a. Electrical characteristics of a building

b. Physical characteristics of a building

c. Mechanical characteristics of a building

d. Environmental characteristics of a building

111. b. The physical characteristics of a building have a bearing on opportunities for audio and electronic surveillance. Some of these factors are poor access control designs, inadequate soundproofing, common or shared ducts, and space above false ceilings that enable access for the placement of devices. Physical inspection of these weak areas can hinder penetration.

112. What is the most common concern regarding a physical security area?

a. Fire suppression system

b. Piggybacking

c. Locks and keys

d. Natural disasters

112. b. Piggybacking occurs when unauthorized access is gained to a computer system or facility via a user’s legitimate connection. Then both the authorized and the unauthorized person enter the sensitive area. This kind of entry cannot be predicted or anticipated, and its frequency of occurrence can be high.

Fire suppression systems should not be a concern if tested periodically. Locks and keys are the first line of defense against intruders entering into a computer center building or computer room. Natural disasters are not a concern because of their low frequency.

Scenario-Based Questions, Answers, and Explanations

Use the following information to answer questions 1 through 7.

The DRS Company is designing a new data center that will centrally process more than 100 offices’ global transactions. Each office batch transmits more than 10,000 transactions per day. Each batch consists of a maximum of 1,000 transactions or 1 hour of processing, whichever comes first. The plan calls for a fully redundant data center operation with a maximum of one lost batch in the event of a failover.

1. Which of the following is not appropriate to provide adequate complementary physical access controls?

a. ID badge card

b. Password

c. Magnetic stripe card

d. Visitor log

1. b. Passwords provide logical access controls, not physical access controls. The other three are examples of complementary controls. Each control enhances the other. A function or an area doesn’t need to be weak to use complementary controls. Complementary controls can magnify the effectiveness of two or more controls when applied to a function, program, or operation. Identification (ID) badge cards, magnetic stripe cards, and visitor logs have a synergistic effect in providing a strong physical access control.

2. Which of the following controls is not appropriate to prevent unauthorized people from entering a computer center?

a. Double-locked doors

b. Television monitors

c. Terminal IDs

d. Picture ID badges

2. c. Logical access controls verify the terminal identification (ID) number and not a part of physical security. Logical access controls provide a technical means of controlling what information users can utilize, the programs they can run, and the modifications they can make. The other three choices deal with physical security, which is the right kind of control to prevent unauthorized people from entering a computer center.

3. Controls such as locked doors, intrusion detection devices, and security guards address which of the following risks?

a. Heat failure

b. Fraud or theft

c. Power failure

d. Equipment failure

3. b. Locked doors, intrusion detection devices, and security guards that restrict physical access are important preventive measures to control sabotage, riots, fraud, or theft. Sabotage can be caused by a disgruntled employee and by outsiders. Personnel policies should require the immediate termination and removal from the premise of any employee considered a threat. Restricting access to information that may be altered reduces fraud or theft exposures. Power failure can be controlled by an uninterruptible power supply. Heat failure may cause an inconvenience to employees. Equipment failure may result in extended processing delays. Performance of preventive maintenance enhances system reliability and should be extended to all supporting equipment, such as temperature and humidity control systems and alarm or detecting devices.

4. Which of the following security controls is simple to implement with the least amount of delay?

a. Operating system security controls

b. Network security controls

c. Physical security controls

d. Application system security controls

4. c. Physical security is achieved through the use of locks, guards, and administratively controlled procedures such as visitor badges. It also protects the structures housing the computer and related equipment against damage from accident, fire, and environmental hazards, thus ensuring the protection of their contents. Physical security measures are the first line of defense against the risks that stem from the uncertainties in the environment and from the unpredictability of human behavior. Frequently, they are the simplest safeguards to implement and can be put into practice with the least delay. The controls listed in the other three choices take a long time to implement and are not simple to install.

5. Which of the following is not a technical security measure?

a. Hardware

b. Software

c. Firmware

d. Physical control

5. d. A major part of the security of an IT system can often be achieved through nontechnical measures, such as organizational, personnel, physical, and administrative controls. However, there is a growing tendency and need to employ technical IT security measures implemented in hardware, software, and firmware.

6. Which of the following security safeguards is ineffective in an online application system serving multiple users at multiple locations?

a. Procedural controls

b. Physical controls

c. Hardware controls

d. Software controls

6. b. An online application system serving multiple users at multiple locations assumes that a network is in place. With a network there is often no centralized computer room with physical security controls that can be implemented. Therefore, physical controls are ineffective. Examples of physical controls include locked doors, intrusion detection devices, security guards, and magnetic badge readers that restrict physical access. Procedural controls are incorrect because they include instructions to request a user profile, add and delete users, instructions to request database views, and so on. Hardware controls are incorrect because they include fault-tolerance devices such as disk mirroring and disk duplexing, smart card processing, encryption, parity checks, and switched ports. Software controls are incorrect because they include user IDs and passwords, smart card processing, encryption, check digits, and message authentication.

7. What is the most effective control in handling potential terrorist attacks, especially bombing?