contract cannot be properly structured or executed. (Risk Management volume, Section on Risk Transfer).
Question 11
B. laminated steel. Laminated steel is primarily used to enhance a safe's resistance to physical (burglary) attacks, not for heat dissipation.
C. vacuum. A vacuum is an excellent insulator that prevents heat transfer, but it is not a practical design for safes and does not actively dissipate heat like the steaming process.
D. carbon. While some specialized fire-resistant materials may contain carbon, it is not the primary agent for heat dissipation in standard record safes; moisture is the key component.
1. Fennelly, L. J. (Ed.). (2021). Protection of Assets: Physical Security. ASIS International. Chapter 5, "Barriers, Locks, and Safes," Section: "Fire-Resistive Safes and Containers." The text explains that the insulation in fire-rated safes contains moisture that turns to steam to absorb heat and protect the contents.
2. Underwriters Laboratories. (2016). UL 72: Standard for Tests for Fire Resistance of Record Protection Equipment. Section 1.1. This standard's testing protocol is based on a safe's ability to limit the internal temperature rise, a performance characteristic achieved by designs incorporating moisture-releasing insulation that creates steam.
3. Garcia, M. L. (2008). The Design and Evaluation of Physical Protection Systems (2nd ed.). Butterworth-Heinemann. Chapter 4, "Delay," pp. 85-86. The book discusses the construction of fire-resistant containers, noting the use of materials like gypsum that release water vapor when heated to keep internal temperatures low.
Question 12
A. Gathering specific cost information is a tactical step performed only after security requirements, which are derived from corporate goals, have been defined.
B. Estimating a share of the corporate budget is a reactive, top-down approach that may not reflect the actual security needs required to support business objectives.
C. Determining minimum staffing levels is a component of the budget, but it must be based on the services needed to achieve security objectives aligned with corporate strategy.
1. ASIS International. (2021). Protection of Assets (POA), Business Principles. Alexandria, VA: ASIS International. The section on Financial Management emphasizes that a budget is the financial expression of a plan, and the plan must be derived from the organization's goals and objectives. The process begins with understanding the business context.
2. Sennewald, C. A., & Baillie, C. (2020). Effective Security Management (7th ed.). Butterworth-Heinemann. In Chapter 10, "Budgeting for Security," it is stated, "The security budget must be based on the needs of the organization... The security manager must understand the organization's mission, goals, and objectives to develop a budget that supports them." (p. 121).
3. Fischer, R. J., Halibozek, E., & Green, G. (2022). Introduction to Security (11th ed.). Butterworth-Heinemann. Chapter 4, "Management of Security," discusses the necessity for security managers to align their department's functions and financial planning with the broader business objectives to demonstrate value and gain support.
Question 13
A. A nondisclosure agreement is a legal mechanism used to enforce a policy, not a mandatory component of the policy document itself.
B. Classifying information into multiple levels is a best practice for risk management but not a universal requirement for a policy to be valid.
C. A non-compete agreement is a separate legal contract concerning post-employment activities and is distinct from an information protection policy.
1. ASIS International. (2021). Protection of Assets: Information Security. Alexandria, VA: ASIS International. In the chapter on Information Security Governance, the development of security policies is detailed. It is a core principle that a policy must clearly define its scope, which includes identifying the specific information assets and data types that the policy is intended to protect (Chapter 2, Section: "Policy, Standards, and Guidelines").
2. Fischer, R. J., Halibozek, E., & Walters, D. C. (2019). Introduction to Security (10th ed.). Butterworth-Heinemann. In Chapter 15, "Information Security," the text states that an effective information security policy must "define what information is considered sensitive and proprietary" to provide clear direction to employees (p. 385).
3. Peltier, T. R. (2013). Information Security Policies, Procedures, and Standards: A Practitioner's Reference. Auerbach Publications. Chapter 3, "Developing and Implementing Security Policies," emphasizes that a critical early step is to identify and inventory information assets. The policy document must then explicitly define the types of information to be protected to be effective (Section 3.2, "Policy Development Life Cycle"). DOI: https://doi.org/10.1201/b15782
Question 14
B. financial risk: This pertains to a company's capital structure, credit, liquidity, and market fluctuations (e.g., interest rates), not the governmental policies that may influence them.
C. economic risk: This relates to broader macroeconomic factors such as inflation, recession, currency exchange rates, and GDP growth, rather than specific laws or regulations.
D. institutional risk: This is a broader concept concerning the stability and quality of a country's formal and informal institutions (e.g., legal system, property rights), but political risk is the more precise term for specific government policies.
1. ASIS International. (2021). Protection of Assets: Security Management. Alexandria, VA: ASIS International. In the chapter on "Global Business Environment," the PESTLE (Political, Economic, Social, Technological, Legal, and Environmental) analysis model is discussed. The 'Political' and 'Legal' components explicitly cover government policy, political stability, tax policy, labor law, and other regulations that constrain business, which are all forms of political risk. (Section on Strategic Planning and the External Environment).
2. An, H., & Chen, Y. (2021). The effect of political risk on corporate risk-taking: A literature review. Finance Research Letters, 43, 101978. https://doi.org/10.1016/j.frl.2021.101978. This academic review defines political risk as stemming from "government actions which interfere with or prevent business transactions, or change the terms of agreements, or cause the confiscation of wholly or partially-owned business property," directly linking government policy and regulation to the concept. (Section 1. Introduction).
3. Rice, G., & Zeglat, D. (2012). The Process of Risk Management in an International Context. In Global Business: An Economic, Social, and Environmental Perspective. The Saylor Foundation. This university-level text states, "Political risk refers to the political forces and government actions that could negatively affect a company's operations and profits." It lists examples such as changes in regulations and legal constraints. (Chapter 11, Section 11.2).
Question 15
A. Humans work only to satisfy basic needs: This describes the motivational assumption behind Theory X (related to Maslow's lower-order needs), but B describes the actual management technique applied, which is more specific to the question.
C. The average human seeks responsibility and job satisfaction: This is a core assumption of Theory Y, which presents a more optimistic and participative view of employees.
D. Work is as natural as play or rest: This is a fundamental tenet of Theory Y, directly contradicting the Theory X assumption that people inherently dislike work.
1. ASIS International. (2021). Protection of Assets (POA), Business Principles. Alexandria, VA: ASIS International. In the chapter on "Management and Leadership," the section on "Theories of Motivation" explicitly states that under Theory X, "most people must be coerced, controlled, directed, and threatened with punishment to get them to put forth adequate effort toward the achievement of organizational objectives."
2. McGregor, D. (1960). The Human Side of Enterprise. McGraw-Hill. In Chapter 3, "Theory X: The Traditional View of Direction and Control," McGregor outlines the core proposition that management must use threats and coercion because of the average human's inherent dislike for work (pp. 33-34).
3. Carson, C. M. (2005). A historical view of Douglas McGregor's Theory Y. Management Decision, 43(3), 450-460. https://doi.org/10.1108/00251740510589814. This article reviews McGregor's original work, reaffirming that Theory X is characterized by a management style of "coercion and control" (p. 452).
Question 16
A. Checking with police is a reactive step that focuses on external threats before a comprehensive internal vulnerability assessment has been completed.
C. Recommending high-security seals is a premature solution; the consultant must first determine if seal integrity is actually the point of failure.
D. Employing GPS is a reactive tracking measure, not a proactive first step to identify and mitigate the root cause of the theft itself.
1. Fischer, R. J., Halibozek, E., & Walters, D. C. (2019). Introduction to Security (10th ed.). Butterworth-Heinemann. In Chapter 12, "The Security Survey," the text emphasizes that the initial phase involves collecting data, which includes a detailed review of all relevant policies, procedures, and records to understand the current state of operations and identify weaknesses.
2. ASIS International. (2021). Protection of Assets (POA), Security Management. In the section on "Security Surveys and Risk Assessments," the methodology prescribed begins with understanding the facility's mission and operations. This includes a comprehensive review of existing procedures, such as shipping, receiving, and inventory control, to identify exploitable weaknesses before considering external factors or specific countermeasures.
3. ASIS International. (2021). Protection of Assets (POA), Physical Security. The chapter on "Warehouse and Distribution Center Security" explicitly states that procedural controls, including documentation verification, shipping/receiving protocols, and inventory management, are the first line of defense against theft. An assessment of these procedures is the starting point for any security review.
Question 17
A. Obtaining a consultant's analysis is a method for identifying needs, not the fundamental first step itself, which is the identification of tasks.
B. Operating costs can only be accurately estimated after the required tasks, and the associated personnel and resources, have been clearly defined.
D. An implementation timeline is a project management tool that can only be developed once the scope of work (the tasks) and resources are known.
1. ASIS International. (2021). Protection of Assets (POA), Security Management volume. In the section "The Security Function in an Organization," the text emphasizes that the role and structure of the security department are derived from the organization's specific needs and the risks it faces. The process begins with a risk assessment to identify necessary protective functions (tasks) before organizational and budgetary decisions are made. (Specific chapter/page varies by edition, but this principle is foundational to the Security Management domain).
2. Fischer, R. J., Halibozek, E., & Walters, D. C. (2019). Introduction to Security (10th ed.). Butterworth-Heinemann. Chapter 5, "Planning, Organization, and Evaluation," explains that the security planning process begins with an assessment of needs and the establishment of objectives. These objectives are then translated into the specific functions and tasks the security department will perform, which precedes organizational structuring and budgeting.
3. Sennewald, C. A., & Baillie, C. (2020). Effective Security Management (7th ed.). Butterworth-Heinemann. Chapter 3, "The Security Function: Its Place in the Organization," details that the security manager's first responsibility is to understand the protection needs of the organization. This understanding forms the basis for defining the security department's duties (tasks), which then informs staffing, policy, and budget.
Question 18
A. supply chain management: This refers to the overall management of the flow of goods and services, not a specific agreement for emergency facility use.
C. emergency response agency: This term typically applies to public sector entities like fire departments, police, or civil defense, not private companies assisting each other.
D. business support network: This is a broad, generic term. "Mutual aid association" is the precise and standard terminology in emergency management for this type of formal agreement.
1. ASIS International. (2012). Protection of Assets: Crisis Management and Business Continuity. Alexandria, VA: ASIS International. In the section on Business Continuity, recovery strategies are discussed, including "reciprocal or mutual aid agreements with other organizations" as a method for securing alternate facilities and resources (Chapter 4, Section 4.3.2, Alternate Sites).
2. Fischer, R. J., Halibozek, E., & Green, G. (2014). Introduction to Security (9th ed.). Butterworth-Heinemann. Chapter 16, "Emergency Management and Counterterrorism," discusses the importance of inter-organizational cooperation, stating that "Mutual aid agreements are agreements between agencies, organizations, and jurisdictions to provide assistance across boundaries when needed."
3. ASIS International. (2017). ASIS Business Continuity Management System Standard (ASIS BCM.01-2017). This standard outlines requirements for a business continuity management system, where Section 8.4.3, "Business continuity strategies and solutions," includes establishing arrangements for alternate resources, which commonly take the form of mutual aid agreements.
Question 19
B. stimulants. Stimulants (e.g., cocaine, amphetamines) produce opposite effects, such as increased energy, alertness, and hyperactivity, rather than the sedation caused by alcohol.
C. hallucinogens. Hallucinogens (e.g., LSD) primarily alter perception, thought, and mood, causing hallucinations, which are not the defining symptoms of alcohol intoxication.
D. narcotics. While narcotics (opioids) are also CNS depressants, "depressants" is the broader and more precise pharmacological category that includes alcohol itself.
1. ASIS International. (2021). Protection of Assets: Security Management. Alexandria, VA. The manual's sections on workplace substance abuse and employee assistance programs categorize alcohol as a CNS depressant, grouping its effects and symptoms with other drugs in that class.
2. University of Minnesota Libraries Publishing. (2015). Introduction to Psychology. Chapter 5.2, "Altering Consciousness with Psychoactive Drugs." This university text explicitly states, "A depressant is a psychoactive drug that reduces the activity of the CNS. Alcohol is the most widely used depressant." (https://doi.org/10.24926/8668.2301)
3. Fischer, R. J., Halibozek, E. P., & Walters, D. C. (2019). Introduction to Security (10th ed.). Butterworth-Heinemann. In Chapter 11, "Emergency Management: The Human Element," the text discusses substance abuse, classifying alcohol as a depressant and outlining its effects on behavior and coordination, which are relevant to security and safety protocols.
Question 20
A. Defining critical business processes: This is a primary function of a Business Impact Analysis (BIA), which is typically led by senior management and business continuity professionals, not the emergency plan coordinator.
C. Deciding whether to evacuate the building: This is a real-time, tactical decision made during an incident by the designated authority on-site, such as an incident commander, emergency response team leader, or senior executive.
D. Determining levels of insurance coverage: This is a strategic financial and risk management function, typically handled by the organization's risk management department, chief financial officer (CFO), or senior leadership.
1. Fennelly, L. J., & Perry, M. A. (Eds.). (2021). The Professional Protection Officer: Practical Security Strategies and Emerging Trends (9th ed.). Butterworth-Heinemann. In the context of emergency planning roles, the text outlines that the coordinator or manager is responsible for "maintaining and updating all components of the emergency plan" (Chapter 18, Emergency Planning, Section: The Emergency Plan).
2. Federal Emergency Management Agency (FEMA). (2021). Comprehensive Preparedness Guide (CPG) 101: Developing and Maintaining Emergency Operations Plans, Version 3.0. Washington, D.C. Step 6 of the planning process, "Plan Implementation and Maintenance," explicitly states that the planning team, led by the emergency manager/coordinator, is responsible for establishing a "formal, cyclic review process to ensure [plans] are kept current." (p. 6-1).
3. Coppola, D. P. (2020). Introduction to International Disaster Management (4th ed.). Butterworth-Heinemann. This text, widely used in university emergency management programs, describes the emergency planning process as a continuous cycle. It emphasizes that after a plan is developed, the emergency manager's role shifts to "a cycle of training and exercising, and plan evaluation and revision." (Chapter 7, The Practice of Disaster Management: The Plan, Section: The Planning Process).
Question 21
A. $25.00: This amount of sales would only generate $1.25 in profit ($25.00 x 0.05), which is insufficient to cover the $50 loss.
B. $250.00: This amount of sales would only generate $12.50 in profit ($250.00 x 0.05), failing to offset the full $50 loss.
D. $10,000.00: This amount of sales would generate $500 in profit ($10,000.00 x 0.05), which is ten times more than needed to offset the $50 loss.
1. ASIS International. (2021). Protection of Assets: Business Principles. Alexandria, VA: ASIS International. Chapter 2, "Financial Management," Section 2.3, "Financial Statements and Ratios." This section details the use of financial ratios like net profit margin to understand business performance and the financial impact of losses, illustrating the principle that sales must be generated to recover the profit lost from an incident.
2. Fennelly, L. J., & Perry, M. A. (Eds.). (2018). The Professional Protection Officer: Practical Security Strategies and Emerging Trends. Butterworth-Heinemann. Chapter 5, "The Business of Security," discusses the importance of security professionals understanding financial concepts to justify security measures and demonstrate value. The calculation to determine sales needed to offset losses is a key metric used in this context.
3. Fischer, R. J., Halibozek, E., & Green, G. (2022). Introduction to Security (11th ed.). Butterworth-Heinemann. Chapter 4, "The Role of Security in Business Organizations," explains how security contributes to profitability by preventing losses. It provides the framework for calculating the revenue replacement value of a loss based on the organization's profit margin.
Question 22
B. Awareness of the plan by employees: Employee awareness is a crucial outcome and component of the program's implementation phase, not the governing factor for its initial planning.
C. Indoctrination training of newly assigned personnel: This is a specific tactical element within the broader program. It is part of the execution, not the foundational principle that governs planning.
D. Employee background screening program: This is a specific security control or procedure. It is a component of an asset protection program, not the key factor that governs its overall planning.
1. Fischer, R. J., Halibozek, E., & Walters, D. C. (2019). Introduction to Security (10th ed.). Butterworth-Heinemann. In Chapter 5, "The Role of the Security Manager," the text emphasizes that gaining and maintaining the support of top management is a primary and essential responsibility for the security leader, as this support underpins the entire security function's authority and resources.
2. ASIS International. (2021). Protection of Assets (POA), Security Management. In the chapter "Strategic Planning and Management," it is established that the foundation of a successful security program is its alignment with the organization's mission and goals, which can only be achieved with the direction and endorsement of top management. This support is a prerequisite for effective planning.
3. ASIS International. (2012). ASIS/BSI Business Continuity Management Systems: Requirements with Guidance for Use. (ASIS BCM.1-2010). Section 4.2, "Management Commitment," states that top management shall demonstrate its commitment to establish, implement, operate, monitor, review, maintain, and improve the management system, which is a foundational principle applicable to all organizational protection programs.
Question 23
B. issue and enforce the use of clearance badges. This is an access control measure implemented after information has been classified and access requirements have been defined.
C. prescreen and conduct background checks on all employees. This personnel security control is guided by the sensitivity of the information an employee will access, which is determined during classification.
D. restrict and control access to file rooms. This is a physical security control applied to protect assets that have already been identified as sensitive and valuable.
1. Fennelly, L. J., & Perry, M. A. (Eds.). (2021). The Professional Protection Officer: Practical Security Strategies and Emerging Trends (9th ed.). Butterworth-Heinemann. In Chapter 13, "Information Security and Computer Technology," the text emphasizes that the first step is to "identify and classify the information to be protected."
2. ASIS International. (2012). Protection of Assets (POA), Information Security. Alexandria, VA: ASIS International. The volume on Information Security, in its discussion of building an information protection program, establishes that the process begins with an inventory and classification of information assets (Chapter 2, "Information Security Program").
3. International Organization for Standardization. (2022). ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection – Information security management systems – Requirements. In Annex A, Control A.5.12 "Classification of information," the standard states, "Information should be classified according to the information security needs of the organization... based on confidentiality, integrity, availability and relevant interested party requirements." This classification is a prerequisite for applying other controls.
Question 24
A. Microwave sensor: Microwave sensors detect motion using the Doppler effect on reflected radio waves. Their performance is generally not affected by changes in ambient temperature, light, or air currents.
B. Ultrasonic sensor: While extreme air turbulence caused by temperature changes can affect ultrasonic sensors (which rely on sound waves), the effect is less direct and certain than the thermal masking experienced by a PIR sensor at this specific temperature.
C. Photoelectric beam sensor: This sensor detects the physical interruption of a light beam. Ambient temperature changes within an enclosed space do not impact this detection principle.
1. ASIS International. (2021). Protection of Assets (POA): Physical Security. Section 3.4.3.2, Intrusion Detection Sensors. This section details the operating principles of various sensors, explicitly stating that PIR sensors are vulnerable to thermal masking when the ambient temperature approaches that of a human intruder.
2. Garcia, M. L. (2012). The Design and Evaluation of Physical Protection Systems (2nd ed.). Butterworth-Heinemann. In Chapter 5, "Intrusion Detection," the text explains that the primary limitation of PIR sensors is their reliance on a temperature differential, noting that detection probability decreases significantly as the background temperature approaches the target's temperature.
3. Fennelly, L. J., & Perry, M. A. (2021). Effective Physical Security (6th ed.). Butterworth-Heinemann. Chapter 11, "Intrusion Detection Systems," discusses the environmental limitations of sensors, highlighting that PIR detectors can be "defeated" when the background temperature is the same as an intruder's body temperature. (ISBN: 978-0128202596)
Question 25
A. Bomb evaluation and assessment response (BEAR) team: This term is not a standard, widely recognized acronym in ASIS literature. It is too specific to bomb threats, whereas the question refers to a general "incident."
B. Bomb assessment team (BAT): While such a team may exist within a bomb threat response plan, its scope is limited exclusively to assessing bomb threats, not all types of incidents as implied by the question.
C. Bomb threat response team (BTRT): This team is focused on the operational response to a bomb threat (e.g., search, evacuation), not necessarily the initial evaluation and decision-making process on the threat's credibility.
1. ASIS International. (2019). Protection of Assets (POA). Alexandria, VA: ASIS International. In the Security Management volume, the concept of a threat management team is detailed. It describes this team as a multidisciplinary group responsible for the evaluation of threats and advising on a response, which aligns with the function of a TET. (Specific reference to the section on Workplace Violence Prevention and Threat Management).
2. ASIS International. (2020). ASIS/ANSI WVPI.1-2020: Workplace Violence and Active Assailant – Prevention, Intervention, and Response Standard. Alexandria, VA: ASIS International. Section 7.3, "Threat Management Program," outlines the requirement for a "multidisciplinary threat management team" responsible for "assessing and managing threats of violence." This team's function is precisely to make informed decisions based on available information.
3. Fischer, R. J., Halibozek, E., & Walters, D. C. (2019). Introduction to Security (10th ed.). Butterworth-Heinemann. Chapter 15, "Emergency Management: Preparedness and Response," discusses the formation of crisis and threat assessment teams. It emphasizes their role in gathering intelligence and making informed recommendations, which is the core function described in the question. (Note: This is a widely used academic text in security management programs and aligns with ASIS principles).
Question 26
A. copyright: This protects original works of authorship like books, music, and art, not the functional aspects of an invention.
B. trademark: This protects brand identifiers such as names, logos, and slogans used to distinguish goods or services in the marketplace.
D. trade secret: This is proprietary information protected by maintaining its confidentiality, not by a formal government grant of exclusive rights.
1. Fischer, R. J., Halibozek, E., & Walters, D. C. (2019). Introduction to Security (10th ed.). Butterworth-Heinemann. In the context of proprietary information, the text distinguishes between patents as a grant for inventions and other forms of intellectual property. (Chapter on Information Security).
2. World Intellectual Property Organization (WIPO). (n.d.). What is a Patent? WIPO. Retrieved from https://www.wipo.int/patents/en/. "A patent is an exclusive right granted for an invention... a patent provides the patent owner with the right to decide how - or whether - the invention can be used by others."
3. United States Patent and Trademark Office (USPTO). (n.d.). General information concerning patents. USPTO.gov. Retrieved from https://www.uspto.gov/patents/basics/general-information-patents. "A U.S. patent is a property right granted to an inventor 'to exclude others from making, using, offering for sale, or selling the invention throughout the United States or importing the invention into the United States' for a limited time..."
4. Cornell Law School Legal Information Institute (LII). (n.d.). Patent. In Wex Legal Dictionary/Encyclopedia. Retrieved from https://www.law.cornell.edu/wex/patent. "A patent is an exclusive right granted by a government to an inventor to manufacture, use, or sell an invention for a certain number of years."
Question 27
A. Human-resources strategy concerns staffing and personnel policies, not the evaluation of protective countermeasures at the end of a risk assessment.
C. Insurance is one possible risk-transfer option, but the final step is to weigh all proposed security controls, not only insurance.
D. Risk strategy (accept, avoid, or transfer the risk) is selected earlier in the process; cost/benefit analysis is applied specifically to the chosen security controls afterward.
1. ASIS International. (2010). General Security Risk Assessment Guideline (rev. 2010). Clause 7, "Identify and Assess Possible Risk Control Measures," ¶4: "Conduct a cost/benefit analysis of each proposed security measure..."
2. ASIS International. (2012). Protection of Assets (POA): Security Management. Alexandria, VA: ASIS International. Chapter 3, "Risk Analysis," pp. 3-12: "The final phase is an economic analysis comparing the cost of safeguards with expected loss reduction."
3. ANSI/ASIS/ISO 31000:2010. Section 6.3.3, "Risk Treatment – Selection of options," notes that treatment options must be evaluated for cost-effectiveness before implementation.
Question 28
B. The number of occupants and visitors is a critical data point for risk assessment and system design (e.g., for access control throughput), but it is an input to the plan, not the overarching principle of the final scheme itself.
C. Countermeasures should be based on a risk analysis specific to each tenant's assets and operations. Applying equal protection is inefficient and ineffective, as a high-risk tenant (e.g., a jewelry store) requires different controls than a low-risk one (e.g., a small administrative office).
D. Agreements with utility suppliers are crucial for business continuity, but they should be formal, written contracts or Service Level Agreements (SLAs), not verbal. This is also only one specific component, not the core of the overall protection scheme.
1. Fennelly, L. J., & Perry, M. A. (Eds.). (2021). Protection of Assets: Physical Security. ASIS International. In the chapter "Security in the Built Environment," the text emphasizes the division of security responsibilities between landlord and tenant. It states, "The landlord is responsible for providing a safe and secure environment in the common areas of the building... The tenant is responsible for securing its own space." (Section on Commercial Office Buildings). This division necessitates a cooperative framework for an effective overall plan.
2. ASIS International. (2019). Physical Asset Protection Standard (ASIS PAP-2019). This standard highlights the importance of identifying stakeholders and defining their roles and responsibilities as a key component of developing a physical protection system (PPS). In a multi-tenant scenario, the owner and tenants are primary stakeholders whose cooperation is essential for defining and implementing these roles. (See Section 5: The Physical Asset Protection Management Process).
3. Garcia, M. L. (2008). The Design and Evaluation of Physical Protection Systems (2nd ed.). Butterworth-Heinemann. The book outlines that an effective Physical Protection System (PPS) is an integrated system. In a multi-tenant building, integration between the base building's security and each tenant's security is impossible without a cooperative effort and clear agreements on interfaces, procedures, and responsibilities. (See Chapter 2: The Systems Approach).
Question 29
B. Workers' compensation and unemployment claims: These are specific forms of fraud, often handled primarily by Human Resources or specialized insurance investigators, not the most common general security issue.
C. Vendor and contractor abuses: This is a specific and significant form of fraud, but it is less universally encountered by all security professionals than general employee theft.
D. Wage and overtime violations: These are often compliance or HR issues. When they involve employee dishonesty (e.g., timecard fraud), they fall under the broader category of fraud.
1. ASIS International. (2021). Protection of Assets (POA), Investigations. This volume extensively covers the methodologies for investigating internal and external crimes against an organization, with theft and fraud being the primary subjects. The entire volume is predicated on these two areas being the core of security investigations.
2. Fischer, R. J., Halibozek, E., & Green, G. (2022). Introduction to Security (11th ed.). Butterworth-Heinemann. Chapter 12, "White-Collar Crime," explicitly discusses various forms of fraud, while other chapters on physical and personnel security focus on theft prevention as a primary goal. The text establishes these as the foundational crimes security professionals address.
3. Sennewald, C. A., & Baillie, C. (2020). Effective Security Management (7th ed.). Butterworth-Heinemann. Chapter 10, "The Investigative Process," details that investigations are typically initiated in response to losses, with theft and fraud being the most common causes requiring a security response.
Question 30
A. Organizing: This function deals with structuring resources and delegating tasks to implement the plan, a distinct activity from creating the financial plan itself.
C. Directing: This involves leading and motivating personnel to carry out plans. Budgeting provides financial parameters but is not the act of directing people.
D. Controlling: This function uses the completed budget as a benchmark to compare actual results against the plan, but the initial development of the budget is a planning function.
1. Fischer, R. J., Halibozek, E., & Walters, D. C. (2019). Introduction to Security (10th ed.). Butterworth-Heinemann. In discussions of security management, budgeting is consistently presented as a key component of the planning phase, where resources are allocated to meet security objectives.
2. ASIS International. (2021). Protection of Assets (POA), Business Principles. In the chapter "Management Principles and Practices," planning is defined as the function that involves setting goals and deciding how to achieve them. The text explicitly lists budgeting as a primary planning activity. It states, "Planning... includes activities such as forecasting, developing objectives, programming, scheduling, and budgeting."
3. Carpenter, M., Bauer, T., & Erdogan, B. (2012). Principles of Management. University of Minnesota Libraries Publishing. In Chapter 6, "Planning," Section 6.4, "Types of Plans," budgets are described as "a type of plan that is formally prepared and expressed in financial terms." This positions budgeting squarely within the planning function. (Available via University of Minnesota, an open-source university text).