<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Secure Today &#187; CISSP</title>
	<atom:link href="http://www.securetoday.net/category/cissp/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securetoday.net</link>
	<description>Protecting your own for the future</description>
	<lastBuildDate>Thu, 25 Feb 2010 16:25:11 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>CISSP &#8211; Free trainings</title>
		<link>http://www.securetoday.net/2009/07/cissp-free-trainings/</link>
		<comments>http://www.securetoday.net/2009/07/cissp-free-trainings/#comments</comments>
		<pubDate>Tue, 14 Jul 2009 00:04:07 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[CISSP]]></category>
		<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=139</guid>
		<description><![CDATA[Studying to get your Certified Information System Security (CISSP) from ISC2 is not a walk in the park. It requires that you have many years of experience in the world of Information Security. 
Its prerequisites include possession of a minimum of five years of professional experience in the information security field or four years plus a [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-thumbnail wp-image-140" title="cissp" src="http://www.securetoday.net/wp-content/uploads/2009/11/cissp-150x150.jpg" alt="cissp" width="150" height="150" /><strong>S</strong>tudying to get your Certified Information System Security (CISSP) from <a href="http://www.isc2.org">ISC2</a> is not a walk in the park. It requires that you have many years of experience in the world of Information Security. </p>
<p>Its prerequisites include possession of a minimum of five years of professional experience in the information security field, or four years plus a college degree. Alternatively, an Advanced Degree in Information Security from a National Center of Excellence or the regional equivalent can substitute for one year towards the five-year requirement. Then, after passing the 250-item exam in six hours and complying with the ISC2 Code of Ethics, you still have to be endorsed. Please visit the ISC2 website for more information.</p>
<p>I posted this because I want to share some useful links for you professionals out there who are thinking about or studying for the CISSP. SearchSecurity with Shon Harris goes over the ten Common Body of Knowledge (CBK) domains for the CISSP in the following webcasts. Be sure to read through all the useful information and try their 10 free quizzes.</p>
<p><a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1328285_mem1,00.html" target="_blank">Domain 1: Security Management Practices</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1323052,00.html" target="_blank">Domain 2: Access Control</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1328960,00.html" target="_blank">Domain 3: Cryptography</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1328985,00.html" target="_blank">Domain 4: Security Models and Architecture</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1329221_mem1,00.html" target="_blank">Domain 5: Telecommunications and Networking</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1329573,00.html" target="_blank">Domain 6: Application and System Development</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1329596,00.html" target="_blank">Domain 7: Business Continuity &#038; Disaster Recovery</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1329632,00.html" target="_blank">Domain 8: Law, Investigations and Ethics</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1057452,00.html" target="_blank">Domain 9: Physical Security</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1064650,00.html" target="_blank">Domain 10: Operations Security</a></p>
<p>Good luck!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2009/07/cissp-free-trainings/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CPTED &#8211; Physical Security</title>
		<link>http://www.securetoday.net/2009/05/cpted-physical-security/</link>
		<comments>http://www.securetoday.net/2009/05/cpted-physical-security/#comments</comments>
		<pubDate>Mon, 11 May 2009 00:49:53 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[CISSP]]></category>
		<category><![CDATA[General Security]]></category>
		<category><![CDATA[CPTED]]></category>
		<category><![CDATA[physical security]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=114</guid>
		<description><![CDATA[This month, I&#8217;d like to discuss a topic that is somewhat set aside when talking about security &#8211; Physical Security. We all know and agree that the physical aspect of security is as important as any other facet of security, be it technical or logical, or administrative.
As security professionals, we should be very aware [...]]]></description>
			<content:encoded><![CDATA[<p><strong>T</strong>his month, I&#8217;d like to discuss a topic that is somewhat set aside when talking about security &#8211; Physical Security. We all know and agree that the physical aspect of security is as important as any other facet of security, be it technical or logical, or administrative.</p>
<p>As security professionals, we should be very aware and concerned that what we protect through technology like firewalls, DLP, IDP, and the like, such as critical data and confidential information, can just as easily be compromised by someone stealing the physical server, damaged by natural or environmental calamities, or broken by infrastructure faults. So physical security must not be ignored; it should be incorporated into security policies and included in any security discussion.</p>
<p>Physical security must be implemented based on the model of a <strong>layered defense</strong>. The idea is that before an unauthorized entity can access a valuable asset, it must pass through layer after layer of physical barriers. If one of the layers fails, the others still protect the asset. The layers of defense should therefore move from the perimeter towards the asset.</p>
<p>I am a firm believer that security should not be a patched-on approach; rather, it should be part of the architecture. Similar to software applications, I believe that one of the best ways to stay secure is to develop the program to be error- and flaw-free. This way, we don&#8217;t have to worry about patching it or be afraid of getting compromised by its vulnerabilities. Of course, it is not a perfect world, and that is why, as much as we can, security should begin at the very start of the design.</p>
<p>Physical security is no exception. <strong>CPTED (Crime Prevention Through Environmental Design)</strong> is a discipline that structures the proper architectural design of a physical environment to reduce crime by directly affecting human behaviors and activities. The CPTED concept has been around since the 1960s. It provides guidance in loss and crime prevention through proper construction of buildings and the arrangement of environmental components.</p>
<p style="text-align: left;">
<div id="attachment_117" class="wp-caption aligncenter" style="width: 493px"><img class="size-full wp-image-117" title="CPTED" src="http://www.securetoday.net/wp-content/uploads/2009/10/CPTED.gif" alt="CPTED elements" width="483" height="536" /><p class="wp-caption-text">CPTED Key Concepts</p></div>
<p style="text-align: left;">So the idea of CPTED is that, even before a facility is constructed, the design addresses the landscaping, entrances, exits, neighborhood layouts, access roads and freeways, lighting, and traffic patterns. It also takes into consideration the placement of offices, lobbies, restrooms, and the surrounding campus, up to the wider scale of the city. As you can imagine, security is already taken into consideration before the facility is built. Proper landscaping should deter intruders, and a fence of the right height or correctly placed lighting should stop unauthorized people. Another good example is designing a data center to sit at the center of the facility so that the surrounding walls protect it from damage from outside.</p>
<p style="text-align: left;"><span id="more-114"></span></p>
<p style="text-align: left;">There are several components to consider when implementing CPTED, as shown in the figure above. The best approach is usually to build an environment from a CPTED approach and then apply these components on top of the design where they are needed. The following target-hardening components are derived from Moffat (1983, p.23):</p>
<ul>
<li>Access Control</li>
<li>Natural Surveillance</li>
<li>Territoriality</li>
<li>Defensible Space</li>
<li>Activity Programme</li>
<li>Formal Organized Surveillance</li>
</ul>
<p><strong>Access Control</strong> (Natural) &#8211; this guides the placement of fences, doors, lighting, and landscaping to direct the flow of people going in and out of a location.</p>
<p><strong>Surveillance</strong> (Natural and Formal) &#8211; these components address the placement of CCTV and security guards, as well as natural strategies such as line of sight, raised entrances, bollards, etc.</p>
<p><strong>Territoriality</strong> &#8211; addresses the concept of security zones. It can be implemented through the use of physical barriers such as walls, dividers, fences, and flags to clearly mark your dedicated scope of coverage or jurisdiction.</p>
<p><strong>Defensible Space</strong> &#8211; this is similar to Territorial Reinforcement (above), in that the environment or community being designed incorporates a sense of ownership. Good examples are the physical fences or logical borders of jurisdiction within which you defend what you own.</p>
<p><strong>Activity Programme</strong> &#8211; or activity support, involves the use of design to encourage intended patterns of usage of public space. This concept aims to protect the community by encouraging safe activities and practices in the surrounding environment to deter unsafe activities from happening. This approach also includes access control, surveillance, and territoriality.</p>
<p>The CPTED discipline adds value to security because it starts where security needs to start. Although, as IT Security professionals, our involvement in the construction of facilities and the implementation of CPTED is rare, it is good knowledge to have. CPTED is a security concept that, if implemented correctly, will benefit everybody.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2009/05/cpted-physical-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
