Physical Security Requirements Flashcards

1
Q

Understand why there is no security without physical security

A

Without control over the physical environment, no amount of administrative or technical/logical access controls can provide adequate security. If a malicious person can gain physical access to your facility or equipment, they can do just about anything they want, from destruction to disclosure and alteration.

2
Q

Understand a secure facility plan

A

A secure facility plan outlines the security needs of your organization and emphasizes methods or mechanisms to provide security. Such a plan is developed through risk assessment and critical path analysis.

3
Q

Define critical path analysis

A

Critical path analysis is a systematic effort to identify relationships between mission-critical applications, processes, and operations and all the necessary supporting elements.

4
Q

Know about technology convergence

A

Technology convergence is the tendency for various technologies, solutions, utilities, and systems to evolve and merge over time. Though in some instances this can result in improved efficiency and cost savings, it can also represent a single point of failure and become a more valuable target for malicious hackers and intruders.

5
Q

Understand site selection

A

Site selection should be based on the security needs of the organization. Cost, location, and size are important, but addressing the requirements of security should always take precedence. The key elements in making a site selection are visibility, composition of the surrounding area, and area accessibility.

6
Q

Know the key elements in designing a facility for construction

A

A key element in designing a facility for construction is understanding the level of security needed by your organization and planning for it before construction begins.

7
Q

Define CPTED

A

Crime Prevention Through Environmental Design (CPTED) is based on the idea of structuring the physical environment and surroundings to influence the individual decisions that potential offenders make before committing any criminal acts.

8
Q

Be able to list administrative physical security controls

A

Examples of administrative physical security controls are facility construction and selection, site management, building design, personnel controls, awareness training, and emergency response and procedures.

9
Q

Be able to list technical physical security controls

A

Technical physical security controls can be building access controls; intrusion detection; alarms; security cameras; monitoring; heating, ventilation, and air-conditioning (HVAC) power supplies; and fire detection and suppression.

10
Q

Be able to name physical controls for physical security

A

Physical controls for physical security are fencing, lighting, locks, construction materials, access control vestibules (formerly known as mantraps), guard dogs, and security guards.

11
Q

Know the functional order of controls

A

These are deter, deny, detect, delay, determine, and decide.

12
Q

Understand equipment failure

A

No matter the quality of the equipment your organization chooses to purchase and install, eventually it will fail. Preparing for equipment failure may include purchasing replacement parts, storing equipment, or having an SLA with a vendor.

13
Q

Define MTTF, MTTR, and MTBF

A

Mean time to failure (MTTF) is the expected typical functional lifetime of the device given a specific operating environment. Mean time to repair (MTTR) is the average length of time required to perform a repair on the device. Mean time between failures (MTBF) is an estimation of the time between the first and any subsequent failures.

14
Q

Know how to design and configure secure work areas

A

There should not be equal access to all locations within a facility. Areas that contain assets of higher value or importance should have restricted access. Valuable and confidential assets should be located in the heart or center of protection provided by a facility.

15
Q

Understand the security concerns of a wiring closet

A

A wiring closet is where the networking cables for a whole building or just a floor are connected to other essential equipment, such as patch panels, switches, routers, LAN extenders, and backbone channels. Most of the security for a wiring closet focuses on preventing unauthorized physical access. If an unauthorized intruder gains access to the area, they may be able to steal equipment, pull or cut cables, or even plant a listening device.

16
Q

Understand smartcards

A

Smartcards are credit card–sized IDs, badges, or security passes with an embedded magnetic stripe, bar code, or integrated circuit chip. They contain information about the authorized bearer that can be used for identification and/or authentication purposes.

17
Q

Know about proximity devices and readers

A

A proximity device can be a passive device, a field-powered device, or a transponder. When it passes near a proximity reader, the reader device is able to determine who the bearer is and whether they have authorized access.

18
Q

Understand intrusion detection systems

A

Intrusion detection systems (IDSs) or burglar alarms are systems—automated or manual—designed to detect an attempted intrusion, breach, or attack; the use of an unauthorized entry point; or the occurrence of some specific event at an unauthorized or abnormal time.

19
Q

Know about cameras

A

Video surveillance, video monitoring, closed-circuit television (CCTV), and security cameras are all means to deter unwanted activity and create a digital record of the occurrence of events. Cameras can be overt or hidden; can record locally or to a cloud storage service; may offer pan, tilt, and zoom; may operate in visible or infrared light; may be triggered by movement; may support time-lapse recording, tracking, facial recognition, object detection, or infrared or color-filtered recording; and may offer face recognition, gait analysis, and/or object detection.

20
Q

Understand security needs for media storage

A

Media storage facilities should be designed to securely store blank media, reusable media, and installation media. The concerns include theft, corruption, and data remnant recovery. Media storage facility protections include using locked cabinets or safes, using a media librarian/custodian, implementing a check-in/check-out process, and using media sanitization.

21
Q

Understand the concerns of evidence storage

A

Evidence storage is used to retain logs, drive images, virtual machine snapshots, and other datasets for recovery, internal investigations, and forensic investigations. Protections include dedicated/isolated storage facilities, offline storage, activity tracking, hash management, access restrictions, and encryption.

22
Q

Know the common threats to physical access controls

A

No matter what form of physical access control is used, a security guard or other monitoring system must be deployed to prevent abuse, impersonation, masquerading, tailgating, and piggybacking.

23
Q

Know the terms commonly associated with power issues

A

Know the definitions of the following: fault, blackout, sag, brownout, spike, surge, inrush, ground, and noise.

24
Q

Understand how to control your environment

A

In addition to power considerations, maintaining the environment involves control over the HVAC mechanisms. Rooms containing primarily computers should be kept at 59 to 89.6 degrees Fahrenheit (15 to 32 degrees Celsius). Humidity in a computer room should be maintained between 20 and 80 percent. Too much humidity can cause corrosion. Too little humidity causes static electricity.

25
Q

Know about static electricity

A

Even on nonstatic carpeting, if the environment has low humidity it is still possible to generate 20,000-volt static discharges. Even minimal levels of static discharge can destroy electronic equipment.

26
Q

Understand the need to manage water leakage and flooding

A

Water leakage and flooding should be addressed in your environmental safety policy and procedures. Plumbing leaks are not an everyday occurrence, but when they occur, they often cause significant damage. Water and electricity don’t mix. If your computer systems come in contact with water, especially while they are operating, damage is sure to occur. Whenever possible, locate server rooms and critical computer equipment away from any water source or transport pipes.

27
Q

Understand the importance of fire detection and suppression

A

Fire detection and suppression must not be overlooked. Protecting personnel from harm should always be the most important goal of any security or protection system. In addition to protecting people, fire detection and suppression are designed to keep damage caused by fire, smoke, heat, and suppression materials to a minimum, especially in regard to the IT infrastructure.

28
Q

Understand the possible contamination and damage caused by a fire and suppression

A

The destructive elements of a fire include smoke and heat but also the suppression medium, such as water or soda acid. Smoke is damaging to most storage devices. Heat can damage any electronic or computer component. Suppression mediums can cause short circuits, initiate corrosion, or otherwise render equipment useless. All of these issues must be addressed when designing a fire response system.

29
Q

Know about physical perimeter security controls

A

Controlling access to a facility can be accomplished using fences, gates, turnstiles, access control vestibules, bollards, and barricades.

30
Q

Understand lighting

A

Lighting is the most commonly used form of perimeter security control, providing the security benefit of deterrence.

31
Q

Know about security guards and guard dogs

A

Guards can be posted around a perimeter or inside to monitor access points or watch detection and surveillance monitors. The real benefit of guards is that they are able to adapt and react to various conditions or situations. Guards can learn and recognize attack and intrusion activities and patterns, can adjust to a changing environment, and can make decisions and judgment calls. Guard dogs can be an alternative to security guards. They can often be deployed as a perimeter security control. As a means of detection and deterrence, dogs are extremely effective.

32
Q

Understand how to handle visitors in a secure facility

A

If a facility employs restricted areas to control physical security, then a mechanism to handle visitors is required. Often an escort is assigned to visitors, and their access and activities are monitored closely. Failing to track the actions of outsiders when they are granted access to a protected area can result in malicious activity against the most protected assets.

33
Q

Understand internal security controls

A

There are many physical security mechanisms for internal control, including locks, badges, protective distribution systems (PDSs), motion detectors, intrusion alarms, and secondary verification mechanisms.

34
Q

Understand personnel privacy and safety

A

In all circumstances and under all conditions, the most important aspect of security is protecting people. Thus, preventing harm to people is the most important goal for all security solutions.

35
Q

Know about KPIs of physical security

A

Key performance indicators (KPIs) of physical security should be determined, monitored, recorded, and evaluated. KPIs are metrics or measurements of the operation of or the failure of various aspects of physical security.