Site and Facility Security Principles
The Decisions That Happen Before the Building Exists
Physical security on the CISSP is not about how to install a fence or wire a camera. It is about the governance decisions that determine what level of protection a facility needs, how to layer those protections from the perimeter inward, and what trade-offs are acceptable given the organization’s risk profile.
Physical security failures create information security failures. A perfectly configured firewall means nothing if someone can walk into the server room.
This module covers CISSP exam objective 3.8: apply security principles to site and facility design. The exam tests whether you can match physical controls to risk levels, understand the logic behind layered defense, and recognize when a site design decision creates or eliminates exposure.
Site Selection Considerations
Choosing a facility location is a risk decision. The site itself introduces threats that no amount of internal controls can fully mitigate after the fact.
- Natural disaster exposure — Flood plains, earthquake zones, hurricane corridors, and wildfire-prone areas each introduce threats that affect availability. Site selection should factor in historical disaster data, not just current conditions. A data center in a 100-year flood plain still has a 1% annual probability of flooding.
- Proximity to emergency services — Response time from fire, police, and medical services affects the residual risk of any physical security event. A remote location may offer obscurity but extends response times.
- Visibility and profile — Facilities that process sensitive data benefit from a low profile. A building with no signage indicating it houses a data center is harder to target than one with the company logo on the roof. Conversely, retail locations need visibility for business reasons — security design must account for that.
- Adjacent occupants and land use — A chemical plant next door introduces hazmat risk. A highway overpass creates vibration exposure. An airport flight path creates both noise and crash risk. These are not theoretical — they affect insurance, regulatory compliance, and operational continuity.
- Infrastructure availability — Multiple power feeds from different substations, diverse telecommunications paths, and adequate water supply for fire suppression are infrastructure requirements that must be validated during site selection, not after the lease is signed.
Crime Prevention Through Environmental Design (CPTED)
CPTED is a design philosophy that uses the physical environment itself as a deterrent. Rather than relying solely on guards and cameras, CPTED shapes the space so that criminal activity is naturally discouraged.
Three core CPTED principles:
- Natural surveillance — Design spaces so that legitimate users can easily observe activity. Windows facing parking areas, open sight lines in lobbies, well-lit walkways, and low landscaping near entrances all increase the likelihood that suspicious behavior will be noticed. People behave differently when they know they can be seen.
- Natural access control — Use design elements to guide people through authorized entry points. Walkways, fences, hedges, and terrain changes direct foot traffic without requiring guards at every possible approach. A well-designed campus funnels visitors toward the reception area naturally.
- Territorial reinforcement — Create clear visual boundaries between public, semi-public, and private spaces. Signage, changes in paving material, landscaping borders, and different lighting levels signal ownership and expected behavior. Trespassers are more conspicuous when boundaries are obvious.
CPTED is a governance decision because it must be incorporated during facility design. Retrofitting CPTED principles into an existing building is expensive and often only partially effective.
Perimeter Security
The perimeter is the first physical boundary an unauthorized person must cross. Its purpose is to deter, delay, and detect — not necessarily to stop a determined attacker outright.
- Fencing — Standard chain-link at 3–4 feet deters casual trespass. At 7 feet with barbed wire or razor ribbon, it deters most determined attempts. At 8 feet with a double fence and intrusion detection, it is considered high-security. The exam expects you to know that fencing delays but does not prevent entry — it buys time for detection and response.
- Bollards — Concrete or steel posts that prevent vehicle-borne attacks against buildings. They protect against ramming without blocking pedestrian access. The decision to install bollards is a risk-based one — they are appropriate for facilities with high-value targets or public-facing entrances.
- Gates and vehicle barriers — Control vehicular access and create chokepoints for inspection. Staffed gates allow credential verification. Automated gates balance security with traffic flow. The design choice depends on throughput requirements and threat level.
- Lighting — Serves both deterrence and detection. Perimeter lighting should eliminate shadows where an intruder could hide and provide sufficient illumination for CCTV to capture usable footage. The standard guidance is 2 foot-candles at the perimeter and 8 foot-candles at entry points. Continuous lighting is the most common approach; standby lighting activates on motion detection to alert security and startle intruders.
Security Zones and Layered Defense
Physical security operates on the principle of defense in depth, just like network security. Each zone adds a layer of controls, and moving inward requires progressively higher trust and authorization.
- Public zone — Parking areas, sidewalks, and exterior grounds. Minimal access control but surveillance and lighting are present. Anyone can be here without raising suspicion.
- Reception zone — The lobby or entry area where visitors are identified and processed. Badge issuance, visitor logs, and initial screening happen here. This is the boundary between public and controlled space.
- Operations zone — General office areas, meeting rooms, and common facilities. Access requires a valid badge. Visitors must be escorted. This zone contains day-to-day business operations but not the most sensitive assets.
- Restricted zone — Server rooms, network closets, financial processing areas, and executive spaces. Access is limited to specific personnel with a demonstrated need. Two-factor authentication (badge plus PIN or biometric) is common.
- High-security zone — Vaults, secure compartmented information facilities (SCIFs), and critical infrastructure rooms. Access requires multiple authentication factors, escort requirements may apply even for authorized personnel, and all entry and exit is logged and monitored in real time.
The governance question on the exam is always about matching the zone level to the asset value. Storing top-secret materials in an operations zone is a classification mismatch. Applying high-security controls to a break room is wasteful and disruptive. Proportionality matters.
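The proportionality rule above can be made mechanical. The following is an added example, not code from the module or any CISSP reference: it models the five zones as an ordered scale, the factor counts the text associates with each zone, and an assumed mapping from data classification to the minimum zone that should hold it, then audits a constructed asset inventory for under-protected (zone mismatch) and over-protected (wasteful) placements. The classification labels, the three-factor count for the high-security zone, the "more than one zone deeper than needed" threshold, and the visitor rules are assumptions made for the example.

```python
"""Zone proportionality audit: added example, not part of the CISSP module.

Models the five physical security zones from the text as an ordered scale,
the authentication factors the text associates with each, and a mapping from
data classification to the minimum zone that should hold it. The
classification labels, asset inventory and factor counts are constructed.
"""
from dataclasses import dataclass

# Ordered from outermost (least trusted) to innermost (most trusted).
ZONES = ["public", "reception", "operations", "restricted", "high-security"]
ZONE_RANK = {name: rank for rank, name in enumerate(ZONES)}

# Factors required to enter each zone: badge from operations inward, badge
# plus PIN/biometric for restricted (per the text). Three for high-security
# and none for public/reception are assumptions for this example.
REQUIRED_FACTORS = {
    "public": 0,
    "reception": 0,
    "operations": 1,
    "restricted": 2,
    "high-security": 3,
}

# Classification -> minimum zone (assumed mapping for illustration).
MIN_ZONE_FOR_CLASS = {
    "public": "public",
    "internal": "operations",
    "confidential": "restricted",
    "secret": "high-security",
}


@dataclass
class Asset:
    name: str
    classification: str
    zone: str


def placement_finding(asset: Asset) -> str:
    """Return 'ok', 'under-protected' or 'over-protected' for one asset.

    Under-protected is the exam's 'zone mismatch'. Over-protected is the
    'highest controls everywhere' trap; the assumed rule flags an asset that
    sits more than one zone deeper than its classification requires.
    """
    required = ZONE_RANK[MIN_ZONE_FOR_CLASS[asset.classification]]
    actual = ZONE_RANK[asset.zone]
    if actual < required:
        return "under-protected"
    if actual - required > 1:
        return "over-protected"
    return "ok"


def audit(inventory):
    """Map each asset name to its finding, for review by the facility owner."""
    return {a.name: placement_finding(a) for a in inventory}


def entry_allowed(target_zone, presented_factors, escorted=False, is_visitor=False):
    """Check one entry request against the zone's factor requirement.

    Visitors must be escorted beyond reception (per the text); the example
    assumes a visitor is never admitted to restricted or high-security zones.
    """
    rank = ZONE_RANK[target_zone]
    if is_visitor:
        if rank >= ZONE_RANK["restricted"]:
            return False
        return rank < ZONE_RANK["operations"] or escorted
    return presented_factors >= REQUIRED_FACTORS[target_zone]


# Constructed inventory; the first entry mirrors Scenario Practice Question 3
# (backup tapes holding customer financial data left in the operations zone).
SAMPLE_INVENTORY = [
    Asset("backup-tapes-customer-financials", "confidential", "operations"),
    Asset("core-switch", "confidential", "restricted"),
    Asset("visitor-brochures", "public", "restricted"),
    Asset("hr-records", "internal", "operations"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INVENTORY).items():
        print(f"{finding:16s} {name}")
```

Running the audit reports the backup tapes as under-protected and the brochures in a restricted room as over-protected, which are the two halves of the proportionality argument the section makes; the entry check shows why a single badge is not enough for the restricted zone.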
Environmental Controls
Environmental threats — heat, humidity, fire, water, and electromagnetic interference — destroy more equipment than most organizations lose to external attackers. Managing these threats is a facility design responsibility.
- HVAC — Data centers require temperature control between 64–81°F (18–27°C) and humidity between 40–60%. Too hot accelerates hardware failure. Too cold causes condensation when systems power on. Too dry creates static discharge risk. Too humid promotes corrosion. Dedicated HVAC for server rooms is standard because office HVAC cannot maintain the precision required.
- Fire suppression — Fire is covered in detail in Module 27. At the site level, the governance decision is what class of suppression system is appropriate for each zone. Water-based systems protect general office areas. Gas-based systems protect equipment rooms where water would cause more damage than the fire itself.
- Water damage prevention — Water sensors on raised floors and below ceilings detect leaks before they reach equipment. Server rooms should not be located below restrooms, kitchens, or exterior walls prone to condensation. Pipe routing through data center spaces should be avoided entirely when possible.
- Electromagnetic interference (EMI) — EMI from nearby power lines, motors, or radio transmitters can corrupt data and disrupt sensitive equipment. Shielding options include Faraday cages for the most sensitive environments and proper cable shielding (STP over UTP) for general protection. TEMPEST standards apply to government facilities processing classified information — they prevent electromagnetic emanations from being intercepted to reconstruct data.
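The HVAC ranges above are the kind of thresholds an environmental monitoring system evaluates continuously. The following is an added example, not code from the module or from any monitoring product: it parses constructed sensor log lines, checks each reading against the 18–27°C and 40–60% ranges the text states, and estimates the dew point with the Magnus formula so that cold hardware in warm, humid air (the condensation case the text describes) is flagged before power-on. The log format, sensor names, the surface-temperature field and the 2°C condensation margin are assumptions made for the example.

```python
"""Environmental threshold monitor: added example, not part of the module.

Parses constructed sensor log lines, checks each reading against the
temperature (18–27°C) and relative-humidity (40–60%) ranges stated in the
text, and estimates the dew point so a cold room or cold hardware can be
flagged for condensation risk. Log format, sensor names and the condensation
margin are assumptions.
"""
import math
import re

TEMP_C_RANGE = (18.0, 27.0)   # 64–81°F, from the text
RH_RANGE = (40.0, 60.0)       # percent, from the text
CONDENSATION_MARGIN_C = 2.0   # assumption: flag if a surface is within 2°C of dew point

# Constructed log format:
#   "<ISO timestamp> <sensor-id> temp_c=<n> rh=<n> surface_c=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sensor>\S+)\s+temp_c=(?P<temp>-?\d+(?:\.\d+)?)"
    r"\s+rh=(?P<rh>\d+(?:\.\d+)?)\s+surface_c=(?P<surface>-?\d+(?:\.\d+)?)$"
)


def dew_point_c(temp_c: float, rh: float) -> float:
    """Magnus-formula dew point (Sonntag constants), adequate for room conditions."""
    a, b = 17.62, 243.12
    gamma = (a * temp_c) / (b + temp_c) + math.log(rh / 100.0)
    return (b * gamma) / (a - gamma)


def evaluate(temp_c, rh, surface_c):
    """Return the list of findings for one reading (empty list means in range)."""
    findings = []
    lo, hi = TEMP_C_RANGE
    if temp_c > hi:
        findings.append("too-hot")
    elif temp_c < lo:
        findings.append("too-cold")
    lo, hi = RH_RANGE
    if rh > hi:
        findings.append("too-humid")
    elif rh < lo:
        findings.append("too-dry")
    # Condensation forms on any surface colder than the dew point of the air;
    # cold equipment powered on in warm, humid air is the case the text describes.
    if surface_c <= dew_point_c(temp_c, rh) + CONDENSATION_MARGIN_C:
        findings.append("condensation-risk")
    return findings


def parse_line(line):
    """Return (ts, sensor, temp_c, rh, surface_c) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["ts"], m["sensor"], float(m["temp"]), float(m["rh"]), float(m["surface"]))


def scan(lines):
    """Map '<ts> <sensor>' to its findings; malformed lines are reported, not dropped."""
    report = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            report[line.strip()] = ["unparseable"]
            continue
        ts, sensor, temp, rh, surface = parsed
        report[f"{ts} {sensor}"] = evaluate(temp, rh, surface)
    return report


# Constructed sample log: one reading in range, one hot, one cold and dry,
# one humid room with cold hardware, and one collector glitch.
SAMPLE_LOG = [
    "2024-01-01T02:00:00Z rack-07 temp_c=22.0 rh=45 surface_c=22.0",
    "2024-01-01T02:05:00Z rack-07 temp_c=29.5 rh=45 surface_c=29.0",
    "2024-01-01T02:10:00Z rack-12 temp_c=16.0 rh=35 surface_c=16.0",
    "2024-01-01T02:15:00Z rack-12 temp_c=24.0 rh=70 surface_c=12.0",
    "garbage line from a flaky collector",
]

if __name__ == "__main__":
    for key, findings in scan(SAMPLE_LOG).items():
        print(f"{key}: {', '.join(findings) or 'ok'}")
```

The fourth reading is the one worth noting: air at 24°C and 70% RH is only mildly out of range, but its dew point is about 18°C, so hardware brought in at 12°C will sweat as soon as the door closes. Malformed lines are surfaced as their own finding rather than silently skipped, because a collector that stops reporting is itself a monitoring failure.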
Pattern Recognition
Physical security questions on the CISSP tend to follow these structures:
- Site selection scenario — The question describes a location and asks about the risk it introduces. The answer connects the site characteristic to a specific threat category (availability, confidentiality, or safety).
- Zone mismatch — A sensitive asset is stored or processed in a zone with insufficient controls. The answer is to move the asset or upgrade the zone controls to match the classification level.
- CPTED application — The question describes a facility design problem (blind spots, unclear boundaries, uncontrolled entry paths) and asks which CPTED principle addresses it. Match the symptom to the principle: visibility problem = natural surveillance, traffic flow problem = natural access control, boundary problem = territorial reinforcement.
- Environmental failure — Equipment damage traced to temperature, humidity, water, or EMI. The answer identifies the environmental control that should have been in place and the governance failure in facility design or maintenance.
Trap Patterns
Watch for these wrong answers:
- “Install more cameras” — Cameras are detection controls. If the question describes a deterrence or delay gap, cameras alone are insufficient. The exam distinguishes between controls that detect and controls that prevent or delay.
- “The highest security controls everywhere” — Physical security must be proportional to asset value and risk. Applying vault-level controls to every room in the building wastes resources and impedes operations. The CISSP rewards proportional, risk-based answers.
- “Obscurity equals security” — An unmarked building adds a layer of difficulty for targeted attacks, but security through obscurity alone is never the answer. Low visibility is a supplementary control, not a primary one.
- “Fencing stops intruders” — Fencing delays and deters. A determined attacker will climb, cut, or go under a fence. The value of fencing is the time it buys for detection and response systems to activate.
Scenario Practice
Question 1
An organization is selecting a location for a new data center. Site A is in a business park with dual power feeds, diverse telecom paths, and a fire station 2 miles away. Site B is in a rural area with lower costs, a single power feed, and emergency services 25 miles away.
Which site presents the LOWER overall risk for a data center, and why?
A. Site B, because the rural location provides natural obscurity and lower profile
B. Site A, because infrastructure redundancy and emergency response time reduce availability and safety risks
C. Site B, because the lower cost allows more budget for internal security controls
D. Both sites are equivalent if the same internal controls are applied
Answer & reasoning
Correct: B
Site selection risk is driven by infrastructure availability and emergency response capability. Dual power feeds and diverse telecom paths directly reduce single points of failure. Proximity to emergency services reduces response time for fire, medical, and security incidents. Internal controls cannot compensate for a 25-mile emergency response gap or a single power feed.
Question 2
A corporate campus has experienced multiple tailgating incidents at a side entrance that leads directly to the operations area. The entrance is in a recessed alcove with no windows facing it and dense landscaping on both sides.
Which CPTED principle should be applied to address this problem?
A. Territorial reinforcement — install signage and change the paving to mark the boundary
B. Natural surveillance — remove the dense landscaping and add windows or sight lines to the entrance
C. Natural access control — add a walkway that redirects foot traffic to the main entrance
D. Both B and C should be applied together
Answer & reasoning
Correct: D
The problem has two dimensions: the entrance cannot be observed (surveillance failure) and it provides direct access bypassing the reception zone (access control failure). Removing the landscaping and adding sight lines addresses natural surveillance. Redirecting traffic to the main entrance addresses natural access control. Signage alone would not prevent tailgating at an unmonitored entrance.
Question 3
A security audit of a financial services firm reveals that backup tapes containing customer financial data are stored in a locked cabinet in the general office area (operations zone). The cabinet key is kept at the reception desk.
What is the PRIMARY security concern?
A. The cabinet should use a combination lock instead of a key lock
B. Backup tapes with sensitive financial data are stored in a zone that does not match their classification level
C. The reception desk is too far from the cabinet for effective key management
D. Backup tapes should be stored off-site rather than on-site
Answer & reasoning
Correct: B
Customer financial data warrants storage in a restricted zone with two-factor access controls, not a general operations area accessible to all badged employees. The zone does not match the data classification. The lock type and key location are secondary concerns — even a strong lock in the wrong zone is insufficient. Off-site storage may be appropriate for disaster recovery copies but does not address the classification mismatch for on-site backups.
Key Takeaway
Physical security on the CISSP is a governance exercise in proportionality. Every decision — site selection, perimeter design, zone assignment, environmental controls — ties back to one question: does the level of protection match the value and sensitivity of what you are protecting? The exam will present scenarios where the mismatch is the vulnerability, and the answer is always to align the control level with the risk level. Think in layers, think in zones, and remember that the most expensive control is not always the right one.