Physical Access Controls Transcription

Welcome to our physical security module. Physical security is your first line of defense when protecting your organization and your assets. We need to develop a strategy of defense in depth where we have multiple layers of protection in order to protect our facility. The first level of protection is our perimeter protection.

Here we can use our surroundings to protect us, such as our terrain or the remoteness of our facility. We can use structural protection like fences, bollards, walls and gates, and we can also make sure that our building structure is designed with security in mind, using very solid doors and a minimum number of entrances, which creates fewer access points for an intruder.

We should also consider technical controls to prevent and detect intruders from entering our facility. Here the goal is to deter intruders, detect them, and then respond to them. With defense in depth we can use proximity devices outside our building, like motion lights, so that if someone is walking on the property, a light would activate and perhaps even notify our security staff.

And we can also use physical intrusion detection systems or burglar alarms, with motion sensors and door sensors to detect any unauthorized entry into our facility. We also need to make sure that our facility is running efficiently, and has the resources that it needs to operate, so we need to make sure that it has access to utilities.

We should have reliable electrical power, as well as backup power, and we should also make sure we have access to water and sewer and any other utilities that are necessary for our facility to operate. We also should have heating, ventilation and air conditioning systems, or HVAC, that support our facility.

And we should also consider using a backup HVAC system, especially in a server room, where extreme temperatures can significantly damage your sensitive equipment. You should also make sure that you have fire detection and suppression systems in place to combat any threats from fire in your facility. We need to determine if the physical security protection mechanisms we place are appropriate or not for our assets.

If we have very high value assets, we should spend a significant amount of money on physical security controls. And if our assets are not very valuable then we do not have to spend as much money on these controls. Sometimes these physical security controls are required by law, by code, or by a regulation in your local area.

And you may not have any choice but to implement these options. Some examples are exit doors with panic bars so that employees can exit in case of an emergency. And also exit lighting to guide individuals to an exit in case there's a problem. Whenever you're placing a control in place, you should make sure that you have a good cost benefit ratio.

You would like the cost of the control to be low and have it provide a high level of protection. The benefit of your control should always outweigh its cost. So for example, door locks are not that expensive but they can protect your very valuable assets. It's important to make sure that you’re not putting controls in place that are not cost effective.

For example, if you only have about $20,000 worth of assets inside your building, you would not want to spend $1,000,000 on a security system to protect those $20,000 worth of assets. You should also make sure that you have employee security awareness training. Your employees should know that they should either question suspicious individuals or those that are not wearing identification, or even report those individuals to security if they're not comfortable questioning them.

When we look at door locks we have a few options that we can select for our organization. Conventional locks can be easily picked or bumped and keys can be easily duplicated. It's difficult to maintain key control because employees could make unauthorized copies of the keys, and you also have to find a way to distribute the keys efficiently.

We also have pick and bump resistant locks that are more expensive, but they're harder to pick, they are resistant to bump key attacks, and the keys are harder to duplicate, so that we do not have the issue of employees making unauthorized copies of the keys. But we still need to figure out a way to distribute the keys to our authorized employees and have a system in place to make sure the keys are returned when the employee is no longer with the organization.

On the CISSP exam, you may see a question about bump keys. Bump keys are modified keys used by burglars: they are placed in a door lock and then bumped using a small hammer or another object. When the bump occurs, the individual is able to turn the key and open the lock, even though it is not an authorized key for that lock.

We do have some other options for types of locks that we can use in our organization. An electronic combination lock, or cipher lock, uses a "something you know" authentication mechanism. Here, we can change the combination on the lock and program it to something that is easy for us to remember.

We should change the combination at least once every 12 months, every time an employee leaves the organization, and also if we have any sign of a possible compromise. Some of these locks also have a delay option, where an alarm will sound if the door is held open for a certain period of time.

We can also use keycard systems, which are a "something you have" authentication mechanism. With these systems, we provide a card to our employees that is encoded with an access code. This is read when the employee approaches the door, and it will unlock the door. RFID systems can be very convenient because you do not have to swipe the card; however, these systems can be cloned, and that is a concern that should be considered.

We can also have high-end systems that will control when people can enter, and also maintain a sophisticated log of when users enter and when users exit the building. When an employee leaves the company, you can simply disable their card. This way if an employee refuses to return the card, you can simply disable it, and they will no longer have access to the facility.

Finally, biometric systems are a "something you are" factor of authentication. Here, individuals can use their fingerprint, a retina scan, or some other type of biometric identifier to access the building. Piggy backing, also known as tailgating, is definitely a concern with many organizations. This is when an individual accesses your building by using someone else's legitimate credentials or access rights.

Piggy backing implies consent from an authorized individual. The example here is an employee walks up to enter the building, swipes their card and the door unlocks. And then the unauthorized individual is walking in the building behind them and the authorized employee holds the door for that individual and allows them to enter behind them.

Tailgating implies that there was no consent. The attacker might just be standing near the entrance, pretending that they are not going to enter. And as soon as the employee enters the building and prior to the door closing, the attacker grabs the door and walks inside the building. A man trap can be used to prevent piggy backing.

With a man trap, employees enter through the first door and then are in a small hallway. They then need to swipe their card again to enter through the second door. These are typically designed so that the second door will not open until the first door closes, and then the employee can be sure that nobody followed them into the man trap.

These can also be designed with a security guard sitting inside a control room, who is able to look through the window into the hallway and verify that no additional persons are entering through the doors when that authorized employee enters the building. You want to remember, for the CISSP exam, that a man trap is a control that can be used to prevent piggybacking, or tailgating.

We can also use security guards to protect our organization. Security guards are able to deter intruders, detect intruders, and also perform investigations and fix improper actions. We can use them to check credentials at entry and exit points. We can use security guards to make sure that individuals are not stealing our company property.

They can enforce regulations. They can look for suspicious activity and monitor our alarm systems. And at the end of the day, they can verify that our doors and windows are all locked. One of the biggest advantages of using security guards, compared to using a non-human control, is that they can exercise discernment, or judgment. They can look at a situation and determine if it is suspicious, or determine if they should take action or not, whereas a non-human control would not be able to make these types of decisions. The disadvantage of security guards is that they are your most expensive countermeasure to any physical security risks.

Unlike other controls where you pay for the control once and then perhaps pay a maintenance fee to make sure that it's continuing to work properly, security guards will need to be paid a salary around the clock, along with benefits and other expenses. You also have increased liability and chances of a lawsuit, in case your security guard takes improper action or has some type of physical contact with an intruder or an employee.

This concludes our physical security module. Thank you for watching.