supplements CDSE Certification Preparatory Tools
(CPTs) for the Security Asset Protection
Professional Certification (SAPPC). Content covers
General Security
The five-step OPSEC process - Answer: 1. Identify critical information 2. Analyze threats
3. Analyze vulnerabilities 4. Assess risks 5. Apply OPSEC countermeasures
Ways to protect critical information - Answer: Disclose information about your mission and
organization judiciously and on a need-to-know basis. 1. Do not discuss your work in public
places or where others can overhear your conversation 2. Do not discuss critical information on
unencrypted telephones 3. Do not include critical information in unencrypted e-mail messages
4. Do not reveal critical information, indicators, or personal information on the Internet 5. Shred
paper documents before placing them in the trash 6. Refer all inquiries from the press to your
organization's public affairs office
OPSEC countermeasures - Answer: 1. Minimize predictable patterns 2. Conceal indicators that
may point to critical information 3. Make indicators seem unimportant 4. May be as simple as
choosing not to talk about something 5. Protect critical information
Five categories of risk process assets - Answer: 1. Assess assets (identify value of asset and
degree of impact if asset is damaged or lost) 2. Assess threats (type and degree of threat) 3.
Assess vulnerabilities (identification and extent of vulnerabilities) 4. Assess risks (calculation of
risks) 5. Determine countermeasures (security countermeasure options that can reduce or
mitigate risks cost effectively)
Five categories of assets - Answer: 1. People 2. Information 3. Equipment 4. Facilities 5.
Activities & Operations
Risk vulnerability ratings - Answer: Critical - no effective countermeasure 75-100; High - some
countermeasures but multiple weaknesses 50-74; Medium - countermeasures in place with one
weakness 25-49; Low - effective countermeasures are in place 0-14
Risk management formula - Answer: Risk = Impact x (Threat x Vulnerability) or (R = I [T x V])
Risk management countermeasures - Answer: Manpower, Equipment, Procedures
Special Access Program (SAP) - Answer: A program established for a specific class of classified
information that imposes safeguarding and access requirements that exceed those normally
required for information at the same classification level
Enhanced security requirements for protecting Special Access Program (SAP) information -
Answer: 1. Within Personnel Security:
• Access Rosters; • Billet Structures (if required); • Indoctrination Agreement; • Clearance based
on an appropriate investigation completed within the last 5 years; • Individual must materially