Page 680 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
that she’s protecting the business and not his belongings. When or
where would you think it would be necessary to implement security
measures for both? The usual answer is anywhere business assets
are or might be involved. Had Brad been using a company vehicle
parked in the company parking lot, then perhaps Alison could
make allowances for an incidental break-in involving Brad’s things,
but even then she isn’t responsible for their safekeeping. On the
other hand, where key people are also important assets (executive
staff at most enterprises, security analysts who work in sensitive
positions, heads of state, and so forth), protection and safeguards
usually extend to embrace them and their belongings as part of
asset protection and risk mitigation. Of course, if danger to
employees or what they carry with them becomes a problem,
securing the parking garage with key cards and installing CCTV
monitors on every floor begins to make sense. Simply put, if the
cost of allowing break-ins to occur exceeds the cost of installing
preventive measures, it is prudent to put those measures in place.
When designing physical security for an environment, focus on the
functional order in which controls should be used. The order is as
follows:
1. Deterrence
2. Denial
3. Detection
4. Delay
Security controls should be deployed so that initial attempts to access
physical assets are deterred (boundary restrictions accomplish this). If
deterrence fails, then direct access to physical assets should be denied
(for example, locked vault doors). If denial fails, your system needs to
detect intrusion (for example, using motion sensors), and the intruder
should be delayed sufficiently in their access attempts to enable
authorities to respond (for example, a cable lock on the asset). It’s
important to remember this order when deploying physical security
controls: first deterrence, then denial, then detection, then delay.