Implementing and Managing Physical Security
Implementing and Managing Physical Security

This course is the final module of Domain 7 of the CISSP, covering Security Operations.

Learning Objectives

The objectives of this course are to provide you with the ability to:

  • Participate in business continuity planning
  • Implement and manage physical security
  • Participate in personnel safety

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


So we're going to move into section 15 and we're going to shift topics because we're going to shift to the Implementation and Management of Physical Security. Now, the primary goal of a physical protection program is to control access to the facility. In its own way, it will make a contribution to the preservation of our confidentiality, integrity and availability elements for all of the information and the other resources and assets within our organization. Now, when it comes to what a physical security system strives to do, bearing in mind that its job is to protect the facility and its occupants, it needs to have tasks, configuration elements, even physical attributes that will do the following things so that we can assure our occupants that the system, the building, etc., the grounds are safe.

The first thing is to deter. Deter a possible assailant from committing whatever act they may be contemplating. Should they decide that deterrence has failed, and they're going to go ahead with it, we need to have layered defenses that will delay their ability to cause damage as long as possible, giving us time to mount a response. Almost in parallel with their attempt to cause whatever damage they seek to, is a detection function, and that, of course, triggers our ability to respond. As the detection is done, as the assailant continues to attempt to cause the damage that he does, we need to assess at every instant what is happening, so that the response that is formulated can be appropriate to that.

In the physical security room, defense in depth, is a practice that has been around for millennia. This is a layered barrier designed to put in multiple layers of defenses between the attackers and the goal that they seek. In this layered design, there are advantages because each layer is different than the one on either side of it, requiring of the attacker different kinds of skills, different knowledge, different levels of determination and talent in order to circumvent them. And by building our defense in depth in this way, we make this much more difficult for an attacker to get through in the end. 

One of our layers, of course, will be access control. Access control generally ensures that only authorized personnel are permitted inside the controlled area, and, of course, there will be a mechanism to that effect. Persons subject to this control will include employees, visitors, customers, vendors and the general public if the general public is allowed to be around. One form that this frequently takes is a type two authenticator. A something that you have in the form of a card. Some cards will have a magnetic stripe. Some cards will be of the proximity type where no contact but passing the card through a field is how it activates it. And the smart cards, sharing information through a system that reads it and processes it and then allows or denies access.

Even while we have access controls that allow or deny the penetration of our system, our facility, we have to have ways of monitoring this activity. The most common of which is Closed Circuit TV. But it isn't just TV, there are cameras, recorders, various types of switches, keyboards and monitors that will allow every action in the physical environment to be viewed and recorded so that if it ever comes into play, it can be reviewed. This is a highly flexible method of surveillance and monitoring, and it contributes its quality of recording to preserving evidence as well.

Now, it's obvious that Closed Circuit TV provides surveillance. The viewing of the live action allows us to assess what is going on. The mere presence - the knowledge of it being present - provides a deterrent effect to those contemplating causing some sort of damage or problem. And in the recording of all of this, our video resource provides the ability to capture evidence for later usage. And we have various forms, we have external and we have internal. The external monitoring can make use of infrared sensors, microwave, a coaxial strain sensitive cable sometimes called a PIDAS fence (P-I-D-A-S), lighting and cameras, monitoring displays that support all the surveillance. There may be guards, guards and guard dogs, and then some sort of alarming system to let us know when something is seriously wrong.

Now, all of these external monitoring capabilities are passive in the sense that they themselves cannot respond. In each case, a human response will be required thus underscoring the necessity of having some sort of guard type of a function. As a complement to the external monitoring, we have internal monitoring. These make use of things like card readers, a balanced magnetic switch, various forms of acoustic sensors. They couldn't use infrared linear beam sensors or passive infrared. There can be the automatic request to exit, walking through an ultrasonic beam, detecting your presence and then opening the door. We have various forms of dual technology sensors and various types of badge controls. But like most of the things that we have in the external sensing, these two will require human response in the event that something amiss is detected.

There are various forms of portals, safeguards at our points of internal access. Here you see various pictures: doors, turnstiles, mantraps, a two-stage airlock-type entry, and then, of course, the common keys and the various lock types, and then safes. These are used in conjunction with the various internal sensors that you saw on the previous slide. And together, they have a deterrent and a delay and a denial type of activity that they perform.

About the Author
Learning Paths

Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. leo is an ISC2 Certified Instructor.