Reading CISSP Practice in full

Procedural controls, such as logging visitors and recording temperatures, are generally the least expensive. They can be manual or automated; the latter can be expensive. Hardware devices can include, for example, locks, keys, fences, gates, document shredders, vaults, and barricades. Electronic systems can include, for example, access controls, alarms, CCTV, and detectors.

110. Which of the following is the last line of defense in physical security?

a. Perimeter barriers

b. Exterior protection

c. Interior barriers

d. People

110. d. The perimeter barriers (e.g., fences) are located at the outer edge of property and usually are the first line of defense. The exterior protection, such as walls, ceilings, roofs, and floors of buildings, is considered the second line of defense. Interior barriers within the building such as doors and locks are considered the third line of defense. After all the preceding defenses fail, the last line of defense is people—employees working in the building. They should question strangers and others unfamiliar to them.

111. Which of the following has a bearing on opportunities for electronic surveillance?

a. Electrical characteristics of a building

b. Physical characteristics of a building

c. Mechanical characteristics of a building

d. Environmental characteristics of a building

111. b. The physical characteristics of a building have a bearing on opportunities for audio and electronic surveillance. Some of these factors are poor access control designs, inadequate soundproofing, common or shared ducts, and space above false ceilings that enable access for the placement of devices. Physical inspection of these weak areas can hinder penetration.

112. What is the most common concern regarding a physical security area?

a. Fire suppression system

b. Piggybacking

c. Locks and keys

d. Natural disasters

112. b. Piggybacking occurs when unauthorized access is gained to a computer system or facility via a user’s legitimate connection. Then both the authorized and the unauthorized person enter the sensitive area. This kind of entry cannot be predicted or anticipated, and its frequency of occurrence can be high.

Fire suppression systems should not be a concern if tested periodically. Locks and keys are the first line of defense against intruders entering a computer center building or computer room. Natural disasters are not a concern because of their low frequency.

Scenario-Based Questions, Answers, and Explanations

Use the following information to answer questions 1 through 7.

The DRS Company is designing a new data center that will centrally process more than 100 offices’ global transactions. Each office batch transmits more than 10,000 transactions per day. Each batch consists of a maximum of 1,000 transactions or 1 hour of processing, whichever comes first. The plan calls for a fully redundant data center operation with a maximum of one lost batch in the event of a failover.

1. Which of the following is not appropriate to provide adequate complementary physical access controls?

a. ID badge card

b. Password

c. Magnetic stripe card

d. Visitor log

1. b. Passwords provide logical access controls, not physical access controls. The other three are examples of complementary controls. Each control enhances the other. A function or an area doesn’t need to be weak to use complementary controls. Complementary controls can magnify the effectiveness of two or more controls when applied to a function, program, or operation. Identification (ID) badge cards, magnetic stripe cards, and visitor logs have a synergistic effect in providing a strong physical access control.

2. Which of the following controls is not appropriate to prevent unauthorized people from entering a computer center?

a. Double-locked doors

b. Television monitors

c. Terminal IDs

d. Picture ID badges

2. c. Terminal identification (ID) numbers are verified by logical access controls and are not a part of physical security. Logical access controls provide a technical means of controlling what information users can utilize, the programs they can run, and the modifications they can make. The other three choices deal with physical security, which is the right kind of control to prevent unauthorized people from entering a computer center.

