Home > Articles

Physical and Environmental Security

📄 Contents

  1. Understanding the Secure Facility Layered Defense Model
  2. Protecting Equipment
  3. Summary
  4. Test Your Skills
  5. References

In this sample chapter from Developing Cybersecurity Programs and Policies, 3rd Edition, you will explore design, obstacles, monitoring, and response as they relate to secure areas, equipment security, and environmental controls.

This chapter is from the book

In the beginning of the computer age, it was easy to protect the systems; they were locked away in a lab, weighed thousands of pounds, and only a select few were granted access. Today, computing devices are ubiquitous. We are tasked with protecting devices that range from massive cloud-based multiplex systems to tiny handheld devices. The explosion of both distributed and mobile computing means that computing devices can be located anywhere in the world and are subject to local law and custom. Possession requires that each individual user take responsibility for mobile device security.

Security professionals are often so focused on technical controls that they overlook the importance of physical controls. The simple reality is that physical access is the most direct path to malicious activity, including unauthorized access, theft, damage, and destruction. Protection mechanisms include controlling the physical security perimeter and physical entry, creating secure offices, rooms, and facilities, and implementing barriers to access, such as monitoring, and alerting. Section 11 of ISO 27002:2013 encompasses both physical and environmental security. Environmental security refers to the workplace environment, which includes the design and construction of the facilities, how and where people move, where equipment is stored, how the equipment is secured, and protection from natural and man-made disasters.

In previous chapters, you learned that to properly protect organizational information, we must first know where it is and how critical it is to the organization. Just as we shouldn’t spend as much money or resources to protect noncritical information as we would to protect critical information, so it goes that we shouldn’t spend the same amount to protect a broom closet as we should to protect information-processing facilities such as data centers, server rooms, or even offices containing client information.

Information security professionals rarely have the expertise to address this security domain on their own. It is critical to involve facilities and physical security personnel in strategic and tactical decisions, policies, and procedures. For example, the information security expert designs a server room with a double steel door, card-reading lock, and a camera outside the door. A facilities expert may question the construction of the walls, floor, vents, and ceilings, the capability of the HVAC and fire suppression systems, as well as the potential for a natural disaster, such as an earthquake, fire, or flood. A physical security expert may question the location, the topography, and even the traffic patterns of pedestrians, automobiles, and airplanes. Creating and maintaining physical and environmental security is a team effort.

In this chapter, we focus on design, obstacles, monitoring, and response as they relate to secure areas, equipment security, and environmental controls. We examine the security issues, related best practices, and of course, physical and environmental security policies.

Understanding the Secure Facility Layered Defense Model

The premise of a layered defense model is that if an intruder can bypass one layer of controls, the next layer of controls should provide additional deterrence or detection capabilities. Layered defense is both physical and psychological. The mere fact that an area appears to be secure is in itself a deterrent. Imagine the design of a medieval castle. The castle itself was built of stone. It was sited high on a hill within a walled property. There may have been a moat and an entry drawbridge. There were certainly lookouts and guards. For intruders to launch a successful attack, they had to overcome and penetrate each of these obstacles. The same concept is used in designing secure buildings and areas.

How Do We Secure the Site?

Depending on the size of the organization, information-processing facilities can range from a closet with one server to an entire complex of buildings with several thousand or even hundreds of thousands of computers. In addressing site physical security, we need to think of the most obvious risks, such as theft and other malicious activity, but we also must consider accidental damage and destruction related to natural disasters.


The design of a secure site starts with the location. Location-based threats that need to be evaluated include political stability, susceptibility to terrorism, the crime rate, adjacent buildings, roadways, flight paths, utility stability, and vulnerability to natural disasters. Historical and predictive data can be used to establish both criminal and natural disaster chronology for a geographic area. The outcome will influence the type of security measures that an organization should implement. Best practices dictate that critical information-processing facilities be inconspicuous and unremarkable. They should not have signage relating to their purpose, nor should their outward appearance hint at what may be inside.

Perimeter Security

The three elements to security are obstacles that deter trivial attackers and delay serious ones, detection systems that make it more likely that the attack will be noticed, and a response capability to repel or catch attackers. Obstacles include physical elements such as berms, fences, gates, and bollards. Lighting is also a valuable deterrent. Entrances, exits, pathways, and parking lots should be illuminated. Fences should be at least eight feet in height, with a two-foot parameter of light used to illuminate along the top portion of the fence. The candlepower of the lighting must meet security standards. Detection systems include IP cameras, closed-circuit TV, alarms, motion sensors, and security guards. Response systems include locking gates and doors, on-site or remote security personnel notification, and direct communication with local, county, or state police.

How Is Physical Access Controlled?

Our next area to consider is physical entry and exit controls. What does it take to get in and out? How is trouble detected and reported? Depending on the site and level of security required, a plethora of access controls are available, including cameras, security guards, mantraps, locks, barriers, metal detectors, biometric scanners, fire-resistant exterior walls that are solid and heavy, and unbreakable/shatterproof glass. The biggest challenge is authorized entry.

Authorizing Entry

How does a company identify authorized personnel, such as employees, contractors, vendors, and visitors? Of greatest concern are the fraudulent or forged credentials obtained through careful profiling or the carelessness of authenticated employees. One commonly used option is a badging system. Badges may also function as access cards. Visitors to secure areas should be credentialed and authorized. Tailgating is one of the most common physical security challenges of all time. In some cases, it might be done innocently by an authorized individual opening a door and holding it open for others, visitors without badges, or someone who looks to be an employee. A number of visitor management systems facilitate ID scanning and verification, photo storage, credentialing, check in and check out, notifications, and monitoring. Visitors should be required to wear some kind of identification that can be evaluated from a distance. For instance, we might choose to have three different colored badges for visitors, which tell our employees what level of supervision should be expected, even if they view the person from across a 100-foot room. If a blue badge denotes close supervision, and you see someone wearing a blue badge without any supervision, you would know immediately to report the visitor or perhaps activate a silent alarm without having to confront or even come within close proximity of the individual. You can install the most advanced security system in the industry, but your security measures will fail if your employees are not educated about the associated security risks. You need to create a secure building culture and good security awareness campaigns.

Background Checks

Your organization should also establish formal policies and procedures to delineate the minimum standards for logical and physical access to your premises and infrastructure hosts. Typically, enterprise organizations conduct criminal background checks, as permitted by law, as part of pre-employment screening practices for employees and matching with the employee’s position within the company and required level of access. The policies also identify functional responsibilities for the administration of physical access during working hours and after hours (including weekends and holidays).

Securing Offices, Rooms, and Facilities

In addition to securing building access, the organization needs to secure the workspaces within the building. Workspaces should be classified based on the level of protection required. The classification system should address personnel security, information systems security, and document security. The security controls must take into consideration workplace violence, intentional crime, and environmental hazards.

Secure design controls for spaces within a building include (but are not limited to) the following:

  • Structural protection, such as full-height walls, fireproof ceilings, and restricted vent access

  • Alarmed solid, fireproof, lockable, and observable doors

  • Alarmed locking, unbreakable windows

  • Monitored and recorded entry controls (keypad, biometric, card swipe)

  • Monitored and recorded activity

Working in Secure Areas

It is not enough to just physically secure an area. Close attention must be paid to who is allowed to access the area and what they are allowed to do. Access control lists should be reviewed frequently. If the area is continually monitored, there should be guidelines specifying what is considered “suspicious” activity. If the area is videoed and not continually monitored, then there should be documented procedures regarding how often and by whom the video should be reviewed. Depending on the circumstances, it may be prudent to restrict cameras or recording devices, including smartphones, tablets, and USB drives, from being taken into the area.

Ensuring Clear Desks and Clear Screens

Documents containing protected and confidential information are subject to intentional or accidental unauthorized disclosure unless secured from viewing by unauthorized personnel when not in use. The same holds true for computer screens. Companies have a responsibility to protect physical and digital information both during the workday and during nonbusiness hours. All too often, organizations make it easy for unauthorized users to view information. Unauthorized access can be the result of viewing a document left unattended or in plain sight, removing (or reprinting) a document from a printer, copier, or fax machine, stealing digital media, such as a DVD or USB drive, and even shoulder surfing, which is the act of looking over someone’s shoulder to see what is displayed on a monitor or device.

Protected or confidential documents should never be viewable by unauthorized personnel. When not in use, documents should be locked in file rooms, cabinets, or desk drawers. Copiers, scanners, and fax machines should be located in nonpublic areas and require use codes. Printers should be assigned to users with similar access rights and permissions and located close to the designated users. Users should be trained to retrieve printed documents immediately. Monitors and device screens should be situated to ensure privacy. Password-protected screen savers should be set to engage automatically. Users should be trained to lock their screens when leaving devices unattended. Physical security expectations and requirements should be included in organizational acceptable use agreements.

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Pearson IT Certification products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.pearsonitcertification.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020