AP Cybersecurity Unit 2 Lesson 3 Lab


Lab — Operation Lock Check: Physical Security Walkthrough

6 steps, 30 points — Mixed formats: matching, fill-blank, select-all, MCQ, and written analysis

Each step uses a different assessment format.
Investigation Target
Ironclad Distribution Center

You are conducting a physical security walkthrough of Ironclad’s 200,000 sq ft distribution center. The facility operates 24/7 with 150 employees across 3 shifts. Six inspection areas reveal critical gaps in physical security controls.

Step 1: Matching
Classify Physical Controls
Match each control to its primary function: Deterrent, Preventive, or Detective.
Think first: Deterrent = discourages. Preventive = physically stops. Detective = records for investigation.
Razor wire on perimeter fence visible from parking lot
Mantrap with dual badge readers at server room
Motion-activated cameras with 30-day footage retention
Answers: Razor wire = Deterrent (discourages climbing). Mantrap = Preventive (physically stops tailgating). Cameras = Detective (records activity for after-the-fact investigation).
Exam Tip: Controls serve different timeline purposes: deterrents discourage before an attempt, preventive controls stop during an attempt, detective controls record for investigation after an attempt.
Step 2: Fill in the Blank
Complete the Walkthrough Findings
Fill in the correct physical security term for each finding.
Think first: Each blank is a specific vulnerability or policy name.

(1) Employees hold doors for unverified strangers. This is called ____.

(2) Server room at 84°F with no alert. Failure of ____ monitoring.

(3) Gate code 1234# shared by all 150 staff provides no ____ of who entered.

(4) Printed manifests and USB on desk overnight need a ____ policy.

(5) Old hard drives in regular recycling need ____ destruction.

Answers: (1) tailgating (following through doors). (2) environmental monitoring. (3) audit trail. (4) clean desk policy. (5) physical destruction.
Exam Tip: Key vocabulary: tailgating (exploits courtesy), environmental monitoring (temperature/humidity/water), audit trail (who entered when), clean desk (secure workspace), physical destruction (degauss/shred/drill).
Step 3: Select All That Apply
Identify Server Room Requirements
Select ALL controls appropriate for a server room.
Think first: Server rooms need access control, environmental protection, and monitoring. What does NOT belong?
Correct: Badge access (A), temp sensors (B), clean agent fire suppression (D), camera (E). Wrong: Windows (C) create heat gain and visual access to equipment. Shared key locks (F) have no audit trail and cannot be remotely revoked.
Exam Tip: Server room essentials: individual badge access (auditable), environmental monitoring (temp 68-72°F), clean agent fire suppression (NOT water), cameras (30+ day retention). Never: windows, shared keys, water sprinklers.
Step 4: Multiple Choice
Prioritize the Most Critical Finding
Findings: open loading docks, propped server room door, unsecured devices, shared gate code, and exposed documents. Which is MOST critical?
Predict first: Which finding gives an attacker access to the most sensitive assets?
C is most critical. A propped server room door gives anyone access to network switches, servers, and cabling — enabling physical network implants that bypass ALL logical security controls. The loading docks (B) are serious but lead to the warehouse, not directly to infrastructure.
Exam Tip: Prioritize by asset sensitivity: server room access = network infrastructure = potential for complete cyber compromise. Physical access to switches trumps all other physical findings.
Step 5: Analysis
Evaluate Visitor Management
A pen tester in a delivery uniform walked to the server room unchallenged. No ID check, no schedule verification, no escort.
5a. Select the root cause:
5b. Design a visitor management system that prevents this.
Key terms: ID, photo, badge, scan, verify, schedule, escort, restrict, log, expiration, check-in, alert, kiosk
B is correct. The root cause is a missing process, not an individual failure. Design: Digital check-in kiosk scanning photo ID, automated screening against restricted lists, printed visitor badge with photo/name/expiration, mandatory escort to restricted areas, badge return at checkout.
Exam Tip: Visitor management has three layers: verify identity (ID scan), verify purpose (schedule check), and control movement (escort). Missing ANY layer creates an exploitable gap.
Step 6: Written Response
Write the Physical Security Policy
Write three policy requirements addressing the most critical findings. For each, state the rule and what threat it mitigates.
Key terms: badge, individual, access, log, camera, temperature, clean desk, lock, escort, visitor, server room, code, revoke, audit, dedicated
Model: Policy 1: Server room doors must auto-close with badge-only entry — no propping permitted under any circumstances — prevents unauthorized physical access to network infrastructure. Policy 2: All visitor access requires photo ID verification, purpose validation, and mandatory escort in restricted areas — prevents social engineering entry. Policy 3: Replace shared gate code with individual badge credentials for perimeter entry with access logging — creates audit trail and enables instant revocation.
Exam Tip: Physical security policies must be specific (“badge-only”), enforceable (auto-closing doors), and auditable (access logs). Vague policies like “be careful” provide no protection.
AP Cybersecurity 2.3 Lab | APCSExamPrep.com | Built by Tanner Crow, AP CS Teacher (11+ years)
AP® is a registered trademark of the College Board.
