Corporate Risk Solutions
Download
Report
Transcript Corporate Risk Solutions
CREATING AN EFFECTIVE
SECURITY PROGRAM
Sunday, June 20, 2010
1
Designing Efficiencies and Performance
into Your Security Platform
• Introductions
• Fundamentals of Creating an Effective Program
• Three Fundamentals of Campus Security Programs
• Integration versus Interfacing
• The value of a Roles-Based Systems Approach
• Questions & Answers
2
CRSI Team Introductions
Michael Tibbs
Vice President – Operations
Senior Managing Consultant
Professional Experience
36+ years of security consulting experience in higher education, industrial, and corporate security settings,
including work in investigations, security management, and consulting.
Specializes in providing consulting services in the following areas: regulatory compliance; security master
planning; physical and information protection programs (assessments, systems design, and policy and
procedures); security project management; business continuity planning; security awareness and training
programs.
Managed security forces for Penn Valley Community College, Cleveland Chiropractic College, Brown
Mackie College and Maranatha Baptist Bible College. Managed security for the University of Wisconsin Madison athletic events including football, basketball, swimming, and hockey venues. Project manager for
a large security risk assessment and lighting design project for the State University of New York at Buffalo
(SUNY UB).
Developed and managed security programs for hundreds of clients, many of the Fortune 100, including the
nation’s leading auto manufacturer, one of the top three telecommunications companies, numerous
electric, natural gas, and water treatment utilities, hospitals, high-rise office buildings, college campuses,
retail distribution centers, apartment complexes, stores, railroads, trucking companies and manufacturing
plants.
Certified Protection Professional (CPP)
Certified Security Project Manager (CSPM)
Certified in Risk Assessment Methodology for the Security of High Voltage Electric Transmission Systems
(Sandia National Laboratories)
Advanced CPTED Practitioner
3
CRSI Team Introductions
D. Clay Shropshire, MBA, CPP, PSP, CSPM
Security Consultant/Auditor
Systems Design / Systems Engineering Credentials
Completed Design & Engineering Projects for the State University of New York at
Buffalo, Brigham Young University, Hallmark Cards, Blue Cross & Blue Shield, Sprint,
American Express, Missouri Western Correctional Facility, Potosi Prison, the US Postal
Service, the City of Tallahassee, Oklahoma Gas Electric, Kansas City Power & Light,
Black & Decker, Whiteman Air Force Base B2 Bomber Support, Charlotte Motor
Speedway, JCPenney Company, SD Army Reserve National Guard
Masters of Business Administration
27 Years Experience in Security Systems Design, Systems Engineering, Project
Management, and Consulting, Primarily in Designated US Critical Infrastructure
Industries
Specializes in Physical and Information Protection Programs (Assessments, Systems
Design, Systems Engineering, and Policy & Procedures); Security Master Planning;
Security Project Management; Regulatory Compliance; Security Awareness & Training
Advanced CPTED Practitioner
Certified Protection Professional (CPP)
Professional Security Professional (PSP)
Certified Security Project Manager (CSPM)
Completed Factory Training Schools through Pelco, Lenel, Software House, Commend,
Stentofon, AMAG, Panasonic, International Fiber Systems, Anixter, Bosch, Axis
4
Security Planning
There is no free lunch or painless approach to security.
Security, along with network capacities and capabilities, are just like facilities,
parking areas, or green space. They must be planned and coordinated in
the beginning of the planning and design phase for maximum effectiveness.
This means that they must be designed and planned with an eye towards the
future and the big picture.
The future and the big picture must be understood and communicated to all
participants of the planning process.
The big picture is a fully integrated systems approach seamlessly sharing
data across the network managing exceptions to the norm.
5
Work Function Differences
There is a difference between police functions and security functions.
Police functions include dispatching, incident response at the scene, crowd
control, traffic control, incident investigation, and arrest powers
Security functions include alarm monitoring, alarm assessment, systems
management, and the notification of authorities
6
Current State
Many colleges and universities combine police and security functions tasking
dispatchers monitor alarms, assess alarms, and notify other authorities.
The biggest problem with this approach regards the various disparate
systems installed across the footprint with little or no ability for the dispatcher
to quickly and easily navigate through them to get the needed information.
Universities tend to be enclaves of autonomous departments, each vying for
limited funds to expand their programs to attract the best and the brightest
students and faculty.
7
Current State
The Science Department, by upgrading its labs, can bring in tuition dollars
through increased enrollment so it can be viewed as a money generating
center.
The Athletics Department, by upgrading its training & practice facilities, can
improve its sports teams bringing in funds through higher ticket prices and
filled venues so it can also be viewed as a money generating center.
The Student Housing Department, by updating dormitory rooms, buildings,
and food service facilities, can cause a student or parent to prefer your
University over another, again increasing tuition dollars so it can be viewed
as a money generating center.
8
Current State
The University Police Department is viewed as a cost center.
There has probably been no student or parent who decided upon enrollment
at a particular institution of higher learning because of the quality or quantity
of Campus Police.
There have been parents who have decided that their child would not attend a
particular college or university because of their perceived lack of general
security across campus or in the dormitories.
9
Current State
Since University Police Departments tend to be viewed as cost centers, they
may not have been included in discussions regarding future plans.
When the Science Department decides to upgrade its labs, the Police
Department gets tasked with monitoring alarms from systems included in the
bid specs. These systems may not match any other system installed at
present on campus, thus creating another legacy system.
When Student Housing decides to upgrade its dormitories to add physical
access control and/or closed circuit television systems, these systems may
be managed by this department. University Police may be allowed into
Student Housing systems but it may require special permissions or changes
in software. This system could be a totally independent system used only by
this department.
10
Legacy Systems
•
•
•
•
•
•
•
•
Physical Access Control Systems
Intrusion Detection Systems
Closed Circuit Television Systems
Video Recording Systems
Intercom Systems
Incident Reporting Systems
Fire and Life Safety Systems
Emergency Communications Systems
11
12
Legacy Systems
The most common state of affairs for a campus will have existing systems
installed throughout the footprint based on the desires of the various
autonomous departments.
Systems could be old style that are processor based requiring human
interface at the control equipment, such as a voice evacuation system
requiring local microphone announcements.
Systems could be newer network systems that are dissimilar from others of
the same type, like having different manufacturers of access control.
13
Legacy Systems
They could consist of equipment that does not integrate or was not properly
sized for the total application, such as a 16 channel digital video recorder
installed instead of connecting cameras to a network video recorder.
Legacy systems could include cutting edge equipment with little thought given
to other system constraints, like installing several mega-pixel cameras
across the campus only to find out that the video streams bring the network
to a crawl.
There could be multiple independent packages of the same type of equipment
as used by different campus departments, like using a specific brand of
access control but each department has their own license.
14
Security & Computers
In the early days of computers, each group or department could purchase
their own computer equipment and software because the different systems
could not communicate with each other. Accounting ran on a token ring
independent from Food Service running on SNA.
As Ethernet networks became more widely used and interconnected,
standards had to be established as to equipment, software, and
infrastructure due to management and security of the network.
Campus security has not fully made this leap by establishing standards as to
equipment, software, and infrastructure due to management and security of
the campus.
15
Future State
As stated earlier, the big picture is a fully integrated systems approach
seamlessly sharing data managed by trained security operators.
There are two ways to achieve this future state.
First, plan and design for it now as legacy systems are replaced or facilities
are constructed.
Second, purchase an over-arching integrated multi-systems management
package.
16
Achieving Broad Based Support
Since colleges and universities have had independent departments for many
years, they want to continue to silo all decisions and control their own
systems.
As computer networks came on the scene, campus-wide standards had to be
set for the Networks Department to properly manage the network. That
meant taking over control as to the equipment types that the departments
are allowed to connect to the network.
By the same token, Campus Police must insist on campus-wide standards as
to equipment due to systems management. They are tasked with efficiently
and effectively managing a crisis situation, which can be next to impossible if
equipment and systems are not compatible or independently owned and
controlled by various departments on campus.
17
How to Not “Reinvent the Wheel”
Fixed Cameras
•
Always “watch” a single scene
•
Can record and trigger an alarm based on motion in the area
•
Generally requires less bandwidth
•
Generally requires less video storage capacity
•
Fairly inexpensive
Pan, Tilt, and Zoom Cameras
•
Have the ability to “watch” many area, but only one at a time
•
Can not record based on motion since the camera moving creates its
own motion
•
Generally requires more bandwidth
•
Generally requires more video storage capacity
•
Can snap to a preset based on an external trigger like a door position
switch or emergency button activation
•
Fairly expensive plus requires additional infrastructure for telemetry
18
Lighting Types
Sodium Vapor – Casts a yellowish tint on the scene with higher infrared levels
making them good for monochrome cameras but bad for color cameras.
Metal Halide – Casts a white light on the scene for good color rendition at
night
Halogen – Casts a white light on the scene with instant on capabilities
Infrared Illumination – Casts invisible light on the scene allowing a
monochrome camera to view dark areas as if it was bright sunshine
LED Illumination – Casts IR illumination on the scene with instant on
capabilities for close subjects
19
Lighting Characteristics
There is a difference between light levels required for the human eye to “see”
a scene at night and the levels required for a camera to produce a usable
image of the same scene.
Camera specifications show the minimum illumination – based on 75% - 90%
reflectance of the subject back to the camera.
Backgrounds make a big difference at night
•
Asphalt = 5%
•
Brick = 25%
•
Grass = 40%
•
Snow = 90%
20
Campus Culture
The campus is supposed to be open and welcoming, offering freedom of
movement and the exchange of ideas.
Challenge for Campus Police, administration, and staff is to facilitate this
feeling of freedom while securing the people, buildings and grounds.
21
Technology – Selection & Life Cycle
Question that must be addressed…
Who decides what systems will be incorporated into the total footprint?
Who will own the systems?
Who will actually manage the systems, both from a head end equipment
perspective and from a programming perspective?
Will this new system aid or hinder the Campus Police from effectively
performing their functions?
What is the future plans for this system?
What policies and procedures have been created or need to be created
regarding this system?
22
Technology – Selection & Life Cycle
Question that must be addressed…
Should this system be connected to emergency power?
If so, what parts must be connected, where will those parts be located, and
from where will they derive their power?
If the system depends on the campus network for signal or data transmission,
are the various data switch closets also on emergency power circuits?
23
Campus IT Networks’ Concerns
Bandwidth – driven heavily by video compression.
• H.264
• MJPEG
• MPEG4
Standard Cameras versus Mega Pixel Cameras
IP Cameras versus Analog Cameras
Independent Power versus PoE
24
25
Campus IT Networks’ Concerns
Servers & Switches Manufacturers and Model Numbers
Storage Method & Amount
• RAID5
• Storage Area Network
System Head End Management
Cable Management
26
Where do we go from here?
The first order of business is to evaluate all legacy systems with an eye
toward using them for assessment purposes in the event of an actual
emergency situation.
If a system, such as the CCTV system, has several independent sub-systems
being used by various departments across the campus, upgrade to an
Enterprise or Corporate edition for master system administration and
management.
If the various departments have purchased different manufacturers, replace
older systems with a single platform as planned obsolesce occurs.
If systems are connected via inputs to outputs, upgrade systems to allow data
to be transferred and shared across the platforms for seamless integration.
If the systems are too varied and numerous, look to an over-arching rules
manager system that has the ability to integrate data exchanges.
27
Systems Acquisition
Areas of concern during the planning and design phase would include:
•
•
•
•
•
•
•
•
•
•
Bandwidth required for field devices
Systems licensing for field devices & head end servers
Server platforms
Computing power
Ability to integrate with other installed or planned systems
Systems back-up or redundancy
Network firewall and cyber security compatible
Database compatible (Oracle or SQL)
Identity management systems compatible
HR management systems compatible (SAP, PeopleSoft)
28
Maintenance
Ongoing maintenance is vital for properly functioning systems.
•
Annual licensing requirements for software
•
Patch management
•
Periodic equipment cleaning (camera housings & light fixtures)
•
Periodic maintenance (replacement of non-functioning devices)
29
Integration versus Interfacing
Interfacing of systems means that inputs from one system are connected to
outputs to another system but there is no sharing of data. Each system acts
independently of each other performing the assigned functions based on
their connected inputs and outputs. Each separate system must be viewed
in separate windows or head end equipment.
Integration of systems means that data is transferred and shared among
software packages with interconnections such that an action through one
system automatically triggers events in associated systems bringing all of
the information onto a single screen for operator use in assessment of the
incident.
30
Convergence
1. Interfacing of mission critical systems
- Zero time provisioning and de-provisioning
- Employees continue to use the tools that they’ve always used
- Event correlation and forensics
2. One card solutions for physical security and IT
- Leverage investments
- Reduced total cost of ownership
3. Software controlled processes
- User self-service web portals with e-mail notifications
- Automation with audit trails (e.g. – compliance ready)
- Risk management
31
Convergence Reduces Costs & Risks
32
1+1>2
33
Benefits of Convergence
34
Roles-Based Access
The best practices future state would build access databases based upon the
role the individual has at the institution. As their role changes throughout
their career, their access would change based upon their new roles. This
helps to ensure that no person continues to have access to areas no longer
needed by their job function.
Roles based access helps to eliminate or at least control the habit of giving
people access on a door by door basis. Each member of the faculty or staff
has a role that should be able to be defined for access just like their role is
defined for job function.
35
Roles-Based Access
Roles based access control could be automatically driven by changes to the
HR system as promotions occur.
Roles for access control could be specified as a part of the people information
system just like a job title or duties.
Every member of the faculty and staff has a role associated with specific
buildings and rooms within.
Students also have roles such as assigned dorms and possible labs or rooms
based on class schedule.
36
Higher “Aligned” User Acceptance
With a common platform being used, operators spend less time fighting the
differences among various packages when trying to accomplish a task like
calling up a field device or entering a response into an incident management
database.
Training costs are reduced for new operators since they do not have to learn
software packages from multiple manufacturers.
With a common platform running all information management systems, the IT
and Networks departments have an easier task of managing the head end
equipment and backing up data.
37
Reduced Systems Operations & Maintenance
Systems working on a common platform allow operators to manage the
situation instead of the technologies.
Systems sharing data allow multiple packages to cross-monitor various
pieces of equipment.
With multiple systems displaying their combined information on a single
screen, the operator can more easily call out maintenance issues as they
occur and track the progress until completion.
38
Self-Enforcing
An over-arching information management system allow for programmed
responses to incidents with the controls necessary to not allow an event to
be closed until completed.
Operator action tracking is easily performed by management to ensure that
policies and procedures are followed without having to generate reports from
several different packages such as changes made in the physical access
control system and the identity management system.
39
Event-Based Reporting
This is monitoring by exception. The operator is not spending time watching
cameras or alarm screens that have normal activities occurring.
If an event or incident happens, a device such as a door contact, an
emergency phone call button, or tamper switch triggers an alarm. The
various systems involved or interconnected in the area perform their tasks
like a PTZ camera spinning to a preset.
The operator screen displays the alarm condition, a graphic map showing the
area involved, and the nearby cameras display scenes for assessment. As
the operator moves to another part of the building, the new cameras and
graphic maps update as the task is performed.
40
The Test
The fateful day arrives when the University must contend with an actual
incident such as the threat of a potential shooter on campus OR an
actual shooter.
University Police, who have been kept out of the loop regarding most every
decision regarding security and systems in the past, must now marshal
their forces and efficiently and effectively perform all of their duties.
•
Assess the situation
•
Alert students, faculty, staff, and visitors
•
Bring a swift conclusion to the incident
41
The Test
Dispatch operators may have to call-up several versions of the same software
or several different software packages trying to perform a building lock-down
or camera video assessment.
They may have to enter the same emergency alert message into several
broadcast systems to cover the campus.
Police officers may have to physically go to a building or dormitory to make
announcements because of existing legacy systems with no ability to
integrate or be managed through Campus Police.
All this during a period of time the Dispatch operator is under extreme stress
trying to perform their dispatch and police duties.
42
Questions?
43