CHAPTER 10 Questions Flashcards
What method is a systematic effort to identify relationships between mission-critical applications, processes, and operations and all the necessary supporting elements when evaluating the security of a facility or designing a new facility?
A. Log file audit
B. Critical path analysis
C. Risk analysis
D. Taking inventory
B. Critical path analysis
Critical path analysis is a systematic effort to identify relationships between mission-critical applications, processes, and operations and all the necessary supporting elements when evaluating the security of a facility or designing a new facility. Log file audit can help detect violations to hold users accountable, but it is not a security facility design element. Risk analysis is often involved in facility design, but it is the evaluation of threats against assets in regard to rate of occurrence and levels of consequence. Taking inventory is an important part of facility and equipment management, but it is not an element in overall facility design.
Your organization is planning on building a new facility to house a majority of on-site workers. The current facility has had numerous security issues, such as loitering, theft, graffiti, and even a few physical altercations between employees and nonemployees. The CEO has asked you to assist in developing the facility plan to reduce these security concerns. While researching options you discover the concepts of CPTED. Which of the following is not one of its core strategies?
A. Natural territorial reinforcement
B. Natural access control
C. Natural training and enrichment
D. Natural surveillance
C. Natural training and enrichment
Natural training and enrichment is not a core strategy of CPTED. Crime Prevention Through Environmental Design (CPTED) has three main strategies: natural access control, natural surveillance, and natural territorial reinforcement. Natural access control is the subtle guidance of those entering and leaving a building through placement of entranceways, use of fences and bollards, and placement of lights. Natural surveillance is any means to make criminals feel uneasy through the increasing of opportunities for them to be observed. Natural territorial reinforcement is the attempt to make the area feel like an inclusive, caring community.
Which of the following is a true statement in regard to security cameras? (Choose all that apply.)
A. Cameras should be positioned to watch exit and entry points allowing any change in authorization or access level.
B. Cameras are not needed around valuable assets and resources as well as to provide additional protection in public areas such as parking structures and walkways.
C. Cameras should be positioned to have clear sight lines of all exterior walls, entrance and exit points, and interior hallways.
D. Security cameras should only be overt and obvious in order to provide a deterrent benefit.
E. Security cameras have a fixed area of view for recording.
F. Some camera systems include a system on a chip (SoC) or embedded components and may be able to perform various specialty functions, such as time-lapse recording, tracking, facial recognition, object detection, or infrared or color-filtered recording.
G. Motion detection or sensing cameras can always distinguish between humans and animals.
A. Cameras should be positioned to watch exit and entry points allowing any change in authorization or access level.
C. Cameras should be positioned to have clear sight lines of all exterior walls, entrance and exit points, and interior hallways.
F. Some camera systems include a system on a chip (SoC) or embedded components and may be able to perform various specialty functions, such as time-lapse recording, tracking, facial recognition, object detection, or infrared or color-filtered recording.
The true statements are option A, cameras should be positioned to watch exit and entry points allowing any change in authorization or access level; option C, cameras should be positioned to have clear sight lines of all exterior walls, entrance and exit points, and interior hallways; and option F, some camera systems include a system on a chip (SoC) or embedded components and may be able to perform various specialty functions, such as time-lapse recording, tracking, facial recognition, object detection, or infrared or color-filtered recording. The remaining answer options are incorrect. The corrected statements for those options are: option B: Cameras should also be used to monitor activities around valuable assets and resources as well as to provide additional protection in public areas such as parking structures and walkways; option D: Security cameras can be overt and obvious in order to provide a deterrent benefit, or hidden and concealed in order to primarily provide a detective benefit; option E: Some cameras are fixed, whereas others support remote control of automated pan, tilt, and zoom (PTZ); and option G: Simple motion recognition or motion-triggered cameras may be fooled by animals, birds, insects, weather, or foliage.
Your organization is planning on building a new primary headquarters in a new town. You have been asked to contribute to the design process, so you have been given copies of the proposed blueprints to review. Which of the following is not a security-focused design element of a facility or site?
A. Separation of work and visitor areas
B. Restricted access to areas with higher value or importance
C. Confidential assets located in the heart or center of a facility
D. Equal access to all locations within a facility
D. Equal access to all locations within a facility
Equal access to all locations within a facility is not a security-focused design element. Each area containing assets or resources of different importance, value, and confidentiality should have a corresponding level of security restriction placed on it. A secure facility should have a separation between work and visitor areas and should restrict access to areas with higher value or importance, and confidential assets should be located in the heart or center of a facility.
A recent security audit of your organization’s facilities has revealed a few items that need to be addressed. A few of them are related to your main data center. But you think at least one of the findings is a false positive. Which of the following does not need to be true in order to maintain the most efficient and secure server room?
A. It must be optimized for workers.
B. It must include the use of nonwater fire suppressants.
C. The humidity must be kept between 20 and 80 percent.
D. The temperature must be kept between 59 and 89.6 degrees Fahrenheit.
A. It must be optimized for workers.
A computer room does not need to be optimized for human workers to be efficient and secure. A server room would be more secure with a nonwater fire suppressant system (it would protect against damage caused by water suppressant). A server room should have humidity maintained between 20 and 80 percent relative humidity and maintain a temperature between 59 and 89.6 degrees Fahrenheit.
A recent security policy update has restricted the use of portable storage devices when they are brought in from outside. As a compensation, a media storage management process has been implemented. Which of the following is not a typical security measure implemented in relation to a media storage facility containing reusable removable media?
A. Employing a media librarian or custodian
B. Using a check-in/check-out process
C. Hashing
D. Using sanitization tools on returned media
C. Hashing
Hashing is not a typical security measure implemented in relation to a media storage facility containing reusable removable media. Hashing is used when it is necessary to verify the integrity of a dataset, whereas data on reusable removable media should be removed and not retained. Usually the security features for a media storage facility include using a media librarian or custodian, using a check-in/check-out process, and using sanitization tools on returned media.
The company’s server room has been updated with raised floors and MFA door locks. You want to ensure that updated facility is able to maintain optimal operational efficiency. What is the ideal humidity range for a server room?
A. 20–40 percent
B. 20–80 percent
C. 80–89.6 percent
D. 70–95 percent
B. 20–80 percent
The humidity in a computer room should ideally be from 20 to 80 percent. Humidity above 80 percent can result in condensation, which causes corrosion. Humidity below 20 percent can result in increased static electricity buildup. However, this does require managing temperature properly as well. The other number ranges are not the relative humidity ranges recommended for a data center.
You are mapping out the critical paths of network cables throughout the building. Which of the following items do you need to make sure to include and label on your master cabling map as part of crafting the cable plant management policy? (Choose all that apply.)
A. Access control vestibule
B. Entrance facility
C. Equipment room
D. Fire escapes
E. Backbone distribution system
F. Telecommunications room
G. UPSs
H. Horizontal distribution system
I. Loading dock
B. Entrance facility
C. Equipment room
E. Backbone distribution system
F. Telecommunications room
H. Horizontal distribution system
The primary elements of a cable plant management policy should include a mapping of the entrance facility (i.e., demarcation point), equipment room, backbone distribution system, telecommunications room, and horizontal distribution system. The other items are not elements of a cable plant. Thus, access control vestibule, fire escapes, UPSs, and the loading dock are not needed elements on a cable map.
What is the best type of water-based fire suppression system for a computer facility?
A. Wet pipe system
B. Dry pipe system
C. Preaction system
D. Deluge system
C. Preaction system
A preaction system is the best type of water-based fire suppression system for a computer facility because it provides the opportunity to prevent the release of water in the event of a false alarm or false initial trigger. The other options of wet pipe, dry pipe, and deluge system use only a single trigger mechanism without the ability to prevent accidental water release.
Your company has a yearly fire detection and suppression system inspection performed by the local authorities. You start up a conversation with the lead inspector and they ask you, “What is the most common cause of a false positive for a water-based fire suppression system?” So, what do you answer?
A. Water shortage
B. People
C. Ionization detectors
D. Placement of detectors in drop ceilings
B. People
The most common cause of a false positive for a water-based system is human error. If you turn off the water source after a fire and forget to turn it back on, you’ll be in trouble for the future. Also, pulling an alarm when there is no fire will trigger damaging water release throughout the office. Water shortage would be a problem, but it is not a cause for a false positive event. Ionization detectors are highly reliable, so they are usually not the cause of a false positive event. Detectors can be placed in drop ceilings in order to monitor that air space; this would only be a problem if another detector was not placed in the main area of the room. If there are only detectors in the drop ceiling, then that could result in a false negative event.
A data center has had repeated hardware failures. An auditor notices that systems are stacked together in dense groupings with no clear organization. What should be implemented to address this issue?
A. Visitor logs
B. Industrial camouflage
C. Gas-based fire suppression
D. Hot aisles and cold aisles
D. Hot aisles and cold aisles
The cause of the hardware failures is implied by the lack of organization of the equipment, which is heat buildup. This could be addressed by better management of temperature and airflow, which would involve implementing hot aisles and cold aisles in the data center. A data center should have few if any actual visitors (such as outsiders), but anyone entering and leaving a data center should be tracked and recorded in a log. However, whether or not a visitor log is present has little to do with system failure due to poor heat management. Industrial camouflage is not relevant here since it is about hiding the purpose of a facility from outside observers. A gas-based fire suppression system is more appropriate for a data center than a water-based system, but neither would cause heat problems due to poor system organization.
Which of the following are benefits of a gas-based fire suppression system? (Choose all that apply.)
A. Can be deployed throughout a company facility
B. Will cause the least damage to computer systems
C. Extinguishes the fire by removing oxygen
D. May be able to extinguish the fire faster than a water discharge system
B. Will cause the least damage to computer systems
C. Extinguishes the fire by removing oxygen
D. May be able to extinguish the fire faster than a water discharge system
Benefits of gas-based fire suppression include causing the least damage to computer systems and extinguishing the fire quickly by removing oxygen. Also, gas-based fire suppression may be more effective and faster than a water-based system. A gas-based fire suppression system can only be used where human presence is at a minimum, since it removes oxygen from the air.
When designing physical security for an environment, it is important to focus on the functional order in which controls should be used. Which of the following is the correct order of the six common physical security control mechanisms?
A. Decide, Delay, Deny, Detect, Deter, Determine
B. Deter, Deny, Detect, Delay, Determine, Decide
C. Deny, Deter, Delay, Detect, Decide, Determine
D. Decide, Detect, Deny, Determine, Deter, Delay
B. Deter, Deny, Detect, Delay, Determine, Decide
The correct order of the six common physical security control mechanisms is Deter, Deny, Detect, Delay, Determine, Decide. The other options are incorrect.
Equipment failure is a common cause of a loss of availability. When deciding on strategies to maintain availability, it is often important to understand the criticality of each asset and business process as well as the organization’s capacity to weather adverse conditions. Match the term to the definition.
1. MTTF
2. MTTR
3. MTBF
4. SLA
- Clearly defines the response time a vendor will provide in the event of an equipment failure emergency
- An estimation of the time between the first and any subsequent failures
- The expected typical functional lifetime of the device given a specific operating environment
- The average length of time required to perform a repair on the device.
A. I - 1, II - 2, III - 4, IV - 3
B. I - 4, II - 3, III - 1, IV - 2
C. I - 3, II - 4, III - 2, IV - 1
D. I - 2, II - 1, III - 3, IV - 4
C. I - 3, II - 4, III - 2, IV - 1
Mean time to failure (MTTF) is the expected typical functional lifetime of the device given a specific operating environment. Mean time to repair (MTTR) is the average length of time required to perform a repair on the device. Mean time between failures (MTBF) is an estimation of the time between the first and any subsequent failures. A service level agreement (SLA) clearly defines the response time a vendor will provide in the event of an equipment failure emergency.
You have been placed on the facility security planning team. You’ve been tasked to create a priority list of issues to address during the initial design phase. What is the most important goal of all security solutions?
A. Prevention of disclosure
B. Maintaining integrity
C. Human safety
D. Sustaining availability
C. Human safety
Human safety is the most important goal of all security solutions. The top priority of security should always be the protection of the lives and safety of personnel. The protection of CIA (confidentiality, integrity, and availability) of company data and other assets is the second priority after human life and safety.
