PrepAway - Latest Free Exam Questions & Answers

Which of the following steps comes first in the process of rolling out a security program?

Before an effective physical security program can be rolled out, a number of steps must be taken. Which of the following steps comes first in the process of rolling out a security program?


A.
Create countermeasure performance metrics.

B.
Conduct a risk analysis.

C.
Design the program.

D.
Implement countermeasures.

Explanation:
B: Of the steps listed, the first in the process of rolling out an effective physical security program is to carry out a risk analysis to identify the vulnerabilities and threats and to calculate the business impact of each threat. Before this is done, however, a team of internal employees and/or external consultants needs to be identified to build the physical security program. The team presents the risk analysis findings to management and works with them to define an acceptable risk level for the physical security program. From there, the team must develop baselines and metrics in order to evaluate whether the baselines are being met by the implemented countermeasures. Once the team identifies and implements the countermeasures, the performance of these countermeasures should be continually evaluated and expressed in the previously created metrics. These performance values are compared to the set baselines. If the baselines are continually maintained, the security program is successful because the company's acceptable risk level is not being exceeded.
A is incorrect because, of the steps listed, creating countermeasure performance metrics is not the first step in creating a physical security program. It is, however, a very important one, because it is only possible to determine how beneficial and effective the program is if it is monitored through a performance-based approach. This means you should devise measurements and metrics to measure the effectiveness of the chosen countermeasures. This enables management to make informed business decisions when investing in the protection of the organization's physical security. The goal is to increase the performance of the physical security program and decrease the risk to the company in a cost-effective manner. You should establish a baseline of performance and thereafter continually evaluate performance to make sure that the company's protection objectives are being met. Examples of possible performance metrics include the number of successful crimes, the number of successful disruptions, and the time it took for a criminal to defeat a control.
C is incorrect because designing the program should take place after the risk analysis. Once the level of risk is understood, the design phase can take place to protect against the threats identified in the risk analysis. The design will incorporate the controls required for each category of the program: deterrence, delaying, detection, assessment, and response.
D is incorrect because implementing countermeasures is one of the last steps in the process of rolling out a physical security program. Before countermeasures can be identified and implemented, it is important to conduct a risk analysis and work with management to define an acceptable level of risk. From the acceptable risk level, the team should derive the required performance baselines and then create countermeasure performance metrics. Next, the team should develop criteria from the results of the analysis, outlining the level of protection and performance required for deterrence, delaying, detection, assessment, and response. Only after these steps are completed should the team identify and implement countermeasures for each of these categories.

One Comment on “Which of the following steps comes first in the process of rolling out a security program?”

  1. joe says:

    The first in the process of rolling out an effective physical security program is to carry out a risk analysis to identify the vulnerabilities and threats, and calculate the business impact of each threat.

    The first step in the process of rolling out an effective physical security program is to conduct a risk analysis, identify the vulnerabilities and threats, and calculate the business impact of each threat on the business.
