The effectiveness of security controls is measured by the probability of detection at the point where there is enough time for a response team to interrupt an adversary. The critical path is the adversary path with the lowest probability of interruption.
An adversary path is an ordered sequence of actions against an asset that could result in it being compromised. Adversaries could normally be expected to take the easiest and most direct route. Early detection of unauthorised access enables a quicker response. Ideally interception should occur before access to the asset, but this depends on the asset and the security objectives. Interruption may not be required if tamper evidence is the objective for protecting the asset. See example below:
Critical Path Analysis Physical Security
THE CISSP EXAM AND PHYSICAL SECURITY
Information security depends on the security and management of the physical space in which computer systems operate. The CISSP exam's Common Body of Knowledge addresses the challenges of securing the physical space, its systems and the people who work within it by use of administrative, technical and physical controls.
The following topics are covered:
Facilities management: The administrative processes that govern the maintenance and protection of the physical operations space, from site selection through emergency response.
Risks, issues and protection strategies: Risk identification and the selection of security protection components.
Perimeter security: Typical physical protection controls.
Facilities management
Facilities management is a complex component of corporate security that ranges from the planning of a secure physical site to the management of the physical information system environment. Facilities management responsibilities include site selection and physical security planning (i.e. facility construction, design and layout, fire and water damage protection, antitheft mechanisms, intrusion detection and security procedures.) Protections must extend to both people and assets. The necessary level of protection depends on the value of the assets and data.
As an exam candidate your must learn the concept of critical-path analysis as a means of determining a component's business function criticality relative to the cost of operation and replacement. Furthermore, students need to gain an understanding of the optimal location and physical attributes of a secure facility. Among the topics covered in this domain are site inspection, location, accessibility and obscurity, considering the area crime rate, and the likelihood of natural hazards such as floods or earthquakes.
EXAM TIP:
This topic could be either from a Physical Security perspective or from a Logical Security
Perspective.
From a logical perspective it is define as: An analysis that defines relationships between mission critical applications. This type of analysis is performed to show what must happen to stay in business.
Reference(s) used for this question:
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001,
Page 281.
and
http://www.protectivesecurity.gov.au/physicalsecurity/Documents/Security-zones-and-risk- mitigation-control-measures.pdf and
http://www.onlineexpert.com/elearning/user/SampleFiles/SECURITY/CISSP_PS_Glossary.
html
