CISSP CBK 10 – Physical Security

Physical Security Controls

Types of controls:

 – Administrative controls
– Facility selection or construction
– Facility management
– Personnel controls
– Training
– Emergency response and procedures

 – Technical controls
– Access controls
– Intrusion detection
– Alarms
– Monitoring (CCTV)
– Heating, ventilation and air conditioning (HVAC)
– Power supply
– Fire detection and suppression
– Backups

 – Physical controls
– Fencing
– Locks
– Lighting
– Facility construction materials

Facility Management

Issues with selecting a location:
– Visibility
– Surrounding area and external entities
– Accessibility
– Natural disaster

Construction issues when designing and building a facility:
– Walls
– Doors
– Ceilings
– Windows
– Flooring
– Heating and Air Conditioning
– Power Supplies
– Water and Gas Lines
– Fire Detection and Suppression


The load – How much weight that can be held of a building’s walls, floors and ceilings needs to be estimated and projected to ensure that the building will not collapse in different situations.

Positive flow (water and gas lines) – Material should flow out of building, not in.

Internal partitions – Many buildings have hung ceilings, meaning the interior partitions may not extend above the ceiling; therefore an intruder can lift a ceiling panel and climb over the partition.

Physical Security Component Selection Process

Security Musts: Obliged by law to obey certain safety requirements

Security Shoulds: Protection procedures that should be put into place to help protect the company from devastating activities and their results.

Hardware: SLAs / Servicelevel agreements – Ensure that vendors provide the necessary level of

MTBF / Mean Time Between Failure – Is used to determine the expected lifetime of a device or when an element within that device is expected to give out.

MTTR / Mean Time To Repair – Is used to estimate the amount of time between repairs.

Power Supply

Power protection –
– Online systems: Use a bank of batteries
– Standby UPS: Stay inactive until a power line fails
– Backup power supplies: Used to supply main power or charge batteries in a UPS system.
– Voltage regulators and line conditioners: Can be used to ensure a clean and smooth distribution of power.

Electrical Power Definitions

Ground: The pahtway to the earth to enabled excessive voltage to dissipate
Noise: Electromagnetic or frequency intererence that disrupts the power flow and can dagusse fluctations
Transient noise: Short duration of power line disruption
Clean power: Power that does not fluctate
Fault: Momentary power loss/out
Blackout: Complete / Prolonged loss of  power
Sag: Momentary low voltage
Brownout: Prolonged  low voltage
Spike: Momentary  high voltage
Surge: Prolonged high voltage
Inrush: Initial surge of power at the beginning

Environmental issues

Positive drains – Their contents flow out instead of in.

Relative humidity – 40 to 60 % is acceptable

High humidity – Can cause corrosion

Low humidity – Can cause excessive static electricity

Positive pressurization – When an employee opens a door, the air goes out and outside air does not come in.

Fire detectors

Smoke activated – Photoelectric device.

Heat activated – Rate-of-rise temperature sensors and fixed-temperature sensors.

Flame activated – Senses the infrared energy

Automatic Dial-up Alarm – Call the local fire station to report detected fire.

Fire suppression: Portable extinguishers should be located within 50 feet of any electrical equipment and
located near exists.

Fire classes and suppression medium:

A  – Common combustibles – Water or Soda Acid
B  – Liquid – CO2, Soda Acid or Halon
C  – Electrical – CO2 or Halon

Water – Suppresses the temperature required to sustain the fire.

Soda Acid – Suppresses the fuel supply of the fire

CO2 – Suppresses the oxygen supply required to sustain the fire

Halon – Suppresses the combustion through a chemical reaction

Replacement list for Halon: FM-200, NAF-S-III, CEA-410, FE-13, Water, Inergen, Argon, Argonite.

Water Sprinkler

Wet Pipe – Always contain water in the pipes and are usually discharged by temperature control level sensors.

Dry Pipe – The water is held by a valve until a specific temperature is reached. There is a time delay between the predefined temperature being met and the release of water.

Preaction – Combine the use of wet and dry pipe system. Water is not held in the pipes and is only released into the pipes once a predefined temperature is met. Once this temperature is met, the pipes are filled with water, but it does not release right away. A link has to melt before the water is released from the sprinkler head itself.

Deluge – The same as a dry pipe system except the sprinkler head is open.

Perimeter Security

Facility Access Control

Enforced through physical and technical components

Locks: Are the most inexpensive access control mechanisms. Are considered deterrent to semiserious intruders and delaying to serious intruders.

Preset Locks – Are locks usually used on doors.

Cipher Locks / programmable locks – Use keypads to control access into an area or facility.

  Options available on many cipher locks:
– Door delay: If the door is held open for a long period of time, an alarm will trigger to alert personnel of suspicious activity.
– Key-override: A specific combination can be programmed to be used in emergency situations to override usual procedures or for supervisory overrides.
– Master-keying: Enables supervisory personnel to change access codes and other features of the cipher lock.
– Hostage alarm: If an individual is in duress and/or held hostage, there can be a combination he or she enter to communicate this situation to the guard station and/or police station.

Device Locks – To protect devices by using Switch controls, slot locks, port controls, peripheral switch control and cable traps.

Personnel Access Controls: Proper identification to verify if the person attempting to access a facility or area should actually be allowed in.

Piggybacking – When an individual gains unauthorized access by using someone else’s legitimate credentials or access rights.

Magnetic cards:

Memory card – The reader will pull information form it and make an access decision.

Smart card – The individual may be required to enter a PIN or password, which the reader compares against the information held within the card.

Wireless Proximity Readers:

User activated – Transmits a sequence of values to the reader

System sensing – Will recognize the presence of the coded device within a specific area.

   – Transponders: The card and reader have a receiver, transmitter and battery
– Passive devices: The card does not have any power source of its own
– Field-powered devices: The card and reader contain a transmitter and active electronics.

External Boundary Protection Mechanism

3-4 feet – Deter casual trespassers
6-7 feet – Considered too high to climb easy
8 feet with 3 strands of barbed wire – Deter intruders
Mantrap – The entrance is routed through a set of double doors that may be monitored by a guard.

Should be used to discourage intruders and provide safety for personnel, entrances, parking areas and critical sections.
Critical areas should be illuminated 8 feet high and 2 feet out.

Surveillance Devices

Three main categories –
– Patrol Force and Guards – Can make determinations
– Dogs – Are loyal, reliable and have a sense of smell and hearing
– Visual Recording Devices: Camera, CCTV, etc.

Proximity Detection System / Capacitance detector – Emits a measurable magnetic field while in use. The detector monitor this electrical field and an alarm sounds if the field is disrupted.

Photoelectric or Photometric System – Detects the change in the level of light within an area.

Wave Patterns – Generates a wave pattern that is sent over an area and reflected back to the receiver.

Passive Infrared System – Identifies the changes of heat waves with an area it is configured to protect.

Acoustical-Seismic Detection System – Is sensitive to sounds and vibrations and detects the changes in the noise level of an area it is placed.

Media Storage Requirements

Data that is no longer needed or used must be destroyed.

Object reuse – The concept of reusing data storage media after its initial use

Data remanence – Is the problem of residual information remaining on the media after erasure.

Stages of data erasure –
– Clearing: Overwriting of datamedia intended to be reused in the same organization or
monitored environment.
– Purging: Degaussing or overwriting media intended to be removed from a monitored
– Destruction: Completely destroying the media and therefore residual data.