INTERNATIONAL FOUNDATION FOR
CULTURAL PROPERTY PROTECTION


On the Point of a Double-Edged Sword: Technical Standards Protect and Defend

August 09, 2023 8:11 AM | Anonymous

Reposted from Security Management Magazine

Today’s video management, access control, and intrusion detection systems are incredibly complex and provide unique challenges in product selection, networking, maintenance, and support. Features within these systems are extremely functional and may also provide some of the greatest opportunities to demonstrate value to one’s organization. But it can be a double-edged sword—if one chooses poorly or networks incorrectly, the very tools used to help secure a facility may also render it vulnerable and invite risk. Hence, strict technical standards are an absolute must for any organization.

This is the fourth in a five-part series on security governance. The first article, “Setting the Bar for Strong Governance in Security Management,” makes the case for establishing a governance program within your organization’s security department. The second article, “For Effective Governance, Start with Why,” asks you to establish why you need a security program in the first place and then outlines program standards for communicating that why to the rest of the organization. The third article, “The How of Security Governance: Procedures Provide Support,” makes the case for tactical-level guidance on completing the most common tasks at your sites.

Technology is the application of knowledge for achieving practical goals in a reproducible way. The word can also mean the products resulting from such efforts, including both tangible tools like utensils or machines and intangible ones like software. In the physical security world, technology ranges from complex systems such as video management, access control, and intrusion detection to less complex controls like barriers, lighting, locks, keys, glazing, and signage. For all of this, we must give our teams guidance on the selection, application, installation, integration, operation, protection, and maintenance of our security tools. These are our technical security standards—the third leg of our fundamental security governance products.

“Technical security standards provide a strategic vision for an organization as to how they want to employ tools in the safeguarding of their assets,” says Wade Pinnell, CPP, CEO of Virtual Software Equipment and Consulting (VSEC), a technical security consultancy specializing in hospitality and manufacturing security systems. “If employed and integrated properly, these systems not only safeguard against loss, but enhance business objectives and can even help to exploit opportunities, giving organizations market advantages. 

“Today’s cameras, employing analytics, can do things like count people, capture demographic information, discern humans from animals, trigger alarms, ‘see’ heat before there’s even a wisp of smoke, and spot anomalies, going far beyond traditional security applications,” he continues. “These are just some of the value-adds video management systems can deliver today. Finally, technical standards consolidate brand usage and therein present economic advantages in negotiating enterprise pricing with manufacturers. This can realistically generate savings of 15 percent to 25 percent in hardware/software purchases.”

Like your operations procedures, technical standards will be based upon established industry guidelines, best practices, and standards from organizations like ISO, ANSI, ASIS, and NIST, providing legal protections for our teams and organizations. And also like your operations procedures, this product should establish a baseline from which regional and area guidance can be created and better aligned—more prescriptive—with business units, countries, facilities, and cultures. 

Technical security standardization can provide significant economic advantages as well. By selecting one or a limited range of products for your enterprise, your team can become masters of supporting a few products rather than generalists across many.

Further, you can negotiate for economies of scale. For example, I’ve found that by selecting just three options of camera manufacturers at the good, better, and best levels, discounts upwards of 40 percent can sometimes be negotiated with manufacturers. When committing to just one access control or video management system, even greater discounts may exist. Cloud-hosted servers may enable further savings and, when properly managed, stronger security.

Finally, standardization helps you avoid selecting poor products that may actually place your organization at risk.

“The proper installation and integration of systems is critical to a system's integrity,” Pinnell says. “More than once I’ve had cases in which clients said their systems were networked correctly and safe. However, when inspected, they were completely vulnerable and exposed. You’re only one network switch port away from being completely open to the world.”

So, what might a technical security standard product look like? This is by no means a comprehensive list, but it might include the following:

Introduction

  • A high-level leadership statement. This outlines the importance of the security program and your security governance products. It tells a casual reader why the department exists and what the organization can expect of it.
  • Application of the document. Explain where within the organizational ecosystem this document applies, doesn’t apply, or may be in conflict with other governance products. It also describes the process for determining what to do if other guidance is in conflict.
  • Terminology and definitions. Include titles of the members in the department, regularly used industry terms, and the sometimes-esoteric terms used within technical security. 
  • Roles and responsibilities. Who is responsible for the vision and leadership of the technical security program? Who is responsible for project management and support? 
  • Preferred/approved partner programs. The organization will exclusively select certain products based upon best value and capacities for support and these will be designated as the preferred or approved product(s) for the organization. 
  • Reference/source guidance. What are the foundational sources of information which have led to the formation of these standards?

Video Management Systems (VMS)

  • System technical objectives. Explain why a certain product should be implemented and the intended outcomes.
  • Sourcing. How will VMS technology be reviewed and approved?
  • Management of legacy systems.
  • Monitoring. How should the system be monitored locally, regionally, and globally?
  • Architecture. Include guidance on the VMS server and recording architecture hierarchy.
  • Use of cameras, encoders, intercoms, speakers, and strobes. Include guidance on types of cameras to be used, resolution, pixel count, frame rate, edge storage, stream profiles, compression, motion detection, encoders, video intercom systems, speakers, and strobe lights.
  • Storage requirements. What is the minimum time imagery is stored, and how will it be deleted?
  • Client access. Address full, web, and mobile client options.
  • Monitoring protocols. Will imagery be monitored continuously, interactively, casually, scheduled, and/or irregularly?
  • Export and release guidelines. Share guidance for the legal and reasonable protection and release of imagery to outside organizations.
  • Guidance for the use of mobile access devices.
  • Reporting and management of data.
  • Coverage tables. Outline coverage areas grouped as administrative offices, warehouses, manufacturing facilities, distribution centers, sub-stations, high-security facilities, etc., with columns for areas to be monitored, camera placement (required, encouraged, and prohibited), pixel count, minimum resolution, and frame rate.

Access Control Systems (ACS)

  • System technical objectives. Explain why a certain product should be implemented and the intended outcomes.
  • Approved and prohibited platforms.
  • Sourcing. How is ACS technology reviewed and approved?
  • Architecture. Explain expectations for administration and monitoring of clients.
  • Management of legacy systems.
  • Integrations with VMS.
  • Reporting and management of data.
  • Best practices in selection and application for specific areas (e.g., vehicle and pedestrian gates, turnstiles, doors, etc.).
  • Locks. Explain the expected hardware used to physically control a door opening/closing (e.g., purely mechanical, electromagnetic, request-to-exit devices, door position sensors, etc.).
  • Credential management. This involves the issuance, management, and control of access control credentials. Explain protocols, distinguishing between those for employees, contractors, interns, and guards.
  • Coverage tables. Outline coverage areas grouped as administrative offices, warehouses, manufacturing facilities, distribution centers, sub-stations, high-security facilities, etc., with columns for areas to be monitored, lock control (required, encouraged, and prohibited), monitoring protocol required, reader type, and door/gate construction.

Intrusion Detection Systems (IDS)

  • System technical objectives. Explain why a certain product should be implemented and the intended outcomes.
  • Approved and prohibited platforms.
  • Sourcing. How is IDS technology reviewed and approved?
  • Architecture. Explain expectations for administration and monitoring of clients.
  • Management of legacy systems.
  • Contacts, input buttons, and motion detection. Explain expectations for the selection, installation, and maintenance of approved systems.
  • Monitoring protocols. What are the protocols for externally or internally monitored IDS, permitted and prohibited guidelines, and timetables for implementation?
  • Reporting and management of data.

Security Networking

  • System technical objectives. The strategic vision for selection, implementation, and management of VMS, ACS, IDS, and networking. Include guidance for legacy systems.
  • How will the systems be structured?
  • Devices/cameras, encoders, intercoms, speakers/strobes, and readers. List the makes/models, types, and features of each approved product.
  • Storage requirements. List parameters for each system. 
  • Client access. How will imagery and data be viewed and reviewed? 
  • Monitoring protocols. How will cameras, access controls, and detection systems monitor their objectives?
  • Export and release guidelines. How will recorded imagery and data be released in a safe and legal manner?
  • Mobile device access. If imagery and data is monitored using mobile devices, how will this be managed?
  • Coverage tables. Created by facility type (e.g., office, warehouse, store, distribution center, parking lot, etc.), these tables should include columns for areas, placement (e.g., required, encouraged, and prohibited), monitoring protocol required, reader type, construction materials, pixel count, minimum resolution, motion frame rate, and comments or clarifying notes.

Cyber Protection for Security Systems

  • System technical objectives. Protocols and controls that will ensure system integrity and safeguard against cyber intrusions: layered protection (network segmentation, restricted management access, encrypted protocols) rather than a single measure.
  • Remote access to security systems. How will these systems be accessed and managed remotely, and through what approved path?
  • Cloud-based protocols. If systems are running on cloud-based virtual servers, how will they be managed? What is the correct balance of on-premises and cloud?
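A standard like the one outlined above is only useful if someone checks devices against it. The following Python script is an added example (it is not from the original article, and not a tool of the author or of VSEC): it audits a constructed device inventory against a hypothetical standard whose rules are assumptions for illustration, namely that every VMS/ACS/IDS device must sit in a dedicated security VLAN, that management ports may be reachable only from the SOC management subnet, that no plaintext management protocol may be enabled, and that remote access must go through a jump host. The subnets, device names, and addresses are all made up. Each device is checked against every layer, so a panel that happens to be in the right VLAN but has its web interface open to 0.0.0.0/0 is still reported, which is the point of layered protection.

```python
import ipaddress
from dataclasses import dataclass

# Assumed parameters of a hypothetical technical standard (not from the article):
SECURITY_VLANS = [ipaddress.ip_network("10.50.0.0/16"),      # site A cameras/panels/servers
                  ipaddress.ip_network("10.51.0.0/16")]      # site B
SOC_MGMT_SUBNET = ipaddress.ip_network("10.10.8.0/24")       # SOC workstations and jump host
PLAINTEXT_SERVICES = {"telnet", "http", "ftp", "rtsp"}       # unencrypted admin/stream protocols
APPROVED_REMOTE_ACCESS = {"jump-host", "none"}


@dataclass
class Device:
    name: str
    kind: str                 # "camera", "acs-panel", "ids-panel", "vms-server"
    ip: str
    open_services: dict       # service name -> port observed open on the device
    mgmt_allowed_from: list   # CIDRs the firewall/ACL permits to reach management ports
    remote_access: str        # "jump-host", "port-forward" or "none"


def audit_device(dev: Device) -> list:
    """Return every standard violation for one device (all layers, not just the first)."""
    findings = []
    addr = ipaddress.ip_address(dev.ip)

    # Layer 1: segmentation. A device on the corporate or guest network is
    # one switch port away from everything else on that network.
    if not any(addr in vlan for vlan in SECURITY_VLANS):
        findings.append(f"{dev.ip} is outside the security VLANs")

    # Layer 2: management reachability. Only the SOC management subnet (or a
    # subnet inside it) may reach admin ports; 0.0.0.0/0 or a corporate /8 fails.
    for cidr in dev.mgmt_allowed_from:
        src = ipaddress.ip_network(cidr, strict=False)
        if not src.subnet_of(SOC_MGMT_SUBNET):
            findings.append(f"management reachable from {cidr}")

    # Layer 3: protocol hygiene. Unencrypted admin interfaces leak credentials.
    for svc, port in sorted(dev.open_services.items()):
        if svc in PLAINTEXT_SERVICES:
            findings.append(f"plaintext service {svc}/{port} enabled")

    # Layer 4: remote access path. Direct port-forwards bypass the jump host.
    if dev.remote_access not in APPROVED_REMOTE_ACCESS:
        findings.append(f"remote access via {dev.remote_access}")

    return findings


def audit_inventory(devices) -> dict:
    """Map device name -> list of findings; compliant devices map to []."""
    return {d.name: audit_device(d) for d in devices}


# Constructed sample inventory (not real devices or addresses).
INVENTORY = [
    Device("cam-lobby-01", "camera", "10.50.3.21",
           {"https": 443, "rtsps": 322}, ["10.10.8.0/24"], "jump-host"),
    Device("acs-panel-dock", "acs-panel", "192.168.1.40",        # sitting on the corporate LAN
           {"http": 80, "https": 443}, ["0.0.0.0/0"], "port-forward"),
    Device("vms-srv-01", "vms-server", "10.51.0.5",
           {"https": 443}, ["10.10.8.0/24", "10.10.8.128/25"], "jump-host"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name:16s} {status}")
        for f in findings:
            print(f"    - {f}")
```

Run as-is, the script reports the dock access-control panel four times (wrong network, management open to the world, plaintext HTTP, and a direct port-forward) while the lobby camera and the VMS server pass. In practice the inventory would be pulled from the VMS/ACS platform and the ACL entries from the firewall or switch configuration rather than typed in, and the rule parameters would come from the standard's addendum.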

Physical Security System Technical Standards

Guidance in the selection, implementation, and management of less complex, non-electronic physical security controls (e.g., doors, locks and keys, lighting, parking and traffic control, signage, gates, bollards, and barriers).

Security Operations Centers (SOCs)

The role security operations centers serve at the regional and global levels (e.g., technical objectives, layouts and systems, staffing, operations and procedures).

Managing Technical Security Systems

Strategic and operational guidance for supporting new and legacy systems and for sunsetting them.

Addendums

This may include more details on approved manufacturers, technology partners, and devices, fee schedules, project estimation tools, service bulletins, basic how-to user guides, and links to technical manuals.

Given the constant evolution of technology and of the threats that exploit these systems, enlisting the help of a technical security consultant or specialist to produce and update this document may be crucial. As with all of your governance products, submit it for legal review and consider creating a website where the latest copy will reside and be available to your global teammates, contracted partners, and service providers.

With technical standards established, your foundational governance products will be complete, but without enforcement, they’re nothing more than good ideas. The next step in evolution is the creation of a security audit program, and beyond that, maturity modeling. Those are the topics of our next and final article in this series.

1305 Krameria, Unit H-129, Denver, CO  80220  Local: 303.322.9667
Copyright © 2015 - 2018 International Foundation for Cultural Property Protection.  All Rights Reserved