DESIGNING EFFICIENCIES AND PERFORMANCE INTO YOUR SECURITY PLATFORM
Sunday, June 20, 2010

Designing Efficiencies and Performance into Your Security Platform

• Introductions
• Fundamentals of Creating an Effective Program
• Current State - Legacy Systems
• Future State - Integration versus Interfacing
• The Value of a Role-Based Systems Approach
• Questions & Answers

CRSI Team Introductions

Michael Tibbs
Vice President – Operations
Senior Managing Consultant

Professional Experience

36+ years of security consulting experience in higher education, industrial, and corporate security settings, including work in investigations, security management, and consulting.

Specializes in providing consulting services in the following areas: regulatory compliance; security master planning; physical and information protection programs (assessments, systems design, and policy and procedures); security project management; business continuity planning; security awareness and training programs.

Managed security forces for Penn Valley Community College, Cleveland Chiropractic College, Brown Mackie College and Maranatha Baptist Bible College.

Managed security for the University of Wisconsin - Madison athletic events including football, basketball, swimming, and hockey venues.

Project manager for a large security risk assessment and lighting design project for the State University of New York at Buffalo (SUNY UB).

Developed and managed security programs for hundreds of clients, many of the Fortune 100, including the nation’s leading auto manufacturer, one of the top three telecommunications companies, numerous electric, natural gas, and water treatment utilities, hospitals, high-rise office buildings, college campuses, retail distribution centers, apartment complexes, stores, railroads, trucking companies and manufacturing plants.
Certified Protection Professional (CPP)
Certified Security Project Manager (CSPM)
Certified in Risk Assessment Methodology for the Security of High Voltage Electric Transmission Systems (Sandia National Laboratories)
Advanced CPTED Practitioner

CRSI Team Introductions

D. Clay Shropshire, MBA, CPP, PSP, CSPM
Security Consultant/Auditor
Systems Design / Systems Engineering

Credentials

Completed Design & Engineering Projects for the State University of New York at Buffalo, Brigham Young University, Hallmark Cards, Blue Cross & Blue Shield, Sprint, American Express, Missouri Western Correctional Facility, Potosi Prison, the US Postal Service, the City of Tallahassee, Oklahoma Gas Electric, Kansas City Power & Light, Black & Decker, Whiteman Air Force Base B2 Bomber Support, Charlotte Motor Speedway, JC Penney Company, SD Army Reserve National Guard

Master of Business Administration

27 Years Experience in Security Systems Design, Systems Engineering, Project Management, and Consulting, Primarily in Designated US Critical Infrastructure Industries

Specializes in Physical and Information Protection Programs (Assessments, Systems Design, Systems Engineering, and Policy & Procedures); Security Master Planning; Security Project Management; Regulatory Compliance; Security Awareness & Training

Advanced CPTED Practitioner
Certified Protection Professional (CPP)
Professional Security Professional (PSP)
Certified Security Project Manager (CSPM)

Completed Factory Training Schools through Pelco, Lenel, Software House, Commend, Stentofon, AMAG, Panasonic, International Fiber Systems, Anixter, Bosch, Axis

Security Planning

There is no free lunch or painless approach to security.

Security and network capacities and capabilities are just like facilities, parking areas, or green space. They must be planned and coordinated at the beginning of the planning and design phase for maximum effectiveness.
This means that they must be designed and planned with an eye towards the future and the big picture.

The future and the big picture must be understood and communicated to all participants in the planning process.

The big picture is a fully integrated systems approach that seamlessly shares data across the network and manages exceptions to the norm.

Work Function Differences

There is a difference between police functions and security functions.

Police functions include dispatching, incident response at the scene, crowd control, traffic control, incident investigation, and arrest powers.

Security functions include alarm monitoring, alarm assessment, systems management, and the notification of authorities.

Current State

Many colleges and universities combine police and security functions, tasking dispatchers to monitor alarms, assess alarms, and notify other authorities.

The biggest problem with this approach is the disparate systems installed across the footprint, which leave the dispatcher with little or no ability to quickly and easily navigate through them to get the needed information.

Universities tend to be enclaves of autonomous departments, each vying for limited funds to expand their programs to attract the best and the brightest students and faculty.

Current State

The Science Department, by upgrading its labs, can bring in tuition dollars through increased enrollment, so it can be viewed as a money generating center.

The Athletics Department, by upgrading its training & practice facilities, can improve its sports teams, bringing in funds through higher ticket prices and filled venues, so it can also be viewed as a money generating center.

The Student Housing Department, by updating dormitory rooms, buildings, and food service facilities, can cause a student or parent to prefer your University over another, again increasing tuition dollars, so it can be viewed as a money generating center.
Current State

The University Police Department is viewed as a cost center.

There has probably been no student or parent who decided upon enrollment at a particular institution of higher learning because of the quality or quantity of Campus Police.

There have been parents who have decided that their child would not attend a particular college or university because of a perceived lack of general security across campus or in the dormitories.

Current State

Since University Police Departments tend to be viewed as cost centers, they may not have been included in discussions regarding future plans.

When the Science Department decides to upgrade its labs, the Police Department gets tasked with monitoring alarms from systems included in the bid specs. These systems may not match any other system currently installed on campus, thus creating another legacy system.

When Student Housing decides to upgrade its dormitories to add physical access control and/or closed circuit television systems, these systems may be managed by that department. University Police may be allowed into Student Housing systems, but it may require special permissions or changes in software. This system could be a totally independent system used only by that department.

Legacy Systems

• Physical Access Control Systems
• Intrusion Detection Systems
• Closed Circuit Television Systems
• Video Recording Systems
• Intercom Systems
• Incident Reporting Systems
• Fire and Life Safety Systems
• Emergency Communications Systems

Legacy Systems

The most common state of affairs is a campus with existing systems installed throughout the footprint based on the desires of the various autonomous departments.

Systems could be older, processor-based designs that require human interaction at the control equipment, such as a voice evacuation system requiring local microphone announcements.
Systems could be newer network systems that are dissimilar from others of the same type, such as access control from different manufacturers.

Legacy Systems

They could consist of equipment that does not integrate or was not properly sized for the total application, such as a 16 channel digital video recorder installed instead of connecting cameras to a network video recorder.

Legacy systems could include cutting edge equipment installed with little thought given to other system constraints, like installing several megapixel cameras across the campus only to find out that the video streams bring the network to a crawl.

There could be multiple independent packages of the same type of equipment used by different campus departments, like a specific brand of access control for which each department has its own license.

Security & Computers

In the early days of computers, each group or department could purchase its own computer equipment and software because the different systems could not communicate with each other. Accounting ran on a token ring independent from Food Service running on SNA.

As Ethernet networks became more widely used and interconnected, standards for equipment, software, and infrastructure had to be established for the management and security of the network.

Campus security has not fully made this leap of establishing standards for equipment, software, and infrastructure for the management and security of the campus.

Future State

As stated earlier, the big picture is a fully integrated systems approach seamlessly sharing data managed by trained security operators.

There are two ways to achieve this future state.

First, plan and design for it now as legacy systems are replaced or facilities are constructed.

Second, purchase an over-arching integrated multi-systems management package.
Achieving Broad Based Support

Since colleges and universities have had independent departments for many years, those departments want to continue to silo all decisions and control their own systems.

As computer networks came on the scene, campus-wide standards had to be set for the Networks Department to properly manage the network. That meant taking over control of the equipment types that the departments are allowed to connect to the network.

By the same token, Campus Police must insist on campus-wide equipment standards for the sake of systems management. They are tasked with efficiently and effectively managing a crisis situation, which can be next to impossible if equipment and systems are not compatible or are independently owned and controlled by various departments on campus.

How to Not “Reinvent the Wheel”

Fixed Cameras
• Always “watch” a single scene
• Can record and trigger an alarm based on motion in the area
• Generally require less bandwidth
• Generally require less video storage capacity
• Fairly inexpensive

Pan, Tilt, and Zoom Cameras
• Have the ability to “watch” many areas, but only one at a time
• Cannot record based on motion since the camera moving creates its own motion
• Generally require more bandwidth
• Generally require more video storage capacity
• Can snap to a preset based on an external trigger like a door position switch or emergency button activation
• Fairly expensive, plus require additional infrastructure for telemetry

Lighting Types

Sodium Vapor – Casts a yellowish tint on the scene with higher infrared levels, making it good for monochrome cameras but bad for color cameras.
Metal Halide – Casts a white light on the scene for good color rendition at night

Halogen – Casts a white light on the scene with instant on capabilities

Infrared Illumination – Casts invisible light on the scene, allowing a monochrome camera to view dark areas as if they were in bright sunshine

LED Illumination – Casts IR illumination on the scene with instant on capabilities for close subjects

Lighting Characteristics

There is a difference between light levels required for the human eye to “see” a scene at night and the levels required for a camera to produce a usable image of the same scene.

Camera specifications show the minimum illumination – based on 75% - 90% reflectance of the subject back to the camera.

Backgrounds make a big difference at night
• Asphalt = 5%
• Brick = 25%
• Grass = 40%
• Snow = 90%

Campus Culture

The campus is supposed to be open and welcoming, offering freedom of movement and the exchange of ideas.

The challenge for Campus Police, administration, and staff is to facilitate this feeling of freedom while securing the people, buildings and grounds.

Technology – Selection & Life Cycle

Questions that must be addressed…

Who will own the systems?

Who decides what systems will be incorporated into the total footprint?

Who will actually manage the systems, both from a head end equipment perspective and from a programming perspective?

Will this new system aid or hinder the Campus Police in effectively performing their functions?

What are the future plans for this system?

What policies and procedures have been created or need to be created regarding this system?

Technology – Selection & Life Cycle

Questions that must be addressed…

Should this system be connected to emergency power?

If so, what parts must be connected, where will those parts be located, and from where will they derive their power?

If the system depends on the campus network for signal or data transmission, are the various data switch closets also on emergency power circuits?
Campus IT Networks’ Concerns

Bandwidth – driven heavily by video compression.
• H.264
• MJPEG
• MPEG4

Standard Cameras versus Mega Pixel Cameras

IP Cameras versus Analog Cameras

Independent Power versus PoE

Campus IT Networks’ Concerns

Servers & Switches Manufacturers and Model Numbers

Storage Method & Amount
• RAID5
• Storage Area Network

System Head End Management

Cable Management

Where do we go from here?

The first order of business is to evaluate all legacy systems with an eye toward using them for assessment purposes in the event of an actual emergency situation.

If a system, such as the CCTV system, has several independent sub-systems being used by various departments across the campus, upgrade to an Enterprise or Corporate edition for master system administration and management.

If the various departments have purchased from different manufacturers, replace older systems with a single platform as planned obsolescence occurs.

If systems are connected via inputs to outputs, upgrade systems to allow data to be transferred and shared across the platforms for seamless integration.

If the systems are too varied and numerous, look to an over-arching rules manager system that has the ability to integrate data exchanges.

Systems Acquisition

Areas of concern during the planning and design phase would include:
• Bandwidth required for field devices
• Systems licensing for field devices & head end servers
• HR management systems compatible (SAP, PeopleSoft)
• Ability to integrate with other installed or planned systems
• Systems back-up or redundancy
• Network firewall and cyber security compatible
• Database compatible (Oracle or SQL)
• Identity management systems compatible
• Server platforms
• Computing power

Maintenance

Ongoing maintenance is vital for properly functioning systems.
• Annual licensing requirements for software
• Patch management
• Periodic equipment cleaning (camera housings & light fixtures)
• Periodic maintenance (replacement of non-functioning devices)

Integration versus Interfacing

Interfacing of systems means that inputs of one system are connected to outputs of another system, but there is no sharing of data. Each system acts independently of the others, performing its assigned functions based on its connected inputs and outputs. Each separate system must be viewed in a separate window or at separate head end equipment.

Integration of systems means that data is transferred and shared among software packages, with interconnections such that an action in one system automatically triggers events in associated systems, bringing all of the information onto a single screen for operator use in assessment of the incident.

Convergence

1. Interfacing of mission critical systems
- Zero time provisioning and de-provisioning
- Employees continue to use the tools that they’ve always used
- Event correlation and forensics

2. One card solutions for physical security and IT
- Leverage investments
- Reduced total cost of ownership

3. Software controlled processes
- User self-service web portals with e-mail notifications
- Automation with audit trails (e.g., compliance ready)
- Risk management

Convergence Reduces Costs & Risks

1+1>2

Benefits of Convergence

Role-Based Access

The best practices future state would build access databases based upon the role the individual has at the institution. As their role changes throughout their career, their access would change based upon their new role.

This helps to ensure that no person continues to have access to areas no longer needed for their job function.

Role-based access helps to eliminate, or at least control, the habit of giving people access on a door by door basis.
Each member of the faculty or staff has a role that should be definable for access just as their role is defined for job function.

Role-Based Access

Role-based access control could be automatically driven by changes to the HR system as promotions occur.

The role for access control could be specified as a part of the people information system just like a job title or duties.

Every member of the faculty and staff has a role associated with specific buildings and the rooms within them.

Students also have roles, such as assigned dorms and possibly labs or rooms based on class schedule.

Higher “Aligned” User Acceptance

With a common platform being used, operators spend less time fighting the differences among various packages when trying to accomplish a task like calling up a field device or entering a response into an incident management database.

Training costs are reduced for new operators since they do not have to learn software packages from multiple manufacturers.

With a common platform running all information management systems, the IT and Networks departments have an easier task of managing the head end equipment and backing up data.

Reduced Systems Operations & Maintenance

Systems working on a common platform allow operators to manage the situation instead of the technologies.

Systems sharing data allow multiple packages to cross-monitor various pieces of equipment.

With multiple systems displaying their combined information on a single screen, the operator can more easily call out maintenance issues as they occur and track the progress until completion.

Self-Enforcing

An over-arching information management system allows for programmed responses to incidents, with the controls necessary to not allow an event to be closed until completed.
Operator action tracking is easily performed by management to ensure that policies and procedures are followed, without having to generate reports from several different packages, such as for changes made in the physical access control system and the identity management system.

Event-Based Reporting

This is monitoring by exception. The operator is not spending time watching cameras or alarm screens that have normal activities occurring.

If an event or incident happens, a device such as a door contact, an emergency phone call button, or a tamper switch triggers an alarm. The various systems involved or interconnected in the area perform their tasks, like a PTZ camera spinning to a preset.

The operator screen displays the alarm condition and a graphic map showing the area involved, and the nearby cameras display scenes for assessment.

As the operator moves to another part of the building, the new cameras and graphic maps update as the task is performed.

Would Your Team Pass The Test?

The fateful day arrives when the University must contend with an actual incident, such as the threat of a potential shooter on campus OR an actual shooter.

University Police, who have been kept out of the loop regarding almost every past decision about security and systems, must now marshal their forces and efficiently and effectively perform all of their duties.
• Assess the situation
• Alert students, faculty, staff, and visitors
• Bring a swift conclusion to the incident

Would Your Team Pass The Test?

Dispatch operators may have to call up several versions of the same software or several different software packages when trying to perform a building lock-down or camera video assessment.

They may have to enter the same emergency alert message into several broadcast systems to cover the campus.

Police officers may have to physically go to a building or dormitory to make announcements because of existing legacy systems with no ability to integrate or be managed through Campus Police.
All this during a period of time when the Dispatch operator is under extreme stress trying to perform their dispatch and police duties.

Questions?

Michael W. Tibbs, CPP, CSPM
Mtibbs@corprisk.net
913-422-0410

D. Clay Shropshire, MBA, CPP, CSPM, PSP
Cshropshire@corprisk.net
913-422-0410
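
The HR-driven provisioning described on the Role-Based Access slides, as an added example that is not part of the original presentation: each person's door entitlements are derived from the role in the HR record and compared with what the access control system currently holds, so a promotion, a separation, or a door granted by hand shows up as an explicit grant or revoke. The role names, door names, person IDs and the reconcile helper are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed role -> door mapping (assumption; a real site defines its own).
ROLE_DOORS = {
    "chem_faculty": {"SCI-MAIN", "SCI-LAB-210", "SCI-STOCKROOM"},
    "dean_science": {"SCI-MAIN", "ADMIN-MAIN", "ADMIN-DEAN-SUITE"},
    "housing_staff": {"DORM-A-MAIN", "DORM-A-OFFICE"},
    "student_dorm_a": {"DORM-A-MAIN"},
}

@dataclass(frozen=True)
class Person:
    person_id: str
    role: str      # role carried in the HR / people information system
    active: bool   # False once HR records a separation

def entitled_doors(person):
    """Doors a person's HR role entitles them to (fails closed)."""
    if not person.active:
        return set()
    # An unknown role yields no doors rather than keeping old access.
    return set(ROLE_DOORS.get(person.role, ()))

def reconcile(hr_records, pacs_grants):
    """Return {person_id: {"grant": set, "revoke": set}} for every mismatch.

    hr_records  -- iterable of Person (the authoritative source)
    pacs_grants -- {person_id: set of doors} as held by access control
    Card holders that exist only in access control are fully revoked.
    """
    by_id = {p.person_id: p for p in hr_records}
    changes = {}
    for pid in sorted(set(by_id) | set(pacs_grants)):
        want = entitled_doors(by_id[pid]) if pid in by_id else set()
        have = set(pacs_grants.get(pid, ()))
        grant, revoke = want - have, have - want
        if grant or revoke:
            changes[pid] = {"grant": grant, "revoke": revoke}
    return changes

# Constructed sample data.
SAMPLE_HR = [
    Person("p100", "dean_science", True),     # promoted from chem_faculty
    Person("p200", "housing_staff", False),   # separated
    Person("p300", "student_dorm_a", True),   # unchanged
]
SAMPLE_PACS = {
    # Old faculty doors plus one door added by hand, door by door.
    "p100": {"SCI-MAIN", "SCI-LAB-210", "SCI-STOCKROOM", "DORM-A-OFFICE"},
    "p200": {"DORM-A-MAIN", "DORM-A-OFFICE"},
    "p300": {"DORM-A-MAIN"},
    "p400": {"SCI-MAIN"},                     # no HR record at all
}

if __name__ == "__main__":
    for pid, delta in reconcile(SAMPLE_HR, SAMPLE_PACS).items():
        print(pid, "grant:", sorted(delta["grant"]),
              "revoke:", sorted(delta["revoke"]))
```

Running the reconciliation on a schedule, or on each HR change event, also produces the audit trail of grants and revocations that the Convergence slide lists under software controlled processes.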