Domain 3: Security Architecture and Engineering Review — 29 of 84

Domain 3 – Section C Review: Physical Security and System Lifecycle

CISSP Domain 3 — Security Architecture and Engineering
Section C — Physical Security and System Lifecycle Review
10 Questions

This section integrates:

  • Site Selection, CPTED, and Perimeter Security
  • Security Zones and Layered Physical Defense
  • Data Center Design, Power Systems, and Environmental Controls
  • Fire Detection and Suppression Systems
  • Physical Access Controls, Surveillance, and Visitor Management
  • System Development Lifecycle, Assessment and Authorization, Change Control, and Disposal

Section C questions test whether you can connect physical security decisions to risk levels and match lifecycle governance activities to their correct phases. The common thread: proportionality. Controls must match the value of what they protect, and security activities must occur at the right time in the lifecycle.


Section C – Practice Questions


Question 1

A company is evaluating two potential data center sites. Site A is located in a flood plain but offers dual utility feeds and three diverse telecom paths. Site B is on high ground with a single utility feed and one telecom provider.

What should the site selection decision prioritize?

A. Site B, because the flood risk at Site A cannot be mitigated by infrastructure redundancy
B. Site A, because dual utility feeds and diverse telecom outweigh the flood risk
C. Neither site is acceptable — both have disqualifying single points of failure
D. A risk assessment comparing the probability and impact of flooding against the probability and impact of utility and telecom failures for each site

Answer & reasoning

Correct: D

Site selection requires a risk assessment that compares all relevant threats, not a binary judgment on a single factor. Flood risk can potentially be mitigated (elevated construction, flood barriers), and single utility/telecom failures have different probabilities depending on the region. The correct approach is a formal risk comparison, not an assumption that one factor automatically disqualifies a site.


Question 2

A security consultant reviews a corporate campus and finds that the building’s main entrance opens directly into the operations area with no reception zone. Visitors, delivery personnel, and employees all use the same entrance and have immediate access to workspaces.

Which CPTED principle is MOST directly violated?

A. Natural surveillance
B. Natural access control
C. Territorial reinforcement
D. Target hardening

Answer & reasoning

Correct: B

Natural access control uses design elements to guide people through authorized entry points and prevent uncontrolled access to restricted areas. An entrance that opens directly into operations without a reception zone or transition space fails to channel traffic through a controlled checkpoint. Visitors and delivery personnel should be directed through a reception area before accessing interior spaces.


Question 3

A data center uses hot aisle containment with precision HVAC. During a routine check, the facilities team discovers that a contractor left containment panels open after a cabling project two weeks ago. Server inlet temperatures in the affected zone have been running 12°F above baseline.

What is the PRIMARY risk created by this situation?

A. Accelerated hardware degradation and potential component failure from sustained elevated temperatures
B. Increased electricity costs from the HVAC system working harder
C. The contractor should be terminated for violating the service agreement
D. The containment system is poorly designed if it cannot compensate for open panels

Answer & reasoning

Correct: A

Sustained elevated temperatures accelerate hardware degradation, reduce component lifespan, and increase the probability of failure. A 12-degree deviation above baseline for two weeks can meaningfully impact equipment reliability. The energy cost increase is secondary to the availability risk. The root cause is a process failure — post-work verification should have confirmed that containment was restored.


Question 4

An organization’s server room uses a wet pipe sprinkler system. The security team proposes upgrading to a pre-action system. The facilities manager argues that wet pipe is faster and the server room already has waterproof covers for the equipment.

Why is the pre-action system still the better choice?

A. Pre-action systems are required by fire code for all server rooms
B. Waterproof covers protect against minor leaks but not against the volume of water from an accidental sprinkler discharge, which pre-action’s double-interlock design prevents
C. Pre-action systems are less expensive to maintain than wet pipe
D. Wet pipe systems cannot be used in any room containing electronic equipment

Answer & reasoning

Correct: B

The primary advantage of pre-action over wet pipe in a server room is the double-interlock design that prevents accidental water discharge. A broken sprinkler head in a wet pipe system releases water immediately. In a pre-action system, both the detection system and a sprinkler head must activate before water flows. Waterproof covers provide limited protection against splashes, not against the volume of water from a full sprinkler discharge.


Question 5

A pharmaceutical company requires two-factor authentication (badge plus biometric) to enter its research laboratory. A visiting auditor is issued a temporary badge and escorted by a lab manager. The auditor needs to enter and exit the lab multiple times during the day.

What is the MOST appropriate access approach for the auditor?

A. The lab manager escorts the auditor through the two-factor door each time, with the auditor’s entry logged under the manager’s credential plus escort notation
B. Enroll the auditor’s biometric temporarily so they can enter independently
C. Disable the biometric requirement for the day to accommodate the audit
D. Give the auditor the lab manager’s badge and PIN to use independently

Answer & reasoning

Correct: A

Visitors to restricted zones should be escorted by authorized personnel, with all access logged. The escort authenticates through the two-factor system and the visitor enters under escort, with the visit recorded. Enrolling a temporary biometric undermines the security model. Disabling the biometric requirement degrades security for all users. Sharing credentials violates fundamental access control principles.


Question 6

During a power outage, a data center’s UPS provides 20 minutes of backup power. The diesel generator starts within 15 seconds. However, the generator runs for only 45 minutes before shutting down due to a fuel delivery valve that was closed during recent maintenance.

What process failure caused the extended outage?

A. The UPS battery capacity was insufficient for the outage duration
B. The generator should have been connected to dual fuel sources
C. Post-maintenance testing did not verify that the generator could sustain operation under load, which would have detected the closed valve
D. The facilities team should have manually opened the valve during the outage

Answer & reasoning

Correct: C

The root cause is a maintenance process failure. After any generator maintenance, a load test should verify that the generator can start, transfer, and sustain operation. A load test would have revealed the closed fuel delivery valve before a real outage occurred. The UPS performed correctly by bridging the gap. The manual intervention during an outage (D) is reactive rather than preventive.


Question 7

A security team is designing a new system that will process personally identifiable information subject to GDPR. The project manager wants to skip the security requirements phase to meet an aggressive timeline, promising that security testing will be thorough before deployment.

Why is this approach problematic?

A. Both C and D are correct
B. GDPR specifically requires documented security requirements before development begins
C. Security testing before deployment can identify vulnerabilities but cannot fix architectural decisions that were made without security requirements — remediation at that stage is far more costly
D. Security testing is not effective without a requirements baseline to test against

Answer & reasoning

Correct: A

Skipping security requirements creates two problems. First, architectural decisions made without security input may be fundamentally insecure and expensive to redesign. Second, security testing requires a baseline of expected security behaviors to validate against. Without defined requirements, testers do not know what “correct” looks like. The cost of fixing security issues increases dramatically the later they are discovered in the lifecycle.


Question 8

An organization receives an Authorization to Operate (ATO) for a financial processing system with three conditions: implement encryption for data in transit within 90 days, complete a penetration test within 60 days, and deploy a SIEM integration within 120 days. After 150 days, only the penetration test has been completed.

What is the current authorization status?

A. The ATO remains valid because one of the three conditions was met
B. The conditions are advisory and do not affect the authorization
C. The system should be immediately disconnected without management review
D. The ATO is effectively void — failure to meet the conditions of authorization means the Authorizing Official must reassess and make a new authorization decision

Answer & reasoning

Correct: D

A conditional ATO means the authorization is contingent on meeting the specified conditions within the given timelines. Failing to meet two of three conditions means the basis for the risk acceptance decision has changed. The Authorizing Official must be informed, reassess the risk with the unmet conditions, and make a new authorization decision — which could be continued operation with revised conditions, an extended timeline, or denial of continued authorization.


Question 9

An organization’s change advisory board approves a database schema change. During implementation, the database administrator also updates the database engine to a newer version “while the maintenance window was open.” The engine update was not part of the approved change. Two days later, performance degradation is traced to an incompatibility between the new engine version and the application.

What change control principle was violated?

A. Changes should only be made during business hours when support staff are available
B. Only the approved change should be implemented during a maintenance window — unapproved changes bypass impact analysis and introduce unassessed risk
C. Database administrators should not have access to perform engine updates
D. The change advisory board should have anticipated that the administrator would make additional changes

Answer & reasoning

Correct: B

Change control requires that only approved changes be implemented. The database engine update was not submitted, analyzed for impact, or approved. By bundling an unapproved change with an approved one, the administrator bypassed the impact analysis that would have identified the compatibility issue. Each change must go through the full change control process independently.


Question 10

An organization decommissions a web application but does not remove the server’s SSL certificate from the certificate authority’s active list or delete the DNS A record. Three months later, an attacker provisions a virtual server at the same IP address (which was returned to the cloud provider’s IP pool) and serves a phishing site using the still-valid certificate and DNS entry.

What disposal failure enabled this attack?

A. The server hardware should have been physically destroyed
B. The web application code should have been deleted before decommissioning
C. SSL certificates, DNS records, and other external trust references were not revoked during the decommissioning process
D. The cloud provider should have prevented reuse of the IP address

Answer & reasoning

Correct: C

System disposal must include revoking all external trust references: SSL certificates, DNS records, service accounts, API keys, and any other artifacts that establish the decommissioned system’s identity or authority. A valid SSL certificate combined with an active DNS record pointing to a recycled IP address gives an attacker a ready-made trusted identity. This is a known attack pattern (dangling DNS / subdomain takeover) that is entirely preventable through proper decommissioning procedures.
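A decommissioning audit in the spirit of this explanation, added here as an example and not part of the original question set: it walks a constructed inventory of decommissioned hosts, DNS records and certificates and flags the external trust references that were never revoked. All host names, address ranges and dates below are constructed sample values.

```python
import ipaddress
from datetime import date

# Constructed sample inventory (hypothetical values, not from the page).
DECOMMISSIONED_HOSTS = {"portal.example.com", "api-old.example.com"}

# DNS zone export as (name, record type, value).
DNS_RECORDS = [
    ("portal.example.com", "A", "203.0.113.10"),
    ("api-old.example.com", "CNAME", "old-api.cloudapp.example.net"),
    ("www.example.com", "A", "203.0.113.20"),
]

# Address space the organisation still controls; anything outside it
# may have been returned to a provider pool and reallocated to a stranger.
OWNED_PREFIXES = [ipaddress.ip_network("203.0.113.16/28")]

# Certificate inventory: subject name, expiry date, revocation flag.
CERTIFICATES = [
    {"cn": "portal.example.com", "not_after": date(2026, 3, 1), "revoked": False},
    {"cn": "www.example.com", "not_after": date(2026, 3, 1), "revoked": False},
    {"cn": "api-old.example.com", "not_after": date(2024, 1, 1), "revoked": False},
]


def is_owned(ip: str) -> bool:
    """True if the address is inside a prefix the organisation still holds."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWNED_PREFIXES)


def find_dangling_references(hosts, dns_records, certs, today):
    """Return (host, finding, detail) tuples for decommissioned hosts that
    still have live DNS records or usable certificates."""
    findings = []
    for name, rtype, value in dns_records:
        if name not in hosts:
            continue  # record belongs to a live system
        if rtype == "A" and not is_owned(value):
            findings.append((name, "dns-a-points-to-unowned-ip", value))
        elif rtype == "A":
            findings.append((name, "dns-record-not-removed", value))
        else:
            findings.append((name, "dns-cname-not-removed", value))
    for cert in certs:
        still_usable = not cert["revoked"] and cert["not_after"] > today
        if cert["cn"] in hosts and still_usable:
            findings.append((cert["cn"], "cert-still-valid", cert["not_after"].isoformat()))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_dangling_references(DECOMMISSIONED_HOSTS, DNS_RECORDS, CERTIFICATES, date(2025, 1, 15)):
        print(*finding)
```

Each finding is a revocation task the disposal procedure missed; the unowned-IP case is the one that reproduces the scenario in the question.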
