Physical Security Requirements Flashcards
(35 cards)
Understand why there is no security without physical security
Without control over the physical environment, no amount of administrative or technical/logical access controls can provide adequate security. If a malicious person can gain physical access to your facility or equipment, they can do just about anything they want, from destruction to disclosure and alteration.
Understand a security facility plan
A secure facility plan outlines the security needs of your organization and emphasizes methods or mechanisms to provide security. Such a plan is developed through risk assessment and critical path analysis.
Define critical path analysis
Critical path analysis is a systematic effort to identify relationships between mission-critical applications, processes, and operations and all the necessary supporting elements.
Know about technology convergence
Technology convergence is the tendency for various technologies, solutions, utilities, and systems to evolve and merge over time. Though in some instances this can result in improved efficiency and cost savings, it can also represent a single point of failure and become a more valuable target for malicious hackers and intruders.
Understand site selection
Site selection should be based on the security needs of the organization. Cost, location, and size are important, but addressing the requirements of security should always take precedence. The key elements in making a site selection are visibility, composition of the surrounding area, and area accessibility.
Know the key elements in designing a facility for construction
key element in designing a facility for construction is understanding the level of security needed by your organization and planning for it before construction begins.
Define CPTED
Crime Prevention Through Environmental Design (CPTED) is based on the idea to structure the physical environment and surroundings to influence individual decisions that potential offenders make before committing any criminal acts.
Be able to list administrative physical security controls
Examples of administrative physical security controls are facility construction and selection, site management, building design, personnel controls, awareness training, and emergency response and procedures.
Be able to list technical physical security controls
Technical physical security controls can be building access controls; intrusion detection; alarms; security cameras; monitoring; heating, ventilation, and air-conditioning (HVAC) power supplies; and fire detection and suppression.
Be able to name physical controls for physical security
Physical controls for physical security are fencing, lighting, locks, construction materials, access control vestibules (formerly known as mantraps), guard dogs, and security guards.
Know the functional order of controls
These are deter, deny, detect, delay, determine, and decide.
Understand equipment failure
No matter the quality of the equipment your organization chooses to purchase and install, eventually it will fail. Preparing for equipment failure may include purchasing replacement parts, storing equipment, or having an SLA with a vendor.
Define MTTF, MTTR, and MTBF
Mean time to failure (MTTF) is the expected typical functional lifetime of the device given a specific operating environment. Mean time to repair (MTTR) is the average length of time required to perform a repair on the device. Mean time between failures (MTBF) is an estimation of the time between the first and any subsequent failures.
Know how to design and configure secure work areas
There should not be equal access to all locations within a facility. Areas that contain assets of higher value or importance should have restricted access. Valuable and confidential assets should be located in the heart or center of protection provided by a facility.
Understand the security concerns of a wiring closet
A wiring closet is where the networking cables for a whole building or just a floor are connected to other essential equipment, such as patch panels, switches, routers, LAN extenders, and backbone channels. Most of the security for a wiring closet focuses on preventing physical unauthorized access. If an unauthorized intruder gains access to the area, they may be able to steal equipment, pull or cut cables, or even plant a listening device.
Understand smartcards
Smartcards are credit card–sized IDs, badges, or security passes with an embedded magnetic stripe, bar code, or integrated circuit chip. They contain information about the authorized bearer that can be used for identification and/or authentication purposes.
Know about proximity devices and readers
A proximity device can be a passive device, a field-powered device, or a transponder. When it passes near a proximity reader, the reader device is able to determine who the bearer is and whether they have authorized access.
Understand intrusion detection systems
Intrusion detection systems (IDSs) or burglar alarms are systems—automated or manual—designed to detect an attempted intrusion, breach, or attack; the use of an unauthorized entry point; or the occurrence of some specific event at an unauthorized or abnormal time.
Know about cameras
Video surveillance, video monitoring, closed-circuit television (CCTV), and security cameras are all means to deter unwanted activity and create a digital record of the occurrence of events. Cameras can be overt or hidden; can record locally or to a cloud storage service; may offer pan, tilt, and zoom; may operate in visible or infrared light; may be triggered by movement; may support time-lapse recording, tracking, facial recognition, object detection, or infrared or color-filtered recording; and may offer face recognition, gait analysis, and/or object detection.
Understand security needs for media storage
Media storage facilities should be designed to securely store blank media, reusable media, and installation media. The concerns include theft, corruption, and data remnant recovery. Media storage facility protections include using locked cabinets or safes, using a media librarian/custodian, implementing a check-in/check-out process, and using media sanitization.
Understand the concerns of evidence storage
Evidence storage is used to retain logs, drive images, virtual machine snapshots, and other datasets for recovery, internal investigations, and forensic investigations. Protections include dedicated/isolated storage facilities, offline storage, activity tracking, hash management, access restrictions, and encryption.
Know the common threats to physical access controls
No matter what form of physical access control is used, a security guard or other monitoring system must be deployed to prevent abuse, impersonation, masquerading, tailgating, and piggybacking.
Know the terms commonly associated with power issues
Know the definitions of the following: fault, blackout, sag, brownout, spike, surge, inrush, ground, and noise.
Understand how to control your environment
In addition to power considerations, maintaining the environment involves control over the HVAC mechanisms. Rooms containing primarily computers should be kept at 59 to 89.6 degrees Fahrenheit (15 to 32 degrees Celsius). Humidity in a computer room should be maintained between 20 and 80 percent. Too much humidity can cause corrosion. Too little humidity causes static electricity.
