CISSP® Official Study Guide, Eighth Edition
Mike Chapple, James Michael Stewart, Darril Gibson. CISSP Official Study Guide, Sybex, 2018.

Natural Disasters
Another concern is the impact that natural disasters could have in the area. Is it prone to earthquakes, mudslides, sinkholes, fires, floods, hurricanes, tornadoes, falling rocks, snow, rainfall, ice, humidity, heat, extreme cold, and so on? You must prepare for natural disasters and equip your IT environment either to survive an event or to be replaced easily. As mentioned earlier, the topics of business continuity and disaster planning are covered in Chapters 3 and 18, respectively.
Facility Design
When designing the construction of a facility, you must understand the level of security that your organization needs. A proper level of security must be planned and designed before construction begins.
Important issues to consider include combustibility, fire rating, construction materials, load rating, placement, and control of items such as walls, doors, ceilings, flooring, HVAC, power, water, sewage, gas, and so on. Forced intrusion, emergency access, resistance to entry, direction of entries and exits, use of alarms, and conductivity are other important aspects to evaluate. Every element within a facility should be evaluated in terms of how it could be used both for and against the protection of the IT infrastructure and personnel (for example, maintaining positive pressure so that air and water flow from inside the facility outward across its boundaries rather than inward).

There is also a well-established school of thought on "secure architecture" that is often called Crime Prevention through Environmental Design (CPTED). The guiding idea is to structure the physical environment and surroundings to influence the decisions that potential offenders make before committing any criminal act. The International CPTED Association is an excellent source of information on this subject (www.cpted.net), as is Oscar Newman's book Creating Defensible Space, published by HUD's Office of Policy Development and Research (a free PDF download is available at www.defensiblespace.com/book.htm).
Implement Site and Facility Security Controls
The security controls implemented to manage physical security can be divided into three groups: administrative, technical, and physical. Because these are the same categories used to describe access controls, it is vital to focus on the physical security aspects of these controls. Administrative physical security controls include facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures. Technical physical security controls include access controls; intrusion detection; alarms; closed-circuit television (CCTV); monitoring; heating, ventilation, and air conditioning (HVAC); power supplies; and fire detection and suppression. Physical controls for physical security include fencing, lighting, locks, construction materials, mantraps, dogs, and guards.
Corporate vs. Personal Property
Many business environments have both visible and invisible physical security controls. You see them at the post office, at the corner store, and in certain areas of your own computing environment. They are so pervasive that some people choose where they live based on their presence, as in gated access communities or secure apartment complexes.
Chapter 10: Physical Security Requirements (page 404)
Alison is a security analyst for a major technology corporation that specializes in data management. This company has an in-house security staff (guards, administrators, and so on) that is capable of handling physical security breaches.

Brad experienced an intrusion—into his personal vehicle in the company parking lot. He asks Alison whether she observed or recorded anyone breaking into and entering his vehicle, but the vehicle is a personal item and not a company possession, and she has no control or regulation over damage to employee assets.

This is understandably unnerving for Brad, but he understands that she is protecting the business and not his belongings. When or where would it be necessary to implement security measures for both? The usual answer is anywhere business assets are or might be involved. Had Brad been using a company vehicle parked in the company parking lot, then perhaps Alison could make allowances for an incidental break-in involving Brad's things, but even then she is not responsible for their safekeeping. On the other hand, where key people are themselves important assets (executive staff at most enterprises, security analysts who work in sensitive positions, heads of state, and so forth), protection and safeguards usually extend to them and their belongings as part of asset protection and risk mitigation. Of course, if danger to employees or to what they carry with them becomes a problem, securing the parking garage with key cards and installing CCTV monitors on every floor begins to make sense. Simply put, if the cost of allowing break-ins to occur exceeds the cost of installing preventive measures, it is prudent to put them in place.
When designing physical security for an environment, focus on the functional order in which controls should be used. The order is as follows: