Get Prepared And Pass The CISSP Exam

Physical and Environmental Security

Objective of Physical Security

The physical security is the first line of defense. The objective of Physical security is to physically protect the resources of an organization, which include people, data, facilities, equipment, systems, etc. It concerns with people safety, how people can physically enter the environment and how the environment issues affect equipment and systems. People safety always takes precedence over the other security factors.

Man made vs. Nature threats

Man made threats are started and created by people. Some examples of man made threats are theft, vandalism, sabotage, espionage, errors.
Nature made threats are caused by events that are outside of human control. Examples are chemical spills, extreme weather conditions, earthquake, fire, flood, lighting, wind, tornado.

Layered Defense

Physical security, like general information security should be based on a layered defense model. Layers of security are implemented starting at the perimeter and moving toward an asset. A physical security program must address:

      • Crime and disruption protection through deterrence via fences, security guards, warning signs, etc.
      • Reduction of damages through the use of delaying mechanisms such as locks, security personnel, dogs, locks, etc.
      • Crime or disruption detection via motion detectors, alarms, smoke detectors, etc.
      • Incident assessment through response to incidents and determination of damage levels.
      • Response procedures, such are fire suppression mechanisms, emergency response, etc.

Physical Security Components

Some of the main physical security components are fences, security guards, dogs, locks, escorts, badges, warning signs, property controls, locks, security personnel, motion detectors, alarms, smoke detectors, fire detection, fire suppression mechanisms, emergency response, power protection, HVAC, water protection.

Types of Physical Controls

There are three major types of physical security controls: Administrative controls, Physical Controls, Technical Controls.
Administrative controls are enforced by proper administrative steps. These steps include facility selection, facility construction and management, personnel control, evacuation procedure, system shutdown procedure, fire suppression procedure, handling procedures for other exceptions such as hardware failure, bomb threats, etc.
Physical controls are facility construction material, key and lock, access card and reader, fence, lighting, etc.
Technical controls are physical access control and monitoring system, intrusion detection and alarm system, fire detection and suppression system, uninterrupted power supply, HVAC, disk mirroring, data backup, etc.

Electrical Power

The continued supply of steady power is required to maintain uninterrupted daily operations.

Key Words Associated with Electric Power Interruption

Definitions associated with electrical power interruptions:
Blackout - complete loss of power
Brownout - prolonged disturbance that interferes with a device
Noise - steady interfering disturbance
Sag - short period of low voltage
Spike - momentary high voltage
Surge - prolonged high voltage
Transient - short duration of line noise/disturbance at normal voltage
Inrush - initial surge of power
Clean - Non-fluctuating power
Ground - one wire is ground

Electrical Interference Types

Noise is one of the most common threats to electrical power. Noise is the presence of electrical radiation in the system that interferes with the continuos power supply. There are two types of noise:
Electromagnetic Interference (EMI)

      • Common-mode noise: noise generated by the difference between hot and ground wires
      • Traverse-mode noise: noise generated be the difference between hot and neutral wires

Radio Frequency Interference (RFI)
RFI is generated by the components of an electrical system and this can damage sensitive equipment components.

Electrical Interference Countermeasures

Proper grounding, cable shielding, the power supply has to go through a surge protector, limiting exposure to magnets, fluorescent lights and space heaters.

Facility Design Requirements

When choosing a physical site the following factors should be considered:
Visibility - surrounding terrain, signs, markings.
Local Considerations - crime rate, neighbors, proximity to police and fire station
Transportations - road access and traffic conditions, proximity to public transportation.
Natural Threats - likelihood of flood, earthquake, or other natural threats.

When designing and building a facility, the following items should be considered:
Wall - fire rating, the maximum weight load, floor to ceiling barrier, reinforcement for secured area.
Partition – considerations similar to those of wall, plus the requirement of extension above drop ceiling.
Door – the fire rating should be equal to that of the surrounding walls, emergency marking, directional opening, resistance from being forced open, intrusion detection alarm, fail-soft vs fail-safe lock (i.e. lock that is unlocked or locked in a power outage), placement of doors.
Window – characteristics of windows material (opaque, translucent, transparent, shatterproof, bulletproof), intrusion detection alarm, placement of windows.
Ceiling – fire rating, load, waterproof (preventing water leakage from the upper floor), drop ceiling.
Floor – fire rating, load, raised floor, electrical grounding (for raised floor), nonconducting material.
Heating, ventilation, and air conditioning (HVAC) – independent power source, positive air pressure - air will flow out of a room when the door is open, which can avoid contamination of the room, protected intake vents to prevent tampering, monitoring of environmental condition, emergency power off, placement of HVAC system.
Power supplies – backup power supply, clean power supply, circuit breaker, access to power distribution panels, placement of power sockets.
Liquid and gas line – shutoff valve, positive flow (i.e. liquid or gas should flow out of a building, not in), leakage sensor, placement of liquid and gas lines.
Fire detection and suppression – fire or smoke detector and alarm, sprinkler, gas discharge system, placement of detectors and sprinkler heads.
Emergency lighting – essential power supply and battery for emergency lighting.

Data center


      • Should not be located on the top floor (for fire consideration)
      • Should not be located in the basement (for flood consideration)
      • Should be located in the core of the building and not close to public areas
      • Dedicated circuits
      • Power Distribution Panels
      • Master Circuit Breakers
      • Transformers
      • Feeder cable:electric cable used to remotely connect portable racks, power distribution racks, etc to the electrical supply.
      • Emergency power off controls
      • Voltage Monitoring
      • Surge Protection
      • Backup Power - alternate feeders, UPS, emergency power generator
      • Fire Protection Systems
      • Computing Equipment
      • Communication Equipment
      • Telephone Systems
      • HVAC
      • Air Conditioning
      • Humidity Control - risk to electric connections
      • Air Quality
      • Water Protection - failing, rising, drains, protective coverings, moisture detection systems

Perimeter Security

Access Control Readers

The access control readers are of the following types:

      • Security Card Systems
      • Photo Identification Badges
      • Manual Visual Verification
      • Combined with Smart Technology
      • Combination of PIN and a Card
      • Card Reader Types - can be Card Insertion, Card Swipe & Proximity; Contact, Contactless and Biometric Readers
      • PIV - Personal Identity Verification
      • CAC - Common Access Card
      • PACS - Physical Access Card Readers

Mantraps and turnstiles

Mantraps and turnstiles are designed to prevent piggybacking and tailgating.
Turnstile is a form of gate that allows one person to pass at a time. Turnstile also enforces one-way traffic of people. It can support paid access only traffic.

Mantraps are physical security devices used to entrap a human. Mantrap is typically a small space that has two sets of interlocking doors, the first set of doors must close before the other one opens.