
Saturday, January 26, 2019

CCTV Control Room Operator selection - A best practice guide

By Arindam Bhadra
A doctor; a teacher; an environmentalist. There is one common motivation why you would choose one of these careers: to help people. But there’s one more career that sits in the background and doesn’t get as much limelight as it probably deserves.


BS EN 50132-7: 2012 and BS EN 62676-4 clause 12.1 state: “If the CCTV (closed circuit television) system has a requirement for live viewing, camera control, system management, or any other human intensive tasks, a control room should be specified to house these functions. The ‘control room’ could be a single workstation, or a large operations centre.” The effectiveness of video surveillance / CCTV control rooms is influenced by a variety of factors. CCTV operators are usually technology buffs who love the technological side of video surveillance systems. Operators in a CCTV control room face several issues, ranging from poor attention span, video blindness, fatigue, boredom and lack of situational awareness to bias and false alerts.
There is, however, another side to the CCTV video surveillance sector that the world desperately needs. Keeping people safe from harm and maintaining order in our society has become a lot easier as CCTV technology advances. However, the ‘human factor’ within the CCTV system is equally important in achieving the objectives of the CCTV function. The capacity of the person selected in any job will determine the success of that person in the position, no matter what kind of environment it is.
I’ve heard it mentioned that CCTV is as simple as watching TV, including by a senior police officer in India who should have known better. Similarly, the placement of contract guards into CCTV positions when they have received no training and don’t know what to look for is also common. Anyone working where detection is critical will know that the operator is the most essential part of CCTV service delivery.
“Cameras never lie”, but how will you know unless you ‘see’ what the cameras ‘saw’? Do audit your CCTV; why suffer? The CCTV control room should be set up, or redesigned, according to a CCTV operational requirements plan, and the CCTV room staff, as end-users, should participate in this process.
BS EN ISO 11064-1 covers the ergonomic design of control centers: principles for the design of control centers.
A CCTV video footage auditor can be defined as one who audits, reviews and closely examines CCTV footage daily, at periodical intervals, with an intent to discover the ‘unknown’. Using all the tools available at her/his disposal, she/he ‘looks out’ for exceptions, process violations, abnormalities, performance lapses, behavioral patterns, potential threats, risks and so on. She/he de-bugs bytes of visual information and multi-tasks by comparing past cases. ‘Auditing’ means ‘seeing’ what the cameras ‘saw’. CCTV video footage should be audited daily; several times a day if need be. Depending on the requirements, auditing of CCTV footage of critical cameras on a daily basis must become an SOP.


“The capacity of the person selected in any job will determine the success of that person,” says Mr. Shankar Mallik, Director, Uma Enterprise, a leading system integrator in the security automation field.
Selection of CCTV operators
The selection of CCTV operators should follow a formal process and be based on a sound analysis of the job tasks. It is acknowledged that in some cases CCTV operators are selected and employed by third party contractors. Nevertheless, there may still be opportunities for CCTV managers to influence the appointment and training of these individuals.
Selecting the right people for the CCTV operator role will help to maximize the motivation and job performance of the operator team. Within larger organizations the recruitment and selection of personnel is often the responsibility of the human resources function. However, depending on the context, managers may exert a degree of influence on the selection process for CCTV room staff. CCTV roles will differ across sites, and the actual job requirements should flow from the organisation’s goals and the operational requirements of the CCTV room. In line with this, the selection process should begin with a suitable examination of what the role entails via an analysis of the job.
Job Profile could be:
  1. Sitting in front of a bank of up to 15 screens, constantly monitoring the live pictures that come in from the surveillance cameras
  2. Operating the position of the cameras, for example if a cash machine is about to be emptied, you would focus the camera on the security guard
  3. Monitoring anyone acting suspiciously, and alerting security staff or police if you see an act of theft, vandalism or any other crime
  4. Monitoring cleaning staff working in large empty buildings for their safety
  5. Notifying the police of any anti-social behaviour
  6. Keeping a log of all incidents to pass on to police
  7. Being called to give evidence in court as a witness.

Job analysis:
Job analysis is designed to produce systematic and reliable information about a particular role. It provides the basis for writing an accurate job description, will assist in developing a structured interview and serve as a basis for any selection tests which might be used. The aim of the job analysis is to derive a comprehensive list of job tasks, how they are carried out and the worker characteristics – aptitudes, skills and experience – which are necessary to perform them. As well as covering the current role it is a good idea to consider how the job may change in the foreseeable future. The organisation’s human resources department may have a preferred method for carrying out job analyses. For the CCTV operator role (compared to say, a senior management role) the job analysis may not need to be very complex. Since any amount of footage from any given day could be required at any given time, properly storing footage is one of the most important roles of a CCTV Operator. Storage policy can vary slightly from company to company, but in general CCTV Operators will need to correctly catalog all footage so that it can be easily recalled at a later time.

Selection process
Once the job has been adequately defined, selection of candidates can begin. The interview is still by far the most widely used method of selection; however, evidence suggests that the traditional ‘unstructured’ interview is not a particularly good predictor of job performance. Structured interviews have been found to be twice as valid (i.e. predictive of future job performance) as unstructured interviews.

Tests
Tests fall broadly into two categories. The first category includes tests of cognitive ability such as aptitude tests and tests of general mental ability (for example numerical reasoning, verbal and non-verbal reasoning, visual-spatial abilities). The second consists of personality tests that aim to measure personal traits and preferences; for example, a person who measures high on the trait of ‘conscientiousness’ is likely to demonstrate a reasonable level of persistence when performing a variety of tasks.

Operator Skills
Successful CCTV Operators are mindful, alert and scrupulous individuals who are highly dedicated to protecting others. In addition to having a talent for all things technical, they also have the ability to quickly identify patterns and abnormalities. In addition to these general personality traits and abilities, employers are looking for CCTV Operators with the following skills:
  1. Surveillance System Knowledge: Because extensive knowledge of video surveillance systems is so crucial to the job of a CCTV Operator, many employers require CCTV Operators to have video surveillance certification of some kind.
  2. Attention to Detail: CCTV Operators must be able to identify small, seemingly insignificant details that most people would overlook. This ability allows them to keep the area as safe as possible.
  3. Ability to Multitask: Even when a CCTV Operator receives a phone call or has to speak to a colleague, they must always be keeping an eye on the monitors.
  4. Ability to Work Independently: For the most part, CCTV Operators will not be required to interact with very many people. Because of this, it is important that they’re able to work and stay alert without constant supervision.
  5. Communication Skills: Since CCTV Operators will occasionally have to give statements to police officers, communicate with emergency services or even appear in court, they need to have strong written and verbal communication skills.

Training
Training is important for motivation and performance and should be designed to meet operational needs. Where CCTV operators are employed directly by the organization /site at which they work, there will be greater scope for influencing training in comparison to where the operator/guard force function is sub-contracted to an external organization. However, contracted operators should have received at least basic training in CCTV.
Methods for carrying out the training needs analysis include interviews, observations, focus group discussions and questionnaires with job incumbents and other stakeholders. Existing job analyses/person analyses may not be up to date so it could be worth taking a current view of the job role.
Since the exact role of a CCTV operator will differ from organisation to organisation, detailed training needs will necessarily differ. However, as a minimum, it is recommended that training should cover the areas in the following list.     
  1. Induction into the CCTV role, CCTV team and the wider organization.
  2. Operation of all CCTV room equipment.
  3. Team building with the immediate team.
  4. Detailed knowledge of camera positions and of the site(s) to be monitored – in practice this means getting out and ‘walking the plot’ wherever possible – including visits to remotely monitored sites.
  5. Knowledge of the current nature and level of security threat to the site(s) – the local police authority or Intelligence Bureau can provide advice on this.
  6. Knowledge of the nature of unwanted or suspicious behaviors/incidents as they relate to the site.
  7. Understanding of the role of relevant external teams, agencies and/or networks. It can be beneficial to operate a policy requiring operators to regularly visit members of the team who are based ‘on the ground’ in the site being monitored, or even those in related agencies or organizations.
  8. Preparation for emergencies. Such training is often achieved using incident simulations / scenarios that attempt to model the conditions of a real emergency.

Spatial awareness
We find that often the 80/20 rule applies in surveillance, with about 80% of the incidents being detected by 20% of personnel. I can often see the motivation differences within the training environment as well where people committed to detection have a different philosophy. So one of the first criteria I would want in any operator who would work for me would be to be able to demonstrate a history of detection. Not ‘we detected’ which often covers up a lack of individual involvement, but ‘I detected’. By keeping an eye on them, criminals can be stopped the moment they want to perform a crime. The increased attention may even stop them in their tracks. A CCTV operator who is motivated by his or her moral values finds excessive joy in using expert skills to protect people and their possessions in public venues. Good quality cameras and monitors, along with effective placement, will allow operators to observe the environment well and support their ability to understand the location and likely direction of targets during a dynamic incident – i.e. maintain ‘spatial awareness’. Spatial awareness is an understanding of our location in space and the organisation of objects around us. What operators need to see in the environment will depend on their tasks, which should link to the operational requirements of the control room. Ideal specification and positioning of cameras is dependent on operational requirements but also on what an operator needs to complete a task successfully.

Leadership and management
Research indicates that highly motivated employees perform better and show more commitment to the organisation than unmotivated employees. The way that people are managed and led can significantly affect their perceptions about their job, and in turn their job motivation. Motivation can be a personal trait (i.e. be part of someone’s personality) but it is strongly influenced by elements of the job itself. It is also associated with the rewards a person receives from doing the job. Rewards include the personal satisfaction from a job well-done, as well as recognition from the organisation’s customers, team members and managers.
The minimum recommendation here is that first line supervisors and/or managers should receive formal leadership training which is aimed at achieving effective team and individual performance and which is appropriate for the context in which they work.

Appraisal
Regular appraisals help encourage employee motivation and maintain commitment. At minimum:
·        Appraisers should receive appropriate training for conducting company appraisals.
·        Appraisals should identify mutually acceptable performance and development goals. These individual goals are often linked to the goals of the team, department and/or organization.
·        Appraisals may or may not be linked with rewards (including pay); however, where they are linked with rewards, care should be taken to ensure that the process of reward distribution is systematic and fair, and also perceived as such by all team members.

Pay
The figures below are only a guide. Actual pay rates may vary, depending on:
·        where you work.
·        the size of the company or organization you work for.
·        the demand for the job.
CCTV operators can earn from around ₹ 14,500 to ₹ 15,800 per month. With experience, this could rise to ₹ 17,000 per month. You may get a shift allowance.

Ref:
BS EN ISO 11064 books.
BS EN 50132-7 books.
BS EN 62676-4 books.

This article was published in Safe Secure magazine, Volume 10, Issue 1 (January 2019).

Saturday, November 3, 2018

Video Security Dual Responsibility GDPR

Video Security Organizations’ Dual Responsibility Under GDPR

GDPR, the EU General Data Protection Regulation, came into effect on May 25th, 2018. The regulations are designed to protect the data privacy of European Union (EU) residents, but because the rules affect any company handling EU data, the true influence of the GDPR is international in scope.

GDPR affects security technologies like video surveillance systems. Here’s what you need to know to improve your GDPR compliance.
GDPR is a regulation set forth to protect personal data and ensure the privacy of individuals within the European Union (EU), which is deemed to be a fundamental human right. The primary driver behind the regulation is to give individuals greater control over their personal data and how it is used. Despite its roots in the EU, GDPR also addresses the collection or storage of personal data from any EU citizen, as well as the export of data outside the region. Therefore, given the scope of GDPR, compliance is a global concern.

Because cybersecurity was a main driver behind GDPR, one of its mandates is that, in the event of a data breach, companies that collect personal data must report it to the supervisory authority within 72 hours. Failure to comply with this regulation could result in penalties equaling 4 percent of a company’s global annual revenues or 20 million euros, whichever is greater.

Given the importance of individuals’ privacy and the potential penalties for non-compliance, these are important discussions; however, this focus is not enough for those of us in the security industry, who have a dual responsibility under GDPR. Why is that?

In practical terms of protecting individual privacy, GDPR places much of the responsibility and obligation on businesses and other organizations that deal with personal data. One of the key features of the new regulation is that those who are being monitored need to be fully informed about what data is being held on them and how it is being used.

Under GDPR, this “personal data” is defined very broadly as “any information relating to an identified or identifiable natural person,” referred to as the “data subject.” Naturally, the first types of personal data that come to mind are the classic examples such as name, physical address, phone number and email address, all of which meet the criteria. But these are only starting points, as the range of personal data types is expansive, encompassing more than simply text-based data.

As security professionals, we must recognize the reality that video in which a person can be identified is also considered personal data and is therefore subject to GDPR guidelines and requirements. Therefore, as organizations, we need to determine how best to become compliant with how we handle customer and employee data, including surveillance video. This dual responsibility must come into play when we consider how we design and operate security systems and collect video data through surveillance, including how we store and manage that video data after collection.

To do so, it is important to explore how many of the steps organizations must take to become GDPR compliant are also necessary to ensure that video surveillance data is compliant as well. These steps surveillance operators must take – and how they can be applied to collected video – are outlined below.

Administration
In general, the first step in ensuring GDPR compliance is to choose an administrator and record data processing activities. As an organization seeking to become GDPR compliant, it is essential to have a person on staff – known as a data processing officer – who will ultimately be responsible for data integrity. Each company providing video surveillance must choose an administrator.

In a security environment, choosing this administrator allows for an open way to publicly identify the person who is responsible for data collected from the surveillance systems and provide that detail to anyone who is monitored by video upon their request. In doing so, it is key to also make the name of this data processing officer available to every person who requests data as prescribed under GDPR.

Every organization should also have a procedure in place for when an individual chooses to exercise their right of access to personal data or request its deletion, so that it can stay within the month-long window within which GDPR requires it to comply with these requests. When making such a request, it is reasonable to expect an individual to provide adequate information in order to locate this data – for example, an approximate timeframe, and the location where the footage was captured.

Documentation

GDPR also recommends that record of processing activities (ROPA) documentation be maintained and the following information be made available upon request:
  • Category of individuals to whom the processed personal data relates
  • Purpose for which collected data is used
  • Whether personal data will be transferred (to whom and for what reason)
  • How long personal data will be stored
  • Description of technical and organizational measures to ensure privacy

According to GDPR, administrators should take all appropriate measures to provide this information concerning the processing of their data by surveillance systems to monitored individuals in a brief, transparent, comprehensible and easily accessible manner.


ROPA documentation must also include a risk assessment for individuals’ rights and freedoms and planned measures to address these risks, which include safeguards and mechanisms to ensure the protection of personal data and compliance with GDPR. This should take into account the rights and legitimate interests of individuals and other affected persons.

In a surveillance environment, these items are equally important. Focusing for a moment on purpose and extent of surveillance, it must be clear why and how much video is being collected, and for what reason. One thing to discuss with potential solution providers is the concept of privacy by design and “GDPR-ready” product features. In evaluating solutions, organizations should look for those that will help them more easily become GDPR compliant. An example would be technology supporting defined view of a specific perimeter. By leveraging solutions to define the perimeter, organizations adhere to GDPR in that they can more easily specify the extent of video surveillance.

Data Processing Inventory Assessment (DPIA)
Once an administrator has been chosen and ROPA documentation is complete, a DPIA is required for cases of “extensive systematic monitoring of publicly accessible premises.”


This requires specifying in writing why and for what purposes the camera system is recording. For example, a city needs to manage electrical and water utility stations and must ensure the utilities provide residents with dependable service. Therefore, the perimeter of these utility stations must be protected against crime and theft. Under GDPR, the city can specify that the surveillance is provided for this purpose. Another example would be to ensure the safety of citizens during public events, as surveillance video may be used by the police to provide real-time situational awareness for officers in the field. In this case, it can be specified, in accordance with GDPR guidelines, that video is being collected to support public safety.


This information directly correlates to ROPA documentation, so again we can see the connection between becoming compliant as an organization overall, as well as ensuring compliance for GDPR with information and data collected in a surveillance environment.

Data Security
Cybersecurity has been a major topic within the security industry for some years now. The importance of a surveillance system being cyber secure extends to compliance with GDPR, with tight control of video data being another key recommendation. It is vitally important when specifying a system that these critical measures are taken into account. The less data that is readily accessible to those outside the scope of an organization’s video data management procedures, the less risk there is of becoming non-compliant. The same philosophy applies to data breaches; administrators must report any leaks within 72 hours of notification.


To ensure GDPR compliance, companies should employ strong measures to prevent unauthorized access to the personal data they store, including video. The specific tools and tactics used by each company will be unique to the challenges they face. In all situations, however, companies must employ robust security controls, stay up to date with cybersecurity best practices and ensure they are working with trusted partners that provide secure hardware and software, as well as thorough aftercare. Therefore, organizations must work with security professionals and partners to better understand potential cybersecurity risks and talk about ways they can harden their systems to ensure GDPR compliance.

From a compliance perspective, the processes that must be put in place to ensure the “right to be forgotten” in an organization are very similar to those necessary to ensure a surveillance system is also in compliance. This requires taking a systematic approach to how video data is stored, transferred and deleted. These methodologies will ensure that if an individual requests his or her video footage be deleted, business systems and organizational structure will be in place to adhere to this request in an efficient manner. The concept of “right to be forgotten” is a significant part of the GDPR guidelines, and as we are just months into this new guideline, the impact on organizations and system operators after requests are submitted still remains to be seen.

Data audit
The first step toward cybersecurity risk management is knowing what data your company is collecting and how it is stored. A comprehensive data audit is fundamental because you’ll need to discover what information your company handles that could create liability under the GDPR. The GDPR is very inclusive in its scope, so a data audit should look at all platforms, device types and departments.

Risk assessment

Once you've done a data audit to establish a clear picture of how your company’s data management works, you’ll be in a position to make a risk assessment:
  • What cyber-threats could your company face?
  • Where are the security weak-points in your technology infrastructure?
  • Do you have effective cybersecurity measures in place?

End-to-End Compliance
It is important to consider the full scope of video surveillance. As a surveillance operator collecting video about living individuals, an organization will fall under the category of data controller and be held responsible for data management in accordance with GDPR. Anyone having access to video data, including subcontractors and hosted service providers, must meet requirements as well. These companies or individuals who have access to recorded video on behalf of an organization, such as hosting providers, fall under the category of data processors. In terms of company compliance, review contracts to ensure all companies comply in the same way as the organization has planned. In terms of surveillance, be sure to check that any persons or organizations who have access to video are also compliant and that contractual relationships reflect these obligations.

Ultimately, it is the surveillance system user (i.e., data controller) who is responsible for GDPR compliance and safeguarding the rights of individuals whose personal data the user collects and processes. While the data controller has ultimate responsibility to follow GDPR, data privacy is a team effort. Remember: We are all in this together.

Therefore, for users of surveillance equipment, solutions and services, it is important to partner with suppliers that are committed to respecting and safeguarding individuals’ privacy and protecting personal data. Users should also be able to rely on suppliers and vendors for the support and technical assistance necessary to facilitate GDPR compliance.

Due to its intent, the onset of GDPR is a positive one. It will allow data processors and controllers to use data in appropriate ways and have clear guidelines/procedures in place for data collection, management and surveillance. Many companies follow guidelines such as the UN Global Compact when it comes to sustainability and environmental responsibility. The UN Global Compact provides 10 clear principles to help guide companies in their sustainability efforts. GDPR provides similar clear direction to companies looking to protect individual privacy, a fundamental human right.

Information on individuals is a valuable asset and needs to be properly protected. Apart from making good business sense, the reputation and success of your organization can be under threat if personal information isn’t managed appropriately. Organizations can demonstrate effective management of personal information with BS 10012 from BSI.

It helps you:
  • Identify risks to personal information and put controls in place to manage or reduce them
  • Demonstrate compliance with data protection legislation and gain preferred supplier status
  • Gain stakeholder and customer trust that their personal data is protected 
  • Gain a tender advantage and win new business
  • Safeguard your organization’s reputation and avoid adverse publicity
  • Protect you and your organization against civil and criminal liability
  • Benchmark your own personal information management practices with recognized best practice.

Basic Principles of the GDPR

Clearly Justified Purpose

All organizations must have a valid lawful basis for collecting and processing personal data.

Privacy by Design

The GDPR mandates that privacy must be a priority throughout system design and commissioning. The approach taken with respect to data privacy must be proactive, not reactive. Risks should be anticipated and the objective must be preventing events before they occur.
  
Right to Access

Under Article 15, the GDPR gives individuals control over their personal data including the right to see that data.

Right to be Forgotten

Under Article 17, the GDPR gives individuals control over their personal data including the right to have their personal data erased if it is no longer necessary for the intended purpose of the system.

Security

The GDPR requires that organizations have comprehensive policies and procedures ensuring personal data remains within the control of the organization at all times. Additionally, personal data breaches must be reported within 72 hours to the competent supervisory authority appointed by their country’s government.

Reference:
  1. https://www.mailguard.com.au/blog/gdpr-security-responsibility
  2. https://www.bsigroup.com/en-IN/
  3. https://edps.europa.eu/sites/edp/files/publication/10-03-17_video-surveillance_guidelines_en.pdf
  4. https://gdpr-info.eu/art-13-gdpr/