Domain 7 · Lesson 6 of 6

Physical Security Operations & Environmental

Physical Security Operations & Environment

Physical Security Operations

Guards & Patrols

  • Deterrence (visible presence) + detection (respond to incidents)
  • Must have written procedures and patrol logs
  • Guards are a human control — can be compromised (social engineering, bribery)
  • Effectiveness depends on training and randomized patrol patterns

CCTV (Cameras)

  • Must be RECORDED — not just live monitoring
  • Retention: typically 30–90 days (varies by regulation)
  • Recordings must be stored securely (tamper-evident, restricted access)
  • Legal retention requirements: check local law (Philippines, Vietnam)
  • Camera coverage: all entry/exit points, server rooms, loading docks

Access Logging

  • Badge swipe records, biometric events
  • Provides audit trail: who entered which area, when
  • Audit access logs periodically — look for anomalies (access at 3am)
  • Reconcile with HR records (terminated employees still showing access = major gap)
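
The two periodic checks above (after-hours anomalies and reconciliation against HR records) as an added example, not part of the original lesson. The badge export, HR export and business-hours window are constructed and assumed; a real deployment would read these from the access-control and HR systems.

```python
"""Audit badge-access logs for after-hours access and for badges that are
still granting access after the holder's termination date.
Added example: all log lines and HR records below are constructed."""
from datetime import datetime, time

# Constructed badge-swipe export: timestamp, badge id, door, result
BADGE_LOG = """\
2024-03-02T08:55:10,B1001,server-room,GRANTED
2024-03-02T14:20:41,B1002,loading-dock,GRANTED
2024-03-03T03:12:05,B1003,server-room,GRANTED
2024-03-03T09:01:33,B1004,server-room,GRANTED
2024-03-03T23:40:00,B1002,server-room,DENIED
"""

# Constructed HR export: badge id -> (name, termination date or None)
HR_RECORDS = {
    "B1001": ("A. Nguyen", None),
    "B1002": ("B. Santos", None),
    "B1003": ("C. Tran", None),
    "B1004": ("D. Reyes", datetime(2024, 2, 15).date()),  # terminated, badge still active
}

# Assumed business hours for this office; access outside them is an anomaly to review
BUSINESS_HOURS = (time(7, 0), time(20, 0))


def parse_log(text):
    """Parse the CSV export into event dicts with real datetimes."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, door, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "result": result})
    return events


def audit(events, hr):
    """Return (finding_type, badge, name, door) tuples for successful swipes
    that are after hours, by a terminated employee, or by an unknown badge."""
    findings = []
    for e in events:
        if e["result"] != "GRANTED":
            continue  # denied attempts are reviewed separately
        name, term = hr.get(e["badge"], ("UNKNOWN", None))
        if name == "UNKNOWN":
            findings.append(("UNKNOWN_BADGE", e["badge"], name, e["door"]))
        if term and e["ts"].date() > term:
            findings.append(("TERMINATED_ACCESS", e["badge"], name, e["door"]))
        if not (BUSINESS_HOURS[0] <= e["ts"].time() <= BUSINESS_HOURS[1]):
            findings.append(("AFTER_HOURS", e["badge"], name, e["door"]))
    return findings
```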

Visitor Management

  • Sign-in required at reception — log name, ID, host, purpose, time in/out
  • Escort required in ALL restricted/secure areas — no exceptions
  • Visitor badge (different color from employee badge — visually distinguishable)
  • Escort is responsible for visitor's actions in the secure area

Media Handling & Transport

Classified media transported in locked, tamper-evident containers. Chain of custody maintained. Upon receipt, verify container seal integrity before opening. Any transport of sensitive media requires documentation.

Fire Suppression Systems

CRITICAL: CO2 Suppression — EVACUATE FIRST

CO2 suppression displaces oxygen. It will extinguish people as effectively as it extinguishes fires. All personnel MUST evacuate before CO2 activation. This is the most commonly tested fire suppression fact on the CISSP exam.

Pre-action
  • Activation trigger: BOTH smoke AND heat detected (double-interlock)
  • Human safety: Safe for people — human verification before discharge
  • Equipment safety: Good — reduces accidental discharge risk

FM-200 (HFC-227ea)
  • Activation trigger: Smoke / heat sensor
  • Human safety: Safe for people at design concentrations
  • Equipment safety: Excellent — clean agent, no residue

CO2
  • Activation trigger: Manual activation or smoke sensor
  • Human safety: EVACUATE ALL PERSONNEL FIRST
  • Equipment safety: Effective — but oxygen depletion is lethal to humans

Wet Pipe Sprinkler
  • Activation trigger: Any single head heated above threshold
  • Human safety: Safe for people (water)
  • Equipment safety: Poor — water damages electronics; risk of accidental discharge

Best for Data Centers

Pre-action or FM-200 (clean agent). FM-200 leaves no residue, safe for equipment and people. Pre-action prevents accidental water discharge. Both are preferred over wet pipe for server rooms.

CO2 — Industrial / Unoccupied Spaces

CO2 is effective and cheap but requires guaranteed evacuation before activation. Suitable for unoccupied areas (transformer rooms, generator rooms) where personnel protocols can be strictly enforced.

Environmental Monitoring

Temperature
  • Alert threshold: >27°C in server room
  • Risk if exceeded: HVAC failure → hardware failure → unplanned downtime

Humidity (low)
  • Alert threshold: <40%
  • Risk if exceeded: Static electricity risk — ESD damage to hardware

Humidity (high)
  • Alert threshold: >60%
  • Risk if exceeded: Condensation — moisture damage to electronics

Water leak
  • Alert threshold: Any detection
  • Risk if exceeded: HVAC/cooling leak under raised floor or near CRAC units

Power quality
  • Alert threshold: UPS activation
  • Risk if exceeded: Power failure → UPS provides 15–30 min battery backup → generator must start within this window

UPS & Generator

UPS (battery) provides 15–30 minutes of power during outage — enough time for the diesel generator to start and stabilize. Generator fuel level must be maintained at all times. Fuel monitoring alerts if level drops below 25% threshold.
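
The environmental thresholds and the UPS-to-generator handoff window from the two passages above, turned into alerting logic as an added example (not code from the lesson). The sensor names, the 15-minute UPS runtime figure used here and all readings are constructed assumptions.

```python
"""Evaluate a stream of environmental readings against the lesson's thresholds
and flag a UPS activation that is not followed by the generator coming online
within UPS runtime. Added example: all readings below are constructed."""
from datetime import datetime, timedelta

TEMP_MAX_C = 27.0
HUMIDITY_MIN, HUMIDITY_MAX = 40.0, 60.0
UPS_RUNTIME = timedelta(minutes=15)  # assumed: conservative end of the 15-30 min range

# Constructed readings: (timestamp, sensor, value)
READINGS = [
    (datetime(2024, 3, 3, 2, 0), "temp_c", 24.5),
    (datetime(2024, 3, 3, 2, 0), "humidity_pct", 35.0),
    (datetime(2024, 3, 3, 2, 5), "water_leak", 1),
    (datetime(2024, 3, 3, 2, 5), "temp_c", 28.2),
    (datetime(2024, 3, 3, 2, 10), "ups_on_battery", 1),
    (datetime(2024, 3, 3, 2, 30), "generator_online", 1),  # 20 min later: too late
]


def check_reading(sensor, value):
    """Return an alert string for one reading, or None if it is within limits."""
    if sensor == "temp_c" and value > TEMP_MAX_C:
        return f"TEMP_HIGH {value}C > {TEMP_MAX_C}C: check HVAC"
    if sensor == "humidity_pct" and value < HUMIDITY_MIN:
        return f"HUMIDITY_LOW {value}% < {HUMIDITY_MIN}%: ESD risk"
    if sensor == "humidity_pct" and value > HUMIDITY_MAX:
        return f"HUMIDITY_HIGH {value}% > {HUMIDITY_MAX}%: condensation risk"
    if sensor == "water_leak" and value:
        return "WATER_DETECTED: check raised floor / CRAC units"
    return None


def power_handoff_alerts(readings):
    """Track UPS activation and require the generator online within UPS_RUNTIME."""
    alerts, ups_start = [], None
    for ts, sensor, value in readings:
        if sensor == "ups_on_battery" and value:
            ups_start = ts
            alerts.append(f"UPS_ON_BATTERY at {ts:%H:%M}: generator must start")
        elif sensor == "generator_online" and value and ups_start is not None:
            gap = ts - ups_start
            if gap > UPS_RUNTIME:
                alerts.append(f"GENERATOR_LATE: online after {gap}, exceeds UPS runtime")
            ups_start = None
    if ups_start is not None:
        alerts.append("GENERATOR_MISSING: UPS on battery, generator never came online")
    return alerts


def evaluate(readings):
    """Threshold alerts in reading order, followed by power-handoff alerts."""
    alerts = [a for _, s, v in readings if (a := check_reading(s, v))]
    return alerts + power_handoff_alerts(readings)
```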

Raised Floor Benefits

Allows cold air distribution from below (CRAC units), cable management, and water leak detection sensors placed at floor level where water accumulates first. Water sensors under raised floor are essential in data centers.

Asset Disposal & Media Sanitization

HDD (magnetic)
  • Sanitization method: Overwrite ×3 (DoD 5220.22-M) or degauss
  • Notes: Degaussing destroys the drive — cannot be reused

SSD / Flash
  • Sanitization method: Cryptographic erasure (encrypt then discard key) or physical shredding
  • Notes: Overwriting unreliable due to wear-leveling; physical shred is safest

Tape backup
  • Sanitization method: Degauss or physical destruction
  • Notes: Degauss with certified equipment; physical shred for highly classified

Paper / Printed
  • Sanitization method: Cross-cut shredding, not strip-cut
  • Notes: Strip-cut shredding can be reconstructed; cross-cut cannot

Destruction Certificate

Paper evidence that media was properly sanitized or destroyed — required for audit compliance. Must include: asset tag, media type, serial number, sanitization method, date, technician name, and witness signature. This is your proof to auditors that data was properly disposed of.

Asset Tracking

Asset tag on all hardware. Quarterly reconciliation of physical assets against CMDB. Any unaccounted-for hardware = potential theft of data-bearing device. Equipment leaving the facility (repair, decommission) must be logged in chain of custody record.

Key Terms

CCTV, Guard, Visitor Management, Escort Policy, Media Handling, Destruction Certificate, HVAC, UPS, Generator, Water Detection, Asset Tag, Environmental Monitoring

Exam Tips
  1. CO2 fire suppression: EVACUATE all personnel BEFORE activation. Oxygen displacement is lethal — this is the most frequently tested physical security question.
  2. Visitor escorts: required in ALL restricted/secure areas — no exceptions, no "trusted vendors" exemptions.
  3. Destruction certificate: required audit evidence that media was properly sanitized or destroyed. Without it, you cannot prove data was disposed of correctly.
  4. UPS provides minutes of power — generator must start BEFORE UPS battery depletes. UPS bridges the gap; generator is the sustained power source.
  5. CCTV two key requirements: (1) RECORDED (not just monitored live), and (2) stored securely with defined retention period (commonly 30–90 days).
  6. SSDs cannot be reliably overwritten — use cryptographic erasure or physical shredding. Overwriting HDDs multiple times is acceptable but overwriting SSDs is unreliable due to wear-leveling algorithms.

Work Application — Platform C GCP Cloud & FinTech Company X Office Physical Security

Shared responsibility for GCP: Google manages physical security of GCP data centers — guards, biometrics, CCTV, fire suppression, environmental monitoring. This is covered by GCP's compliance certifications (SOC 2, ISO 27001). FinTech Company X can request evidence of physical controls via GCP compliance reports.

Office physical security (Hanoi/Manila offices):

  • Server room (if any): badge access + CCTV + visitor log. No tailgating policy.
  • All engineer laptops: full-disk encryption required (FileVault for macOS, BitLocker for Windows). Lost laptop = no data breach if encrypted.
  • Visitor policy: sign-in at reception, escort required in engineering areas, visitor badge different color from employee.

Media disposal: Any old hard drives from dev machines or replaced equipment — use physical shredding service with destruction certificate. Never donate or sell equipment without certified sanitization.

Partner E Manila co-location (planned): Negotiate physical security SLA with co-lo provider before signing: uptime guarantee, badge access logs provided to FinTech Company X, CCTV coverage of cabinet, environmental monitoring alerts forwarded to Datadog, and key management (who holds access keys to the cage).

Environmental monitoring for co-lo: Require the co-lo to send temperature/humidity/power alerts to FinTech Company X's Datadog. Do not rely solely on the co-lo provider's internal alerting — you need your own visibility.

Practice Quiz

Q1. A CO2 fire suppression system activates in a server room. What must happen BEFORE activation?

Answer:
All personnel must evacuate the area before CO2 is released. CO2 extinguishes fires by displacing oxygen — at fire-suppression concentrations, CO2 is lethal to humans. The system should have evacuation alarms, countdown timers, and abort switches to allow safe egress before discharge.
This is the #1 most tested physical security fact on the CISSP exam. CO2 is effective at fire suppression but creates an immediately dangerous atmosphere for humans. Modern CO2 systems have pre-discharge alarms (horn/strobe) and mandatory hold periods (typically 30-60 seconds) to allow evacuation. Halon (now banned due to ozone depletion) and its replacements (FM-200, Novec 1230) are safe for humans at suppression concentrations and are preferred for occupied spaces. CO2 should only be used in unoccupied spaces or with guaranteed evacuation protocols.

Q2. A vendor representative needs to access the server room to replace hardware. What is required?

Answer:
An employee escort is required at all times. The vendor must sign in at reception, receive a visitor badge, and be accompanied by a designated employee throughout their time in the secure area. The escort is responsible for the visitor's actions.
Escort policy applies to ALL visitors in restricted areas — including trusted vendors, contractors, and even auditors. The reason is accountability: without an escort, a visitor could access unauthorized systems, plant a device, or steal hardware/media. "Trusted vendor" is not a security category — the trust is in the relationship, not the person's physical presence in your secure space. The escort requirement also ensures someone with knowledge of your environment is present to prevent accidental damage or policy violations.

Q3. Hard drives are being decommissioned from a fintech server. What is a destruction certificate and why is it required?

Answer:
A destruction certificate is a formal document that records that media was properly sanitized or physically destroyed. It includes asset tag, serial number, sanitization method, date, and technician's signature. It is required as audit evidence — without it, you cannot prove to regulators (NPC, BSP, auditors) that customer data was properly disposed of.
Data protection regulations (GDPR, Philippines DPA, PCI-DSS) require organizations to ensure data is properly destroyed when no longer needed. "We destroyed it" is not enough — you need documented proof. If a regulator investigates a breach and asks "what happened to the hard drives from your 2024 server refresh?" you need the destruction certificates. A vendor that provides shredding services should always provide a certificate of destruction. For a fintech processing loan applicant PII, failing to produce destruction certificates = potential regulatory finding.

Q4. Power fails at the co-location facility. What is the role of UPS vs generator?

Answer:
UPS (battery) provides immediate, seamless power for 15–30 minutes — bridging the gap during the power failure while the diesel generator starts and stabilizes. The generator then provides sustained power for as long as fuel is available. The UPS must hold long enough for the generator to be ready.
The UPS-to-generator handoff is time-critical. A generator takes 10–30 seconds to start and stabilize to correct voltage/frequency. If the UPS battery depletes before the generator is stable, systems will experience a power interruption. This is why UPS runtime (15–30 min) must be longer than generator startup time (typically <30 sec). The co-lo SLA should specify generator startup time and UPS runtime. At FinTech Company X, if Partner E Manila uses a co-lo, you need visibility into fuel level and last test date of the generator — these should be part of the vendor SLA and environmental monitoring feed to Datadog.

Q5. What are the two key operational requirements for CCTV in a secure facility?

Answer:
(1) Recordings must be stored (not just live-monitored) — live monitoring alone is useless for forensic investigation. (2) Recordings must be stored securely with a defined retention period (typically 30–90 days) and restricted access — only authorized personnel can review recordings.
Live-only CCTV is security theater — if an incident occurs at 3am and nobody was watching, there is no record. The recording is what makes CCTV valuable for forensics, incident investigation, and legal proceedings. Retention periods matter: recordings deleted after 24 hours are useless if an incident isn't discovered for 3 days. 30–90 days is the common standard, but regulations may require longer (financial sector regulators may require 6–12 months for high-risk areas). Recordings must also be protected from tampering — if an attacker can delete CCTV footage, they can erase evidence of physical intrusion.

Domain 7 Complete

You've finished Security Operations!

6 lessons covering incident response, digital forensics, monitoring, change management, BCP/DRP, and physical security. Domain 7 is 13% of the CISSP exam — these operational controls are where all other domains get tested in the real world.
