CISSP Domain 7 Security Operations

Physical and Environmental Security in Daily Operations


Why this matters

CISSP lens

Pick answers that align business risk, governance intent, and practical control execution.

Security operations is not just about firewalls and SIEM platforms. Physical breaches, power problems, and environmental issues can disrupt service faster than many cyber attacks. Someone has to operate doors, cameras, and power systems every day.

Core concept

Physical and environmental security controls protect facilities and equipment that support information systems.

Operational tasks include:

  • Managing badges and physical access rights
  • Operating cameras and intrusion detection systems
  • Coordinating with guards and facilities staff
  • Monitoring environmental sensors for temperature, humidity, water, and smoke
  • Testing uninterruptible power supplies and generators

Security operations must make sure these controls are not only installed but also maintained and monitored.

Physical access control operations

Badge systems and locks are the physical equivalent of authentication and authorization.

Daily operational tasks include:

  • Issuing badges to new staff and revoking them for leavers
  • Managing visitor access, including sign-in, identification, and escorts
  • Updating access zones when staff change roles or locations
  • Reviewing access logs for anomalies, especially after incidents

Similar to IAM, physical access processes should track joiners, movers, and leavers.

Cameras and monitoring

Video surveillance supports deterrence, detection, and investigation.

Operations teams should ensure that:

  • Cameras are placed appropriately and kept in working order
  • Recording devices have sufficient storage and retention periods
  • Time settings are accurate for correlation with other logs
  • Access to live and recorded footage is restricted and logged

Regular checks are necessary so that footage is available when needed.

Environmental monitoring

Environmental controls protect availability and hardware.

Key elements include:

  • Temperature and humidity sensors in data centers and equipment rooms
  • Water leak detection near critical cabling and racks
  • Smoke detection integrated with fire suppression systems

Operations must configure alerts for out-of-range conditions and test them periodically. Ignored alarms can lead to equipment damage and outages.

Power protection and drills

Power protection is more than installing a UPS or generator. It requires ongoing maintenance.

Operational practices include:

  • Testing UPS systems under load on a regular schedule
  • Exercising generators and verifying automatic failover
  • Managing fuel supplies and delivery contracts where applicable
  • Documenting results of tests and addressing issues promptly

These steps ensure that backup power works when needed instead of failing at the worst moment.

Coordination with facilities and security teams

IT security operations rarely own all physical and environmental controls. Facilities, corporate security, and building management have major roles.

Effective collaboration means:

  • Joint planning for facility changes and upgrades
  • Shared procedures for responding to physical alarms and incidents
  • Clear ownership for controls that span teams, such as data center access

Strong relationships across teams reduce gaps and misunderstandings.

CISSP lens

Domain cross-reference

While physical and environmental security is a core part of another CISSP domain, Domain 7 focuses on how these controls are operated.

Exam-relevant themes include:

  • Physical access controls and environmental systems need ongoing operational attention.
  • Visitor management and badge issuance are part of access control.
  • Environmental controls protect availability.

When answering questions, think about how processes, staffing, and maintenance keep these controls effective over time.

Real-world scenario

An organization relies on an access control system for its main office and data center. Over time, the system becomes unreliable and doors frequently fail to unlock for staff.

To avoid delays, employees begin propping doors open. The behavior becomes normal, and no one reports it.

Eventually, a theft occurs. Equipment goes missing from a secure area, and there is no clear video footage or reliable access logs. Insurance and police investigations are complicated by the lack of evidence.

In reviewing the incident, the company finds that:

  • Badge system failures had been reported informally but never logged or escalated.
  • There was no clear ownership of physical access maintenance.
  • Staff had not been trained to treat propped-open doors as security issues.

The organization responds by:

  • Establishing a joint operations process between facilities and security for access control systems.
  • Implementing regular health checks on badge readers and door mechanisms.
  • Training staff to report physical security problems and reinforcing expectations about keeping doors closed.

Physical operations become part of regular security reporting, alongside cyber metrics.

Fire detection and suppression: the operational view

Fire protection appears in design-focused study materials, but Domain 7 cares about running it. The operational facts worth knowing:

| System | How it works | Operational considerations |
| --- | --- | --- |
| Wet pipe sprinkler | Water in pipes, released per sprinkler head by heat | Simple, reliable; pipe leak risk over equipment; heads activate individually |
| Dry pipe / pre-action | Pipes pressurized with air; water enters on detection, releases on head activation | Two-stage design suits data centers; needs regular valve and compressor testing |
| Clean agent (inert gas or chemical) | Floods the room, suppressing fire without damaging electronics | Requires room integrity testing, evacuation alarms before discharge, and costly refills |
| Portable extinguishers | Class-rated for the fire type (electrical fires need Class C / CO2) | Monthly visual checks, annual service, staff must actually know locations and ratings |

The recurring operational failures are mundane: suppression systems left in maintenance bypass after work and never re-armed, room integrity destroyed by uncapped cable penetrations so the clean agent escapes, and nobody on the night shift knowing where the manual release or abort buttons are. Each is a testing-and-procedure problem, not an engineering one - which is exactly why it lands in Domain 7.

Treating physical alarms like security alerts

A door forced open, a badge used at 3 a.m. by someone on leave, a camera that has been offline for a week, a temperature spike in a server room: these are detections, and they deserve the same lifecycle as SIEM alerts - routing to a monitored queue, triage with defined severities, documented response steps, and metrics on response time.

In practice the biggest gap is integration. Badge events and camera health usually live in a facilities system nobody in the SOC watches, so physical-digital attack correlation (badge entry followed by console logins on a different person's account) goes unseen. Bringing high-value physical events into the central monitoring platform - even just door alarms for sensitive rooms, badge anomalies, and environmental alerts - closes the gap cheaply. The complementary habit is the walkthrough audit: quarterly, physically verify that cameras cover what the diagram claims, doors actually latch, propped-door alarms fire, and UPS test results match the paperwork. Physical controls degrade through daily convenience, and only physical inspection catches a door wedged open with a fire extinguisher.
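The physical-digital correlation described above can be sketched as two detection rules run over badge and console events. This is an added example, not part of the original article; the event field names, people, rooms, the HR absence set, and the 15-minute window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names, people and rooms are assumptions.
BADGE_EVENTS = [
    {"time": "2025-03-04T02:58:00", "owner": "alice", "room": "server-room-1"},
    {"time": "2025-03-04T09:15:00", "owner": "bob", "room": "server-room-1"},
    {"time": "2025-03-04T14:00:00", "owner": "carol", "room": "comms-room-2"},
]
CONSOLE_LOGINS = [
    {"time": "2025-03-04T03:05:00", "account": "dave", "room": "server-room-1"},
    {"time": "2025-03-04T09:20:00", "account": "bob", "room": "server-room-1"},
]
ON_LEAVE = {"alice"}            # hypothetical HR absence feed
WINDOW = timedelta(minutes=15)  # how long a badge entry "explains" a console login


def _ts(value):
    return datetime.fromisoformat(value)


def detect(badge_events, console_logins, on_leave, window=WINDOW):
    """Return alerts as dicts with rule, severity, subject, room and time."""
    alerts = []
    # Rule 1: a badge was used while HR records its owner as on leave.
    for ev in badge_events:
        if ev["owner"] in on_leave:
            alerts.append({"rule": "badge_used_while_on_leave", "severity": "high",
                           "subject": ev["owner"], "room": ev["room"], "time": ev["time"]})
    # Rule 2: console login in a room where the only recent badge entries
    # belong to other people (badge entry followed by someone else's account).
    for login in console_logins:
        when = _ts(login["time"])
        recent = {ev["owner"] for ev in badge_events
                  if ev["room"] == login["room"]
                  and timedelta(0) <= when - _ts(ev["time"]) <= window}
        if recent and login["account"] not in recent:
            alerts.append({"rule": "badge_login_mismatch", "severity": "high",
                           "subject": login["account"], "room": login["room"],
                           "time": login["time"], "badged_in": sorted(recent)})
    # Oldest first, so the queue reads in event order.
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for alert in detect(BADGE_EVENTS, CONSOLE_LOGINS, ON_LEAVE):
        print(alert)
```

The window is the main tuning point: too short and staff who badged in earlier and are still in the room generate false mismatches, too long and an unrelated entry masks a real one.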

Common mistakes

Treating physical access control systems as one-time installations instead of ongoing operational responsibilities.

Allowing shared or borrowed badges for convenience.

Ignoring environmental warnings until equipment fails or outages occur.

Having no documented process for responding to physical security alarms or access anomalies.

Poor coordination between IT security, facilities, and corporate security teams.

Actionable checklist

  • Review badge issuance and revocation processes, and verify that they integrate with HR joiner and leaver events.
  • Ensure visitor procedures include identification, logging, and escorts where required.
  • Confirm that environmental sensors are installed in critical areas and that alerts are configured and tested.
  • Test UPS and generator systems on a defined schedule and record the outcomes.
  • Establish a joint response process with facilities and corporate security for physical and environmental events.
  • Train staff on physical security expectations, including how to report propped-open doors, tailgating, and unusual activity.

Key takeaways

  • Physical and environmental controls require daily operational attention just like technical controls.
  • Visitor and badge management are extensions of access control principles.
  • Environmental monitoring protects availability and hardware investments.
  • Coordination with facilities and corporate security is essential for effective operations.
  • CISSP Domain 7 expects you to integrate physical and logical operations into a coherent whole.

Exam-style reflection

Exam practice

Question: A data center experiences a brief power outage, but the UPS fails to keep systems online. Investigation shows the batteries were never tested or replaced. Which control activity was missing?

Answer: Regular testing and maintenance of power protection systems. UPS batteries must be tested and replaced on a schedule as part of operational procedures. Installing a UPS alone is not enough.




© 2025 Threat On The Wire. All rights reserved.