A substantial focus of the security industry is on the selection and installation of security systems, and there is no doubt that this is a critical element of the process. However, in order to ensure that security systems such as access control, video surveillance, intrusion detection and panic alarms deliver on ‘game day’, an equal if not greater emphasis has to be put on the actions that are taken after the installers have closed the doors on the truck and driven away.

This article covers some important issues that were discussed at the 2019 International Association of Professional Security Consultants (IAPSC) annual conference in Miami, Florida, where Frank Pisciotta, CSC, Business Protection Specialists, Inc. and Michael Silva, CPP, Silva Consultants, facilitated a discussion among security professionals on the topic.

Backwards compatibility in access control solutions

David Barnard of RS2 Technologies LLC highlighted the importance of backwards compatibility in access control software solutions. Reputable manufacturers are constantly evolving their software products, and it is critical that software continues to work with all installed hardware, or owners will find themselves purchasing equipment a second time, which is never good news. One example is a case study with a client where the video management software upgrades were not backwards compatible through the mobile app, and a small manufacturing site was looking at a US$ 75,000 price tag to upgrade cameras to make them compatible with the ‘updated software’.

Risks of failures in door hardware products

Jim Primovic from ASSA ABLOY cautioned about the risks of failures in door hardware products resulting from a lack of attention to detail in the selection and, in particular, the installation process. He explained the importance of using certified installers to avoid operational problems.
In light of constantly evolving software revisions, how often does one see any additional training provided to end users when software updates are released? Charles Johnson of Open Options raised this important point and it is an excellent one. As organisations think about structuring maintenance agreements, it might be wise to consider ongoing training to cover software updates and ensure that end users can continue to optimise the features and benefits of software revisions.

Software Support

Kim Kornmaier of Honeywell mentioned another element of security system lifecycle consideration, which is ‘Software Support’. Maintenance agreements are available, will likely be offered by every installer and come in a variety of flavours. However, care needs to be exercised to ensure that, whatever services and support are included in the scope of a maintenance agreement, there is a clear correlation between the service and software upgrades provided and the fee charged.

Software upgrades and system testing

Maintenance agreements that simply guarantee the free replacement of parts (which may or may not ever get used, even after you pay for them) should be avoided. Services that should be considered include software upgrades, system testing and replacement of consumable parts, like backup batteries.

Another key issue ties directly to periodically measuring and ensuring the risk reduction results of security systems. For example, with an access control system, there are several actions recommended for system owners, including:

Conduct periodic door and alarm testing (this presumes users have installed all of the necessary parts to enable alarm monitoring). These tests should include the mechanical testing of doors and confirming that door-held-open-too-long and forced-door alarms are properly reporting to the alarm client.

Importance of harnessing door alarming capacity

Excessive door alarms are an indication of either a user or system problem, and all alarms should be investigated to determine the root cause and the corrective action needed. Organisations that fail to harness door alarming capability are giving away up to 50 percent of the system's potential benefit.

Ensuring the integrity of the access control database is of prime importance. The failure to manage this can lead to unauthorised access and serious security incidents. This can be achieved in a variety of ways, but in the majority of risk assessments they have conducted over the years, it is common to find separated employee and contractor records with active credentials in the database. Ways to mitigate this risk include:

- Integrating your access control database with Active Directory (works for employees, not so well for contractors);
- Utilising expiration dates on contractor credentials;
- Periodically manually auditing contractor and employee active badge reports for anomalies, which may indicate process weaknesses in the change management process;
- Utilising the ‘use it or lose it’ feature in many software programs that automatically disables a credential after a set period of non-use (e.g., 90 days); and
- Establishing processes to limit the removal of certain badges from the site (e.g., those issued to contractors or temporary employees).

‘First Card Unlock’ feature

Irregular schedules, holidays and natural disasters can result in access vulnerability. For instance, if access-controlled doors at a site are programmed to open on a timer and something prevents persons from arriving at work (e.g., a snowstorm), a site may be left exposed. A mitigation technique against this type of risk would be to employ a concept called ‘First Card Unlock’.
Under this feature, a lobby entrance to an office, for instance, would not enter an unlocked state until the first authorised employee presented a card and entered the workplace.

Changing holiday programming in security systems

Holiday programming in some systems needs to be changed on an annual basis. Managing holidays in an access control system results in doors staying secure which would otherwise be unlocked on a normal business day.

Similarly, intrusion detection, duress devices and video surveillance systems can let users down without the proper care and feeding. Examples would include:

A panic device fails to communicate an emergency situation because it was not properly reset or the wiring has been damaged due to poor installation. Panic devices should be regularly tested, and ideally the activation during testing should be by a person who would be required to use the device in an actual incident. The objective here is to build competency in the persons who may need to activate a device discreetly.

Similarly, intrusion detection systems should be carefully tested to ensure that all devices are properly reporting to the panel and that the panel is communicating properly to the central station. If there are redundant communications channels, each should be verified.

In the same way someone would conduct audits of active credentials in an access control system, it is strongly recommended that users perform a similar review of PIN codes which have been assigned and would allow an unauthorised person to disarm a system.

Utilise the failure-to-close feature to ensure that if, through collusion or negligence, the last person out of a restricted area fails to arm the panel, the central station will notify a responsible party about the omission.
Further, reviewing opening and closing reports might well detect inappropriate entries by authorised personnel which are indicative of suspicious or illegal activity. These features and reports will likely be at an additional cost, but they are important insurance to protect against insider threat.

It is not uncommon to hear about an incident happening and, during the investigation, the owner of the system discovering that the needed camera was not recording. Where video is not under routine observation, it is recommended to determine if your video management system can send an alarm in the event of video loss. This would allow for rapid remediation before the video loss is discovered in the course of an investigation.

Avoiding degraded video quality over time

With respect to video surveillance, as systems grow and evolve over the life of the system, organisations may experience degradation. Darren Giacomini of BCDVideo has studied this issue extensively and concludes that in many cases, installers or others are simply putting too many devices on a VLAN, which results in latency and other conflicts.

Degraded video quality has a finite number of potential root causes. In almost every case, degraded video quality is directly related to resource saturation. The resources on a surveillance network consist of IP cameras, network switches, network uplinks, viewing stations, database management and archives.

Resource depletions

According to Giacomini, each of these resources shares a common thread: at the basic level, each of those items is nothing more than a purpose-built computer with limited CPU, memory and network capacity. When any of these resources exceeds its capacity, the quality of service delivered will degrade.
The following common resource depletions can degrade video quality. Each requires a much deeper dive, but they are included here as a starting point:

- IP camera CPU utilisation in excess of 85 percent;
- CPU elevation in the decoder or workstation decoding the video; and
- Network congestion or CPU elevation in the network switch.

Maintaining the integrity of archived video data

Giacomini indicated that the majority of the time degraded video is associated with resource depletion in one of these key components. Investigation of the potential causes can save time and effort, and prevent a video management software application from being unduly blamed for poor performance during its lifecycle.

Also on the topic of video, John Kampfhenkel, Director of Technical Sales at Veracity, discussed the challenges that organisations face when video management system storage is undersized, and the need to carefully plan for video retention of existing recorded data when the video system has to be expanded. When organisations face this problem, it is best to involve a video storage expert to determine options, costs and potential legal requirements for maintaining the integrity of archived video data.

Selecting the right security technology

Depending on the level and type of integration between various systems, another challenge may be to preserve the integration between the two systems. System owners will need to coordinate carefully with installer(s) to ensure that a software revision to one system will not result in a disruption to a software-level integration. This type of integration may require delaying an upgrade of one or the other application's software version until the integration can again be certified.

Selecting the right security technology is an important element of an organisation's security risk management.
However, experts would argue that in terms of getting measurable results from technology, there needs to be a keen focus on sustaining activities after the installer closes the doors and drives away. By adhering to the consultants' and manufacturers' guidance in this article, organisations can substantially reduce the risk to people, assets and information, and prevent criminal and terrorist incidents in the workplace.
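
The periodic audit of active badge reports recommended in the access control database section can be scripted. The following is an added example, not part of the original article or any vendor's software: it assumes a badge export and an HR roster with the hypothetical field names shown, and all sample records are constructed.

```python
from datetime import date, timedelta

NON_USE_LIMIT = timedelta(days=90)   # 'use it or lose it' period (article's example)
TODAY = date(2024, 6, 1)             # constructed audit date

# Constructed HR roster of current employees (hypothetical IDs).
HR_ACTIVE_EMPLOYEES = {"E1001", "E1002"}

# Constructed badge export; field names are assumptions, not a real vendor format.
BADGES = [
    {"badge": "B-01", "holder": "E1001", "type": "employee", "active": True,
     "expires": None, "last_used": date(2024, 5, 28)},
    {"badge": "B-02", "holder": "E0990", "type": "employee", "active": True,
     "expires": None, "last_used": date(2024, 5, 30)},
    {"badge": "B-03", "holder": "C-0007", "type": "contractor", "active": True,
     "expires": None, "last_used": date(2024, 5, 20)},
    {"badge": "B-04", "holder": "C-0011", "type": "contractor", "active": True,
     "expires": date(2024, 3, 31), "last_used": date(2024, 2, 1)},
    {"badge": "B-05", "holder": "E1002", "type": "employee", "active": True,
     "expires": None, "last_used": date(2024, 1, 15)},
    {"badge": "B-06", "holder": "E0875", "type": "employee", "active": False,
     "expires": None, "last_used": date(2023, 11, 2)},
]

def audit_badges(badges, active_employees, today):
    """Return {badge_id: [reasons]} for active credentials that need review."""
    findings = {}
    for b in badges:
        if not b["active"]:
            continue  # already disabled, nothing to remediate
        reasons = []
        if b["type"] == "employee" and b["holder"] not in active_employees:
            reasons.append("separated employee with active credential")
        if b["type"] == "contractor":
            if b["expires"] is None:
                reasons.append("contractor credential has no expiration date")
            elif b["expires"] < today:
                reasons.append("contractor credential active past expiration")
        last = b["last_used"]
        if last is None or today - last > NON_USE_LIMIT:
            reasons.append("no use within the non-use limit")
        if reasons:
            findings[b["badge"]] = reasons
    return findings

if __name__ == "__main__":
    for badge, reasons in audit_badges(BADGES, HR_ACTIVE_EMPLOYEES, TODAY).items():
        print(badge, "->", "; ".join(reasons))
```

The same pass can be run over an export of assigned intrusion panel PIN codes, which the article recommends reviewing in the same way.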