1. Home
  2. Training Library
  3. CISSP: Domain 3 - Security Architecture & Engineering - Module 6

Apply secure principles to site and facility design

Apply secure principles to site and facility design

This course is the final module of Domain 3 of the CISSP, covering security architecture and engineering.

Learning Objectives

The objectives of this course are to provide you with and understanding of:

  • Cyber-physical systems (CPS)
  • Industrial control systems (ICS)
  • How to apply security principles to site and facility design through security surveys, planning, and vulnerability assessments
  • How to design and implement facility security, focusing on data center design and considerations

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at support@cloudacademy.com.


So we're moving on to section 12, and we're going to change topics and threads quite a bit because now, we're going to talk about applying secure principles to site and facility design in a slight move away from our electronic systems. 

So we're going to look at the kind of processes that we have: security survey, vulnerability assessment, site planning, location threats, and utility concerns. So as we frequently do in virtually every other context, we're going to have the security survey in which we're going to assess what we have. Could be a green field. Could be an existing facility that we're going to modify and occupy. Either case, it involves a comprehensive overview of what is intended for this particular location. If it's a building design, we look at the design. If it's an existing building, we want to look at what controls exist. If it's occupied, a cotenancy situation, what policies and procedures and other employee safety measures are being taken by those who are already there? For part of it, the objectives for us include what are our threats, what targets would we have in that place if we either built it or came to occupy it, and then, what are the facility characteristics that can be thought of as either amplifying threat success or acting as mitigations, deterrents, or preventers? 

So threat identification and definition. The question arises, what is the threat? Stating the threat and doing so as precisely and clearly as possible will identify how adversaries can impact assets and will provide guidance in developing a sound physical protection system. The question we have to ask is what would be the impact of the loss if it occurs? And this leads us to do a business impact analysis as part of our threat assessment activities. So you see here several of the facility considerations that we have to make during the threat assessment: security control, personnel and contract security policies and procedures, screening of persons that are going to be there and those who are going to provide the security for that place, the access control systems we may be using including video surveillance, assessment, archiving. What natural surveillance opportunities do we have? If we're going to build a building, this raises the question of are we going to use CPTED as our design philosophy, Crime Prevention Through Environmental Design? What are the protocols for responding to security events when things happen? 

In today's world, active shooter scenarios don't seem to be very uncommon anymore. The degree of integration of all these different systems and the single points of failure or other forms of multiple system disruption that could happen, overall network security. What about proprietary information? What sort of information handling processes are we going to have or need? How do we identify property and track it? And then, if there's going to be a function, shipping and receiving security. Some other things that may be included in this, some of which are not often considered: workplace violence prevention, the mail screening operations and procedures and recommendations to bolster those a bit, parking lot and site security overall, data center if there is one, overall communications security, and this may go well beyond what we have in the way of networking. This could be the radio frequency broadcast. 

What about executive protection? A bit out of the scope of a CISSP, but in general security, this is something that will have to be considered, and then, disaster recovery, any sort of emergency or contingency planning that involves attributes of the facility itself, and we need to, from that, extend this into vulnerability assessment. What about the facility, the grounds, the parking structure, et cetera, either augments or deters any sort of security problem that could arise from any of those other sources? The vulnerability rating should be assigned based on the criteria that we develop that relates to who we are and what kind of a business, what kind of operation, what kind of functions will be performed in the particular facility. Part of the vulnerability assessment project should include an examination of roadway design. 

Now, we know that it is possible for ramming style or bomb placement attacks using vehicles placed at certain locations near a facility or running through the entrance points can produce devastating effects, and so, part of the vulnerability and risk management process of assessing where we're going to build or what we're going to occupy should look at the roadway to try to minimize the likelihood that a vehicle could, in fact, rev up to a certain speed and ram its way through to do the damage. So as you see in the graphics, having a non-straight approach is the preferred way where having a straight shot, so to speak, to the entrance of the facility is exactly what you do not desire. So this needs to be included as part of the risk assessment. 

As I mentioned earlier, architects have been using for many years a philosophy known as Crime Prevention Through Environmental Design or CPTED. This process seeks to make use of the grounds, the building, the land in order to solve various challenges with crime. Predominately, they're trying to accomplish a couple of things. One is to arrange the facility in such a way that they improve natural surveillance opportunities, that it takes care of the people by the way the building is arranged through improved lighting and thruways that people can pass through, and it seeks to optimize how the mechanics of the particular facility can be better protected while not reducing or complicating access to them. 

Windows, of course, have a very high profile role to play in the overall security of the facility. Windows should not be placed in such a way that they're adjacent to doors and be able to open or close. Certain kinds of glass will be specified by the local building code or the local fire code, and so, that should be the authority that is used. You can use laminated glass in place of conventional glass to reduce the likelihood that someone will be cut should the glass be broken for any reason. Windows on the ground level should not have the ability to open, thus reducing the likelihood of surreptitious penetration. Alarms, of course, should be available on the windows and including some form of magnetic switch to detect opening and close condition, and the framing material should be considered for optimal strength, but as I say, it is the local building code, building design, and other parameters, or the local fire code and the constraints and other limitations that it might place on you that will very largely determine what sort of windows, what sort of material you'll have in those windows. 

The types of glass can range from tempered glass to resist breakage. It can be wired glass, though wired glass itself provides a hazard for evacuation if departing through the broken glass is part of the problem, laminated glass, which breaks up in such a way that it dulls sharp edges and reduces the likelihood that people will be cut by it, and bullet resistant glass. Any window that can have a reasonable opportunity for penetration by an intruder should have glass break sensors on them. This is a good intrusion detection device for a building with lots of windows or doors with lots of panes, and it can make use of dual-technology break sensors, which are both acoustic and shock wave, and these are typically the most often used and the most effective. 

Garages, of course, provide the ability for people to park cars conveniently located next to the building that they're going to enter, but garages also provide the ability for assailants to hide out and possibly assault people when they leave or return to their vehicles. As a consequence of this, they need to be designed in such a way to minimize the opportunities for such assailants to find dark corners and to optimize just general safety characteristics as well, so signage needs to be put in proper places. It needs to highlight places where pedestrians can move about safely. There should be closed-circuit TV cameras that are used to monitor various kinds of events. Lighting should be of a proper kind to brighten the place, and they should be open enough to let in ambient light. Now, the lighting levels should be at least 10 to 12 foot-candles over parked cars and 15 to 20 foot-candles in walking and driving aisles. Now, for the sake of any possible math that you might face on the exam, your conversion rate is one foot-candle equals 10 and approximately 3/4 lumens per square meter. Most measurements outside of the English system to gauge lumens or luminosity use the lumen measure. We also want to install high lighting levels to illuminate the exterior of the parking facility. Now, garages having exterior lights should position these approximately 12 feet or so above the ground to reduce the likelihood that an assailant who may want to darken the spot where he chooses to hide will be able to do so with any ease. We want to be sure that we make this as bright and as visible as possible by painting the walls white to reflect light in a way that amplifies the effect of the illuminating fixtures. We want to place these in strategic locations to be sure that the luminosity is spread as evenly and as brightly as possible to eliminate dark corners and give pedestrians a greater feeling of safety. If the garage happens to be under the facility, elevators or walk-ups should empty into the lobby as opposed to rising to higher floors without some form of gatekeeper activity that can be there, and all employees and visitors need to pass through a controlled receptionist or card entry type into the building. 

Part of every design activity that we're going to engage in with regard to a facility needs to take into account any sort of natural threat that might be faced by it. These are largely determined by the geography. Natural threats, of course, would be what you see here, hurricanes, tornadoes, earthquakes, forest fires, mudslides, or flooding. Safeguards against these, that is the effect on the building of any of these, will, of course, have limits. Mother Nature tends to do what she wants to do, and most of what we're going to do in the face of such things will be to safely evacuate the population resident in the facility in order to keep them safe and enable them to return without undue hardship, but there are certain steps that we can take to improve the resilience of our structures against these kinds of things. 

Now, fire suppression systems are, of course, part and parcel of any sort of construction we're going to do, and based on what kind of building we need or are going to build, we need to assess whether or not the fire systems that are built into the building are of the proper kind. Now these, too, are going to be designated by the restrictions of the local building code and the local fire code. Now, fire suppression systems typically are those built into the structure whereas fire extinguishers are those that are typically handheld. The fire extinguishers fall into one or another of four classes: Class A, which are normally combustibles such as wood, paper, and plastics; Class B, flammable or combustible liquids based in oil or alcohol; Class C, electrical fires; and Class D, combustible metals. Now, the electrical concerns we have relate to electrical panels and distribution systems, the conduits, and various kinds of switchgear that may be present in the facility such as those operating elevators. The electrical panels where electricity is brought into the facility and the various kinds of controls that we have over it should be placed in such a way that the failure of one does not foment the failure of the other, making it difficult to control or even shut off the electrical power in the event of an electrical fire. 

Emergency generators should be located away from loading docks, entrances, and parking, primarily because these need to be in a location where they don't form an explosion hazard since they have fuel tanks often associated with them in their location. The main fuel storage for generators should be located away from these places for that reason. Now, the communications that we have for a facility for use under normal or contingent circumstances should include consideration of a second phone or other communication system to address the fact that the primary might be susceptible to being taken out by whatever the event is. 

Take for example the case of Hurricane Katrina. When the hurricane came on shore, it took out all the landline and other terrestrial-based systems. The only thing that remained for quite a period of time was radio or even satellite. Without those and without the ham operators that volunteered to provide service, the devastation would've been far worse in its impact on human life, and this highlights the importance of having multiple communication systems, primary and perhaps even multiple layers of backups to deal with such situations. 

Utilities, water, electricity, even oil, are oftentimes underground, concealed, and protected in their coverings and their delivery mechanisms. For the points at which we will connect to them, we need to consider quick disconnects for portable utility backup systems as well as quick shutoff. During these periods, we need to be sure the drinking supplies are protected to the extent that we are able. We need to minimize signs identifying crucial utilities but not to the point of eliminating the visibility that emergency responders are going to need. 

We should locate where petroleum, oil, lubricant storage tanks are, preferably down slope from occupied buildings should those items even be present, and then, locating utility systems at least 50 feet from loading docks, front entrances, and parking areas, and in taking these precautions in building a facility, we should plan for them to be built-in. For facilities that are already in place, we should locate where they are and ensure that we understand the potential hazards that could be raised by them in their position.

About the Author
Ross Leo
Learning Paths

Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. leo is an ISC2 Certified Instructor.