Chapter 10: Site and Facility Security PDF

Summary

This chapter discusses environmental issues related to facility security, including how humidity and static electricity can affect components. It also reviews physical security planning and implementation for sites and facilities, including access control, design principles, and cost-effective security controls.

Full Transcript

Chapter 10: Site and Facility Security (CISSP All-in-One Exam Guide)

Environmental Issues

In drier climates, or during the winter, the air contains less moisture, which can cause static electricity when two dissimilar objects touch each other. This electricity usually travels through the body and produces a spark from a person’s finger that can release several thousand volts. This can be more damaging than you would think. Usually, the charge is released on a system casing and is of no concern, but sometimes it is released directly to an internal computer component and causes damage. People who work on the internal parts of a computer usually wear antistatic armbands to reduce the chance of this happening.

In more humid climates, or during the summer, more humidity is in the air, which can also affect components. Particles of silver can begin to move away from connectors onto copper circuits, which cement the connectors into their sockets. This can adversely affect the electrical efficiency of the connection. A hygrometer is usually used to monitor humidity. It can be manually read, or an automatic alarm can be set up to go off if the humidity passes a set threshold.

Chapter Review

Physical security of our sites and facilities requires a deliberate planning, execution, and review process. In this chapter, we have discussed the most important topics you’ll need to know about to ensure that your organization’s physical spaces are secure, but it’s up to you to apply them in your particular situations.

One of the most important aspects of securing a facility is controlling access in and out of it. In our experience, it is rare for an auditor (such as a physical penetration tester) to not be able to breach this perimeter through social engineering, lockpicking, or simply waiting for someone to leave a door propped open when they shouldn’t. This underscores the importance of applying defense in depth and the other principles we discussed in the first half of the chapter.

The practical application of these secure design principles happens through security controls. Though our focus is on physical security, these controls can be administrative (e.g., policies and procedures), technical (e.g., keycard entry systems and security cameras), or physical (e.g., fences and guards). By carefully balancing threats, resources, and controls in a deliberate manner, we can provide effective site and facility security.

Quick Review

• A site is a geographic area with fixed boundaries that typically contains at least one building and its supporting structures (e.g., a parking lot or electric substation).
• A facility is a building or a part of a building dedicated to a specific purpose, such as corporate headquarters or a data center.
• The secure design principles covered in Chapter 9 for information systems are just as applicable to the design of physical security.
• The value of property within the facility and the value of the facility itself need to be ascertained to determine the proper budget for physical security so that security controls are cost-effective.
• Some physical security controls may conflict with the safety of people. These issues need to be addressed; human life is always more important than protecting a facility or the assets it contains.
• When looking at locations for a facility, consider local crime; natural disaster possibilities; and distance to hospitals, police and fire stations, airports, and railroads.
• Crime Prevention Through Environmental Design (CPTED) combines the physical environment and sociology issues that surround it to reduce crime rates and the fear of crime.
• CPTED provides four main strategies, which are natural access control, natural surveillance, territorial reinforcement, and maintenance.
• Natural access control is the guidance of people entering and leaving a space by the placement of doors, fences, lighting, and even landscaping.
• The goal of natural surveillance is not only to make criminals feel uncomfortable by providing many ways observers could potentially see them but also to make authorized personnel feel safe and comfortable by providing an open and well-designed environment.
• Territorial reinforcement creates physical designs (e.g., using walls, fences, landscaping) that emphasize or extend the organization’s physical sphere of influence so legitimate users feel a sense of ownership of that space.
• CPTED’s maintenance principle focuses on deterring criminal activity by making sites look well cared for, thus implying that site personnel are more attentive, well resourced, and alert.
• Target hardening focuses on denying access through physical and artificial barriers (alarms, locks, fences, and so on).
• If interior partitions do not go all the way up to the true ceiling, an intruder can remove a ceiling tile and climb over the partition into a critical portion of the facility.
• The primary power source is what is used in day-to-day operations, and the alternative power source is a backup in case the primary source fails.
• Smoke detectors should be located on and above suspended ceilings, below raised floors, and in air ducts to provide maximum fire detection.
• A fire needs high temperatures, oxygen, and fuel. To suppress it, one or more of those items needs to be reduced or eliminated.
• Portable fire extinguishers should be located within 50 feet of electrical equipment and should be inspected quarterly.
• CO2 is a colorless, odorless, and potentially lethal substance because it removes the oxygen from the air in order to suppress fires.
• Window types that should be understood are standard, tempered, acrylic, wired, and laminated.
