Flashcards in Domain 10 - Physical (Environmental) Security Deck (25):
1. Automatic control devices for access to sensitive areas should:
a. Have backup power supplies
b. Provide a log of every attempted access
c. Be supplemented by a human guard
d. Create an alarm at a failed access attempt
Explanation: Although most automatic control devices do offer the option for backup power supplies, some owners of data centers prefer the doors to ‘fail open’ in the event of a power failure (as do some local fire regulations), so answer a is wrong. Answer b is correct – as the secondary point of having automatic access control (after actually controlling access) is to be able to see what access attempts were made and which were successful. Answer c is incorrect simply because a human guard is not necessary at every access and exit point in a security perimeter and answer d is wrong because many organizations prefer to monitor access attempts rather than to alert potential intruders.
5. The principle of concentric controlled perimeters is meant to:
a. Provide different types of control at different points
b. Repeat and reinforce access control
c. Slow an intruder’s progress toward the protected area
d. Create a show of strength to deter intruders
Explanation: Correct answer a means that concentric perimeters allow for, for example, the control of vehicles at the outer perimeter; material and personnel control at the building perimeter; equipment and personnel control at the data center perimeter, etc. Answer b is incorrect as repeating access control is costly and wasteful. Answer c is incorrect because any point of access control is intended to prevent intrusion – not simply ‘slow progress’. Answer d is incorrect because creating a show of strength is not the purpose of any access control – its purpose is to prevent unauthorized access.
8. In a secure area, the organization’s information processing facilities and third-party processing facilities must be:
a. Connected to the same Uninterruptible Power System (UPS)
b. Managed by the same operations staff
c. Composed of the same hardware and software configurations
d. Kept physically separate
Explanation: The correct answer here is d – third party processing facilities must be kept physically separate from the organization’s facilities to simplify access controls and to avoid the risk of activity being carried out on the ‘wrong’ platforms. Answer a is incorrect as a UPS can well be shared by more than one computing environment – if the UPS is appropriately rated. Answer c is wrong as there is no security concern inherent in the configuration of two environments.
16. The security perimeter should have:
a. Signs indicating what it is
b. No external windows
c. A way to control physical access
d. Fire suppression equipment
Explanation: Answer c is correct according to ISO17799 7.1.1 C. Answer a is wrong because the owner of the site may not want to publicize the existence of the protected area. Answer b is incorrect as external windows can be as well-protected as any other part of the perimeter and so need not be banned. Answer d is wrong as the fire suppression is a function that would most appropriately take place inside and outside the security perimeter.
24. Directories and internal telephone books identifying locations of sensitive information processing facilities should:
a. Be kept in locked cabinets
b. Be under the control of designated staff
c. Be clearly marked
d. Not be readily accessible to the public.
Explanation: Answer d is the correct answer. Documents such as these should be kept away from the public but still be available for authorized use. Therefore, answers a and b are both wrong (as they would impede such access). Answer c is wrong because it defeats the intent of keeping them out of ready access to the public.
43. Delivery areas should be controlled and:
a. Adequately heated and ventilated to prevent deterioration of materials
b. Be separate from the main building
c. Be separate from information processing facilities
d. Monitored with video-monitoring equipment
Explanation: Answer c is the right one – to help avoid unauthorized access to the information processing facility. Typically, delivery areas have less-effective access controls than information processing facilities and so should be as far from those facilities as possible. Answer a refers to material handling and workplace comfort. Answer b defeats the purpose of having a delivery area (if a second delivery must be made from there to the main building) and answer d is a matter of policy for the facilities management group.
45. Physical security barriers should be:
a. Made of non-flammable material
b. From real floor to real ceiling
c. Insulated for sound
d. Monitored by video camera
Explanation: Answer B is correct. Physical security barriers should extend beyond raised floors and false ceilings to prevent access through those spaces. (ISO17799 7.1.1 D). Answer A is incorrect, as physical security barriers should not be relied upon to also be fire barriers. C is wrong because there is no need to prevent sound leakage from a protected area and D is incorrect as video monitoring of the entire perimeter of a protected area may be more costly than the value of the asset being protected warrants.
65. Buildings that are, or are in, a secure area should:
a. Be clearly marked to deter entry
b. Give minimum indication of their purpose
c. Be no more than two floors high
d. Allow access only to personnel and not to vehicles
Explanation: The correct answer is b – buildings which form or which are secure areas should not give an indication of their purpose because doing so might incite attempts at unauthorized access. Answer a is incorrect for the same reason. Answer c is wrong because the security of a building depends more on the security measures put in place in and around the building than it does on the configuration of the building itself. Answer d is wrong because secure areas must allow for the transit of materials and the vehicles delivering those materials.
68. The computer controlling automatic access control devices must be:
a. Remote from the secured area
b. Protected as well as the other computers in the secure area
c. Isolated from the rest of the network
d. Running a hardened operating system
Explanation: The correct answer is b – if the computer controlling the automatic access control devices is as well protected as the other computers in the secure area then it should meet the criteria of being protected to a degree commensurate with its value. Answer a is a wrong answer because it is not necessary to have the access-control computer in a remote location. Answer c is also wrong, as the access control computer will almost certainly need to be accessed from another point in the network for maintenance and diagnostic purposes. Answer d is incorrect as the standard protection afforded other computers on the network must be adequate for the access control computer or it will be inadequate for the assets the access control computer is helping protect.
77. Fallback equipment and backup media should be sited at a safe distance to avoid:
b. Damage from an incident that affects the main site
c. Mistaken use as ‘production version’ equipment and media
d. Corruption from constant handling
Explanation: Answer b is correct – fallback equipment and media need to be far-enough away from the main site to avoid being affected by the very event that would require their use. Answer a is wrong because wherever the equipment and media is stored, it should be protected against theft. Likewise, answers c and d are wrong because procedures should exist to ensure that fallback equipment and media are not ever used as production versions and so are not subject to constant handling.
86. Personnel should be aware of the activities within a secured area:
a. If the activities constitute a hazard to the employees’ health
b. Where the nearest accessible fire exit is through the secured area
c. Only on a need-to-know basis
d. When those activities create input to the personnel’s jobs.
Explanation: Answer c is correct – only those personnel who have a reason (related to the performance of their duties) should be aware of what goes on in a secure area. Answer b is incorrect because a general fire exit should never be situated within a secure area (fire exit only for employees working in the secure area) and answer a is incorrect because no activity that constitutes a hazard to the health of the general employee population should take place where it can affect the general employee population. Answer d is incorrect because the personnel need only be aware of where the input comes from and not what processes occur in that area.
89. Visitors to restricted areas should be:
a. Only technical staff
b. Made to wear badges
c. Kept to designated areas
d. Allowed in only at particular times.
Explanation: Answer c is correct according to Computer Security by John M. Carroll, p 90. Answer a is wrong because owners of data centers, etc., frequently want to show their data centers to many types of visitor. Answer b is wrong because badges simply designate someone as a visitor and do not necessarily control that person’s access to a restricted area. Answer d is incorrect as the times visitors may enter is a matter of policy for individual organizations.
90. The objective of secure areas is:
a. To lower insurance costs
b. To keep traffic to a minimum
c. To prevent unauthorized access to business premises
d. To prevent the unauthorized removal of equipment
Explanation: Answer c is the correct one and is taken from ISO17799 7.1 – Secure areas. A is incorrect as having secure areas does not necessarily result in lower insurance premiums; likewise, answer b is not correct as secure areas must allow authorized access and that may not be the same as keeping traffic to a minimum. Answer d is incorrect, as equipment removal will be governed by procedures rather than just the existence of a secure area.
130. Hazardous or combustible materials should be:
a. Taken to a local landfill
c. Stored at a safe distance from secure areas
d. Handled and disposed of only by a licensed vendor
Explanation: Answer c is correct because the point here is physical protection of a secure area. Answers a and d – where they are appropriate – are concerned with the disposal (not storage) of hazardous materials. Answer b has to do with management of materials and not with the protection of secure areas.
146. Photographic, video or audio recording equipment should be allowed in secure areas:
a. Only in specific, highly exceptional circumstances
b. Only when accompanied by physical security personnel
c. Only for the purpose of company publicity
d. Only when the normal staff complement is not present
Explanation: Answer a is the correct answer here because the number of times that recording devices are allowed in secure areas should be strictly limited and the purpose for which they are used should be strictly monitored – to avoid an organization’s secure processes being recorded and shown or played for a competitor. Answer b once again may be impractical but, where it is practical, will increase the control. Answer c is wrong because it’s not possible to predict the purpose for which this may be necessary. Answer d is a distracter.
147. Vacant secure areas should be:
a. Locked and periodically checked
b. Cleared of all equipment
c. Made ready to be used as non-secure areas
d. Kept open
Explanation: Answer a is correct – secure areas which are not being used should be kept locked and should be checked periodically to ensure that no breach of security has taken place. Answers b and c are wrong because they assume that the secure area is being ‘decommissioned’ and that may not necessarily be true. Answer d is wrong for the same reason.
151. A secure area might be:
a. In the basement of the building
b. A locked office or offices inside a security perimeter
c. Made up of several different buildings in several locations
d. Close to neighboring premises
Explanation: Answer b is the correct answer – a secured area can be almost any configuration so long as it all lies within the same security perimeter. Answer a is incorrect because it is inadvisable to place a secure area in an area which is prone to flooding – such as a basement. Answer c is wrong because it would be difficult-to-impossible to extend the same security perimeter around several buildings in different locations. Answer d is wrong for much the same reasons as A – neighboring premises pose the threat of leakage or flooding.
173. A security perimeter is:
a. Always manned by a security guard
b. Something which builds a barrier
c. A wall with a locked door
d. A necessary part of a data center
Explanation: Answer b is the correct one according to ISO17799 7.1 – Secure areas. Answer a is not correct because the controlled openings in a security perimeter can be under electronic control. Answer c is wrong as there are many different means of crossing a security perimeter – including a gate with a security guard – and answer d is inaccurate as data centers do not always have security perimeters and security perimeters are not limited only to data centers.
175. Third party access to secure areas should be:
a. Restricted and granted only when required
c. Granted on the same basis as other employees
d. Granted only with a physical escort
Explanation: Answer a is correct. Third party personnel – unlike regular employees – need to be authorized each time they need access to secure areas as failure to do so leads to lax security controls and can allow for misuse of the access. Answer b is incorrect because third-party personnel (such as cleaning staff) will need access to the area. Answer c is not correct as third-party personnel do not need access on the same basis as other employees and answer d is wrong because it is often impractical – but where it is practical it can be a useful additional control.
185. Access rights to secure areas should be:
a. Given only to the people who work there
b. Given by the manager of the area
c. Reviewed regularly and updated regularly
d. Given to emergency services personnel
Explanation: Answer c is correct. Like any other access right, access to a secure area needs to be maintained, and this can only be done through regular review and update. Answer a is incorrect as other staff – who do not work in the secured area – and visitors have valid reasons for entering the area (such as troubleshooting problems or collecting sensitive material from the secured area). Answer b is not correct because a higher authority might retain the right to grant access or the manager of the area may delegate that authority to someone in his or her organization. Answer d is wrong because emergency services personnel will be given access on an exception basis and not granted regular access rights.
187. Bulk supplies, such as stationery, should:
a. Be stored in a cool, dark, dry space
b. Be delivered only to designated bulk-handling facilities
c. Be stored somewhere other than a secure facility
d. Be examined regularly for wastage
Explanation: Answer c is correct – bulk supplies are space-consuming and often constitute hazardous material and so should be stored at a separate site. Answer a is a materials-handling reference, not a physical security one. Answer b is also a materials-handling preference, while answer c is about materials management.
188. Visitors to a restricted area should be:
b. Granted access for only a specific date and time
c. Issued with instruction on security procedures
d. All of the above
Explanation: Answer d is the correct answer. Visitors should be supervised or escorted at all times while in a secure area. Their access should be restricted to only the day(s) and time(s) necessary to complete the business of their visit and they should be made aware of prevailing security procedures so they do not inadvertently break them.
198. The security of the Physical Security Perimeter is:
a. Consistent with the value of the assets being protected
b. The outer doors to the building
c. Constantly monitored
d. The responsibility of Information Security
Explanation: Answer a is the correct answer and is taken from ISO17799. Answer b is incorrect because the perimeter can be internal to the building. Answer c is also incorrect because the perimeter can be ‘spot monitored’ (i.e. not constant but periodic) and answer d is incorrect because the responsibility for perimeter security can be assigned to other functions.
221. All vehicles entering or leaving a restricted area should be:
b. Clearly marked as to their reason for being there
c. Accompanied by a security person
d. Subject to search
Explanation: As a condition of entry, all vehicles – upon entry or exit – should be subject to search, so answer D is the correct one. A is wrong because many vehicles routinely and frequently visit restricted areas and are allowed through without stopping if they display appropriate credentials (however, the owner of the restricted areas retains the right to demand that they stop and be searched – randomly). B is wrong because displaying the reason for the visit on a vehicle is costly and time-consuming and unnecessary. Similarly, it is highly impractical for all vehicles to be accompanied by a security person and so C is also wrong.