Physical and Environmental
This material was developed with funding from the
National Science Foundation under Grant # DUE 1601612
Physical and Environmental Protection Controls
Physical Access Control
An organization determines the types of facility guards needed including security staff, administrative staff, or information system users.
Safeguards for publicly accessible areas within organizational facilities include cameras, monitoring by guards, and isolating selected information systems in secured areas.
Delivery and Removal
The organization authorizes, monitors, and controls both entering and exiting the facility and maintains records of those items.
Physical Access Control
The organization uses lockable physical casings to protect information system components from unauthorized physical access.
The organization employs a penetration testing process that includes unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.
Physical Access Authorizations
Access to secure areas of the building require a control that identifies access authority for an individual. Badges prevent unauthorized users from roaming freely throughout the facility.
The organization protects the information system from information leakage due to electromagnetic signals emanations. Information leakage is the intentional or unintentional release of information to an untrusted environment from electromagnetic signals emanations.
Water Damage Protection
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
Physical Access Control
Physical access devices include keys, locks, combinations, and card readers.
Organizations have flexibility in the types of audit logs employed. Audit logs can be a written log of individuals accessing the facility and when such access occurred (procedural), automated by capturing ID provided by a personal identity verification card, or some combination.
Access Control for Transmission Medium
Security safeguards to control physical access to system distribution and transmission lines include locked wiring closets, disconnected or locked spare jacks, and protection of cabling by conduit or cable trays.
Location of Information System Components
Physical and environmental hazards include flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, and electrical interference. In addition, an organization needs to consider the location of physical entry points where unauthorized individuals might have an increased chance for unauthorized access to secure areas.
Access Control for Output Devices
Controlling physical access to output devices includes placing these devices in locked rooms or other secured areas. You can only allow access to authorized individuals or place output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices.
Asset Monitoring and Tracking
The organization tracks and monitors the location and movement of assets within controlled areas and ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.
Power Equipment and Cabling
The organization protects power equipment and power cabling for the information system from damage and destruction (generators and power cabling outside of buildings, internal cabling, and uninterruptable power sources).
Visitor Access Records
The organization maintains and reviews visitor access records to the facility where the information system resides. The reception area is where visitors sign-in and get an escort before entering controlled areas of the building.
Monitoring Physical Access
The organization monitors suspicious physical access activities (access outside of normal work hours, repeated entry to areas not normally accessed or for unusual lengths of time, and out-of-sequence accesses to the facility where the information system resides. Monitoring physical access includes detecting and responding to physical security incidents, reviewing physical access logs, and coordinating the results of reviews and investigations with the organizational incident response capability.
Physical and environmental security includes measures taken to protect systems, buildings and the supporting infrastructure against threats associated with their physical environment.
Click on each icon for more information.
The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system or transition of the information system to long-term alternate power in the event of a primary power source loss.
The organization provides the capability of shutting off power to the information system or individual system components in emergency situations by having emergency shutoff switches or devices to facilitate safe and easy access for personnel and by protecting emergency power shutoff capability from unauthorized activation.
The organization employs and maintains fire suppression and detection devices/systems (sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors) for the information systems that are supported by an independent energy source in data centers, server rooms and mainframe computer rooms.
Temperature and Humidity Controls
The organization maintains and monitors temperature and humidity levels within the facility where the information system resides.
Physical Access Authorizations
When a visitor arrives, an organization may require two forms of identification for access to the facility (Visitor presents a driver’s license and his fingerprint).
An organization may require any visitor to the facility be escorted while in the building.
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
Physical Access Control
The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.
Policy and Procedures
It is the responsibility of upper management to determine the policies and procedures that an organization should implement to physically protect its assets. These policies and procedures reflect federal laws, Executive Orders, directives, regulations, policies, standards, and guidance and can be included as part of the general information security policy.
Alternate Work Site
An organization has alternate work sites such as remote facilities or employee residences that provides readily available alternate locations as part of contingency operations.
Physical Security Control Challenge 1 of 6
Click on the correct controls to check your answer.
Piggybacking refers to unauthorized persons following authorized persons either physically or virtually into restricted areas. Pick two (2) controls that would address this attack.
Physical Security Control Challenge 2 of 6
Which layer would you need to be concerned with to prevent dumpster diving?
Click on the correct layer to check your answer.
Physical Security Control Challenge 3 of 6
You and your team are working on a project that requires special equipment to be used ONLY by the project team members. Which physical security control will be the most beneficial?
Click on the correct control to check your answer.
Physical Security Control Challenge 4 of 6
You see a friend of a coworker walking down the hallway near your office. You are not sure why this person is in the building, so you stop and chat. The person explains that they are supposed to meet your coworker for lunch, but they cannot remember where the lunchroom is. Which control should the organization review to prevent visitors from wandering through the building?
The facility is in an area that has frequent thunderstorms which results in temporary electrical interruptions. Which physical control protects vital equipment and servers from power interruption?
Physical Security Control Challenge 5 of 6
Physical Security Control Challenge 6 of 6
Which control limits access to a restricted area?
In reviewing the physical security controls in a data center, you notice several issues. Which of the following is the MOST concerning?
b. Scheduled maintenance of the fire suppression system was NOT performed
Physical Security Scenario Challenge 1 of 7
c. There are not security cameras present
a. The emergency power off button cover is missing
d. The emergency exit door is blocked
c. Visitors sign in
Which of the following is the MOST effective control over visitor access to the server room?
Physical Security Scenario Challenge 2 of 7
b. Visitor badges are required
d. Visitors are spot-checked by security guards
a. Visitors are escorted
Physical Security Scenario Challenge 3 of 7
c. A process for promptly deactivating lost or stolen badges exists
d. All badge entry attempts are logged
b. The computer that controls the badge system is backed up frequently
The server room uses a badge-entry system. Which of the following is MOST important to protect the systems located there?
a. Badge readers are installed in locations where tampering would be noticed
b. Non-personalized access cards are given to the cleaning staff, who use a sign-in sheet when accessing secure areas
Physical Security Scenario Challenge 4 of 7
d. The computer system used for programming the cards can only be replaced after three weeks in the event of a system failure
a. Access cards are not labeled with the organization’s name and address
Which of the following should you be MOST concerned about after reviewing your organization’s physical security measures?
c. Different departments can issue cards and assign rights, so there is a lag in issuing new cards to access secure areas
a. Equipped with surveillance capabilities
Which of the following is the MOST important criterion when selecting a location for an offsite storage facility?
c. Given the same level of protection as the on-site facility
b. Outsourced to a reliable third party
Physical Security Scenario Challenge 5 of 7
d. Physically separated from the data center and not subject to the same risk
c. More guard stations
d. Additional external lighting
a. Replace the chain-link fencing with an anti-scale fencing
This organization has experienced several incidents of graffiti tagging and people loitering in the parking lot even though there is a chain-link fence. What is the BEST solution?
b. No Trespassing signage
Physical Security Scenario Challenge 6 of 7
b. Access logs of who has entered and exited the building
c. Alarm codes
After a physical security incident, what critical data can the security guards provide?
Physical Security Scenario Challenge 7 of 7
a. Employee ID information
d. Blueprints of unmonitored areas of the buildings