Legacy Systems

Sunday, June 20, 2010
Designing Efficiencies and Performance
into Your Security Platform
• Introductions
• Fundamentals of Creating an Effective Program
• Current State - Legacy Systems
• Future State - Integration versus Interfacing
• The Value of a Role-Based Systems Approach
• Questions & Answers
CRSI Team Introductions
Michael Tibbs
Vice President – Operations
Senior Managing Consultant
Professional Experience
36+ years of security consulting experience in higher education, industrial, and corporate security settings,
including work in investigations, security management, and consulting.
Specializes in providing consulting services in the following areas: regulatory compliance; security master planning;
physical and information protection programs (assessments, systems design, and policy and procedures);
security project management; business continuity planning; security awareness and training programs.
Managed security forces for Penn Valley Community College, Cleveland Chiropractic College, Brown Mackie
College and Maranatha Baptist Bible College. Managed security for the University of Wisconsin - Madison
athletic events including football, basketball, swimming, and hockey venues. Project manager for a large
security risk assessment and lighting design project for the State University of New York at Buffalo (SUNY UB).
Developed and managed security programs for hundreds of clients, many of the Fortune 100, including the nation’s
leading auto manufacturer, one of the top three telecommunications companies, numerous electric, natural gas,
and water treatment utilities, hospitals, high-rise office buildings, college campuses, retail distribution centers,
apartment complexes, stores, railroads, trucking companies and manufacturing plants.
Certified Protection Professional (CPP)
Certified Security Project Manager (CSPM)
Certified in Risk Assessment Methodology for the Security of High Voltage Electric Transmission Systems (Sandia
National Laboratories)
Advanced CPTED Practitioner
CRSI Team Introductions
D. Clay Shropshire, MBA, CPP, PSP, CSPM
Security Consultant/Auditor
Systems Design / Systems Engineering Credentials
Completed Design & Engineering Projects for the State University of New York at Buffalo,
Brigham Young University, Hallmark Cards, Blue Cross & Blue Shield, Sprint, American
Express, Missouri Western Correctional Facility, Potosi Prison, the US Postal Service,
the City of Tallahassee, Oklahoma Gas Electric, Kansas City Power & Light, Black &
Decker, Whiteman Air Force Base B2 Bomber Support, Charlotte Motor Speedway, JC
Penney Company, SD Army Reserve National Guard
Masters of Business Administration
27 Years Experience in Security Systems Design, Systems Engineering, Project
Management, and Consulting, Primarily in Designated US Critical Infrastructure
Specializes in Physical and Information Protection Programs (Assessments, Systems
Design, Systems Engineering, and Policy & Procedures); Security Master Planning;
Security Project Management; Regulatory Compliance; Security Awareness & Training
Advanced CPTED Practitioner
Certified Protection Professional (CPP)
Professional Security Professional (PSP)
Certified Security Project Manager (CSPM)
Completed Factory Training Schools through Pelco, Lenel, Software House, Commend,
Stentofon, AMAG, Panasonic, International Fiber Systems, Anixter, Bosch, Axis
Security Planning
There is no free lunch or painless approach to security.
Security, along with network capacities and capabilities, are just like facilities,
parking areas, or green space. They must be planned and coordinated in
the beginning of the planning and design phase for maximum effectiveness.
This means that they must be designed and planned with an eye towards the
future and the big picture.
The future and the big picture must be understood and communicated to all
participants of the planning process.
The big picture is a fully integrated systems approach seamlessly sharing
data across the network managing exceptions to the norm.
Work Function Differences
There is a difference between police functions and security functions.
Police functions include dispatching, incident response at the scene, crowd
control, traffic control, incident investigation, and arrest powers
Security functions include alarm monitoring, alarm assessment, systems
management, and the notification of authorities
Current State
Many colleges and universities combine police and security functions tasking
dispatchers monitor alarms, assess alarms, and notify other authorities.
The biggest problem with this approach regards the various disparate
systems installed across the footprint with little or no ability for the dispatcher
to quickly and easily navigate through them to get the needed information.
Universities tend to be enclaves of autonomous departments, each vying for
limited funds to expand their programs to attract the best and the brightest
students and faculty.
Current State
The Science Department, by upgrading its labs, can bring in tuition dollars
through increased enrollment so it can be viewed as a money generating
The Athletics Department, by upgrading its training & practice facilities, can
improve its sports teams bringing in funds through higher ticket prices and
filled venues so it can also be viewed as a money generating center.
The Student Housing Department, by
updating dormitory rooms, buildings,
and food service facilities, can cause a
student or parent to prefer your
University over another, again
increasing tuition dollars so it can be
viewed as a money generating center.
Current State
The University Police Department is viewed as a cost center.
There has probably been no student or parent who decided upon enrollment
at a particular institution of higher learning because of the quality or quantity
of Campus Police.
There have been parents who have decided that their child would not attend a
particular college or university because of their perceived lack of general
security across campus or in the dormitories.
Current State
Since University Police Departments tend to be viewed as
cost centers, they may not have been included in
discussions regarding future plans.
When the Science Department decides to upgrade its labs, the Police
Department gets tasked with monitoring alarms from systems included in the
bid specs. These systems may not match any other system installed at
present on campus, thus creating another legacy system.
When Student Housing decides to upgrade its dormitories to add physical
access control and/or closed circuit television systems, these systems may
be managed by this department. University Police may be allowed into
Student Housing systems but it may require special permissions or changes
in software. This system could be a totally independent system used only by
this department.
Legacy Systems
Physical Access Control Systems
Intrusion Detection Systems
Closed Circuit Television Systems
Video Recording Systems
Intercom Systems
Incident Reporting Systems
Fire and Life Safety Systems
Emergency Communications Systems
Legacy Systems
The most common state of affairs for a campus will have existing systems
installed throughout the footprint based on the desires of the various
autonomous departments.
Systems could be old style that are processor based requiring human
interface at the control equipment, such as a voice evacuation system
requiring local microphone announcements.
Systems could be newer network systems that are dissimilar from others of
the same type, like having different manufacturers of access control.
Legacy Systems
They could consist of equipment that does not
integrate or was not properly sized for the total
application, such as a 16 channel digital video
recorder installed instead of connecting cameras to
a network video recorder.
Legacy systems could include cutting edge
equipment with little thought given to other system
constraints, like installing several mega-pixel
cameras across the campus only to find out that
the video streams bring the network to a crawl.
There could be multiple independent packages of
the same type of equipment as used by different
campus departments, like using a specific brand of
access control but each department has their own
Security & Computers
In the early days of computers, each group or department could purchase
their own computer equipment and software because the different systems
could not communicate with each other. Accounting ran on a token ring
independent from Food Service running on SNA.
As Ethernet networks became more widely used and interconnected,
standards had to be established as to equipment, software, and
infrastructure due to management and security of the network.
Campus security has not fully
made this leap by establishing
standards as to equipment,
software, and infrastructure due
to management and security of
the campus.
Future State
As stated earlier, the big picture is a fully integrated systems approach
seamlessly sharing data managed by trained security operators.
There are two ways to achieve this future state.
First, plan and design for it now as legacy systems are replaced or facilities
are constructed.
Second, purchase an over-arching integrated multi-systems management
Achieving Broad Based Support
Since colleges and universities have had independent
departments for many years, they want to continue to silo
all decisions and control their own systems.
As computer networks came on the scene, campus-wide standards had to be
set for the Networks Department to properly manage the network. That
meant taking over control as to the equipment types that the departments
are allowed to connect to the network.
By the same token, Campus Police must insist on campus-wide standards as
to equipment due to systems management. They are tasked with efficiently
and effectively managing a crisis situation, which can be next to impossible if
equipment and systems are not compatible or independently owned and
controlled by various departments on campus.
How to Not “Reinvent the Wheel”
Fixed Cameras
Always “watch” a single scene
Can record and trigger an alarm based on motion in the area
Generally requires less bandwidth
Generally requires less video storage capacity
Fairly inexpensive
Pan, Tilt, and Zoom Cameras
Have the ability to “watch” many area, but only one at a time
Can not record based on motion since the camera moving creates its
own motion
Generally requires more bandwidth
Generally requires more video storage capacity
Can snap to a preset based on an external trigger like a door position
switch or emergency button activation
Fairly expensive plus requires additional infrastructure for telemetry
Lighting Types
Sodium Vapor – Casts a yellowish tint on the scene with higher
infrared levels making them good for monochrome cameras
but bad for color cameras.
Metal Halide – Casts a white light on the scene for good color
rendition at night
Halogen – Casts a white light on the scene with instant on
Infrared Illumination – Casts invisible light on the scene
allowing a monochrome camera to view dark areas as if it
was bright sunshine
LED Illumination – Casts IR illumination on the scene with
instant on capabilities for close subjects
Lighting Characteristics
There is a difference between light levels required for the human eye to “see”
a scene at night and the levels required for a camera to produce a usable
image of the same scene.
Camera specifications show the minimum illumination – based on 75% - 90%
reflectance of the subject back to the camera.
Backgrounds make a big difference at night
Asphalt = 5%
Brick = 25%
Grass = 40%
Snow = 90%
Campus Culture
The campus is supposed to be open and welcoming, offering freedom of
movement and the exchange of ideas.
Challenge for Campus Police, administration, and staff is to facilitate this
feeling of freedom while securing the people, buildings and grounds.
Technology – Selection & Life Cycle
Question that must be addressed…
Who will own the systems?
Who decides what systems will be incorporated into the total footprint?
Who will actually manage the systems, both from a head end equipment
perspective and from a programming perspective?
Will this new system aid or hinder the Campus Police from effectively
performing their functions?
What is the future plans for this system?
What policies and procedures have been created or need to be created
regarding this system?
Technology – Selection & Life Cycle
Question that must be addressed…
Should this system be connected to emergency power?
If so, what parts must be connected, where will those parts be located, and
from where will they derive their power?
If the system depends on the campus network for signal or data transmission,
are the various data switch closets also on emergency power circuits?
Campus IT Networks’ Concerns
Bandwidth – driven heavily by video compression.
• H.264
Standard Cameras versus Mega Pixel Cameras
IP Cameras versus Analog Cameras
Independent Power versus PoE
Campus IT Networks’ Concerns
Servers & Switches Manufacturers and Model Numbers
Storage Method & Amount
• Storage Area Network
System Head End Management
Cable Management
Where do we go from here?
The first order of business is to evaluate all legacy systems with an eye
toward using them for assessment purposes in the event of an actual
emergency situation.
If a system, such as the CCTV system, has several independent sub-systems
being used by various departments across the campus, upgrade to an
Enterprise or Corporate edition for master system administration and
If the various departments have purchased different manufacturers, replace
older systems with a single platform as planned obsolesce occurs.
If systems are connected via inputs to outputs, upgrade systems to allow data
to be transferred and shared across the platforms for seamless integration.
If the systems are too varied and numerous, look to an over-arching rules
manager system that has the ability to integrate data exchanges.
Systems Acquisition
Areas of concern during the planning and design phase would include:
Bandwidth required for field devices
Systems licensing for field devices & head end servers
HR management systems compatible (SAP, PeopleSoft)
Ability to integrate with other installed or planned systems
Systems back-up or redundancy
Network firewall and cyber security compatible
Database compatible (Oracle or SQL)
Identity management systems compatible
Server platforms
Computing power
Ongoing maintenance is vital for properly functioning systems.
Annual licensing requirements for software
Patch management
Periodic equipment cleaning (camera housings & light fixtures)
Periodic maintenance (replacement of non-functioning devices)
Integration versus Interfacing
Interfacing of systems means that inputs from one system are connected to
outputs to another system but there is no sharing of data. Each system acts
independently of each other performing the assigned functions based on
their connected inputs and outputs. Each separate system must be viewed
in separate windows or head end equipment.
Integration of systems means that data is transferred and shared among
software packages with interconnections such that an action through one
system automatically triggers events in associated systems bringing all of
the information onto a single screen for operator use in assessment of the
1. Interfacing of mission critical systems
- Zero time provisioning and de-provisioning
- Employees continue to use the tools that they’ve always used
- Event correlation and forensics
2. One card solutions for physical security and IT
- Leverage investments
- Reduced total cost of ownership
3. Software controlled processes
- User self-service web portals with e-mail notifications
- Automation with audit trails (e.g. – compliance ready)
- Risk management
Convergence Reduces Costs & Risks
Benefits of Convergence
Role-Based Access
The best practices future state would build access databases based upon the
role the individual has at the institution. As their role changes throughout
their career, their access would change based upon their new Role. This
helps to ensure that no person continues to have access to areas no longer
needed by their job function.
Role based access helps to eliminate or at least control the habit of giving
people access on a door by door basis. Each member of the faculty or staff
has a role that should be able to be defined for access just like their role is
defined for job function.
Role-Based Access
Role based access control could be automatically
driven by changes to the HR system as promotions
Role for access control could be specified as a part of
the people information system just like a job title or
Every member of the faculty and staff has a role
associated with specific buildings and rooms within.
Students also have roles such as assigned dorms and
possible labs or rooms based on class schedule.
Higher “Aligned” User Acceptance
With a common platform being used, operators spend less time fighting the
differences among various packages when trying to accomplish a task like
calling up a field device or entering a response into an incident management
Training costs are reduced for new operators since they do not have to learn
software packages from multiple manufacturers.
With a common platform running all
information management systems, the
IT and Networks departments have an
easier task of managing the head end
equipment and backing up data.
Reduced Systems Operations & Maintenance
Systems working on a common platform allow operators to manage the
situation instead of the technologies.
Systems sharing data allow multiple packages to cross-monitor various
pieces of equipment.
With multiple systems displaying their combined information on a single
screen, the operator can more easily call out maintenance issues as they
occur and track the progress until completion.
An over-arching information management system allow for programmed
responses to incidents with the controls necessary to not allow an event to
be closed until completed.
Operator action tracking is easily performed by management to ensure that
policies and procedures are followed without having to generate reports from
several different packages such as changes made in the physical access
control system and the identity management system.
Event-Based Reporting
This is monitoring by exception. The operator is not spending time watching
cameras or alarm screens that have normal activities occurring.
If an event or incident happens, a device such as a door contact, an
emergency phone call button, or tamper switch triggers an alarm. The
various systems involved or interconnected in the area perform their tasks
like a PTZ camera spinning to a preset.
The operator screen displays the alarm
condition, a graphic map showing the area
involved, and the nearby cameras display
scenes for assessment. As the operator
moves to another part of the building, the
new cameras and graphic maps update as
the task is performed.
Would Your Team Pass The Test?
The fateful day arrives when the University must contend with
an actual incident such as the threat of a potential shooter
on campus OR an actual shooter.
University Police, who have been kept out of the loop
regarding most every decision regarding security and
systems in the past, must now marshal their forces and
efficiently and effectively perform all of their duties.
Assess the situation
Alert students, faculty, staff, and visitors
Bring a swift conclusion to the incident
Would Your Team Pass The Test?
Dispatch operators may have to call-up several versions of the
same software or several different software packages trying to
perform a building lock-down or camera video assessment.
They may have to enter the same emergency alert message into several
broadcast systems to cover the campus.
Police officers may have to physically go to a building or dormitory to make
announcements because of existing legacy systems with no ability to
integrate or be managed through Campus Police.
All this during a period of time the Dispatch operator is under extreme stress
trying to perform their dispatch and police duties.
Michael W. Tibbs, CPP, CSPM
D. Clay Shropshire, MBA, CPP, CSPM, PSP