Friday, July 31, 2009

Legal and Compliance help for Security

Over the last couple of years, there has been so much discussion around Security and IT "convergence". I myself have sat in meetings with the reluctant IT team who, due to "Streamlining" and "Downsizing", has been placed in charge of a disparate video and access control system.

Issues can be raised on both sides. The Security Team loses control of very important assets in getting their basic jobs done. The IT Team has a better understanding of the underlying infrastructure required for many of the modern security systems. The Security Team should be open to the idea of not having to support a fully networked system because it frees them up to focus on their primary objectives. The IT Department ticketing system is cumbersome, and it is difficult to get immediate answers to problems through it. These types of issues often raise walls between the teams, which seem impassable.

But consider for a moment who the internal customers of the security system (specifically CCTV) might be, and how the ongoing argument and apparent gridlock might affect them. Consider the Legal Department first. Imagine a consumer filing a complaint that says they slipped in a back aisle of a store. The Legal Department calls upon the Security Department to show all video from the store's CCTV System that might prove or disprove the case. The Security Department connects remotely to the in-store recording system, downloads the appropriate video, and centrally stores it for legal purposes. A timely presentation of video shows the consumer set up the scene and acted injured. Case closed. But if the video system is not connected to the corporate network, the process becomes quite cumbersome, and risks to the "chain of evidence" and time delays become standard!

Compliance is another group often affected by a security system's remote connectivity. Standard Operating Procedures (SOP) of an organization may require that a branch maintain at least 90 days of storage in a retail bank's video recording system. With proper network connectivity, and centralized management software showing "Days on Disk" in a spreadsheet-type format, a regular check of the system for compliance, immediately, and by the Compliance Officer themselves, is natural and simple. Imagine attempting to accomplish the same goal requiring potentially hundreds of individuals (store managers or technicians) with a written process of querying the recording system and reporting back to a central group of people in the hopes that, at some time, the information can be compiled and put into a spreadsheet-like format with a limited number of errors.
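As an added illustration (not part of the original post), here is how a centrally collected "Days on Disk" report could be checked against the 90-day SOP. The CSV columns, the sample rows and the two-day staleness limit are assumptions, not any vendor's export format.

```python
import csv
import io
from datetime import date, datetime

REQUIRED_DAYS = 90        # SOP retention from the paragraph above
MAX_REPORT_AGE_DAYS = 2   # assumption: older reports cannot be trusted

# Constructed sample export; column names are hypothetical.
SAMPLE_REPORT = """branch,recorder,oldest_recording,last_report
Main St,NVR-01,2009-04-20,2009-07-31
Main St,NVR-02,2009-06-15,2009-07-31
Airport,NVR-01,2009-03-01,2009-07-12
Harbor,NVR-01,,2009-07-31
"""

def parse_day(text):
    """Return a date for YYYY-MM-DD text, or None if missing or malformed."""
    try:
        return datetime.strptime(text.strip(), "%Y-%m-%d").date()
    except (ValueError, AttributeError):
        return None

def audit(report_text, today):
    """Classify each recorder as ok, short, stale or no_data."""
    results = []
    for row in csv.DictReader(io.StringIO(report_text)):
        oldest = parse_day(row.get("oldest_recording"))
        reported = parse_day(row.get("last_report"))
        # Days on disk = age of the oldest video still held by the recorder.
        days = (today - oldest).days if oldest else None
        if reported is None or (today - reported).days > MAX_REPORT_AGE_DAYS:
            status = "stale"    # a silent recorder is never assumed compliant
        elif days is None or days < 0:
            status = "no_data"  # missing or impossible oldest-recording date
        elif days < REQUIRED_DAYS:
            status = "short"
        else:
            status = "ok"
        results.append((row["branch"], row["recorder"], days, status))
    return results

def exceptions(results):
    """Only the rows a Compliance Officer has to follow up on."""
    return [r for r in results if r[3] != "ok"]

if __name__ == "__main__":
    for branch, recorder, days, status in audit(SAMPLE_REPORT, date(2009, 7, 31)):
        print(f"{branch:10} {recorder:7} {str(days):>5} {status}")
```

The "stale" status is what the disconnected, manually reported process cannot give: a recorder that has stopped reporting shows up as an exception instead of silently dropping off the spreadsheet.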

Take heed, Security Managers: maybe "discussions" with IT about the cost of them supporting your large rollout of NVRs are NOT such a huge issue. Perhaps gaining the ear of the Legal Department is another way to overcome these impasses and maybe even provide increased budget...

Security Caffeine...

Thursday, July 16, 2009

Bandwidth Challenges and IP Video

As the convergence of Security and IT becomes more prevalent, the need for CCTV Video Review across an organization's network is becoming more and more common. For the Physical Security Professional, there is not much to be concerned about, as their interface to the video may or may not change. However, for the IT Professional, the implications of putting video on an organization's network can be very intimidating, and the move is often resisted with great effort.

When faced with this possible task, there are a few things that should be considered which may make the decision-making much easier. First, consider how much video will actually be traversing the network. An IP Video system can be built such that higher-frame-rate, higher-resolution video (requiring much more bandwidth) is used only in alarm-type scenarios and is transmitted only across a designated network pipe. This allows for much better control of the amount of video.

Second, to manage the bandwidth, give careful consideration to which spans the video really needs to traverse. If built properly, a Networked Digital Video system should have very little negative impact on the organization's corporate network. By utilizing distributed recording platforms wherever possible and dedicated LANs, separated by virtual private networks, the direction the video flows may be controlled quite comfortably.

Third, review the list of potential users and manage those users with the inherent throttling capabilities of the Recording System or with the network's own technologies, like QoS. This gives appropriate amounts of bandwidth to the critical users/applications, and reduces bandwidth across those network spans.

Lastly, consider the many different types (by criticality) of video and where each should/could be stored. In some environments and Recording Systems, video may be segmented and flagged for longer-term storage (whether on the original recording device or in an off-site storage system). Consider storing surveillance video (24/7 video) for a few days and then having the system automatically remove pictures WITHOUT motion to free up HDD space. Then, after another period of time, see if the system can automatically offload event video (alarms or transactions) to centralized storage at a designated point during the late night.
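The storage tiers described above, sketched as an added example (not code from the original post or from any recording system). The three-day and fourteen-day thresholds, the 01:00 to 04:59 offload window and the sample segments are assumptions standing in for "a few days", "another period of time" and "late night".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical thresholds; tune to the organization's own policy.
FULL_KEEP = timedelta(days=3)     # keep every frame of 24/7 video this long
EVENT_LOCAL = timedelta(days=14)  # keep event video on the recorder this long
OFFLOAD_HOURS = range(1, 5)       # WAN transfers allowed 01:00-04:59 only

@dataclass
class Segment:
    recorded_at: datetime
    kind: str          # "continuous" (24/7) or "event" (alarm or transaction)
    has_motion: bool
    size_mb: int

def plan(segment, now):
    """Decide what one maintenance pass does with a recorded segment."""
    age = now - segment.recorded_at
    if segment.kind == "event":
        if age < EVENT_LOCAL:
            return "keep"
        # Old event video moves to central storage, but only off-hours,
        # so the transfer never competes with daytime traffic.
        return "offload" if now.hour in OFFLOAD_HOURS else "defer"
    if age < FULL_KEEP or segment.has_motion:
        return "keep"
    return "prune"     # old 24/7 video without motion frees local disk

def summarize(segments, now):
    """Return (actions, MB pruned locally, MB queued for the WAN)."""
    actions = [plan(s, now) for s in segments]
    pruned = sum(s.size_mb for s, a in zip(segments, actions) if a == "prune")
    wan = sum(s.size_mb for s, a in zip(segments, actions) if a == "offload")
    return actions, pruned, wan

# Constructed sample recordings for one branch recorder.
SAMPLE = [
    Segment(datetime(2009, 7, 15, 9), "continuous", False, 400),
    Segment(datetime(2009, 7, 10, 9), "continuous", False, 400),
    Segment(datetime(2009, 7, 10, 10), "continuous", True, 400),
    Segment(datetime(2009, 6, 25, 12), "event", True, 120),
    Segment(datetime(2009, 7, 12, 12), "event", True, 120),
]

if __name__ == "__main__":
    for when in (datetime(2009, 7, 16, 14), datetime(2009, 7, 17, 2)):
        print(when, summarize(SAMPLE, when))
```

Run at 14:00, the old event segment is deferred and nothing crosses the WAN; run at 02:00, the same segment is offloaded, which is the bandwidth control the paragraph is after.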

Careful consideration and proper planning/design will ensure a successful implementation of IP Video in an organization's corporate network. We have only reviewed a few thoughts related to bandwidth and IP video.

For more information, feel free to comment on the blog...


Security Caffeine

Tuesday, July 14, 2009

Securing Utilities

Securing a nation's utilities has become very important over the last few years. Here, we'll review The Why, The What and start getting into The How of securing an organization's utilities.

THE WHY and THE WHAT - Reviewing just the MAJOR Utilities, and what impact could be felt.

Water and Sewage - Not many think about Water and Wastewater as a significant target. However, in many cases a city's reservoir holds only up to 3 days of reserve for an entire community. Of course this means if any significant damage were imposed upon the major pumping stations, the community would be without water. It only takes a matter of days before lack of water can cause significant impact on health and social interests. Of course "significant damage" could be something as simple as injecting insecticides in key locations in the system, or something as dramatic as a bomb destroying an entire plant.

Electricity and Natural Gas - We have all grown accustomed to the warmth and cooling these two utilities provide to our homes and work spaces. Significant impact on either can certainly result in lack of creature comfort, but consider also the potential for toxic and physical damages to those living anywhere near the plants.

Telecommunications - Recent natural catastrophes have shown how difficult it can be to coordinate emergency efforts without telecommunications. Land lines, cellular, and even satellite communication can be disrupted during significant events. Without proper preparation, emergency response teams are effectively working with a severe handicap. Telecommunications is also interesting because there are some relatively unknown attacks performed upon these services without the general public knowing. Domestic and International Terrorism are typically referred to in Risk Analyses, but many overlook the more common occurrence of Copper Theft and weekend sharpshooters from the local population.

THE HOW - Reviewing how organizations might approach Security for Utilities

First, establish a Physical Perimeter. The easiest, and usually most convenient, way to do this is to build a fence. Whether a large, plant-like installation, or a small pumping or transfer station, the logic is the same - install a fence to restrict entry. With new technologies, an alternative or supplement may also be considered - a Virtual Fence, using CCTV cameras and an alerting system. Specifically in small, remote locations where building fences may not be an effective use of budget, or where existing fences may need additional security practices applied, the end user may consider using IP CCTV, Alarm and Access Control to protect the sites. Strategically located cameras, integrated access control, wireless communications and Digital Video Recording Platforms can be built to establish a highly effective alerting tool, which can be monitored and managed centrally. Upon illegal entry into a restricted area, a system can respond with a multitude of tasks:

- Automatically upload multiple snapshots to a central monitoring station, and/or law enforcement

- Automatically annunciate an on-site alert, notifying the potential aggressor that pictures have been sent to local authorities

- Automatically trigger additional security procedures, such as alerting local law enforcement or moving PTZ Cameras to defined presets

In larger, plant-like environments, additional cameras with perimeter analytics (like tripwires, objects approaching, object left behind, and object taken away) would certainly provide increased security for a very reasonable financial investment. As well, it might not be financially prudent to trench up the ground to add new cameras, access control, or even just new buildings. This has been an issue in the past considering all the logistics involved. But using new wireless technologies, simple point-to-point and point-to-multi-point platforms provide a means by which networking (video, alarms, audio, web, LAN/WAN) may be added quickly and cost-effectively. In fact, wireless applications, if designed and implemented correctly, provide a tremendous advantage in time and overall cost when compared with traditional means of networking. This is one of the reasons why wireless networks are installed in most buildings today (whether we see them or not, they are there).

Once the Physical Perimeter is established, next consider Critical Assets and how they might be protected. In a Water/Wastewater Plant, Critical Assets may be defined by the larger pumps and control stations inside buildings, or by overflow channels where a person might approach and inject hazardous materials into the Water System. Integrated Access Control and strategically located CCTV cameras can accomplish most of the deterrent as well as prosecutorial effect.

In Electric, Natural Gas and Telecommunications Stations and Plants, the issue starts to become more "cyber" in nature. Providing security to those Critical Assets inside the building and on a network becomes very important. On May 29, 2009, President Obama presented a stirring speech referencing the many risks and challenges we as a country face in securing these Critical Assets. Many federal efforts are being put in place to provide additional budgetary dollars for this purpose. Included in this will be dollars for adding physical security to protect the cyber interests. This is very good news for those impacted so severely by the recent economic downturns. Still, providing fully integrated systems of Access Control, Alarm and CCTV becomes incredibly important. No more is it acceptable to simply add a few cameras or Access Control points in the hope that they will deter criminals. By integrating Access Control, Alarm and CCTV, the organization can be made aware immediately of changes and respond appropriately with accuracy. The organization can also manage these systems over readily available IP Networks if the correct solution is applied.

There are many different items to be considered when securing utilities. Fundamentally, those making the decisions should consider organizations experienced in just that and have a Risk Assessment performed to give an adequate, well-thought-out plan.

Happy Protecting...

Security Caffeine
