MindMap Gallery CISSP Apply Security Principles to Site and Facility Design
This mind map, created using EdrawMind, outlines the application of security principles in site and facility design. It covers the importance of physical security, secure facility planning based on risk assessment, site selection criteria considering proximity and environmental factors, and facility design elements like access control and natural surveillance. The map also delves into CPTED (Crime Prevention Through Environmental Design) strategies, both first-generation (physical design) and second-generation (community factors), providing a comprehensive guide to enhancing security in design.
Edited at 2025-08-24 01:49:51
Apply Security Principles to Site and Facility Design
Why Physical Security Matters
Without physical security, technical/logical controls are useless.
If someone gains access, they can destroy, disclose, or alter systems.
Security begins with the facility itself.
Secure Facility Plan
Based on risk assessment + critical path analysis.
Critical Path = all dependencies for business survival (power, HVAC, internet, storage, etc.).
Watch for technology convergence (e.g., one network carrying voice, video, storage → single point of failure).
Must follow layered defense → security = a gauntlet attackers must cross.
Site Selection
Security needs > cost & location.
Evaluate proximity: noisy industries, hazardous materials, crime-prone areas.
Consider emergency services proximity.
Facility must resist local weather conditions & break-ins.
Watch for camouflage strategy (e.g., data center disguised as warehouse).
Facility Design
Top priority = safety of people.
Must comply with laws (OSHA, EPA, building codes).
Key factors: fire rating, materials, load rating, intrusion resistance, HVAC, power, water.
Secure Architecture principle → CPTED (Crime Prevention Through Environmental Design).
CPTED
First-Generation CPTED (Physical design)
Access Control
What it means: Guide people naturally toward entrances/exits and restrict access to sensitive areas.
How: Fences, bollards, gates, locked doors, turnstiles, proper lighting, clear entry paths.
Example: A corporate HQ has one well-lit main entrance with security guards, while side doors require badges and are alarmed.
Exam angle: Prevents tailgating, helps distinguish general vs restricted areas.
Natural Surveillance
What it means: Design spaces so attackers feel exposed and visible.
How: Large windows, clear sightlines, open staircases, removal of blind spots, use of lighting, and benches that encourage people to watch.
Example: A parking lot with tall lights, no bushes near entrances, and CCTV in visible spots.
Exam angle: Makes intruders uneasy because they know they can be seen.
Image & Milieu
What it means: The condition and aesthetics of an area affect how people behave.
How: Clean landscaping, no broken windows, good lighting, neat signage, visible maintenance.
Example: Compare a dark, graffiti-filled alley with overflowing trash vs. a well-maintained, bright corridor—the second deters crime naturally.
Exam angle: Poorly maintained = perception of neglect → attracts criminals.
Territorial Control
What it means: Give people a sense that the space “belongs” to someone who cares about it.
How: Company logos, flags, decorative sidewalks, controlled entrances, visible property lines.
Example: A campus with branded signs, fencing, and well-designed walkways signals ownership—intruders feel out of place.
Exam angle: Intruders are less likely to act when they feel they’re trespassing in an actively monitored space.
Second-Generation CPTED (Community factors)
Social Cohesion
What it means: People look out for one another when they feel connected.
How: Team events, neighborhood watch, employee community spaces.
Example: In a workplace where employees know each other, suspicious behavior (e.g., a stranger tailgating) is quickly noticed.
Exam angle: Strong social bonds improve natural vigilance.
Community Culture
What it means: Design should align with the values, traditions, and norms of the people using the space.
How: Respect local aesthetics, cultural practices, and social habits.
Example: A corporate office in Japan may integrate tatami meeting areas or zen gardens to resonate with employees and visitors.
Exam angle: Ignoring culture creates alienation, which weakens community ownership of security.
Connectivity
What it means: Spaces should encourage safe movement and interaction.
How: Clear pathways, parks, pedestrian-friendly zones, common areas.
Example: A tech campus that links all buildings with open walkways, bike paths, and outdoor seating areas → more “eyes on the street.”
Exam angle: Good connectivity prevents isolation → criminals cannot hide easily.
Threshold Capacity
What it means: Communities can only handle so much change before security weakens.
How: Balance growth (e.g., new construction, more workers) with stability (safety, traffic control, emergency response).
Example: A small town overwhelmed by rapid industrial growth may see increased crime if infrastructure/security doesn’t keep up.
Exam angle: Security planning must assess the “breaking point” of a community.
so...
Together, First-Gen CPTED is about physical barriers & design; Second-Gen CPTED is about people & culture. A facility is secure only when both work in harmony.
Examples
🌱 Planters under 2.5 ft → prevents hiding or climbing spots
🏢 Data center at the building core → safest place, harder to access
️Visitor parking near entrance → easy to monitor, less risk
🚚 Delivery access at back → hidden from public view, controlled entry
Benches & tables outside → encourage people to sit/watch = natural surveillance
📹 Cameras in plain sight → strong deterrent effect
🚪Minimize entrances → fewer access points to guard, close unused doors
Implement site and facility security controls
Layers of Physical Security
Physical security = policies + people + tech + barriers.
📝 Administrative controls → site selection, facility design, personnel checks, awareness training, emergency procedures.
💻 Technical controls → access badges, biometrics, alarms, CCTV, HVAC monitoring, fire suppression.
🔒 Physical controls → fencing, locks, lighting, turnstiles, dogs, guards.
Order of Operations (The 6 D’s)
Controls should follow a logical flow:
🚫 Deter → discourage intruders with fences, lighting, signage.
🔒 Deny → block access with locked doors, mantraps, safes.
👀 Detect → sensors, alarms, CCTV.
⏳ Delay → slow attackers (cable locks, safes, reinforced doors).
🕵️ Determine → assess incident (guards or SOC analyze).
🛑 Decide → take action (intercept, evidence collection, escalation).
👉 A layered “gauntlet” approach makes intruders work harder at every step.
Protecting Equipment
🔗 Cable locks for laptops → not unbreakable, but discourages theft.
⚡ Plan for equipment failure:
Non-critical: 48-hr vendor replacement is okay.
Critical: On-site spares OR SLA with vendor.
⏱️ Metrics to track:
MTTF (Mean Time to Failure) = expected life span.
MTTR (Mean Time to Repair) = avg repair time.
MTBF (Mean Time Between Failures).
♻️ Replace aging hardware before it reaches MTTF.
Wiring Closets & Cable Plant Security
A cable plant = all cables + supporting equipment that carry the network.
Key components:
🚪 Entrance Facility (MDF) – where ISP line enters.
🖥️ Equipment Room – main wiring hub.
🧩 Backbone Distribution – cross-floor connections.
📦 Wiring Closet (IDF) – per-floor distribution.
📡 Horizontal Distribution – connects closets to work areas.
Protective Distribution Systems (PDS)
Conduits, sealed paths, regular inspections.
Some PDS have intrusion detection inside conduits.
Wiring Closet Best Practices 🔑
🚫 Don’t use as a storage room.
🔒 Use strong locks (badge or biometrics).
🧹 Keep tidy → avoid clutter/fire risk.
🔥 Don’t store flammables.
🎥 Install CCTV for monitoring.
🚨 Door sensors to log entries.
🧑💻 Restrict key access → admins only.
📋 Do regular inspections.
🌡️ Monitor environment → temperature, flooding, fire risk.
🏢 Inform building management about cable security policy.
🖥️ Server Rooms & Data Centers
Location & Design
🏢 Core of the building → not on ground/top floor or basement.
💧 Avoid water, gas, sewage lines → reduce flooding/leakage risk.
🔥 Walls with at least 1-hour fire rating.
❄️ Environmental controls → HVAC, humidity, low temperature.
🌑 Lights-out area → optimized for machines, not humans.
🧯 Fire suppression → halon substitutes / oxygen-displacement systems.
👉 Goal = keep servers running optimally and keep humans out unless authorized.
Access Control Technologies
🔹 Badges / Smartcards
Dumb cards → simple ID, color-coded, picture, QR/barcode.
💳 Smartcards → embedded chip, store data, often used with PIN → MFA.
🧑💻 Dual-use: open doors and log in to computers.
⚠️ Weakness → can be stolen, cloned, or subject to social engineering → use in MFA only.
🔐 Best practice → retrieve & destroy badge at offboarding.
🔹 Magnetic Stripe Cards
🧲 Similar to credit/ATM cards.
✅ Used with PIN = 2FA (something you have + something you know).
⚠️ Easy to duplicate, not strong enough for secure environments.
🔹 Visitor & Day Passes
🎫 Clearly marked (e.g., bright color).
👀 Must be visible at all times.
🛂 Visitor must be escorted.
🔹 Proximity Devices
📡 Used with proximity readers (RFID-like).
Types:
🔘 Passive → no electronics, just alters EM field (like retail antitheft tags).
🔋 Field-powered → powered by reader’s EM field (RFID cards).
📡 Transponder → self-powered, sends signal (like key fobs, garage remotes).
🔹 AREX – Automatic Request to Exit
🚪 Detects motion near exit → door unlocks automatically.
🔦 Uses motion sensors, IR sensors, or pressure mats.
⚖️ Balance → convenience vs risk of unauthorized exit.
Security Principle
🔑 Defense in Depth → combine:
📋 Policies (who can enter)
🛡️ Physical (locks, mantraps, cameras)
🔐 Technical (badges, biometrics, proximity devices)
IDS
What is a Physical IDS?
Detects unauthorized entry / breach / abnormal activity.
Can be manual (guards 👮) or automated (alarms, sensors).
Main purpose: detect + notify + trigger response.
Weak Points to Address
⚡ Power loss → fix with 24-hr battery backup.
📡 Communication cut → fix with heartbeat monitoring to check line integrity.
👉 Without these, intruders can just cut power or cables to bypass IDS.
Motion Detectors 🕵️
📹 Digital motion detector → smart camera analyzes pattern changes.
🌡️ Passive Infrared (PIR) → detects body heat changes.
📡 Microwave / Wave pattern → sends signals, monitors reflection changes.
⚡ Capacitance detector → senses changes in electric/magnetic field.
💡 Photoelectric detector → watches light levels (useful in dark rooms).
🎤 Audio detector → listens for abnormal sounds.
🔀 Dual-tech sensors → combine 2 types (e.g., PIR + Microwave) → fewer false alarms.
Perimeter Breach Detection 🌐
Contact Devices (Balanced Magnetic Switch – BMS) → detect when door/window opens.
🔦 Infrared linear beam sensors → detect beam interruption (like garage door safety).
⛔ Both trigger alarms/logging when perimeter is crossed.
Intrusion Alarm Types 🔔
By Action:
🛡️ Deterrent → lock doors, auto-close gates.
🚨 Repellent → loud sirens, flashing lights, scare intruders away.
📲 Notification (silent alarm) → alert guards/law enforcement quietly.
By Location/Response:
📢 Local alarm → audible nearby, needs guards close to respond.
🖥️ Central station system → off-site monitoring (e.g., ADT, Brinks).
🏢 Proprietary system → monitored by in-house security team.
🚓 Auxiliary system → directly alerts emergency services (fire, police, medical).
Examples
"Imagine a burglar entering a data center:
The door contact sensor (BMS) detects the door open.
A PIR motion sensor detects body heat.
A repellent alarm blares loudly 🚨.
Meanwhile, a silent notification alarm pings the guard room 👮.
If power is cut, the battery backup keeps the system running.
If lines are cut, the heartbeat signal fails → alarm triggers anyway."
👉 This shows layered defense in action: detect, delay, notify, and respond.
Why Secondary Verification?
As IDS sensitivity increases, false alarms increase (🐦 birds, 🐕 animals, 🍂 foliage, 👷 authorized staff).
Solution: Require 2+ triggers (e.g., motion detector + door contact) before raising alarm.
✅ Reduces false positives, increases confidence that alarms = real intrusions.
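Heartbeat supervision of sensor lines and the 2+ trigger rule, sketched together as an added example (not part of the original mind map). The time window, heartbeat timeout, sensor names and event records are constructed assumptions.

```python
from dataclasses import dataclass

VERIFY_WINDOW_S = 30      # assumed: triggers this close together corroborate each other
HEARTBEAT_TIMEOUT_S = 90  # assumed: three missed 30-second heartbeats = line fault

# Constructed sensor inventory: sensor id -> (sensor kind, zone)
SENSORS = {
    "pir-lobby": ("pir", "lobby"),
    "door-lobby": ("door_contact", "lobby"),
    "pir-dc": ("pir", "datacenter"),
    "door-dc": ("door_contact", "datacenter"),
}


@dataclass(frozen=True)
class Event:
    ts: int      # seconds since the start of the sample
    sensor: str  # sensor id
    kind: str    # "pir", "door_contact", ...
    zone: str
    type: str    # "trigger" or "heartbeat"


def verified_intrusions(events):
    """Return (zone, ts, kinds) once per cluster confirmed by 2+ sensor kinds."""
    alarms = []
    recent = {}      # zone -> trigger events still inside the window
    last_alarm = {}  # zone -> time of the last alarm raised
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.type != "trigger":
            continue
        window = [e for e in recent.get(ev.zone, [])
                  if ev.ts - e.ts <= VERIFY_WINDOW_S]
        window.append(ev)
        recent[ev.zone] = window
        kinds = sorted({e.kind for e in window})
        already = (ev.zone in last_alarm
                   and ev.ts - last_alarm[ev.zone] <= VERIFY_WINDOW_S)
        # A single sensor kind (bird, foliage, staff) is not enough to alarm.
        if len(kinds) >= 2 and not already:
            alarms.append((ev.zone, ev.ts, tuple(kinds)))
            last_alarm[ev.zone] = ev.ts
    return alarms


def supervision_faults(events, expected_sensors, now):
    """Return sensors that have been silent longer than the heartbeat timeout."""
    last_seen = {}
    for ev in events:
        last_seen[ev.sensor] = max(ev.ts, last_seen.get(ev.sensor, ev.ts))
    faults = []
    for sensor in sorted(expected_sensors):
        seen = last_seen.get(sensor)
        # Never heard from, or silent too long: treat as cut line / dead sensor.
        if seen is None or now - seen > HEARTBEAT_TIMEOUT_S:
            faults.append(sensor)
    return faults


def sample_events():
    """Constructed sample: one lone trigger, one corroborated pair, one cut line."""
    events = []
    for name, (kind, zone) in SENSORS.items():
        stop = 60 if name == "door-lobby" else 300  # door-lobby goes silent after t=60
        for ts in range(0, stop + 1, 30):
            events.append(Event(ts, name, kind, zone, "heartbeat"))
    events += [
        Event(40, "pir-lobby", "pir", "lobby", "trigger"),            # lone trigger
        Event(100, "door-dc", "door_contact", "datacenter", "trigger"),
        Event(112, "pir-dc", "pir", "datacenter", "trigger"),         # corroborates
        Event(118, "pir-dc", "pir", "datacenter", "trigger"),         # same cluster
    ]
    return events


if __name__ == "__main__":
    evs = sample_events()
    print("verified intrusions:", verified_intrusions(evs))
    print("supervision faults:", supervision_faults(evs, SENSORS, now=300))
```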
Security Cameras as Verification Tools
📷 Not automatic by default → need guards to watch feeds or review recordings.
👀 Extend human visibility → one guard can “see” many areas.
🧠 With AI/ML, cameras can become primary detection tools (e.g., facial recognition, object detection).
🔍 Cameras = both deterrent (visible) and detection (hidden).
CCTV & Modern Video Surveillance
🖥️ Traditional CCTV → closed loop, recorded + monitored by guards.
🌐 Modern IP Cameras → remote-controlled, often cloud-based, network-accessible.
📡 Placement → entry/exit points, hallways, around assets, parking, walkways.
🎭 Overt cameras = deterrent (intruder sees and backs off).
🕵️ Hidden cameras = detection (intruder unaware).
Camera Types & Features
🔦 Visible light → standard video.
🌡️ Infrared (IR) → works in dark.
🎬 Motion-triggered → records only on movement.
🎥 PTZ (Pan-Tilt-Zoom) → remote control to track intruders.
⚙️ Smart functions (SoC / EVS):
📅 Time-lapse recording.
🧑💻 Facial recognition.
🔫 Weapon/object detection.
👣 Gait analysis → biometric based on walking pattern.
Risks & Countermeasures
⚠️ Cameras themselves can be attacked → malware, remote control, disabling.
Dummy/decoy cameras → cheap deterrent, no actual detection.
🤖 AI/ML-enhanced cameras → better pattern/activity interpretation, reduce false positives.
Example
Imagine a motion sensor is triggered at 2 AM. Instead of immediately sounding a siren, the system checks the nearest CCTV feed. If the AI sees it’s just a stray cat 🐈, the alarm stays quiet. If it sees a masked intruder 🥷, the system confirms the alarm, locks doors, and alerts guards. This is secondary verification at work.
🔐 Physical Security – Special Topics
Access Abuses
Even with locks, badges, or biometrics, people can abuse access.
🚪 Propping open doors → bypasses security controls.
Impersonation / Masquerading → using another person’s ID.
👫 Tailgating → following behind an authorized person.
🐖 Piggybacking → being let in by an authorized person.
📋 Detection: audit trails, access logs, CCTV, and security guards.
👉 Best practice: Compare logs (who swiped in) with camera footage to catch misuse.
Media Storage Facilities 💽
Protect blank, reusable, and installation media:
🔒 Store in locked cabinet/safe (not on shelves).
👨💼 Appoint a media custodian (check-in / check-out).
♻️ For reusable media: secure wipe / zeroization before reuse.
🧾 Verify sanitization with hash checks.
🔖 Use classification labels / RFID tags for tracking.
🔥 Consider fire, flood, temperature protection for critical media.
👉 Risk: Data remnants can be recovered if only deleted/formatted → use secure wiping tools.
Evidence Storage 📂
💻 Store logs, audit trails, VM snapshots, disk images.
🔒 Dedicated system, separate from production.
🌐 Keep offline or no internet connectivity if possible.
🧮 Use hashes for integrity verification.
🧑⚖️ Restrict access → only admins + legal counsel.
🔐 Encrypt all datasets.
📜 Follow regulations / industry standards (e.g., law enforcement chain-of-custody).
Work Area Security 🏢
🌀 Concentric layers of protection → more sensitive = deeper inside.
🧱 Walls/partitions to reduce shoulder surfing & eavesdropping.
🗄️ Clean-desk policy → lock up sensitive docs & devices at end of shift.
🔑 Classify work areas → only cleared staff allowed inside.
🚷 Visitor control → escorts, badges, logs, cameras, guards.
Example: SCIF (Sensitive Compartmented Information Facility)
🛡️ Used for highly classified data (govt/military).
🚷 Strict access → only cleared + approved staff.
📵 No phones, cameras, or recording devices.
🏠 Can be permanent, temporary, in a building, aircraft, or even a ship.
🎯 Goal: prevent data leakage & espionage.
Example
Physical security isn’t only about guards and locks. It extends to how people behave (access abuse), how data is stored (media & evidence), and how workplaces are structured (clean desks, concentric zones, SCIFs).
⚡ Utility & Environmental Considerations
Power Considerations
⚡ Clean Power Needed – inconsistent power damages equipment.
🔌 Surge Protector – protects from spikes, but cuts power completely.
⚙️ Power Conditioner – filters noise + stabilizes line.
🔋 UPS (Uninterruptible Power Supply) – surge protection + clean power + backup battery.
Double Conversion UPS → always runs off battery (best, smooth).
Line-Interactive UPS → switches to battery only when grid fails (tiny delay).
🔋🏢 Battery Backups – building-level failover batteries (some solar/green).
⛽ Generators – long-term backup, fuel-based. UPS bridges gap until generator kicks in.
Power Issues (⚠️ memorize these!)
🔴 Fault = momentary complete power loss.
🌑 Blackout = prolonged power loss.
🔻 Sag = momentary low voltage.
Brownout = prolonged low voltage.
🔺 Spike = momentary high voltage.
📈 Surge = prolonged high voltage.
⚡ Inrush = startup spike when connecting load.
🌍 Ground = safe alternate path for electricity.
Noise 🔊
EMI (Electromagnetic Interference) → disrupts signals (phone, radio, LAN).
RFI (Radio Frequency Interference) → caused by appliances (fluorescent lights, motors, computers).
Countermeasures:
⚡ Power conditioning
🌍 Proper grounding
🛡️ Shielded cables & conduits
🌐 Fiber instead of copper
Temperature, Humidity & Static 🌡️💧⚡
📊 Optimal data center temp: 59°F – 89.6°F (15°C – 32°C).
🌬️ Hot/Cold Aisle Design – airflow separation for efficient cooling.
📦 Plenum spaces – HVAC airflow paths; only use plenum-rated cabling.
🔄 Maintain stable temp → avoid heat oscillations (prevents chip creep).
💨 Maintain positive air pressure + filtration → reduces dust/chemicals.
💧 Humidity Range: 20–80% RH (some allow 8–90%).
Too high = condensation → corrosion.
Too low = static buildup → ESD (Electrostatic Discharge).
Static Voltage Damage (⚠️ exam loves this table!)
⚡ 40V → destroy sensitive circuits.
⚡ 1,000V → scramble monitors.
⚡ 1,500V → corrupt hard drives.
⚡ 2,000V → shutdown systems.
⚡ 17,000V → permanent circuit damage.
Environmental Monitoring 🌍
🌡️ Monitor: temp, humidity, dust, smoke, contaminants.
🧪 Advanced: chemical, biological, radiological detectors.
⚙️ Condition Monitoring → real-time tracking of system health → predict/prevent failures
Water Issues 💦
🚱 Keep servers away from water/gas/sewage lines.
🚨 Install water-detection circuits (esp. under raised floors).
🛑 Know shutoff valves & drainage.
🌧️ Check building site risk (valley vs hill, drainage history, landscaping near walls).
🔥 Fire Prevention, Detection, & Suppression
Fire Triangle
To extinguish a fire, remove one element of the triangle:
💧 Water → reduces temperature.
🧯 Dry powder / soda acid → removes fuel.
CO₂ → removes oxygen.
🧊 Halon substitutes / inert gases → interrupt chemical reaction / oxygen.
AFFF (Aqueous Film Forming Foam) → blocks fuel + cools temperature.
Fire Stages 🚨
🌫️ Incipient Stage → ionization only, no smoke.
🚬 Smoke Stage → visible smoke.
🔥 Flame Stage → flames appear.
♨️ Heat Stage → intense heat, total burn.
👉 Early detection = easier suppression + less damage.
Fire Causes in Data Centers 🖥️
⚡ Overloaded outlets / circuits (most common).
🔥 Improper heating devices → coffee pots, hot plates, space heaters near paper/cloth.
Fire Safety Training for Personnel 👩🚒
🛑 Know 2 evacuation routes.
🚪 Follow exit signs / maps.
🧯 Trained on fire extinguishers.
📍 Rendezvous point after evacuation.
⏱️ Conduct regular drills & simulations.
❤️ Emergency training: CPR, AED, shutdown, first aid.
✅ Legal requirement: inspect fire alarms, extinguishers, elevators regularly.
Suppression Systems in IT Environments 💻
🌊 Water sprinklers → good for people safety, but can damage electronics.
❄️ Gas-based systems (halon substitutes, FM-200, Inergen) → safe for electronics.
AFFF Foam → best for liquid fuel fires.
🧯 Portable extinguishers → CO₂, dry chemical, foam types available.
Exam tip
CO₂ & Halon substitutes → best for data centers (safe for electronics).
Water & Foam → good for human safety, ❌ not safe for IT equipment.
Powder → effective but messy; ❌ not for sensitive areas.
Key takeaway for CISSP students:
Fire safety is first about protecting people, then minimizing damage to assets.
Remember the Fire Triangle, the 4 stages of fire, and the suppression types with their effects.
Example
"Imagine you’re in a data center when an electrical outlet sparks. At the incipient stage, the ionization detector trips an alarm. A CO₂ system floods the room, removing oxygen, while staff evacuate through two marked exits 🚪. Because of early detection, damage is minimal, and suppression avoids destroying servers."
Exam key points
Stage use: Extinguishers useful in Stages 1–3 (incipient → smoke → flame), NOT at Stage 4 (heat).
ABC Extinguishers → Most offices use multi-class ABC for flexibility.
🚫 Never use water on B (liquids), C (electrical), or K (oil) fires.
🚫 Never use oxygen suppression on D (metal) fires.
✅ Remember: People first, assets second → only use extinguishers if safe to do so.
Fire
Know A = solids, B = liquids, C = electrical, D = metals, K = kitchen oils and which suppression material is safe vs unsafe.
"Imagine you’re in a server room. A fire starts in the power strip 🔌 → Class C. You grab a CO₂ extinguisher (safe for electronics). But if the same fire happened in the pantry fryer 🍳 → Class K, you’d need a potassium-based extinguisher 🧂, not water, or else the burning oil would explode."
🧠 Super Memory Trick
“Ashes Boil Current Dense Kitchen.”
A = Ashes (wood/paper)
B = Boil (liquids)
C = Current (electrical)
D = Dense (metals)
K = Kitchen (oils/fats)
Fire Classes & Suppression Materials
🔥 Fire Detection & Suppression Systems
Fire Detection Systems 🚨
🌡️ Fixed-Temperature Detectors → trigger at a set temp (common, cheap, reliable).
📈 Rate-of-Rise Detectors → trigger if temp increases too quickly (can be fooled by HVAC).
🔥 Flame-Actuated → detect infrared from flames (fast, reliable, expensive).
🚬 Smoke-Actuated →
Photoelectric = detects light scattering.
Ionization = uses americium radiation to sense particles.
🧪 Incipient Smoke Detection (Aspirating Sensors) → detects chemical signs of early combustion (very costly, used in high-risk areas).
👉 Placement: under raised floors, above ceilings, server rooms, HVAC vents, elevators, basements.
Fire Alarm Systems 🔔
🔊 Loud sirens + 💡 flashing lights → immediate attention.
🔗 Can auto-notify fire department.
👩🏫 Personnel should follow training → evacuate, not investigate.
Water Suppression Systems 💧
Gas Discharge Systems
Use pressurized gases to remove oxygen or disrupt combustion.
⚠️ Dangerous for people → only for non-human areas.
✅ Best for protecting IT systems (no water/equipment damage).
Types
CO₂ → reduces oxygen + temp, but ❌ deadly to humans at 7.5%+.
❄️ Halon → effective, but toxic + ozone-depleting (banned by Montreal Protocol).
🌱 Halon Substitutes (FM-200, Inergen, Novec 1230) → eco-friendly, safe for electronics.
💨 Low-Pressure Water Mists → cools quickly, but ❌ rarely used in IT.
Exam Quick Tips 📝
Data centers → prefer Gas systems (FM-200, Inergen) or Preaction sprinklers.
CO₂ → only in unmanned areas (engine rooms, generators).
Deluge → never for IT rooms.
Incipient detectors → best for early detection but costly.
Halon → know it’s banned but still appears in CISSP exam questions.
Main Topic
"Imagine a fire starts under the raised floor of a server room:
An incipient detector smells early chemical signs 🧪.
An alarm flashes & sirens go off 🔔.
Preaction sprinklers arm the pipes but wait until heads activate.
If staff confirm it’s a false alarm, they can stop water release.
If fire spreads, the sprinklers activate, while gas suppression (FM-200) in another zone silently protects the servers."
🏢 Implement & Manage Physical Security
General Principles
Signage → marks restricted areas, warns of surveillance, gives safety instructions.
🧪 Testing controls → regularly check locks, gates, turnstiles, cameras, etc.
🏷️ Zones → areas should be classified as Public, Private, Restricted.
Perimeter Security Controls 🌐
🔲 Fences
🚧 3–4 ft → deters casual trespassers.
6–7 ft → deters most intruders.
🔗 8+ ft with barbed/razor wire → stops determined intruders.
🛡️ PIDAS (Perimeter Intrusion Detection & Assessment System)
Multiple layered fences (outer, main, inner).
May include electrification, touch detection.
Space between fences = patrol corridor / guard dogs.
Used in military & prisons.
🚪 Gates
Controlled entry/exit points in a fence.
🔒 Hinges & locks must be tamper-resistant.
🚷 Keep minimum number of gates; monitor with guards, dogs, or cameras.
🔄 Turnstiles
One person at a time.
🔑 Requires credential to enter.
Controls direction of flow (entry vs exit).
Prevents tailgating & speeds up crowd control.
🚷 Person Traps (Man Traps / Access Control Vestibules)
Double-door system (one must close before the other opens).
Used for high-security areas (e.g., data centers, SCIFs).
🛑 Can trap intruder until verified by guard.
⚖️ Sometimes include a scale to prevent piggybacking.
🚗 Security Bollards & Barricades
⛔ Prevent vehicle ramming.
Can be fixed or automatic rising barriers.
Often disguised as planters / decorative elements.
Examples: bollards, K-rails, zigzag paths, tire shredders.
🔄 Avoid straight vehicle paths → reduce high-speed approach.
Tip
"A data center uses an 8 ft barbed fence 🚧. Entry is through a guarded gate 🚪, followed by a turnstile 🔄. To reach the server floor, you pass through a mantrap 🚷. Outside, bollards 🚗⛔ prevent car ramming. This layered defense delays intruders and allows guards to respond."
Key Takeaway for CISSP:
Perimeter → Fences/Gates
Controlled Access → Turnstiles/Mantraps
Vehicle Defense → Bollards/Barricades
Always layered defense = deter, delay, detect, respond.
Lighting, Guards, and Internal Controls
Lighting 💡
Most common perimeter security → deterrence only.
Exterior → dusk till dawn 🌙.
Interior → always on, motion-triggered, or emergency-triggered.
🚪 Emergency lighting → exits & escape routes.
✅ Standard: ~ 2 foot-candles (20 lux) at critical points.
Poles: distance = diameter of illumination (slightly closer for overlap).
⚠️ Avoid: glare, reflections, pointing inward that blinds guards, nuisance to neighbors.
👉 Works best with CCTV, guards, or intrusion detection
Security Guards 👮
Active human element → deter, detect, respond.
Patrols should be frequent + random (avoid patterns).
Pros: can learn patterns, make judgment calls, adapt.
Cons:
❌ Human limits (fatigue, illness, distraction, substance abuse).
❌ Can be socially engineered.
❌ Expensive.
❌ Risk-averse (may not act if life threatened).
🔄 Guards = complement to cameras, logs, & alarms.
Guard Dogs 🐕
Great deterrent + detection for perimeters.
Cons: high cost, maintenance, liability, insurance.
Often used in military & high-security perimeters.
Robot Sentries 🤖
Modern supplement → wheeled or drone-based (UAV).
Use facial recognition + anomaly detection.
Can patrol continuously but expensive and complex.
Internal Visitor Controls 🙋
Reception = choke point.
Visitors must be escorted.
📋 Visitor logs → manual or automatic (smartcards).
Segregated lobby with locked doors + CCTV.
Logs cross-reference with logical access logs in investigations.
Useful in emergency → confirm if everyone evacuated.
Keys & Locks 🔑
🔹 Conventional Locks (deadbolt, preset)
Cheap & common.
Vulnerable to:
🪛 Lock picking / shimming.
🔑 Bumping (using bump key to jump pins).
🔹 Programmable / Combination Locks 🔢
More control → can store multiple codes.
Can integrate with digital/EAC.
🔹 Electronic Access Control (EAC)
Components:
🔒 Electromagnet (keeps door closed).
🆔 Credential reader (authenticates subject).
🔄 Sensor (reengages lock when door closes).
Features:
⚠️ Alarm if door left open too long.
🚨 Intrusion alarm if forced open.
Exam tip
Examples
*"Imagine an office building:
The parking lot is well lit 💡 with overlapping coverage.
At reception 🚪, visitors must sign in 📋 and wear badges.
Server room entry uses an EAC lock 🔒 with smartcard + PIN.
Security guards 👮 patrol at random times, supported by CCTV 📹.
Guard dogs 🐕 cover the exterior perimeter at night."*
🌍 Environmental Issues & Life Safety
Protecting People First 👨👩👧👦
Top priority in security = human life.
After people are safe → restore environment → restore IT utilities.
Hazards: 🌊 Flooding, 🔥 Fires, ☣️ Toxic releases, 🌪️ Natural disasters, 💣 Human-made disasters.
👉 Always apply the principle: Life safety first, continuity second.
Occupant Emergency Plan (OEP) 🚪
Focuses ONLY on personnel safety (not IT).
Covers:
🚷 Minimize threats to life
🛡️ Prevent injury
😰 Handle duress
🚖 Travel & evacuation guidance
👀 Safety monitoring
🏠 Protect property from disaster damage
Difference from other plans:
OEP → People first
BCP (Business Continuity Plan) → Business operations
DRP (Disaster Recovery Plan) → IT systems
Regulatory Requirements ⚖️
Every organization must follow industry, state, national, and sometimes city-level regulations.
Examples:
👷 Safety codes
🏭 Handling hazardous materials
🧑💻 Software licensing
📑 Labor laws, hiring restrictions
✅ Regulations = baseline → security infrastructure is built on top of compliance.
Physical Security KPIs 📊
Metrics to measure effectiveness of security → helps justify cost & improvements.
Examples of KPIs:
📈 Number of incidents (successful/unsuccessful intrusions, crimes, disruptions).
⏱️ Time metrics: detection, assessment, response, recovery, restore.
🎯 Level of organizational impact.
🚨 False positives (false alarms).
👉 Baseline + historical records = essential for trend analysis.
👉 Feed into Lessons Learned phase of incident response.
👉 Used for ROSI (Return on Security Investment) & cost-benefit analysis.
Example
"Imagine a flood in the basement 🌊. Step 1: ensure all employees are safe 👨👩👧👦. Step 2: apply the OEP → evacuation routes 🚪, roll call 📋, first aid 🏥. Step 3: once safe, IT can engage DRP (restore servers). Later, management reviews KPIs: How long did it take to detect? How fast was evacuation? How much downtime occurred? Lessons learned improve future response."
Exam tip
People first → OEP before BCP/DRP.
Compliance is the baseline, not the goal.
KPIs = measure effectiveness and enable continuous improvement.