Test Your Skills
Multiple Choice Questions
Which of the following groups should be assigned responsibility for physical and environmental security?
Information security management
A team of experts including facilities, information security, and building security
Physical and environmental security control decisions should be driven by a(n) ___________.
Which of the following terms best describes CPTED?
Crime prevention through environmental design
Crime prevention through environmental designation
Criminal prevention through energy distribution
Criminal prosecution through environmental design
The design of a secure site starts with the _________.
natural access control
Which of the following models is known as the construct that if an intruder can bypass one layer of controls, the next layer of controls should provide additional deterrence or detection capabilities?
Layered defense model
Perimeter defense model
Physical defense model
Security defense model
The mere fact that an area appears to be secure is in itself a ___________.
Best practices dictate that data centers should be _____________.
located in urban areas
inconspicuous and unremarkable
built on one level
Which of the following would be considered a “detection” control?
Badging or an equivalent system at a secure facility should be used to identify ____________.
everyone who enters the building
Which of the following statements best describes the concept of shoulder surfing?
Shoulder surfing is the use of a keylogger to capture data entry.
Shoulder surfing is the act of looking over someone’s shoulder to see what is on a computer screen.
Shoulder surfing is the act of positioning one’s shoulders to prevent fatigue.
None of the above.
The term BYOD is used to refer to devices owned by ____________.
Which of the following statements is not true about data center best practices?
Data center equipment must be protected from damage caused by power fluctuations or interruptions.
Data center power protection devices must be tested on a scheduled basis for functionality and load capacity.
Data center generators must be tested regularly according to manufacturer’s instructions.
You can optionally log all service and routine maintenance.
Which of the following terms best describes a prolonged increase in voltage?
Common causes of voltage variations include ______________.
lightning, storm damage, and electric demand
using a power conditioner
turning on and off computers
using an uninterruptable power supply
Adhering to building and construction codes, using flame-retardant materials, and properly grounding equipment are examples of which of the following controls?
Fire detection controls
Fire containment controls
Fire prevention controls
Fire suppression controls
A Class C fire indicates the presence of which of the following items?
Confidential data can reside on which of the following items?
All of the above
Which of the following data types includes details about a file or document?
URL history, search history, form history, and download history are stored by the device ___________.
Which of the following statements about formatting a drive is not true?
Formatting a drive creates a bootable partition.
Formatting a drive overwrites data.
Formatting a drive fixes bad sectors.
Formatting a drive permanently deletes files.
Exercise 7.1: Researching Data Destruction Services
Research companies in your area that offer data destruction services.
Document the services they offer.
Make a list of questions you would ask them if you were tasked with selecting a vendor for data destruction services.
Exercise 7.2: Assessing Data Center Visibility
Locate the data center at your school or workplace.
Is the facility or area marked with signage? How easy was it to find? What controls are in place to prevent unauthorized access? Document your findings.
Exercise 7.3: Reviewing Fire Containment
Find at least three on-campus fire extinguishers (do not touch them). Document their location, what class fire they can be used for, and when they were last inspected.
Find at least one fire extinguisher (do not touch it) in your dorm, off-campus apartment, or home. Document the location, what class fire it can be used for, and when it was last inspected.
Exercise 7.4: Assessing Identification Types
Document what type of identification is issued to students, faculty, staff, and visitors at your school. If possible, include pictures of these types of documentation.
Describe the process for obtaining student identification.
Describe the procedure for reporting lost or stolen identification.
Exercise 7.5: Finding Data
Access a public computer in either the library, a computer lab, or a classroom.
Find examples of files or data that other users have left behind. The files can be apparent, temporary, browser based, cached, or document metadata. Document your findings.
What should you do if you discover “personal” information?
Project 7.1: Assessing Physical and Environmental Security
You are going to conduct a physical assessment of a computing device you own. This could be a desktop computer, a laptop, a tablet, or a smartphone. Use the following table as a template to document your findings. You can add additional fields.
Lost or forgotten
Need laptop for schoolwork
Labeled with owner’s contact info
Install remote find software
$20 per year vs. the cost of replacing the laptop
Determine the physical and environmental dangers (threats); for example, losing or forgetting your laptop at school. Document your findings.
For each danger (threat), identify the controls that you have implemented; for example, your case is pink (recognizable) and the case and laptop are labeled with your contact information. It is expected that not all threats will have corresponding safeguards. Document your findings.
For threats that do not have a corresponding safeguard or ones for which you feel the current safeguards are inadequate, research the options you have for mitigating the danger. Based on your research, make recommendations. Your recommendation should include initial and ongoing costs. Compare the costs of the safeguard to the cost impact of the danger. Document your findings.
Project 7.2: Assessing Data Center Design
You have been tasked with recommending environmental and physical controls for a new data center to be built at your school. You are expected to present a report to the Chief Information Officer. The first part of your report should be a synopsis of the importance of data center physical and environmental security.
The second part of your report should address three areas: location, perimeter security, and power.
Location recommendations should include where the data center should be built and a description of the security of the surrounding area (for example, location-based threats include political stability, susceptibility to terrorism, the crime rate, adjacent buildings, roadways, pedestrian traffic, flight paths, utility stability, and vulnerability to natural disasters).
Access control recommendations should address who will be allowed in the building and how they will be identified and monitored.
Power recommendations should take into account power consumption as well as normal and emergency operating conditions.
Project 7.3: Securing the Perimeter
The security perimeter is a barrier of protection from theft, malicious activity, accidental damage, and natural disaster. Almost all buildings have multiple perimeter controls. We have become so accustomed to perimeter controls that they often go unnoticed (that is, security guards). Begin this project with developing a comprehensive list of perimeter controls.
Conduct a site survey by walking around your city or town. You are looking for perimeter controls. Include in your survey results the address of the building, a summary of building occupants, type(s) of perimeter controls, and your opinion as to the effectiveness of the controls. To make your survey valid, you must include at least 10 properties.
Choose one property to focus on. Taking into consideration the location, the depth of security required by the occupants, and the geography, comment in detail on the perimeter controls. Based on your analysis, recommend additional physical controls to enhance perimeter security.