This week’s article looks at the Physical and Environmental Security domain of CISSP.  First and foremost, (ISC)2 and the CISSP exam consider human safety paramount.  If a test question offers human safety as one of the answers, that is the right answer; it is always the MOST important consideration.

Let’s talk about the physical.  Physical Security means just what it says: securing the physical perimeter.  Define who has access to the physical site, whether it is the entire building housing your data center or simply a self-contained room which contains your servers.  Remember and follow the simple rule we defined for firewalls: deny all.  By default no one gets access to the server room; then permit only the people who have a need to be there.  And that doesn’t include someone who’s using the server room as storage for paper files.  But that’s an environmental issue and we aren’t there yet.

The other thing to remember about physical access is that there will be times when vendors need to be physically present to perform maintenance or diagnostics.  Those vendors should always be escorted by someone who is on the approved access list. You’ll need to maintain a log of who entered at what time, and when they left.  Speaking of the approved access list, like other access lists you need to have a review process in place, which periodically looks at who is on the approved list and whether they should continue to have access.
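As an added example (not from the article), the escort rule, the entry/exit log and the periodic review of the approved list can all be checked mechanically. The data below is constructed; the 180-day review interval and the log layout are assumptions.

```python
from datetime import date, timedelta

# Constructed approved access list: who may enter the server room and the
# date their entry was last reviewed (assumed sample data, not the article's).
APPROVED = {
    "alice": date(2024, 1, 10),
    "bob": date(2023, 3, 2),
}
REVIEW_INTERVAL = timedelta(days=180)  # assumed review period

# Constructed entry log: (person, role, escort, time_in, time_out).
# time_out is None when the person was never logged out.
LOG = [
    ("alice", "staff", None, "2024-04-01 09:00", "2024-04-01 10:00"),
    ("vendor-x", "vendor", "alice", "2024-04-01 09:05", "2024-04-01 09:50"),
    ("vendor-y", "vendor", "carol", "2024-04-01 13:00", "2024-04-01 14:00"),
    ("vendor-z", "vendor", "bob", "2024-04-02 08:00", None),
    ("dave", "staff", None, "2024-04-02 11:00", "2024-04-02 11:30"),
]


def audit_log(log, approved):
    """Return findings: vendors whose escort is not on the approved list,
    staff not on the approved list, and entries with no recorded exit."""
    findings = []
    for person, role, escort, t_in, t_out in log:
        if role != "staff" and escort not in approved:
            findings.append(
                f"{person} entered at {t_in} without an approved escort ({escort})")
        if role == "staff" and person not in approved:
            findings.append(f"{person} entered at {t_in} but is not on the approved list")
        if t_out is None:
            findings.append(f"{person} entered at {t_in} with no recorded exit")
    return findings


def overdue_reviews(approved, today, interval=REVIEW_INTERVAL):
    """Names on the approved list whose last review is older than the interval."""
    return sorted(name for name, last in approved.items() if today - last > interval)


if __name__ == "__main__":
    for f in audit_log(LOG, APPROVED):
        print("FINDING:", f)
    print("Overdue for review:", overdue_reviews(APPROVED, date(2024, 4, 2)))
```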

Depending upon your level of security, the physical design could include things like external boundary protection: bollards preventing someone from driving their car through the front door, fencing, guard dogs, and perhaps armed guards — now this is really paranoia at its best.  But seriously, at Federal Courthouses, I’ve seen bollards in the middle of the driveway to enter the building.  By the way, you already know what a bollard is, though you may not know its name. Google it if you don’t know what a bollard is.

Your security awareness training plays into successful physical security access as much as it does anywhere else. For example, say it’s raining and you’re walking towards the passcard protected door to go into the data center and there’s a person walking alongside you — who you don’t know. Their hands are full with an umbrella, a lunch bag, a gym bag, a computer bag, some books and maybe even a box of Krispy Kremes.  Being polite, what do you do? You hold the door open for them, of course. Wrong. That’s piggybacking in its simplest form.

Now when we talk about Environmental security, we’re talking about the basics: electricity, water, fire, natural phenomena, and even unnatural phenomena.

Electricity basics to be aware of: no single point of failure; two feeds from different power sub-stations; UPSs; generators; and, of course, batteries.  You should know the difference between voltage regulators and surge protectors; the difference between voltage spikes, sags, faults, and brownouts; the role UPSs play in the electrical scheme of things; how long it takes for your generators to come online and how long your batteries should last.

Water basics:  If it’s brown don’t drink it. Just kidding. But you should be aware of moisture detection and prevention as well as acceptable humidity ranges.  You should also know the difference between wet-pipe and dry-pipe sprinkler (fire suppression) systems.  You should also be familiar with the newer WADSC — that’s short for Water Alert Detection Sensor Cable.

Fire basics:  Halon is no longer in vogue. In fact, it is against the law to use.  Hand-held fire extinguishers should be visible, inspected, of the appropriate type, and the people who have access to the data center should be trained to use them.  Know the classes of fire extinguishers and fires: A, B, C.  The computer room is NOT a storage room for paper files; that’s adding fuel to your potential fire. Besides, everyone will then be wanting to get into the computer room to get a file out of a box. Do you really want to go digging through boxes looking for files when you could be testing your NIDS? Of course not.

Natural phenomena:  Hurricanes, tornadoes, earthquakes, and other sorts of dangerous weather present different damage risks. Remember, YOU might not suffer any actual damage, but the supporting environment (power lines, phone and data lines, or even roads) may not be working for a while. This basically means you should have a proactive incident response plan. If a tornado alert is issued, what do you do?

Non-natural phenomena:  Civil disturbance, a disgruntled employee/contractor/customer, terrorist attack, biological attack, airborne agents, or something as simple as the flu can negatively affect physical security.  What’s your backup plan if a vendor needs to get into the computer room and everyone who is authorized to access the server room is out, either sick or on vacation?  How do you handle airborne agents? Let them dissipate.

And as a final note, using your facility as a training facility for the volunteer firefighters and/or volunteer ambulance group can work wonders for establishing a rapport with the local community.  Just remember, only those that have a need to know should be allowed into the most secure areas.

And as is always the case, test your disaster recovery plans, contingency plans, and incident response plans. Then critique them after the test and update them as necessary.


Want to learn more? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals who hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise-wide information security programs.
