A substantial focus of the security industry is on the selection and installation of security systems, and there is no doubt that this is a critical element of the process. However, in order to ensure that security systems such as access control, video surveillance, intrusion detection and panic alarms deliver on ‘game day’, an equal if not greater emphasis has to be put on the actions that are taken after the installers have closed the doors on the truck and driven away. This article covers some important issues that were covered at the 2019 International Association of Professional Security Consultants (IAPSC) annual conference in Miami, Florida, where Frank Pisciotta, CSC, Business Protection Specialists, Inc. and Michael Silva, CPP, Silva Consultants, facilitated a discussion among security professionals on the topic. Backwards compatibility in access control solutions David Barnard of RS2 security highlighted the importance of backwards compatibility in access control solutions David Barnard of RS2 Technologies LLC highlighted the importance of backwards compatibility in access control software solutions. Reputable manufacturers are constantly evolving software products and it is critical that software continues to work with all installed hardware or owners will find themselves purchasing equipment a second time, which is never good news. An example, a case study with a client where the video management software upgrades were not backwards compatible through the mobile app and a small manufacturing site was looking at a US$ 75,000 price tag to upgrade cameras to make them compatible with the ‘updated software’. Risks of failures in door hardware products Jim Primovic from ASSA ABLOY cautioned about the risks of failures in door hardware products resulting in a failure to attention to detail in the selection and, in particular, the installation process. He explained the importance of using certified installers to avoid operation problems. In light of constantly evolving software revisions, how often does one see any additional training provided to end users when software updates are released? Charles Johnson of Open Options raised this important point and it is an excellent one. As organizations think about structuring maintenance agreements, it might be wise to consider ongoing training to cover software updates and ensure that end users can continue to optimize the features and benefits of software revisions. Software Support Kim Kornmaier of Honeywell mentioned another element of security system lifecycle consideration, which is ‘Software Support’. Maintenance agreements are available and will likely be offered from every installer and come in a variety of flavors. However, care needs to be exercised to ensure that whatever services and support are included, in the scope of a maintenance agreement, have a clear correlation between service and software upgrades versus the fee charged. Software upgrades and system testing Maintenance agreements should be avoided that simply guarantee the free replacement of parts (which may or may not ever get used, even after you pay for it). Services that should be considered include software upgrades, system testing and replacement of consumable parts, like back up batteries. Another key issue ties directly to periodically measuring and ensuring the risk reduction results of security systems, for example, with an access control system, there are several actions recommended for system owners, including: Conduct periodic door and alarm testing - This presumes users have installed all of the necessary parts to enable alarm monitoring). These tests should include the mechanical testing of doors and confirming door-held-open-too-long and forced-door alarms are properly reporting to the alarm client. Importance of harnessing door alarming capacity Excessive door alarms are an indication of either a user or system problem Excessive door alarms are an indication of either a user or system problem or all alarms should be investigated to determine root cause and corrective action needed. Organizations who fail to harness door alarming capability are giving away up to 50 percent of the system's potential benefit. Ensuring the integrity of the access control database is of prime importance. The failure to manage this can lead to unauthorized access and serious security incidents. This can be achieved in a variety of ways, but in the majority of risk assessments they have conducted over the years, it is common to find separated employees and contractor records with active credentials in the database. Ways to mitigate this risk include: Integrating your access control database with active directory (works for employees, not so well for contractors); Utilizing expiration dates on contractor credentials; Periodically manually auditing contractor and employee active badge reports for anomalies, which may indicate process weaknesses in the change management process; Utilizing the ‘use it or lose it’ feature in many software programs that automatically disable a credential after a set period of non-use (e.g., 90 days); and Establishing processes to limit the removal of certain badges from the site (e.g., those issued to contractors or temporary employees). ‘First Card Unlock’ feature Irregular schedules, holidays and natural disasters can result in access vulnerability. For instance, if access-controlled doors at a site are programmed to open on a timer and something prevents persons from arriving at work (e.g., snowstorm), a site may be left exposed. A mitigation technique against this type of risk would be to employ a concept called ‘First Card Unlock’. Under this feature, a lobby entrance to an office, for instance, would not enter into an unlocked state, until the first authorized employee presented a card and entered the workplace. Changing holiday programming in security systems Holiday programming in some systems needs to be changed on an annual basis Holiday programming in some systems needs to be changed on an annual basis. Managing holidays in an access control system results in doors staying secure which would otherwise be unlocked on a normal business day. Similarly, intrusion detection, duress devices and video surveillance systems can let users down without the proper care and feeding. Examples would include: A panic device fails to communicate an emergency situation because it was not properly reset or the wiring has been damaged due to poor installation. Panic devices should be regularly tested and ideally the activation during testing should be by a person who would be required to use the device in an actual incident. The objective here is to build competency in the persons who may need to activate a device discretely. Similarly, intrusion detection systems should be carefully tested to ensure that all devices are properly reporting to the panel and that the panel is communicating properly to the central station. If there are redundant communications channels, each should be verified. In the same way someone would conduct audits of active credentials in an access control system, it is strongly recommended that users perform a similar review with PIN codes, which have been assigned and would allow for an unauthorized person to disarm a system. Utilizing the failure-to-close feature to ensure that through collusion or negligence, if the last person out of a restricted area fails to arm the panel, the central station will notify a responsible party about the omission. Further, reviewing opening and closing reports might well detect inappropriate entries by authorized personnel which are indicative of suspicious or illegal activity. These features and reports will likely be at an additional cost, but they are important insurance to protect against insider threat. It is not uncommon to hear about an incident happening and during the investigation, the owner of the system discovers that the needed camera was not recording. Where video is not under routine observation, it is recommended to determine if your video management system can send an alarm in the event of video loss. This would allow for rapid remediation before the video loss is discovered in the course of an investigation. Avoiding degraded video quality over time In almost every case, degraded video quality is directly related to resource saturation With respect to video surveillance, as systems grow and evolve over the life of the system, organizations may experience degradation. Darren Giacomini of BCDVideo has studied this issue extensively and concludes that in many cases, installers or others are simply putting too many devices on a VLAN, which results in latency and other conflicts. Degraded video quality has a finite number of potential root causes. In almost every case, degraded video quality is directly related to resource saturation. The resources on a surveillance network consist of IP cameras, network switches, network uplinks, viewing stations, database management and archives. Resource depletions According to Giacomini, each of the resource shares a common thread. And, at the basic level, each of those items is nothing more than a purpose-built computer with limited CPU, memory and network capacity. When any of these resources exceed their capacity, the quality of service delivered will degrade. The following are common resource depletions that can degrade video quality and require a much deeper dive, but are included here as a starting point: IP camera CPU utilization is in excess of 85 percent; CPU elevation in the decoder or workstation decoding the video; and Network congestion or CPU elevation in the network switch. Maintaining the integrity of archived video data Giacomini indicated that the majority of the time degraded video is associated with resource depletion Giacomini indicated that the majority of the time degraded video is associated with resource depletion in one of these key components. Investigation of the potential causes can save time and effort, and prevent a video management software application from unduly being blamed for poor performance during its lifecycle. Also, on the topic of video, John Kampfhenkel, Director of Technical Sales at Veracity discussed the challenges that organizations face when video management system storage is undersized and the need to carefully plan for video retention of existing recorded data when the video system has to be expanded. This can be a problem organizations face and when they do, it is best to involve a video storage expert to determine options, costs and potential legal requirements for maintaining the integrity of archived video data. Selecting the right security technology Dependent on the level and type of integration between various systems, another challenge may be to preserve the integration between the two systems. System owners will need to coordinate carefully with installer(s) to ensure that a software revision to one system will not result in a disruption to a software level integration. This type of integration may require a delay in being able to upgrade one or the other application software versions until the integration can again be certified. Selecting the right security technology is an important element of an organization's security risk management. However, experts would argue that in terms of getting measurable results from technology, there needs to be a keen focus on sustaining activities after the installer closes the doors and drives away. By adhering to the consultant and manufacturers' guidance in this article, organizations can substantially reduce the risk to people, assets and information, and prevent criminal and terrorist incidents in the workplace.
CSS provides the perfect opportunity to network, share ideas, and learn from industry subject matter experts Charles Johnson, Open Options’ Southeast Sales Manager, will be showcasing DNA Fusion at the inaugural Converged Security Summit (CSS) to be held on March 1, 2017, at the Georgia Aquarium in Atlanta, Georgia, from 8:00 am to 3:00 pm. Information And Physical Security Hosted by GC&E Systems Group, an Open Options-certified dealer company, CSS is a one-day comprehensive program that will bring together experts in information and physical security to discuss best-practice countermeasures to safeguarding IT infrastructure and information assets, as well as proven solutions for perimeter security, intrusion and personal safety in public and private sectors. Learning From Subject Matter Experts Bringing together approximately 200 IT and security professionals, more than 20 best-of-class security and IT vendors, and industry-recognized leaders to speak and provide insight on the constantly evolving state of information and physical security, CSS is the not-to-be-missed event of 2017. Through the convergence of security and IT professionals, speakers, and vendors, CSS provides the perfect opportunity to network, share ideas, and learn from industry subject matter experts and other industry professionals on ways to better manage and mitigate risks associated with information and physical security assets. Notable Speakers Moses Anderson, Chief Technology Officer, Shield IS, will discuss leveraging best practices for collaboration and trust on the Internet of Things. Jim Crumbly, President & CEO, Risk Response Team, will discuss about how to get cooperation between the IT and Public Safety/Security departments Mr. Kenrick Bagnall, Detective Constable, Computer Cyber Crime, Toronto Police Service, will examine cybercrime and the threat to critical infrastructure.
At ASCUE, Johnson will discuss Open Options’ flagship producy, DNA Fusion access control software Open Options’ Southeast Regional Sales Manager Charles Johnson has been invited to share innovative campus security solutions to educators and administrators representing all areas of North America at the Association Supporting Computer Users in Education (ASCUE) conference to be held June 14-18, in Myrtle Beach, South Carolina. ASCUE is an international community of individuals committed to the innovation, implementation, and furtherance of technology trends, equipment, and practices within higher education. ASCUE is a major catalyst for technology innovation and, as such, provides leadership and opportunities for collaboration to members. “I’m excited to share our many campus security solutions with a key group of educators and IT administrators who understand the importance of technology in safety,” said Johnson. “There are a variety of safety concerns that are unique to the campus environment and Open Options has a great deal of experience in successfully providing access control to end users in higher education.” Access Control Solution At ASCUE, Johnson will discuss Open Options’ flagship product — DNA Fusion access control software — and its suite of supporting applications including Fusion Mobile, Fusion Web, and Fusion ID. Together these applications with hardware and badges can provide a campus-wide solution that includes building access, dorm security, and student safety. Johnson was invited to the conference by existing Open Options Customer and ASCUE member Hollis Townsend with Young Harris College. Townsend will also give a presentation at the ASCUE conference on how Young Harris College has transitioned from a proprietary access control solution to Open Options and DNA Fusion — an open architecture solution. “There are so many benefits to an open architecture access control system like Open Options and DNA Fusion in the education environment,” said Johnson. “Access control technology, for example, can help law enforcement to lock down a door, building, or campus while at the same time allow for a first responder to have access to the area that might be locked down. These issues are so relevant to today’s campus safety threats and we are grateful for the opportunity to share this valuable information with this select group.”