Secure Site and Facility Design in the CISSP

Facility design lays the foundation for an office or data center, focusing on the physical facilities and on adherence to secure management processes that exceed the functional and non-functional security requirements. The facility design approach (Figure 1) illustrates the key aspects of facility design for a data center, which could also be applied to a general facility. The CISSP examines the security of the facility beyond this fundamental approach.

In an existing office or data center building, it is paramount to do a walk-through with a team of security professionals to evaluate the facility in terms of overall security and the provisioned services. 

When a company decides to create a new building, there are several things that should be considered before pouring the first batch of cement.  

Of course, land values, customer populace, and marketing policies are studied but, as security professionals, our primary focus is on the confidence and protection a specific location can provide. Some organizations that deal with top secret or confidential information make their facilities look nondescript to avoid the attention of would-be attackers. This is called urban camouflage.

The building can be hard to see from the surrounding roads, the company signs and logos can be small and not easily noticed, and the markings on the buildings can be made to not give away any potential evidence that relates to what is going on inside that building. It is a type of city or urban camouflage that makes it harder for the enemy to seek the company out.  

Some buildings are placed in areas surrounded by hills or mountains to help prevent eavesdropping on electrical signals emitted by the facility's equipment. Other facilities are built underground or right into the side of an elevated foothill for concealment and protection from radar tools and spying activities.

Location selection also means identifying other types of risks related to specific areas. These issues include natural disaster possibilities, crime rates, surrounding neighbors, and proximity to airports and railways. If a company is thinking about building a facility in Kansas, then tornado insurance will certainly have to be built into cost and maintenance equations.  

If the company is also looking at erecting a building in a low-income area, although the land prices will most likely be cheap, there will be a need for higher physical and perimeter security levels, which brings along costs and overhead. An inspection of the facility should be done to reveal the vulnerabilities and the extent of those vulnerabilities.  

The value of property within the facility and the value of the facility itself need to be ascertained to determine the proper budget for physical security. External entities may also need to be considered.  

A company should also evaluate how close the facility would be to emergency services such as fire stations, medical facilities and police stations. Many times, the proximity of these entities raises the real estate value of properties, but for a good reason. If a biochemical or chemical company that produces highly volatile ingredients needs to build a new facility, it might make good business sense to put it in a location that is quickly and easily accessible to the nearest fire station.

If another company that builds and sells exclusive electronic devices is growing and has to move operations into a different facility, police response time may be looked at when choosing one area over another. Proximity to a fire station, police station, and medical facility generally reduces insurance rates, and each must be looked at carefully.

The key takeaways include: 

  • Ensuring that the building is designed in such a way as to:  
    • Promote the safe use of the facility (first and foremost)  
    • Harden the physical structure to provide greater security 
  • Primary considerations include: 
    • Access zones 
    • Entry controls 
    • Vehicular access 
    • Standoff distance (Distance required to prevent unscreened vehicles from approaching within a certain distance of a building)  
    • Signage 
    • Parking 
    • Loading docks/service access 
    • Lighting 
    • Site utilities 

Risk Analysis 

The American Institute of Architects has established these essential questions about security: 

  • What do we want to protect? 
  • What are we protecting against? 
  • What are our vulnerabilities? 
  • What are the consequences of loss? 
  • What level of protection is necessary? 
  • What controls are appropriate? 
  • What are our constraints? 
  • What are the specific security design requirements? 

It is also important to conduct a cost/benefit analysis (as per the above parameters) to ensure that our controls are cost-effective.  We should start with a qualitative analysis and then proceed to a quantitative analysis to determine the desirability of a control. Interviews with current staff members often assist in finding vulnerabilities that may be overlooked by management.   

From a site planning perspective, it is essential to be aware of: 

  • The most important goal is to protect life, property and operations. 
  • Convenience and aesthetics are often at cross-purposes with security. 
  • A holistic approach considers both function and security. 
  • Layered Defense (Defense in Depth) 
    • Outer perimeter 
    • Building grounds and construction 
    • Ingress/egress 
    • Interior 

Target Hardening 

At times, you cannot remove a target, but you can harden it. Target hardening includes the use of electronic devices, locks, or other objects that will DETECT, DENY, DELAY, or DETER the criminal. Target hardening mostly focuses on all structures, vehicles, and personal property within the rental community. 

  • DETER: It is always preferable to deter a crime than to respond to it. Fencing, lighting, security guards, guard dogs, signs, etc., are all deterrent techniques. 
  • DELAY: Many times, crimes are committed because of an easy opportunity. By means of crime deterrence techniques, you can increase the time and effort required to commit the crime. This may persuade the person not to commit the crime. 
  • DETECT: By using good security techniques, you can force the person to make more noise, which increases the risk of detection. This may also persuade the person not to commit the crime. 
  • DENY: By taking measures such as engraving crucial items, using electronic security equipment, or moving other valuables out of view, you can eliminate the rewards received from a crime. If the rewards are not available, this may persuade the person not to commit the crime. 

Key Physical Threats

Key physical threats that should be considered for facilities include: 

  • Natural 
    • Fire: Proper fire detection and suppression equipment must be in place. 
    • Floods:  Buildings should have positive flow where water runs out of the building. 
    • Hurricanes: Backup power supplies are often essential.  Other issues such as flooding, tornadoes, etc., can result from hurricanes. 
    • Tornadoes: The quality of building materials and the presence of a basement or other safe place can mitigate the risks. 
    • Earthquakes: As with all of the above disasters, emergency planning can help ensure employees know what to do in the event of a disaster. 
  • Man-made 
    • Theft 
    • Vandalism 
    • Fire 
    • Terrorist attack 
  • Technical 
    • Failure of HVAC system 

Utilities 

In addition to the above areas, key considerations for utilities include: 

  • Utilities should be designed to ensure necessary power for normal, daily operational functionality. 
  • If possible, utilities should be concealed, underground, and protected. 
  • Minimize signs identifying critical utilities and use fencing to prevent unauthorized access. 
  • Locate storage tanks for oil, propane, and similar substances downhill from the building and at least 100 feet away.   
  • Utility systems should be at least 50 feet from entrance areas, loading docks, and other high traffic areas. 
  • Protect drinking water supplies from waterborne contaminants by securing access points. 

Fencing 

Facility fencing is quite an effective physical barrier because it works as a preventive and deterrent mechanism. Fencing can provide crowd control and helps control access to entrances and facilities. However, fencing can be costly and unacceptably unsightly. Many companies plant bushes or trees in front of the fence that surrounds their building for aesthetics and to make the building less noticeable. 

Fences come in varying heights, and each height provides a different level of security. Critical areas should have fences at least eight feet in height to provide the proper level of protection. Ensure that vegetation or other structures do not provide a bridge over the fence. Absolutely no parking should be allowed near fencing or walls, to protect against breaches and damage. 

Key considerations include: 

  • Controls entrance access 
  • Can be costly and unsightly 
  • Heights provide degrees of protection 
    • 3-4 feet – deters casual trespassers  
    • 5-7 feet – too high to climb easily (preventive) 
    • 8 feet with 3 strands of barbed wire – (preventive) Will discourage all but the most determined intruder 
  • Critical areas should have  
    • At least 8-foot fences 
    • Posts should be buried in the ground and secured with cement, 6 feet apart 
    • Barbed wire directed out from the fence at a 45 degree angle or in a “V” 
    • The most critical areas should be protected with two sets of fencing and rolls of concertina wire (razor wire). 

The other key areas to be aware of include gates, CCTV, doors, HVAC controls, and fire safety: 

Key aspects for gates that a security practitioner should be aware of include: 

  • Gates should provide the same degree of security as fences/walls. 
  • UL 325 provides the following specifications for gates: 
    • Class I:  Ornamental/residential 
    • Class II:  Commercial usage where general public access is expected: Gated community, self-storage facility 
    • Class III:  Industrial usage where limited access is expected.   Example:  A Warehouse 
    • Class IV:  Restricted access:  Prisons, military 

Key aspects for doors that a security practitioner should be aware of include: 

  • Hinges should be protected. 
  • Hinges internal to the door protect the hinges while still allowing the door to open outwardly. 
  • A panic bar allows for quick evacuation. 
  • A kick plate provides cosmetic protection for the door. 
  • Strike plate: T-shaped component of the lock which provides reinforcement. 
  • In the event of power failure, electronic doors can: 
    • Fail secure: Fails locked. No evacuation. Only in facilities where the value of what is being protected exceeds human life. 
    • Fail soft: Opens outward, but the door is locked to bar return. 
    • Fail safe: Door fails open (easiest to evacuate). 
  • On the CISSP exam, never choose fail secure. Fail soft/safe is the best choice. 

Key aspects for HVAC that a security practitioner should be aware of include: 

  • HVAC is meant for positive airflow (contaminants/smoke should flow out, not in). 
  • Temperature should be around 70 degrees for a server room. 
  • Humidity should be around 50%. 
    • Too high causes condensation/rust 
    • Too low causes ESD (electro-static discharge), aka static electricity. 

Key aspects of fire safety that a security practitioner should be aware of include:  

  • Flammables must be protected. 
  • Limit the use of space heaters and be careful where they are placed. 
  • Class C fire extinguishers should be properly labeled, kept within 50 feet of electronic equipment, and tested quarterly. 
  • Practice electrical safety; for instance, don’t daisy-chain extension cords. 
  • Halon-based systems were outlawed in the 90s because of their effect on the ozone layer. 

CCTV is a detective control; that is, it can be used to correlate facts after a security event. 

  • A short lens offers a wider-angle view. 
  • A long lens offers a close-up of an asset. 
  • The flow generally followed should be PTZ (pan, tilt, zoom). 
  • Automatic iris support detects and adjusts to changes in light. 


Be Safe

Ryan Fahey
