Facility Design Controls
Inside the Building: Where Design Meets Availability
Module 26 covered decisions made before and around the building. This module moves inside. Data center layout, power redundancy, fire suppression, and physical access controls are the engineering decisions that determine whether a facility can survive the threats it will inevitably face.
A data center that cannot survive a power outage, contain a fire, or control who walks through its doors has failed at its most basic function — regardless of the software running inside it.
This module covers CISSP exam objective 3.9: design site and facility security controls. The exam tests your ability to match facility controls to risk scenarios and understand why one suppression system, power configuration, or access mechanism is appropriate over another.
Data Center Design
Data center design is about managing heat, power, and physical access in a space that concentrates an organization’s most valuable information assets.
- Hot aisle / cold aisle — Server racks are arranged so that the front (intake) sides face each other across a cold aisle, and the back (exhaust) sides face each other across a hot aisle. Cold air is delivered through the cold aisle, passes through the equipment, and exits into the hot aisle where it is returned to the cooling system. This arrangement prevents hot exhaust from recirculating into equipment intakes. Mixing hot and cold air reduces cooling efficiency and creates hotspots that accelerate hardware failure.
- Raised floors — Elevated flooring creates a plenum (air space) beneath the equipment that serves as a pathway for power cabling, network cabling, and conditioned air delivery through perforated tiles. Raised floors also allow water detection sensors to be placed below the equipment level, providing early warning of leaks.
- Cable management — Structured cabling prevents airflow obstruction, simplifies troubleshooting, and reduces the risk of accidental disconnection. Overhead cable trays separate power and data cabling to reduce electromagnetic interference. Cable pathways should be documented and labeled to support incident response and maintenance.
- Containment — Hot aisle containment (enclosing the hot aisle) or cold aisle containment (enclosing the cold aisle) further improves cooling efficiency by preventing air mixing. This reduces energy consumption and extends equipment lifespan.
Power Systems
Power is the single largest availability threat to a data center. Every other system — cooling, fire detection, access control, network equipment — depends on it.
- Uninterruptible Power Supply (UPS) — Battery-backed systems that provide immediate power during the gap between a utility outage and generator startup. UPS systems typically provide 15–30 minutes of runtime, enough to bridge the generator startup delay or perform a controlled shutdown. Online (double-conversion) UPS is the standard for data centers because it continuously conditions power and provides zero-transfer-time switchover.
- Generators — Diesel or natural gas generators provide long-term backup power during extended outages. Generators require 10–30 seconds to start and reach operating capacity, which is why UPS is needed to bridge the gap. Fuel contracts and on-site fuel storage capacity determine how long the generator can run. Regular testing under load is required — a generator that has not been tested may not start when needed.
- Power distribution — Power Distribution Units (PDUs) distribute electricity from the main feed to individual racks and equipment. Redundant PDUs fed from separate circuits ensure that a single PDU failure does not take down a rack. Dual-corded servers connected to separate PDUs can survive any single power distribution failure.
- Redundancy levels — The Uptime Institute tier classification describes data center redundancy:
  - Tier I — Single path, no redundancy. Any component failure or maintenance causes downtime.
  - Tier II — Redundant capacity components (N+1). Single distribution path.
  - Tier III — Concurrently maintainable. Multiple distribution paths, but only one active. Any component can be maintained without downtime.
  - Tier IV — Fault tolerant. Multiple active distribution paths. Can sustain any single failure without impact.
The governance decision is matching the tier to the organization’s availability requirements and budget. A Tier IV data center costs significantly more than Tier II, but for systems with near-zero tolerance for downtime, the investment is justified.
Fire Detection and Suppression
Fire suppression is the most heavily tested physical security topic on the CISSP. You need to know the system types, when each is appropriate, and the safety considerations that drive the selection decision.
Detection
- Smoke detectors — Ionization detectors respond quickly to flaming fires. Photoelectric detectors respond better to slow, smoldering fires. Data centers typically use photoelectric or aspirating (air-sampling) detectors because electrical fires often smolder before producing flame.
- Heat detectors — Fixed-temperature detectors activate at a preset temperature. Rate-of-rise detectors activate when temperature increases rapidly. Heat detectors are less prone to false alarms but respond slower than smoke detectors.
- Very Early Smoke Detection Apparatus (VESDA) — Aspirating systems that continuously sample air and can detect smoke particles at extremely low concentrations, well before a conventional detector would activate. Appropriate for data centers where early warning is critical.
Water-Based Suppression
- Wet pipe — Pipes are always filled with water. Fastest response time because water flows immediately when a sprinkler head activates. Risk: accidental activation or pipe leak causes water damage. Not ideal for rooms with electronic equipment.
- Dry pipe — Pipes are filled with pressurized air. When a sprinkler head activates, the air pressure drops, opening a valve that fills the pipes with water. Slight delay compared to wet pipe, but reduces accidental water damage risk. Used in areas where pipes might freeze or where a leak would be costly.
- Pre-action — Requires two triggers before water flows: a detection system (smoke or heat) must activate AND a sprinkler head must open. This double-interlock design is the preferred water-based system for data centers and server rooms because it virtually eliminates accidental discharge. If a sprinkler head breaks, no water flows because the detection system has not triggered.
- Deluge — All sprinkler heads are open (no individual heat-activated plugs). When the system activates, water flows from every head simultaneously. Used in high-hazard areas (chemical storage, aircraft hangars) where rapid, total coverage is needed. Not appropriate for data centers.
Gas-Based Suppression
- FM-200 (HFC-227ea) — A clean agent that suppresses fire by absorbing heat. Safe for occupied spaces at design concentrations. Leaves no residue, so equipment is not damaged. This is the most common gas-based system for data centers and server rooms.
- Novec 1230 — A clean agent similar to FM-200 but with a lower global warming potential. Safe for occupied spaces. No residue. Increasingly preferred for new installations due to environmental considerations.
- CO2 (carbon dioxide) — Suppresses fire by displacing oxygen. Extremely effective but lethal to humans at the concentrations required for fire suppression. CO2 systems require evacuation alarms, time delays, and lockout procedures. Only appropriate for unoccupied or rarely occupied spaces where human safety can be assured.
- Inert gas systems (Inergen, Argonite) — Reduce oxygen concentration to a level that will not support combustion (typically 12–14%) while remaining breathable for humans. Slower discharge than FM-200 but safe for occupied spaces.
The exam decision framework: if people work in the space regularly, choose FM-200, Novec 1230, or inert gas. If the space is unoccupied, CO2 may be acceptable. For spaces with electronic equipment, avoid water-based systems or use pre-action as the minimum standard. Wet pipe and deluge systems should never be the answer for a data center question.
Water Detection
Water is a persistent threat in any facility. Leaks from plumbing, HVAC condensation, roof failures, and rising groundwater can all damage equipment.
- Spot detectors — Placed at specific high-risk locations: under HVAC units, at pipe entry points, and beneath raised floors. They alarm when water contacts the sensor.
- Cable-based sensors — Moisture-sensing cables that run along the floor or beneath raised flooring. They detect water at any point along the cable’s length, providing zone-wide coverage rather than point detection.
- Automatic shutoff — Water detection systems can be integrated with building management systems to automatically shut off water supply valves when a leak is detected in a protected area.
Physical Access Controls
Physical access controls determine who gets into a space, how their identity is verified, and what record is created of their entry and exit.
- Mantraps / security vestibules — A pair of interlocking doors where the second door cannot open until the first has closed and locked. This prevents tailgating by ensuring only one person (or one authenticated group) passes through at a time. Weight sensors or optical turnstiles inside the vestibule can detect if more than one person is present. The exam now uses the term “security vestibule” more frequently than “mantrap.”
- Turnstiles — Waist-high or full-height barriers that allow one person through per authentication event. Full-height turnstiles prevent climbing over. Effective for high-throughput entrances where a security vestibule would create bottlenecks.
- Badge readers — Proximity cards, smart cards, or magnetic stripe cards that identify the cardholder. Badge readers are “something you have” — a single authentication factor. For higher-security zones, badge readers are combined with a PIN (“something you know”) or biometric (“something you are”) for multi-factor authentication.
- Biometrics for physical access — Fingerprint, iris, retina, hand geometry, and facial recognition scanners provide the “something you are” factor. Biometrics are evaluated by two error rates: False Acceptance Rate (FAR — allowing an unauthorized person) and False Rejection Rate (FRR — denying an authorized person). The Crossover Error Rate (CER) is the point where FAR equals FRR and indicates overall system accuracy. Lower CER means a more accurate system.
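A worked illustration of the FAR/FRR/CER relationship described above, added here as an example and not part of the original module: it sweeps a match threshold over constructed genuine and impostor scores, finds the crossover point, and then shows how a high-security zone tunes the threshold for near-zero FAR at the cost of a higher FRR. The matcher, its 0–100 score scale, and the score lists are assumptions.

```python
"""Worked FAR / FRR / CER computation for a biometric reader.

Constructed sample data, not real sensor output: a hypothetical matcher
returns a similarity score in [0, 100]; higher means "more like the template".
"""

# Enrolled user presenting to their own template (should be accepted).
GENUINE_SCORES = [88, 92, 75, 95, 81, 69, 90, 84, 78, 97]
# Other people presenting to that template (should be rejected).
IMPOSTOR_SCORES = [40, 55, 62, 35, 71, 48, 58, 66, 30, 52]


def far(impostor_scores, threshold):
    """False Acceptance Rate: share of impostor attempts scoring at or above
    the threshold, i.e. unauthorized people the reader would let in."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Rejection Rate: share of genuine attempts scoring below the
    threshold, i.e. authorized people the reader would turn away."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def crossover_error_rate(genuine_scores, impostor_scores, thresholds=range(0, 101)):
    """Sweep the match threshold and return (threshold, CER) at the point
    where FAR and FRR are closest. A lower CER means a more accurate system."""
    best = None  # (threshold, cer, |FAR - FRR|)
    for t in thresholds:
        a, r = far(impostor_scores, t), frr(genuine_scores, t)
        if best is None or abs(a - r) < best[2]:
            best = (t, (a + r) / 2, abs(a - r))
    return best[0], best[1]


def threshold_for_max_far(impostor_scores, max_far, thresholds=range(0, 101)):
    """Lowest threshold whose FAR is within the limit a zone can tolerate.
    A high-security zone drives FAR toward zero and accepts a higher FRR."""
    for t in thresholds:
        if far(impostor_scores, t) <= max_far:
            return t
    return None


if __name__ == "__main__":
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer:.2f} at threshold {t}")
    strict = threshold_for_max_far(IMPOSTOR_SCORES, 0.0)
    print(f"FAR=0 needs threshold {strict}; FRR there is {frr(GENUINE_SCORES, strict):.2f}")
```

With this sample data the CER is 0.10 at threshold 70; pushing FAR to zero requires threshold 72, where one in ten genuine users is rejected, which is the trade-off a zone classification has to accept.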
Surveillance Systems
Surveillance supports both detection and investigation. It deters bad behavior when visible and provides evidence when incidents occur.
- CCTV placement — Cameras should cover all entry and exit points, server room doors, loading docks, parking areas, and perimeter boundaries. Interior cameras should cover hallways leading to restricted zones. Placement must consider lighting conditions, camera angle, and field of view to produce usable footage.
- Recording and retention — Video must be recorded, not just monitored. Retention periods should align with organizational policy and regulatory requirements — typically 30 to 90 days minimum. Storage capacity planning must account for resolution, frame rate, and the number of cameras.
- Monitoring — Live monitoring by security personnel allows real-time response. Recorded-only systems provide evidence after the fact but cannot prevent an incident in progress. The governance decision is whether the risk justifies the cost of 24/7 monitoring staff.
Visitor Management
Visitors represent an authorized but untrusted presence inside controlled space. Managing them is a process control, not just a courtesy.
- Pre-registration — Visitors should be expected and logged before arrival. Walk-in visitors to restricted areas should be treated as exceptions requiring management approval.
- Identification and logging — Government-issued ID should be checked and recorded. Visitor logs capture name, organization, host employee, arrival time, and departure time.
- Badges — Visitor badges should be visually distinct from employee badges (different color, prominent “VISITOR” text). Badges should expire automatically (time-sensitive ink or electronic deactivation) to prevent reuse.
- Escort requirements — In restricted and high-security zones, visitors must be accompanied by an authorized employee at all times. The escort is responsible for the visitor’s actions within the zone.
- Badge return — Visitor badges must be collected at departure. A process for tracking unreturned badges helps identify potential security gaps.
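An added example (not from the original module) that turns the visitor-management controls above into a log audit: it runs over a constructed visitor log and flags walk-ins to controlled zones, unescorted visitors in escort-required zones, badges with no expiration, and badges never returned. The log field names and the export format are assumptions.

```python
"""Visitor-log audit: flags gaps in the controls listed above (pre-registration,
escort, badge expiry, badge return). Constructed sample log in a hypothetical
export format; the field names are assumptions, not a real system's schema."""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"
# Escort policy from the text: restricted and high-security zones require escort.
ESCORT_REQUIRED = {"operations": False, "restricted": True, "high_security": True}

VISITOR_LOG = [
    {"name": "V1", "zone": "operations", "registered": True, "escorted": False,
     "arrival": "2024-05-01 09:00", "departure": "2024-05-01 11:30",
     "badge_expires": "2024-05-01 18:00", "badge_returned": True},
    {"name": "V2", "zone": "restricted", "registered": True, "escorted": False,
     "arrival": "2024-05-01 10:00", "departure": "2024-05-01 12:00",
     "badge_expires": "2024-05-01 18:00", "badge_returned": True},
    {"name": "V3", "zone": "high_security", "registered": False, "escorted": True,
     "arrival": "2024-05-01 13:00", "departure": None,
     "badge_expires": "2024-05-01 18:00", "badge_returned": False},
    {"name": "V4", "zone": "operations", "registered": True, "escorted": False,
     "arrival": "2024-05-01 14:00", "departure": "2024-05-01 15:00",
     "badge_expires": None, "badge_returned": False},
]


def audit_visitor_log(entries, now):
    """Return (visitor, finding) pairs for every control gap; `now` is a
    timestamp string in FMT marking when the audit runs."""
    now_day = datetime.strptime(now, FMT).date()
    findings = []
    for e in entries:
        name, zone = e["name"], e["zone"]
        visit_day = datetime.strptime(e["arrival"], FMT).date()
        # Walk-ins to controlled zones are exceptions needing management approval.
        if not e["registered"] and ESCORT_REQUIRED[zone]:
            findings.append((name, f"walk-in to {zone} zone without pre-registration"))
        if ESCORT_REQUIRED[zone] and not e["escorted"]:
            findings.append((name, f"unescorted in {zone} zone"))
        # A badge that never expires can be kept and reused on another day.
        if e["badge_expires"] is None:
            findings.append((name, "badge has no expiration"))
        elif datetime.strptime(e["badge_expires"], FMT).date() != visit_day:
            findings.append((name, "badge valid beyond the visit day"))
        departed = e["departure"] is not None
        if not departed and now_day > visit_day:
            findings.append((name, "departure never logged"))
        if (departed or now_day > visit_day) and not e["badge_returned"]:
            findings.append((name, "badge not returned"))
    return findings


if __name__ == "__main__":
    for visitor, finding in audit_visitor_log(VISITOR_LOG, "2024-05-02 08:00"):
        print(f"{visitor}: {finding}")
```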
Pattern Recognition
Facility design questions on the CISSP tend to follow these structures:
- Fire suppression selection — A scenario describes a space (data center, office, warehouse, chemical storage) and asks which system is appropriate. Match the system to the space: pre-action or gas-based for electronics, wet pipe for general office, deluge for high-hazard areas. If people are present, eliminate CO2.
- Power failure sequence — A scenario describes a power outage and asks what happens next. The answer follows the sequence: UPS provides immediate bridge power → generator starts within seconds → generator provides sustained power. If the question asks about a gap, it is testing whether UPS is present to bridge generator startup.
- Access control escalation — A scenario describes a zone and asks what access mechanism is appropriate. Match the factor count to the zone: badge for operations, badge + PIN for restricted, badge + biometric (or all three) for high-security.
- Tailgating prevention — The answer is almost always a security vestibule (mantrap) or full-height turnstile. Cameras detect tailgating after the fact but do not prevent it.
Trap Patterns
Watch for these wrong answers:
- “Wet pipe sprinklers in the server room” — Wet pipe is never the preferred answer for a space with electronic equipment. Pre-action is the minimum water-based standard, and gas-based is preferred.
- “CO2 in an occupied data center” — CO2 at fire suppression concentrations is lethal. If the scenario mentions people working in the space, CO2 is wrong. Choose FM-200, Novec 1230, or inert gas.
- “Biometrics alone for access control” — Biometrics are one factor. High-security zones require multi-factor authentication. Biometrics combined with a badge or PIN is the correct pattern.
- “Cameras prevent tailgating” — Cameras detect and record. They do not physically prevent someone from following an authorized person through a door. Physical controls (vestibules, turnstiles) prevent tailgating.
Scenario Practice
Question 1
A company is upgrading the fire suppression system in its primary data center. The data center is staffed 24/7 by operations personnel. The current system is a wet pipe sprinkler that has accidentally discharged twice in five years, causing equipment damage both times.
What system should replace the wet pipe?
A. Dry pipe sprinkler to reduce accidental discharge risk
B. CO2 total flooding system for rapid fire suppression
C. FM-200 or Novec 1230 clean agent system with VESDA early detection
D. Deluge system to ensure complete coverage
Answer & reasoning
Correct: C
A staffed data center needs a suppression system that protects both equipment and people. FM-200 and Novec 1230 are clean agents safe for occupied spaces that leave no residue on equipment. VESDA provides very early smoke detection, enabling response before fire develops. CO2 is lethal in occupied spaces. Dry pipe still delivers water that damages electronics. Deluge systems are for high-hazard industrial areas, not data centers.
Question 2
A data center experiences a brief utility power outage. The UPS system engages and provides power for 20 minutes. The backup generator fails to start due to a dead starter battery. By the time a technician replaces the battery and starts the generator manually, the UPS batteries are depleted and all systems go down.
What is the root cause of the outage?
A. The UPS battery capacity was insufficient
B. The utility power was unreliable
C. The generator was not tested regularly under load conditions, so the starter battery failure was not detected
D. The data center should have had dual utility feeds instead of a generator
Answer & reasoning
Correct: C
Regular generator testing under load conditions would have identified the dead starter battery before a real outage occurred. The UPS performed as designed by providing 20 minutes of bridge power. The utility outage is an expected event. The root cause is a maintenance failure — the generator was not tested regularly enough to catch the battery degradation.
Question 3
A security review finds that the organization’s visitor management process issues generic visitor badges with no expiration and does not require escort in the operations zone. Visitor badges are the same color as contractor badges.
What is the MOST significant risk this creates?
A. Contractors may be confused with visitors, creating scheduling conflicts
B. An unauthorized person could retain a visitor badge and return on a different day, moving freely through the operations zone without escort
C. Visitors may access the break room without authorization
D. The visitor log will be inaccurate because badge returns are not tracked
Answer & reasoning
Correct: B
Non-expiring badges that look like contractor badges and do not require escort create a path for unauthorized access. A person could retain a badge, return later, and move through the operations zone without being questioned. The combination of no expiration, no visual distinction, and no escort requirement removes every compensating control that visitor management is supposed to provide.
Key Takeaway
Facility design controls protect availability and confidentiality at the physical layer. The exam tests three decision points repeatedly: which suppression system fits the space and its occupants, how power redundancy matches availability requirements, and what level of physical access control matches the zone classification. When you see a facility scenario, run through those three checks. The wrong answers will always be either disproportionate to the risk (too much or too little) or technically inappropriate for the environment described (water on servers, CO2 around people, single-factor authentication in a restricted zone).