Physical / Environmental Security

Question 1

Threat Mitigation Technique

Internal

Answer 1

Address insider threats, from those who already have access

i.e. A door lock on server room is designed to keep out those already in the building

Question 2

Threat Mitigation Technique

External

Answer 2

Addresses perimeter security, or access to building or room from outsiders

i.e.
Electric fence surrounding the facility designed to keep out those who don’t have access

Question 3

Geographical Threats

Answer 3

Hurricane / Tropical Storm
Location of facility should dictate how much is spent in mitigating possible damages

Tornadoes
Rate and severity of tornadoes in an area from historical perspective help determine protective measures

Earthquakes
Treated same way as hurricanes

Floods
Can occur anywhere. Keep computing systems off the floor, Build server rooms and wiring closets on raised floors

Question 4

Electrical threats

Answer 4

all mission critical systems should be on a UPS

use onsite generators for longer term

maintain 40-60% relative humidity around equipment

use line conditioners to maintain clean, steady power

Question 5

Communications

Answer 5

Maintain fault-tolerant connections to internet

know contact phone numbers for employee notifications

Establish radio communications over entire compass with repeater antennas to provide comms during emergencies

Question 6

Man-made threats

explosions
fire
vandalism

Answer 6

Explosions
prevent access to areas where explosions could cause serious damage

Fire
all walls should have 2 hour minimum fire rating
deploy auxiliary station alarm
use proper extinguisher / suppression system

Vandalism
ensure critical components are inaccessible

Question 7

Man-made threats

Fraud
Theft
Collusion

Answer 7

Fraud
prevent physical access to critical systems

Theft
Prevent physical access to facility

Collusion
can be caused by separation of duties. Consider the tradeoff

Question 8

Politically Motivated Threats

Strikes
Riots
Civil disobedience
Terrorist acts
Bombing

Answer 8

Strikes
can cost productivity and hurt image of company

Riots
Enterprise is seen as willing participant in some perceived slight

Civil Disobedience
physical security of facility becomes important in case action is taken against facility

Terrorist acts
includes emergency planning to address terrorism
reactions should be rehearsed

Bombing
evacuation plans should address terrorist threats and bombings

Question 9

Site and Facility Design

Layered Defense Model

Answer 9

Reliance should not be based on any single physical security concept but on the use of multiple approaches that support one another

Permiter-Network-Host-Application-Data

Question 10

CPTED

Crime Prevention Through Environmental Design

3 main strategies

Answer 10

Design facility from ground up to support security

Natural Access Control
place doors, lights, fences, landscaping to satisfy security goals in least obtrusive and appealing way possible

Natural Surveillance
Promotes visibility of all areas to discourage crime

Natural Territorials Reinforcement
Promotes feeling of community, tries to extend sense of ownership to employees

Question 11

Physical Security Plan Goals

Answer 11

Deter criminal activity

delay intruders

detect intruders

asses situation - id specific personnel, actions to take when event occurs

respond to intrusions and disruptions - anticipate and develop responses to intruders and disruptions

Question 12

Facility Selection Issues

Answer 12

Visibility - amount depends on organization and processes being done by facility

surrounding areas and external entities - consider nature and operations of surrounding businesses, and people they attract

accessibility - how easily can employees access facility

construction - what are support systems built into the building

internal compartments - are there drop ceilings in rooms that need to be secured?

Question 13

Computer and Equipment rooms

Answer 13

should be locked and secured

should be in center of building
have single point of entry
avoid top floors of buildings and the basement
install and test fire detection and suppressions systems
install raised flooring
install separate power supplies
use only solid doors

Question 14

Perimeter Security

Concentric Circle Approach

Answer 14

Perimeter fence
Exterior door
Office door
Locked cabinet

Question 15

Perimeter Security

Protection from vehicles

Answer 15

Bollards in front of doorways

Question 16

Perimeter Security

Fences and Gates

Answer 16

Fences

3-4 foot tall fences - casual intruders
6-7 foot fences - too tall to climb easily
8 foot and taller - deter more determined people

Gates
Class 1 - Residential
Class 2 - Commercial
Class 3 - Industrial
Class 4 - Restricted

Question 17

Perimeter Security

Intrusion Detection Systems

Answer 17

Infrared - changes in heat waves

Electromechanical - detect break in electrical circuit

Photometric or Photoelectric - detect changes in light, used in windowless areas

Acoustical - microphones detect sounds

Wave Motion - generate wave pattern and detect any motion that disturbs it

Capacitance Detector - emits magnet field and monitors it

CCTV - cameras for real time view and/or recording

Question 18

Perimeter Security

Lighting Systems

Answer 18

Continuous Lighting - array of lights producing even amount of illumination across an area

Standby Lighting - illuminates only at certain times or on a schedule

Movable Lighting - can be repositioned as needed

Emergency Lighting - have own power source for use when general power is out

Question 19

Perimeter Security

Types of Lighting

Answer 19

Fluorescent - low pressure mercury vapor gas-discharge lamp

Mercury Vapor - gas discharge, electronic arc through vaporized mercury

Sodium Vapor - gas discharge, uses excited sodium to produce light

Quartz lamps - UV light source like mercury vapor contained in fused silica bulb that transmits UV light with little absorption

Question 20

Perimeter Security

Patrol Force
Access Control

Answer 20

Guards can use discriminating judgement which automated systems cannot do

Every successful and unsuccessful attempt to enter facility should record:
date and time
specific entry point
use ID employed during attempt

Question 21

Building and Internal Security

Doors

Answer 21

Vault Doors - lead into walk-in safes or security rooms

Personnel Doors - used by people to enter facility

Industrial Doors - large doors for vehicles

Vehicle access doors - doors to parking building or lots

Bullet resistant doors - for withstanding firearms

Question 22

Building and Internal Security

Electronic Locks

Answer 22

Electric locks or cipher locks use a keypad

Proximity Authentication device uses programmable card to deliver access code

These devices typically have these EAC (Electronic Access Control) components

Electromagnetic lock
Credential reader
Closed door sensor

Question 23

Building and Internal Security

Mantraps

Answer 23

2 doors that hold a person in small room until they’re verified before opening the second door

Question 24

Building and Internal Security

Warded locks

Answer 24

Key must pass through the wards to unlock

Question 25

Building and Internal Security Tumbler locks

Answer 25

If the key is the right pattern, tumblers fall into right place and open the door

Question 26

Building and Internal Security Combination locks

Answer 26

Turn the dial left and right to align studs and pins

Question 27

Building and Internal Security Glass entries

Answer 27

Standard - used for residential, easily broken Tempered glass - heated for extra strength Acrylic - made of polycarbonate acrylic. Much stronger than regular glass. Toxic when burns Laminated - sheets of glass with plastic film between, making it harder break

Question 28

Building and Internal Security Interior considerations

Answer 28

Visitor control - ways to accompany visitor/contractor to destination Equipment rooms - lock and keep inventory so theft can be discovered Work areas - prohibiting some employees from certain areas can be beneficial

Question 29

Secure Data Center

Answer 29

Data center shouldn't be on top floor or basement off switch should be located near door for easy access separate HVAC for these is recommended environmental monitoring should be deployed with alerting enabled for temp and humidity issues Use raised floors to help prevent water damage All systems should have a UPS and room on generator

Question 30

Fire detectors

Answer 30

smoke activated - uses photoelectric device to detect variations in light caused by smoke particles Head activated - detects heat changes. Can alert at predefined temperature or when rate of rise is certain value Flame actuated - optical devices that "look at" an area. Typically react faster to a fire than non-optical devices

Question 31

Fire Suppression Systems

Answer 31

Wet Pipe water is contained in pipes to extinguish fire water could freeze and burst in some areas not recommended for rooms where equipment can be damaged by water (like computer rooms) Dry Pipe water held in a holding tank, not in pipes only pushed to pipes if actual fire

Question 32

Fire Suppression Preaction and Deluge

Answer 32

Preaction Operates like dry pipe except sprinkler head holds thermal-usable link that must be melted before water is released. Currently the recommended system for computer rooms Deluge Allows large amounts of water to be released. Not a good choice for computer rooms

Question 33

Fire Suppression / Environmental Security EPA approved replacements for Halon

Answer 33

Water Argon NAF-S-III FM-200

Question 34

Types of Power Issues

Answer 34

Surge - prolonged high voltage Brownout - prolonged voltage decrease below normal Fault - momentary power outage Blackout - prolonged power outage Sags - momentary reduction in power level

Question 35

How to prevent static electricity

Answer 35

antistatic sprays maintain proper humidity levels use antistatic mats, wristbands

Question 36

To protect against dirty power

Answer 36

power conditioners sits between wall outlet and device to smooth power fluctuations UPS between wall outlet and device and has a battery to provide power if source is lost both can be in same device

Question 37

HVAC Issues Heat High humidity Low humidity

Answer 37

excess heat causes crashes and reboots too much humidity causes corrosion too little humidity causes static, which can cause damage

Question 38

HVAC Issues Heat temperature guidelines

Answer 38

at 100 degrees damage starts occurring to magnetic media, primarily floppy disks at 175 degrees damage starts occurring to computers and peripherals at 350 degrees damage starts occurring to paper products

Question 39

Equipment Security

Answer 39

Corporate Procedures should address: tamper protection encryption inventory physical protection of security devices tracking devices portable media procedures

Question 40

Personnel Privacy and Safety

Answer 40

HR are most important assets OEP - Occupant Emergency Plan provides coordinated procedures for minimizing loss of life or injury