CISSP – Physical Security

Human safety is the most important factor in designing physical security safeguards. Physical security protects against threats such as unauthorized access and disasters, both man-made and natural. Controls used in this domain are primarily physical (such as locks, fences, guards, etc.); administrative controls (such as policy and procedures) and technical (such as biometrics) are also used.

Crime Prevention through Environmental Design (CPTED)

This is a multidisciplinary approach to crime prevention through the use of common-sense tactics within the natural and manmade environment. Alot of organisation will already have these tactics in place such as placing security guards near all entry points, locating server rooms off the beaten path, having thick bushes near an entrance that you don’t want people to wander into.  

3 Categories of CPTED

• Mechanical – turnstiles at each entrance
• Organisational- guards at entrances
• Natural design – thick shrubbery along the pathways to a restricted work area

CPTED is comprised of three basic strategies:

• Natural access control: Natural access control is the guidance of people entering and leaving a building by limiting points of entry into a building using structures such as sidewalks, lighting to guide visitors to main entrances.
• Natural surveillance: This approach aims to reduces criminal threats by making intruder activity more observable and easily detected. Natural surveillance can be accomplished by maximizing visibility and activity in strategic areas, for example, by placing windows to overlook streets and parking areas, landscaping to eliminate hidden areas and so on.
• Territorial reinforcement: This approach helps distinguish between private and public areas and encourages community ownership of the public areas. This can be done by giving people responsibility, trying to beautify the environment, putting amenities, and so on.

Sensitive compartmented information facilities (SCIFs) – This is just a fancy way of saying restricted area. In most cases almost of an organisations building is a SCIF except the front foyer. When it comes to Information security, we focus more on the data center or secure room that houses the information systems, secure from intruders. Special considerations for physical security should be given to areas where important infrastructure resides like servers and networking gear, where external communications enter the facility, where phones, networks, and special connections occur, and where any internet service provider (ISP) equipment is located.  Considerations for security include:

• Physical access to the room must be restricted to authorized personnel. 
• Physical access to the room must be monitored
• Consider locks on equipment such as cables or cages
• Tamper proofing for wiring
• Surge/shock protection
• Uninterruptible power supply 
• Temperature control
• Fire detection/suppression
• Emergency shutoffs
• Soundproof doors/walls
• Its own power/telecoms/security systems
• Isolated ducting
• RF protection
• Nondescript exterior
• No windows
• Motion/intrusion detection
• Non-sprinkler fire suppression

Now let us take a more wholistic view on Secure facility design considerations. includes:

• Fence: Fencing is referred to as a physical barrier around the secure area. Multiple types of the fence like perimeter fence, chain link fence, the Anti-scale fence is used outside of the building.
• Exterior Walls: these walls should be able to withstand high winds. Exterior windows should be avoided throughout the building, particularly on lower levels. Metal bars over windows may be necessary. No one should be able to open the window. Window must be sufficiently, opaque to conceal inside activities.
• Interior walls: These walls adjacent to secure or restricted areas must extend from the floor to the ceiling. Bulletproof walls should protect the most sensitive areas. Walls must comply with applicable building and fire codes. Walls adjacent to storage areas (like paper, media, or other flammable materials) must meet minimum fire ratings, which are typically higher than for other interior walls.
• Doors: Locks and doors must be sufficiently strong and well-designed to resist forcible entry. They need a fire rating equivalent to adjacent walls. Emergency exits must remain unlocked from the inside and should also be clearly marked, as well as monitored or alarmed. Many doors swing out to facilitate emergency exiting; thus door hinges are located on the outside of the room or building. These hinges must be properly secured to prevent an intruder from easily lifting hinge pins and removing the door. Electronic lock mechanisms and other access control devices should fail open (unlock) in the event of an emergency to permit people to exit the building.
• Floors: Flooring must be capable of bearing loads in accordance with local building codes. Raised flooring must have a nonconductive surface and be properly grounded to reduce personnel safety risks.
• Alarms: The function of an alarm is to alert the operator about any abnormal condition or activity. Tuning an alarm, will provide accurate and useful and desired information.
• Ceilings: Weight-bearing and fire ratings must be considered. Stained drop-ceiling tiles can reveal leaks while temporarily impeding water damage. So, they are a good choice.
• Lighting: An essential part of physical security is proper lighting. Eexterior lighting for all physical spaces and buildings in the security perimeter (including entrances and parking areas) should be sufficient to provide safety for personnel, as well as to discourage prowlers and casual intruders. Both internal and external lighting is important to keep aware of any unauthorized activities and other security purposes. Areas that are dimly lit or unlit makes it easy for the intruder to perform unauthorized activities without fear of being noticed or observed.
• Proper Wiring: All wiring, conduits, and cable runs must comply with building and fire Codes. Protected Cabling is needed to protect the cable from physical damage and to avoid communication failure. Plenum cabling must be used below raised floors and above drop ceilings.
• Security Guard: They are responsible for protecting assets, building access, secure individual room, office access, and perform facility patrols. A guard station can serve as a central control of security systems such as video surveillance and key control.

Secure Access

• Keypad/cipher locks: A secure type of keypads scramble the number locations on the pad each time it is used, so no one can follow the code that a person is entering while they enter it. A cipher lock is a door unlocking system that uses a door handle, a latch, and a sequence of mechanical push buttons. Only when the buttons are pressed in the correct order, the door unlocks, and the door operates. If the buttons are pressed in any other order, the lock will not open.
• Biometrics: Biometrics access is the best way to build physical security by using a unique physical characteristic of a person (like fingerprints, handprints, voice recognition, retina scans, and so on) and to allow access to a controlled IT resource.

Heating, Ventilating, and Air Conditioning (HVAC)

Maintaining the environment involves maintenance of the heating, ventilating, and air conditioning (HVAC) mechanisms. This is vital in computer and server rooms, which should be kept to a temperature of 60 – 75 degrees Fahrenheit or 15 – 23 degrees Celsius, and the humidity should be sustained between 40 and 60 percent. The humidity level is significant in these rooms as high humidity can cause corrosion, and excessively low humidity can cause static electricity.

Fire prevention, detection, and suppression

Fire is a serious risk in environments that have a lot of electronic equipment. Fire detection and fire suppression systems must be installed to preserve the safety of personnel as well as the electronic equipment. Other hazards associated with fires include smoke, explosions, building collapse, release of toxic materials or vapors, and water damage.

Fires are categorized by the type of fuel:

• Class A: Ordinary solid combustibles (e.g. paper, wood, plastic)
• Class B: Flammable liquids and gases (e.g. gasoline)
• Class C: Energized electrical equipment
• Class D: Combustible metals (e.g. lithium metal, but not lithium-ion batteries, which are considered Class B, although water will also work well with Li-ion battery fires)

Following are some common fire protection techniques, which are to be considered:

• Construct the buildings/offices having an emergency exit to protect employees from harm
• Place Fire extinguisher
• Install Fire & Smoke Alarms
• Store hazardous materials in designated areas.
• Make sure there are good connections and effective grounds in the wiring.

Note: Saving human lives is the first priority.

For a fire to burn, it requires three elements: heat, oxygen, and fuel. These three elements are sometimes referred to as the fire triangle.

Fires are classified according to the fuel type:

Fire Prevention Plan (FPP)

Occupational Safety and Health Administration (OSHA) offers the Fire Prevention Plan (FPP). The purpose of the fire prevention plan is to prevent a fire from occurring in a workplace.

However, your fire prevention plan must include:

• A list of all major fire hazards, proper handling and storage procedures for hazardous materials, potential ignition sources and their control, and the type of fire protection equipment necessary to control each major hazard.
• Procedures to control accumulations of flammable and combustible waste materials.
• Procedures for regular maintenance of safeguards installed on heat-producing equipment to prevent the accidental ignition of combustible materials.
• The name or job title of employees responsible for maintaining equipment to prevent or control sources of ignition or fires.
• The name or job title of employees responsible for the control of fuel source hazards.

Fire detection

Fire detection system is an automated and integrated system to detect fire, perform some emergency response, and generate some alerts. There are several electronic sensors that are integrated into an embedded system to detect smoke, heat, flame, and provide a response.

Following are the common sensors used in a Fire Detection System:

1- Heat Detector: These devices sense either temperatures exceeding a predetermined level or rapidly rising temperatures.

2- Flame Detector: These devices sense either the flicker of flames or the infrared energy of a flame. These systems are provide an extremely rapid response time but are expensive.

3- Smoke Detector: These devices detect smoke, one of the by-products of fire. The four types of smoke detectors are:

• Aspirating: Draw air into a sampling chamber to detect minute amounts of smoke
• Ionization Detector: Detect disturbances in the normal ionization current of radioactive materials
• Photoelectric Detector: Sense variations in light intensity
• Beam: Similar to photoelectric; sense when smoke interrupts beams of light

Fire Suppression Systems

Classes of Fire and Suppression Agents :

• Class A  – fires are common combustibles such as wood, paper, etc. This type of fire is the most common and should be extinguished with water or soda acid.
• Class B  – fires are burning alcohol, oil, and other petroleum products such as gasoline. They are extinguished with gas or soda acid. You should never use water to extinguish a class B fire.
• Class C  – fires are electrical fires which are fed by electricity and may occur in equipment or wiring. Electrical fires are Conductive fires, and the extinguishing agent must be non-Conductive, such as any type of gas.
• Class D  – fires are burning metals and are extinguished with dry powder.
• Class K – fires are kitchen fires, such as burning oil or grease. Wet chemicals are used to extinguish class K fires.

The two primary types of fire suppression systems are:

• Fire sprinkler system: Water sprinkler systems: Water extinguishes fire by removing the heat element from the fire triangle, and it’s most effective against Class A fires. Water is the primary fire-extinguishing agent for all business environments. Water is one of the most effective, inexpensive, readily available, and least harmful (to humans) extinguishing agents available.
• Gaseous fire suppression system: These systems may be portable (such as a CO2 extinguisher) or fixed (beneath a raised floor).

The four variations of water sprinkler systems are:

1. Wet-pipe: Most commonly used and considered the most reliable. Disadvantages include flooding because of nozzle or pipe failure and because of frozen pipes in cold weather.
2. Dry-pipe: No standing water in the pipes. This type of system is less efficient than the wet pipe system but reduces the risk of accidental flooding.
3. Deluge: Operates similarly to a dry-pipe system but is designed to deliver large volumes of water quickly. Note, these systems are not used for computer-equipment areas.
4. Preaction: This system is automatic and smart. In this system, pipes are initially dry. Now, f a sensor heats up, this system considers it as green light to charge a pipe with water and then an alarm is activated.

Gaseous fire suppression system are typically classified according to the extinguishing agent that’s employed. These agents include:

1. Gas-discharge: These systems suppress fire by separating the elements of the fire triangle; they are most effective against Class B and C fires. Halon used to be the gas of choice in gas-discharge fire suppression Systems. Halon is an ozone-depleting substance, so the Montreal Protocol of 1987 prohibited the production and installation of Halon systems. Acceptable replacements include FM-200, CEA-410 or CEA-308, NAF-S-III, FE-13, Argon or Argonite and Inergen.
2. Carbon dioxide (CO2): It is a commonly used colorless, odorless gas that extinguishes fire by removing the oxygen element from the fire triangle. CO2 is most effective against Class B and C fires. Its use is potentially lethal and therefore best suited for unmanned areas or with a delay action.
3. Soda acid: Includes a variety of chemical compounds that extinguish fires by removing the fuel element of the fire triangle. Soda acid is most effective against Class A and B fires.