Page 675 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 675
Apply Security Principles to Site and Facility
Design
It should be blatantly obvious at this point that without control over
the physical environment, no collection of administrative, technical, or
logical access controls can provide adequate security. If a malicious
person can gain physical access to your facility or equipment, they can
do just about anything they want, from destruction to disclosure or
alteration. Physical controls are your first line of defense, and people
are your last.
There are many aspects of implementing and maintaining physical
security. A core element is selecting or designing the facility to house
your information technology (IT) infrastructure and your
organization’s operations. The process of selecting or designing
facilities security always starts with a plan.
Secure Facility Plan
A secure facility plan outlines the security needs of your organization
and emphasizes methods or mechanisms to employ to provide
security. Such a plan is developed through a process known as critical
path analysis. Critical path analysis is a systematic effort to identify
relationships between mission-critical applications, processes, and
operations and all the necessary supporting elements. For example, an
e-commerce server used to sell products over the web relies on
internet access, computer hardware, electricity, temperature control,
storage facility, and so on.
When critical path analysis is performed properly, a complete picture
of the interdependencies and interactions necessary to sustain the
organization is produced. Once that analysis is complete, its results
serve as a list of items to secure. The first step in designing a secure IT
infrastructure is providing security for the basic requirements of the
organization and its computers. These basic requirements include
electricity, environmental controls (in other words, a building, air
conditioning, heating, humidity control, and so on), and
