Physical Security Requirements

Is it possible to secure an asset without securing the physical perimeter of your building? The answer is “No”.

If a malicious person can gain physical access to your facility or equipment, they can do just about anything they want, from destruction to disclosure or alteration. Physical controls are your first line of defense, and people are your last.

All physical security should be based on a layered defense model.


Crime Prevention Through Environmental Design (CPTED) refers to designing a facility from the ground up to support security. It is actually a broad concept that can be applied to any project. Some of the key points of CPTED are summarized in the figure below.


Physical Security Plan

Another important aspect of site and facility design is the proper convergence between the physical layout and the physical security plan. Achieving all the goals of CPTED is not always possible, and in cases where gaps exist, the physical security plan should include policies and/or procedures designed to close any gaps. The plan should address the following issues.

Strategy for Physical Security

The security controls implemented to manage physical security can be divided into three groups: administrative, technical, and physical.

Administrative Physical Security Control

When selecting a site, a number of decisions have to be made, such as:

  • Will the site be externally marked as a data center?
  • Is there shared tenancy in the building?
  • Where is the telecom demarc (the telecom demarcation point)?

Site selection should be based on the security needs of the organization. The figure below lists some common questions that can help in decision making.

Once a site is selected, the support systems built into the building play a critical role in the overall physical security posture. Hence, there are multiple factors we need to look into while designing security.

Administrative Control

Physical Control

Refer to the figure below for the physical controls used in an organization.

Technical Physical Control

Technical Physical Control

Other Physical Security Requirements

In addition to the controls mentioned above, there are a few controls which are required for specific area types such as wiring closets, data centers, server rooms, media rooms, etc.

The figure below covers multiple controls for such special areas.

Specific Controls Based on Type of Area

QUIZ TIME * – Practicing questions along with the concepts is the best way to maintain interest in study. Hence, please take some time for a short quiz on physical security. Click the image below to start the quiz.

* The questions in these practice tests are listed to help you study information and concepts that are likely to be tested on CISSP certification and do not represent questions from any actual test. Your score on these practice tests is not meant to and will not correlate to any particular score on any test.

Equipment Failure

No matter the quality of the equipment your organization chooses to purchase and install, eventually it will fail.

Most IT professionals are used to talking about uptime, downtime, and system failure. But not everyone is entirely clear on the definition of the terms widely used in the industry. What exactly differentiates “mean time to failure” from “mean time between failures”? And how does “mean time to repair” play into it? Let’s get some definitions straight!

An SLA clearly defines the response time a vendor will provide in the event of an equipment failure emergency.

MTTF is the expected typical functional lifetime of the device given a specific operating environment.

MTTR is the average length of time required to perform a repair on the device.

MTBF is an estimate of the time between one failure and the next, i.e. the interval from the first failure to each subsequent failure.

Refer to the figure below for the differences among MTTR, MTTF and MTBF.


Make sure to schedule all devices to be replaced before their MTTF expires.
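As an added illustration of the three metrics (not code from the original post), the following Python computes MTTR, MTTF and MTBF from a constructed outage log for a hypothetical device and derives the replacement deadline the advice above calls for; the timestamps, the device and the 10% safety margin are assumptions.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Outage:
    """One failure of a repairable device: hours since commissioning at
    which it failed and at which it was back in service."""
    failed_at: float
    restored_at: float

# Constructed sample log for a hypothetical device (not real data).
SAMPLE_OUTAGES = [
    Outage(failed_at=2000.0, restored_at=2004.0),
    Outage(failed_at=4100.0, restored_at=4102.0),
    Outage(failed_at=6000.0, restored_at=6006.0),
]

def mttr(outages):
    """MTTR: average length of a repair (restore time minus failure time)."""
    if not outages:
        raise ValueError("need at least one outage")
    return mean(o.restored_at - o.failed_at for o in outages)

def mttf(outages, commissioned_at=0.0):
    """MTTF: average operating time before each failure, counted from
    commissioning for the first failure and from the previous restoration
    for every later one."""
    if not outages:
        raise ValueError("need at least one outage")
    starts = [commissioned_at] + [o.restored_at for o in outages[:-1]]
    return mean(o.failed_at - s for o, s in zip(outages, starts))

def mtbf(outages):
    """MTBF: average interval between the start of one failure and the start
    of the next. For a repairable device this is roughly MTTF + MTTR; on a
    short log the two differ a little because MTBF averages one fewer
    interval."""
    if len(outages) < 2:
        raise ValueError("need at least two outages")
    return mean(b.failed_at - a.failed_at for a, b in zip(outages, outages[1:]))

def replacement_deadline(outages, commissioned_at=0.0, margin=0.9):
    """Hour by which to replace the device: last restoration plus the observed
    MTTF, shortened by a safety margin (an assumption) so the swap happens
    before the expected lifetime runs out."""
    return outages[-1].restored_at + margin * mttf(outages, commissioned_at)

if __name__ == "__main__":
    print(f"MTTR={mttr(SAMPLE_OUTAGES):.1f}h MTTF={mttf(SAMPLE_OUTAGES):.1f}h "
          f"MTBF={mtbf(SAMPLE_OUTAGES):.1f}h replace by hour {replacement_deadline(SAMPLE_OUTAGES):.1f}")
```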

One thought on “Physical Security Requirements”

  1. Pingback: Domain 3: Security Architecture and Engineering – mrcissp
