Environmental controls and the CISSP
This article is part of our CISSP certification prep series. For more CISSP-related resources, see our CISSP certification hub.
It is quite easy to understand why ensuring a proper level of Environmental Controls plays a major role in the protection of any enterprise’s key resources and sensitive information. For starters, environmental security covers the vital aspects, such as protection from the natural environmental threats (i.e. blizzards, floods, earthquakes, storms and tornadoes, fires, extreme temperature conditions) to supply system threats (i.e. power distribution failures, communications interruptions, interruption of other critical resources such as water, gas, air filtration).
Failures in environmental controls can lead to major damage to services, hardware, and even lives. For instance, the interruption of some services such as power, heating, ventilation, air-conditioning, and air quality can cause unpredicted and unfortunate results that may endanger or even prevent businesses from operating.
The key point here is understanding that even a single control failure (i.e. a malfunctioning smoke detector) may escalate into a total disaster that could actually destroy key assets (i.e., servers and every piece of equipment stored into a datacenter) and, in a worst-case scenario, put in risk the life of employees or any other person close enough to be affected.
Environmental controls can be quite complex and full of variables. Taking into account the fact that they all must be operating properly and also should be closely monitored, it means the person in charge of their design and operation must have sufficient experience and authority to adopt a holistic risk-based approach and create clear set of rules in order to ensure the necessary level of protection.
A CISSP certified candidate is required to completely understand all aspects regarding the environmental and safety measures required to protect people, the facility, and its resources. This topic is a part of CISSP’s Common Body of Knowledge (CBK) Domain 3: Security Engineering.
The environmental controls and threats
As previously mentioned, there is a wide array of different environmental controls and each one can be quite complex and full of variables. While it is important to know each type of control and the sort of protection it provides, it is essential to understand whatever it applies or not to the environment that it is supposed to protect.
There are different categories of Environmental Controls that can be put to good use:
- Management (Administrative) Controls: These include the Policies, Standards, Processes, Procedures and Guidelines that will help create a clear set of rules on how to approach environmental control issues.
- Physical Controls: This category can include controls such as Locks, Doors, Walls. While they seem to be more oriented to enforcing access control, they should also provide protection against natural environmental threats. A great example is the use of fireproof doors and walls for protecting data centers.
- Technical (Logical) Controls: Logical controls can help in monitoring environmental aspects and acting upon an incident once it is detected. This category can include moisture detection system, Fire/Smoke detection system, Fire suppression, Environmental control system, Uninterruptable Power Supply systems, Wet or Dry Pipes, and Motion and Sound Detectors, and that is only to name a few of the possibilities.
These controls can also be organized in different types:
- Directive (administrative) controls: The primary objective of any form of administrative control is ensuring proper behavior. If we limit this to environmental protection, a good example is stating that no food/drink/smoking is allowed in restricted areas.
- Preventive controls: These include any sort of measure designed to prevent an environmental issue from happening. For example, controlling the access and having security cameras in restricted areas can greatly reduce the chance of an environmental incident.
- Deterrent controls: The goal of a Deterrent Control is to reduce the likelihood of a vulnerability being exploited without actually reducing the exposure. This type of control is used basically to discourage the violation of security policies, mostly by employing warnings of consequences to security violations.
- Detective controls: Detective controls are used to identify unwanted or unauthorized activities or situations. These can involve the use of practices, processes, and tools that identify and possibly react (becoming a corrective control) to specific triggers. For environmental controls, a simple example is using a data center temperature sensor or smoke detector.
- Corrective controls: This type of control acts once an unwanted or unauthorized activity or situation is detected. Using a previous example, once a detective control such as a smoke detector identifies the presence of smoke, it can trigger a corrective control such as an automated fire suppression system, which depending on how it was designed can use inert gases or other chemical agents to extinguish a fire.
- Recovery controls: Whenever an incident happens, the implementation of recovery controls is necessary to return to a normal operating state. For instance, the automated fire suppression system, used in the previous example, must be resupplied with inert gas, also action should be taken to understand why a fire started and work on a way of preventing it from happening again.
Whenever selecting the categories or types of controls that are required to ensure a proper level of protection, the determining factor is the type of threats that may affect the physical environment being protected. These may come in the following types:
- Natural / Environmental threats: These are the consequences of natural phenomena such as earthquakes, blizzards, floods, storms, hurricanes, fires, snow/ice. For most cases, they are bound to the geographic location of the facility. It is quite obvious that there is little to gain from using controls for specific situations (i.e. earthquakes, hurricanes) if the facility is not in a geographical location that has a record of such natural phenomena occurring. It is also important to pay attention to the facility’s surroundings. For instance, if a neighboring company stores lots of fuel, it increases the chance of a fire that may affect your environment.
- Man-made threats: There is no lack of man-made threats that can effectively affect environmental security. From simply disgruntled employees that may try to enter restricted areas, employee errors, industrial espionage, arson, acts of sabotage, hazardous/toxic spills, chemical contamination, vandalism, theft and even cases of usage explosives, including acts of terrorism. Each of these threats can affect companies independent of where they are physically located.
A risk-based approach
Dealing with environmental issues should be no different from any other form of threat to information security: It should be a part of a larger risk management effort. Each and every control should be designed solely on the Business risk appetite.
For example, from a strictly technical point of view, using a fire suppression system that disperses inert gas whenever a fire is detected is one of the best options for protecting key resources and the sensitive information stored on them. So, every company should buy it, right? In truth, it does not work like that. Several factors should be taken into consideration, including the cost of the solution and whether it is really required. Many companies will feel adequately protected using simple fire extinguishers and having a sound backup process that ensures information will be stored off-site and can be recovered in the case of a disaster.
All in all, it falls to simple risk management: First, it is necessary to identify the environmental threats along with any environmental vulnerability, and then calculate the likelihood of occurrence and subsequent impact. With this information, a good information security professional can clearly define what controls must be implemented in order to ensure the necessary level of protection, according to the company’s risk appetite.
One way or the other, environmental issues affect every existing business. It does not matter the company size, its branch, its physical location, there will always be some sort of environmental risk that needs to be dealt with.
Ensuring environmental security can definitely be a tough challenge, it requires a good risk management approach, a deep understanding of the threats that may affect the business and how different categories/types of controls can be used to effectively reduce the impact of incidents. Again, this is not only a question of protecting key business assets and information, but also of taking good care of people. It is very important to never forget that a simple mistake, in a worst-case scenario, can result in the loss of life.