A substantial focus of the security industry is on the selection and installation of security systems, and there is no doubt that this is a critical element of the process. However, in order to ensure that security systems such as access control, video surveillance, intrusion detection and panic alarms deliver on ‘game day’, an equal if not greater emphasis has to be put on the actions that are taken after the installers have closed the doors on the truck and driven away. This article covers some important issues that were covered at the 2019 International Association of Professional Security Consultants (IAPSC) annual conference in Miami, Florida, where Frank Pisciotta, CSC, Business Protection Specialists, Inc. and Michael Silva, CPP, Silva Consultants, facilitated a discussion among security professionals on the topic. Backwards compatibility in access control solutions David Barnard of RS2 security highlighted the importance of backwards compatibility in access control solutions David Barnard of RS2 Technologies LLC highlighted the importance of backwards compatibility in access control software solutions. Reputable manufacturers are constantly evolving software products and it is critical that software continues to work with all installed hardware or owners will find themselves purchasing equipment a second time, which is never good news. An example, a case study with a client where the video management software upgrades were not backwards compatible through the mobile app and a small manufacturing site was looking at a US$ 75,000 price tag to upgrade cameras to make them compatible with the ‘updated software’. Risks of failures in door hardware products Jim Primovic from ASSA ABLOY cautioned about the risks of failures in door hardware products resulting in a failure to attention to detail in the selection and, in particular, the installation process. He explained the importance of using certified installers to avoid operation problems. In light of constantly evolving software revisions, how often does one see any additional training provided to end users when software updates are released? Charles Johnson of Open Options raised this important point and it is an excellent one. As organisations think about structuring maintenance agreements, it might be wise to consider ongoing training to cover software updates and ensure that end users can continue to optimise the features and benefits of software revisions. Software Support Kim Kornmaier of Honeywell mentioned another element of security system lifecycle consideration, which is ‘Software Support’. Maintenance agreements are available and will likely be offered from every installer and come in a variety of flavours. However, care needs to be exercised to ensure that whatever services and support are included, in the scope of a maintenance agreement, have a clear correlation between service and software upgrades versus the fee charged. Software upgrades and system testing Maintenance agreements should be avoided that simply guarantee the free replacement of parts (which may or may not ever get used, even after you pay for it). Services that should be considered include software upgrades, system testing and replacement of consumable parts, like back up batteries. Another key issue ties directly to periodically measuring and ensuring the risk reduction results of security systems, for example, with an access control system, there are several actions recommended for system owners, including: Conduct periodic door and alarm testing - This presumes users have installed all of the necessary parts to enable alarm monitoring). These tests should include the mechanical testing of doors and confirming door-held-open-too-long and forced-door alarms are properly reporting to the alarm client. Importance of harnessing door alarming capacity Excessive door alarms are an indication of either a user or system problem Excessive door alarms are an indication of either a user or system problem or all alarms should be investigated to determine root cause and corrective action needed. Organisations who fail to harness door alarming capability are giving away up to 50 percent of the system's potential benefit. Ensuring the integrity of the access control database is of prime importance. The failure to manage this can lead to unauthorised access and serious security incidents. This can be achieved in a variety of ways, but in the majority of risk assessments they have conducted over the years, it is common to find separated employees and contractor records with active credentials in the database. Ways to mitigate this risk include: Integrating your access control database with active directory (works for employees, not so well for contractors); Utilising expiration dates on contractor credentials; Periodically manually auditing contractor and employee active badge reports for anomalies, which may indicate process weaknesses in the change management process; Utilising the ‘use it or lose it’ feature in many software programs that automatically disable a credential after a set period of non-use (e.g., 90 days); and Establishing processes to limit the removal of certain badges from the site (e.g., those issued to contractors or temporary employees). ‘First Card Unlock’ feature Irregular schedules, holidays and natural disasters can result in access vulnerability. For instance, if access-controlled doors at a site are programmed to open on a timer and something prevents persons from arriving at work (e.g., snowstorm), a site may be left exposed. A mitigation technique against this type of risk would be to employ a concept called ‘First Card Unlock’. Under this feature, a lobby entrance to an office, for instance, would not enter into an unlocked state, until the first authorised employee presented a card and entered the workplace. Changing holiday programming in security systems Holiday programming in some systems needs to be changed on an annual basis Holiday programming in some systems needs to be changed on an annual basis. Managing holidays in an access control system results in doors staying secure which would otherwise be unlocked on a normal business day. Similarly, intrusion detection, duress devices and video surveillance systems can let users down without the proper care and feeding. Examples would include: A panic device fails to communicate an emergency situation because it was not properly reset or the wiring has been damaged due to poor installation. Panic devices should be regularly tested and ideally the activation during testing should be by a person who would be required to use the device in an actual incident. The objective here is to build competency in the persons who may need to activate a device discretely. Similarly, intrusion detection systems should be carefully tested to ensure that all devices are properly reporting to the panel and that the panel is communicating properly to the central station. If there are redundant communications channels, each should be verified. In the same way someone would conduct audits of active credentials in an access control system, it is strongly recommended that users perform a similar review with PIN codes, which have been assigned and would allow for an unauthorised person to disarm a system. Utilising the failure-to-close feature to ensure that through collusion or negligence, if the last person out of a restricted area fails to arm the panel, the central station will notify a responsible party about the omission. Further, reviewing opening and closing reports might well detect inappropriate entries by authorised personnel which are indicative of suspicious or illegal activity. These features and reports will likely be at an additional cost, but they are important insurance to protect against insider threat. It is not uncommon to hear about an incident happening and during the investigation, the owner of the system discovers that the needed camera was not recording. Where video is not under routine observation, it is recommended to determine if your video management system can send an alarm in the event of video loss. This would allow for rapid remediation before the video loss is discovered in the course of an investigation. Avoiding degraded video quality over time In almost every case, degraded video quality is directly related to resource saturation With respect to video surveillance, as systems grow and evolve over the life of the system, organisations may experience degradation. Darren Giacomini of BCDVideo has studied this issue extensively and concludes that in many cases, installers or others are simply putting too many devices on a VLAN, which results in latency and other conflicts. Degraded video quality has a finite number of potential root causes. In almost every case, degraded video quality is directly related to resource saturation. The resources on a surveillance network consist of IP cameras, network switches, network uplinks, viewing stations, database management and archives. Resource depletions According to Giacomini, each of the resource shares a common thread. And, at the basic level, each of those items is nothing more than a purpose-built computer with limited CPU, memory and network capacity. When any of these resources exceed their capacity, the quality of service delivered will degrade. The following are common resource depletions that can degrade video quality and require a much deeper dive, but are included here as a starting point: IP camera CPU utilisation is in excess of 85 percent; CPU elevation in the decoder or workstation decoding the video; and Network congestion or CPU elevation in the network switch. Maintaining the integrity of archived video data Giacomini indicated that the majority of the time degraded video is associated with resource depletion Giacomini indicated that the majority of the time degraded video is associated with resource depletion in one of these key components. Investigation of the potential causes can save time and effort, and prevent a video management software application from unduly being blamed for poor performance during its lifecycle. Also, on the topic of video, John Kampfhenkel, Director of Technical Sales at Veracity discussed the challenges that organisations face when video management system storage is undersized and the need to carefully plan for video retention of existing recorded data when the video system has to be expanded. This can be a problem organisations face and when they do, it is best to involve a video storage expert to determine options, costs and potential legal requirements for maintaining the integrity of archived video data. Selecting the right security technology Dependent on the level and type of integration between various systems, another challenge may be to preserve the integration between the two systems. System owners will need to coordinate carefully with installer(s) to ensure that a software revision to one system will not result in a disruption to a software level integration. This type of integration may require a delay in being able to upgrade one or the other application software versions until the integration can again be certified. Selecting the right security technology is an important element of an organisation's security risk management. However, experts would argue that in terms of getting measurable results from technology, there needs to be a keen focus on sustaining activities after the installer closes the doors and drives away. By adhering to the consultant and manufacturers' guidance in this article, organisations can substantially reduce the risk to people, assets and information, and prevent criminal and terrorist incidents in the workplace.
The statistics are staggering. The death tolls are rising. And those who now fear environments that were once thought to be safe zones like school campuses, factories, commercial businesses and government facilities, find themselves having to add the routine of active-shooter drills into their traditional fire drill protocols. The latest active shooter statistics released by the FBI earlier this year in their annual active-shooter report designated 27 events as active shooter incidents in 2018. The report reveals that 16 of the 27 incidents occurred in areas of commerce, seven incidents occurred in business environments, and five incidents occurred in education environments. Deadly active-shooter events Six of the 12 deadliest shootings in the country have taken place in the past five years Six of the 12 deadliest shootings in the country have taken place in the past five years, including Sutherland Springs church, Marjory Stoneman Douglas High School, the San Bernardino regional center, the Walmart in El Paso and the Tree of Life Synagogue in Pittsburgh, which have all occurred since 2015. Although these incidents occurred in facilities with designated entry points common to churches, schools and businesses, the two most deadly active-shooter events since 2015 were the Route 91 Harvest music festival shooting in Las Vegas that left 58 dead and the Pulse nightclub killings in Orlando where 49 perished. As Christopher Combs, special agent in charge of the FBI field office in San Antonio, Texas, said during a news conference following the August 31 mass shooting in Odessa, Texas that claimed seven lives: “We are now at almost every two weeks seeing an active shooter in this country." Active shooter incidents Between December 2000 and December 2018, the FBI’s distribution of active shooter incidents by location looks like this: Businesses Open to Pedestrian Traffic (74) Businesses Closed to Pedestrian Traffic (43) K-12 Schools (39) Institutions of Higher Learning (16) Non-Military Government Properties (28) Military Properties—Restricted (5) Healthcare Facilities (11) Houses of Worship (10) Private Properties (12) Malls (6) What the majority of these venues have in common is they all have a front entrance or chokepoint for anyone entering the facilities, which is why any active-shooter plan must include a strategy to secure that entry point. Situational awareness in perimeter and door security Preventing people with the wrong intentions from entering the space is the goal" According to Paul Franco, an A&E with more than 28 years of experience as a consultant and systems integrator focusing on schools, healthcare and large public and private facilities, that while active shooter incidents continue to rise, the residual effect has been an increase in situational awareness in perimeter and door security. “Certainly, protecting people and assets is the number one goal of all our clients. There are multiple considerations in facilities like K-12 and Healthcare. Preventing people with the wrong intentions from entering the space is the goal. But a critical consideration to emphasise to your client is getting that person out of your facility and not creating a more dangerous situation by locking the person in your facility,” says Franco. High-security turnstiles “Schools today are creating a space for vetting visitors prior to allowing access into the main facility. Using technology properly like high-security turnstiles offer great benefits in existing schools where space constraints and renovation costs can be impractical.” What steps should they be taken when recommending the proper door security to ensure the building is safe As a consultant/integrator, when discussions are had with a client that has a facility in a public space like a corporate building, government centre or industrial facility, what steps should they be taken when recommending the proper door security to ensure the building is safe and can protect its people and assets? For Frank Pisciotta, President and CEO of Business Protection Specialists, Inc. in Raleigh, North Carolina, a fundamental element of his security strategy is making appropriate recommendations that are broad-based and proactive. Properly identifying the adversaries “As a consultant, my recommendations must include properly identifying the adversaries who may show up at a client’s door, the likelihood of that event occurring, the consequences of that event occurring, determining if there are tripwires that can be set so an organisation can move their line of defence away from the door, educating employees to report potential threats and creating real-time actionable plans to respond to threats. A more reactionary posture might include such thing as target hardening such as ballistic resistant materials at entry access points to a facility,” Pisciotta says. Veteran consultant David Aggleton of Aggleton & Associates of Mission Viejo, California recommends that clients compartmentalise their higher security areas for limited access by adding multiple credential controls (card + keypad + biometric), along with ‘positive’ access systems that inhibit tailgating/piggybacking such as secure turnstiles, revolving door and mantrap if your entrances and security needs meet the required space and access throughput rates. Integrated solution of electronic access control Defining a single point of entry in some public facilities is becoming the new standard of care according to many A&Es and security consultants, especially in a school environment. This approach allows a concerted effort when it comes to staffing, visitor monitoring and an integrated technology solution. The bottom line remains: most buildings are vulnerable to a security breach A proactive stance to securing a door entryway will use an integrated solution of electronic access control, turnstiles, revolving doors and mantraps that can substantially improve a facility’s security profile. The bottom line remains: most buildings are vulnerable to a security breach, so it’s not a matter of if there will be a next active shooter tragedy, it’s only a matter of where. Enhancing access control assurance “There is no easy answer to this question,” says Pisciotta referring to how a secured entrance can deter an active shooter. “There have been at least two high-profile incidents of adversaries shooting their way into a facility through access control barriers. So, if the threat so dictates, a ballistic resistant might be required.” He concludes: “There is obviously no question that turnstiles, revolving doors and man traps enhance access control assurance. Electronic access control is easy to integrate with these devices and providing that credentials are secure, approval processes are in place, change management is properly managed and the appropriate auditing measures in place, access control objectives can be met.”