CISSP - Certified Information Systems Security Professional Study Guide, 2nd Edition (2004)

Exam Essentials 581

Summary

If you don’t have control over the physical environment, no amount of administrative or technical/ logical access controls can provide adequate security. If a malicious person can gain physical access to your facility or equipment, they own it.

There are many aspects and elements to implementing and maintaining physical security. One of the core elements is selecting or designing the facility that will house your IT infrastructure and the operations of your organization. You must start with a plan that outlines the security needs of your organization and emphasizes methods or mechanisms to employ to provide security. Such a plan is developed through a process known as critical path analysis.

The security controls implemented to manage physical security can be divided into three groups: administrative, technical, and physical. Administrative physical security controls include facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures. Technical physical security controls include access controls, intrusion detection, alarms, CCTV, monitoring, HVAC, power supplies, and fire detection and suppression. Examples of physical controls for physical security include fencing, lighting, locks, construction materials, mantraps, dogs, and guards.

There are many types of physical access control mechanisms that can be deployed in an environment to control, monitor, and manage access to a facility. These range from deterrents to detection mechanisms. They can be fences, gates, turnstiles, mantraps, lighting, security guards, security dogs, key locks, combination locks, badges, motion detectors, sensors, and alarms.

The technical controls most often found employed as an access control mechanism to manage physical access include smart/dumb cards and biometrics. In addition to access control, physical security mechanisms can be in the form of audit trails, access logs, and intrusion detection systems.

An important aspect of physical access control and maintaining the security of a facility is protecting the basic elements of the environment and protecting human life. In all circumstance and under all conditions, the most important aspect of security is protecting people. Preventing harm is the utmost goal of all security solutions. Providing clean power sources and managing the environment are also important.

Fire detection and suppression must not be overlooked. In addition to protecting people, fire detection and suppression is designed to keep damage caused by fire, smoke, heat, and suppression materials to a minimum, especially in regard to the IT infrastructure.

Exam Essentials

Understand why there is no security without physical security. Without control over the physical environment, no amount of administrative or technical/logical access controls can provide adequate security. If a malicious person can gain physical access to your facility or equipment, they can do just about anything they want, from destruction to disclosure and alteration.

582 Chapter 19 Physical Security Requirements

Be able to list administrative physical security controls. Examples of administrative physical security controls are facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures.

Be able to list the technical physical security controls. Technical physical security controls can be access controls, intrusion detection, alarms, CCTV, monitoring, HVAC, power supplies, and fire detection and suppression.

Be able to name the physical controls for physical security. Physical controls for physical security are fencing, lighting, locks, construction materials, mantraps, dogs, and guards.

Know the key elements in making a site selection and designing a facility for construction.

The key elements in making a site selection are visibility, composition of the surrounding area, area accessibility, and the effects of natural disasters. A key element in designing a facility for construction is understanding the level of security needed by your organization and planning for it before construction begins.

Know how to design and configure secure work areas. There should not be equal access to all locations within a facility. Areas that contain assets of higher value or importance should have restricted access. Valuable and confidential assets should be located in the heart or center of protection provided by a facility. Also, centralized server or computer rooms need not be human compatible.

Understand how to handle visitors in a secure facility. If a facility employs restricted areas to control physical security, then a mechanism to handle visitors is required. Often an escort is assigned to visitors and their access and activities are monitored closely. Failing to track the actions of outsiders when they are granted access into a protected area can result in malicious activity against the most protected assets.

Know the three categories of security controls implemented to manage physical security and be able to name examples of each. The security controls implemented to manage physical security can be divided into three groups: administrative, technical, and physical. Understand when and how to use each and be able to list examples of each kind.

Know the common threats to physical access controls. No matter what form of physical access control is used, a security guard or other monitoring system must be deployed to prevent abuse, masquerading, and piggybacking. Abuses of physical access control are propping open secured doors and bypassing locks or access controls. Masquerading is using someone else’s security ID to gain entry into a facility. Piggybacking is following someone through a secured gate or doorway without being identified or authorized personally.

Understand the need for audit trails and access logs. Audit trails and access logs are useful tools even for physical access control. They may need to be created manually by security guards. Or they can be generated automatically if sufficiently automated access control mechanisms are in place (i.e., smart cards and certain proximity readers). You should also consider monitoring entry points with CCTV. Through CCTV, you can compare the audit trails and access logs with a visually recorded history of the events. Such information is critical to reconstructing the events of an intrusion, breach, or attack.

Exam Essentials 583

Understand the need for clean power. Power supplied by electric companies is not always consistent and clean. Most electronic equipment demands clean power in order to function properly. Equipment damage due to power fluctuations is a common occurrence. Many organizations opt to manage their own power through several means. A UPS (uninterruptible power supply) is a type of self-charging battery that can be used to supply consistent clean power to sensitive equipment. UPSs also provide continuous power even after the primary power source fails. A UPS can continue to supply power for minutes or hours depending on its capacity and the draw by equipment.

Know the terms commonly associated with power issues. Know the definitions of the following: fault, blackout, sag, brownout, spike, surge, inrush, noise, transient, clean, and ground.

Understand controlling the environment. In addition to power considerations, maintaining the environment involves control over the HVAC mechanisms. Rooms primarily containing computers should be kept at 60 to 75 degrees Fahrenheit (15 to 23 degrees Celsius). Humidity in a computer room should be maintained between 40 and 60 percent. Too much humidity can cause corrosion. Too little humidity causes static electricity.

Know about static electricity. Even on nonstatic carpeting, if the environment has low humidity, it is still possible to generate 20,000-volt static discharges. Even minimal levels of static discharge can destroy electronic equipment.

Understand the need to manage water leakage and flooding. Water leakage and flooding should be addressed in your environmental safety policy and procedures. Plumbing leaks are not an everyday occurrence, but when they do happen, they often cause significant damage. Water and electricity don’t mix. If your computer systems come in contact with water, especially while they are operating, damage is sure to occur. Whenever possible, locate server rooms and critical computer equipment away from any water source or transport pipes.

Understand the importance of fire detection and suppression. Fire detection and suppression must not be overlooked. Protecting personnel from harm should always be the most important goal of any security or protection system. In addition to protecting people, fire detection and suppression is designed to keep damage caused by fire, smoke, heat, and suppression materials to a minimum, especially in regard to the IT infrastructure.

Understand the possible contamination and damage caused by a fire and suppression. The destructive elements of a fire include smoke and heat, but they also include the suppression medium, such as water or soda acid. Smoke is damaging to most storage devices. Heat can damage any electronic or computer component. Suppression mediums can cause short circuits, initiate corrosion, or otherwise render equipment useless. All of these issues must be addressed when designing a fire response system.

584 Chapter 19 Physical Security Requirements

Review Questions

1.Which of the following is the most important aspect of security?

A.Physical security

B.Intrusion detection

C.Fire detection and suppression

D.Awareness training

2.What method can be used to map out the needs of an organization for a new facility?

A.Log file audit

B.Critical path analysis

C.Risk analysis

D.Inventory

3.What type of physical security controls focus on facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures?

A.Technical

B.Physical

C.Administrative

D.Logical

4.Which of the following is not a security-focused design element of a facility or site?

A.Separation of work and visitor areas

B.Restricted access to areas with higher value or importance

C.Confidential assets located in the heart or center of a facility

D.Equal access to all locations within a facility

5.Which of the following does not need to be true in order to maintain the most efficient and secure server room?

A.It must be human compatible.

B.It must include the use of non-water fire suppressants.

C.The humidity must be kept between 40 and 60 percent.

D.The temperature must be kept between 60 and 75 degrees Fahrenheit.

6.What is a perimeter-defining device used to deter casual trespassing?

A.Gates

B.Fencing

C.Security guards

D.Motion detectors

7.Which of the following is a double set of doors that is often protected by a guard and is used to contain a subject until their identity and authentication is verified?

A.Gate

B.Turnstile

C.Mantrap

D.Proximity detector

8.What is the most common form of perimeter security devices or mechanisms?

A.Security guards

B.Fences

C.CCTV

D.Lighting

9.Which of the following is not a disadvantage of using security guards?

A.Security guards are usually unaware of the scope of the operations within a facility.

B.Not all environments and facilities support security guards.

C.Not all security guards are themselves reliable.

D.Prescreening, bonding, and training does not guarantee effective and reliable security guards.

10.Which of the following is a benefit of security dogs?

A.Cost

B.Ability to act as a detection and deterrent mechanism

C.Level of maintenance

D.Insurance and liability requirements

11.What is the most common and inexpensive form of physical access control device?

A.Lighting

B.Security guard

C.Key locks

D.Fences

12.What type of motion detector senses changes in the electrical or magnetic field surrounding a monitored object?

A.Wave

B.Photoelectric

C.Heat

D.Capacitance

586 Chapter 19 Physical Security Requirements

13.Which of the following is not a typical type of alarm that can be triggered for physical security?

A.Preventative

B.Deterrent

C.Repellant

D.Notification

14.No matter what form of physical access control is used, a security guard or other monitoring system must be deployed to prevent all but which of the following?

A.Piggybacking

B.Espionage

C.Masquerading

D.Abuse

15.What is the most important goal of all security solutions?

A.Prevention of disclosure

B.Maintaining integrity

C.Human safety

D.Sustaining availability

16.What is the ideal humidity range for a computer room?

A.20–40 percent

B.40–60 percent

C.60–75 percent

D.80–95 percent

17.At what voltage level can static electricity cause destruction of data stored on hard drives?

A.4,000

B.17,000

C.40

D.1,500

18.A Type B fire extinguisher may use all but which of the following suppression mediums?

A.Water

B.CO2

C.Halon

D.Soda acid

19.What is the best type of water-based fire suppression system for a computer facility?

A.Wet pipe system

B.Dry pipe system

C.Preaction system

D.Deluge system

20.Which of the following is typically not a culprit in causing damage to computer equipment in the event of a fire and a triggered suppression?

A.Heat

B.Suppression medium

C.Smoke

D.Light

588 Chapter 19 Physical Security Requirements

Answers to Review Questions

1.A. Physical security is the most important aspect of overall security.

2.B. Critical path analysis can be used to map out the needs of an organization for a new facility. A critical path analysis is the process of identifying relationships between mission-critical applications, processes, and operations and all of the supporting elements.

3.C. Administrative physical security controls include facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures.

4.D. Equal access to all locations within a facility is not a security-focused design element. Each area containing assets or resources of different importance, value, and confidentiality should have a corresponding level of security restriction placed on it.

5.A. A computer room does not need to be human compatible to be efficient and secure. Having a human-incompatible server room provides a greater level of protection against attacks.

6.B. Fencing is a perimeter-defining device used to deter casual trespassing. Gates, security guards, and motion detectors do not define a facility’s perimeter.

7.C. A mantrap is a double set of doors that is often protected by a guard and used to contain a subject until their identity and authentication is verified.

8.D. Lighting is the most common form of perimeter security devices or mechanisms. Your entire site should be clearly lit. This provides for easy identification of personnel and makes it easier to notice intrusions.

9.A. Security guards are usually unaware of the scope of the operations within a facility, which supports confidentiality and helps reduce the possibility that a security guard will be involved in disclosure of confidential information.

10.B. A benefit of security dogs is that they can act as both a detection and a deterrent. Cost, level of maintenance, and insurance and liability requirements are all disadvantages to security dogs.

11.C. Key locks are the most common and inexpensive form of physical access control device. Lighting, security guards, and fences are all much more cost intensive.

12.D. A capacitance motion detector senses changes in the electrical or magnetic field surrounding a monitored object.

13.A. There is no preventative alarm. Alarms are always triggered in response to a detected intrusion or attack.

14.B. No matter what form of physical access control is used, a security guard or other monitoring system must be deployed to prevent abuse, masquerading, and piggybacking. Espionage cannot be prevented by physical access controls.

15.C. Human safety is the most important goal of all security solutions.

16.B. The humidity in a computer room should ideally be from 40 to 60 percent.

17.D. Destruction of data stored on hard drives can be caused by 1,500 volts of static electricity.

18.A. Water is never the suppression medium in Type B fire extinguishers because they are used on liquid fires.

19.C. A preaction system is the best type of water-based fire suppression system for a computer facility.

20.D. Light is usually not damaging to most computer equipment, but fire, smoke, and the suppression medium (typically water) are very destructive.