CISSP Domain – Physical and Environmental Security

February 24, 2011 by Kenneth Magee

This week’s article looks at the Physical and Environmental Security domain of CISSP. First and foremost, (ISC)2 and the CISSP exam consider human safety paramount. If you have a test question and one of the answers is human safety, that is the right answer; it is always MOST important.

Let’s talk about the physical. Physical Security means just what it says: securing the physical perimeter. Define who has access to the physical site, whether it is the entire building housing your data center or simply a self-contained room which contains your servers. Remember and follow the simple rule we defined for firewalls: deny all. Start with no one having access to the server room, and then permit only the people who have a need to be there. That doesn’t include someone who’s using the server room as storage for paper files. But that’s an environmental issue and we aren’t there yet.

The other thing to remember about physical access is that there will be times when vendors need to be physically present to perform maintenance or diagnostics. Those vendors should always be escorted by someone who is on the approved access list. You’ll need to maintain a log of who entered, at what time, and when they left. Speaking of the approved access list, like other access lists you need to have a review process in place which periodically looks at who is on the approved list and whether they should continue to have access.
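The three rules above (deny all unless on the approved list, vendors escorted by an approved person, periodic review of the list) can be checked mechanically against a badge-reader log. The following is an added example, not code from the original article; the approved list, the log lines, the badge numbers and the 180-day review interval are all constructed placeholders.

```python
from datetime import datetime

# Constructed approved-access list: badge -> (name, last access-review date).
# Placeholder data for the example, not a real roster.
APPROVED = {
    "B100": ("A. Admin", "2011-01-10"),
    "B200": ("C. Operator", "2010-06-01"),
}
REVIEW_INTERVAL_DAYS = 180  # hypothetical review cadence

# Constructed badge-reader log: timestamp,event,badge,name,escort_badge
LOG = """\
2011-02-24T08:02,entry,B100,A. Admin,
2011-02-24T09:15,entry,V001,Vendor Tech,B100
2011-02-24T09:40,entry,V002,Vendor Tech,
2011-02-24T10:05,entry,B300,Unknown Person,
2011-02-24T11:00,exit,B100,A. Admin,
2011-02-24T11:05,entry,V003,Vendor Tech,B300
"""

def parse_log(text):
    """Split the CSV-style reader log into dicts with a parsed timestamp."""
    rows = []
    for line in text.splitlines():
        ts, event, badge, name, escort = line.split(",")
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M"),
                     "event": event, "badge": badge, "name": name,
                     "escort": escort})
    return rows

def audit_entries(rows, approved):
    """Deny-all rule: an entry is acceptable only if the badge is on the
    approved list, or the visitor was escorted by an approved badge.
    Returns (timestamp, badge, name, reason) for every other entry."""
    findings = []
    for r in rows:
        if r["event"] != "entry" or r["badge"] in approved:
            continue
        if r["escort"] in approved:
            continue  # escorted visitor: allowed, and the log records who escorted
        reason = ("no escort recorded" if not r["escort"]
                  else "escort %s not on approved list" % r["escort"])
        findings.append((r["ts"].isoformat(), r["badge"], r["name"], reason))
    return findings

def stale_approvals(approved, as_of, interval_days=REVIEW_INTERVAL_DAYS):
    """Periodic-review rule: badges whose last review is older than the
    interval, as of the ISO date given."""
    today = datetime.strptime(as_of, "%Y-%m-%d")
    return sorted(badge for badge, (_, reviewed) in approved.items()
                  if (today - datetime.strptime(reviewed, "%Y-%m-%d")).days
                  > interval_days)
```

On the constructed log this flags the two unescorted non-approved entries, the visitor whose escort is not on the list, and the one approved badge that is overdue for review.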

Depending upon your level of security, the physical design could include things like external boundary protection: bollards preventing someone from driving their car through the front door, fencing, guard dogs, and perhaps armed guards — now this is really paranoia at its best. But seriously, at Federal Courthouses I’ve seen bollards in the middle of the driveway leading to the building. By the way, you already know what a bollard is, though you may not know its name. Google it if you don’t know what a bollard is.

Your security awareness training plays into successful physical security access as much as it does anywhere else. For example, say it’s raining and you’re walking towards the passcard-protected door into the data center, and there’s a person walking alongside you whom you don’t know. Their hands are full with an umbrella, a lunch bag, a gym bag, a computer bag, some books and maybe even a box of Krispy Kremes. Being polite, what do you do? You hold the door open for them, of course. Wrong. That’s piggybacking in its simplest form.

Now when we talk about Environmental security, we’re talking about the basics: electricity, water, fire, natural phenomena, and even unnatural phenomena.

Electricity basics to be aware of: no single point of failure; two feeds from different power sub-stations; UPSs; generators; and, of course, batteries.  You should know the difference between voltage regulators and surge protectors; the difference between voltage spikes, sags, faults, and brownouts; the role UPSs play in the electrical scheme of things; how long it takes for your generators to come online and how long your batteries should last.

Water basics: If it’s brown don’t drink it. Just kidding. But you should be aware of moisture detection and prevention as well as acceptable humidity ranges. You should also know the difference between wet pipe and dry pipe fire suppression systems. You should also be familiar with the newer WADSC — that’s short for Water Alert Detection Sensor Cable.

Fire basics: Halon is no longer in vogue. In fact, it is against the law to use. Hand-held fire extinguishers should be visible, inspected, of the appropriate type, and the people who have access to the data center should be trained to use them. Know the classes of fire extinguishers and fires: A, B, C. The computer room is NOT a storage room for paper files; that’s adding fuel to your potential fire. Besides, everyone will then want to get into the computer room to pull a file out of a box. Do you really want to go digging through boxes looking for files when you could be testing your NIDS? Of course not.

Natural phenomena: Hurricanes, tornadoes, earthquakes, and other sorts of dangerous weather present different damage risks. Remember, YOU might not suffer any actual damage, but the supporting environment (power lines, phone and data lines, or even roads) may not be working for a while. This basically means you should have a proactive incident response plan. If a tornado alert is issued, what do you do?

Non-natural phenomena: Civil disturbance, disgruntled employee/contractor/customer, terrorist attack, biological attack, airborne agents, or something as simple as the flu can negatively affect physical security. What’s your backup plan if a vendor needs to get into the computer room and everyone who is authorized to access the server room is out, either sick or on vacation? How do you handle airborne agents? Let them dissipate.

And as a final note, using your facility as a training facility for the volunteer firefighters and/or volunteer ambulance group can work wonders for establishing a rapport with the local community. Just remember, only those who have a need to know should be allowed into the most secure areas.

And as is always the case, test your disaster recovery plans, contingency plans, and incident response plans. Then critique them after the test and update them as necessary.



J Kenneth (Ken) Magee is president and owner of Data Security Consultation and Training, LLC, which specializes in data security auditing and information security training. He has over 40 years of IT experience in both private industry and the public sector with the last 21 devoted to IT security and Risk Management.

Ken holds degrees from Robert Morris University and Fairleigh Dickinson University. He holds 30 certifications including: CTT+, CEH, CPT, SSCP, CISSP-ISSMP, CAP, CISA, CISM, ISO 27001 PA, GIAC-GWAPT/GSEC/GSNA, CIA-CGAP, Security+, and CDP. He is a Senior Instructor with the InfoSec Institute.