Showing posts with label CCTV Data. Show all posts
Showing posts with label CCTV Data. Show all posts

Saturday, November 10, 2012

Managing risks to CCTV data and systems



CCTV systems collect all types of information for a wide range of reasons. While the equipment is valuable, it is almost always the records, and the information they hold, that matter the most.
Many CCTV systems record images of people, especially if they are set up in a public space. This type of record is 'personal information', which is protected under privacy legislation. As a result, every effort should be made to keep the records secure and avoid misuse.
Managing the risk to records protects the CCTV owner as well as the individual being recorded. CCTV records may be used as evidence in criminal proceedings. They can also be used to demonstrate that an innocent activity was genuinely innocent. Either way, the records should be stored securely until they are handed over to the police. For private operators, there may also be good commercial reasons for ensuring confidentiality of the records.
At a basic level, the question is: what can go wrong, and how much does it matter?
CCTV systems are exposed to a range of intentional physical security risks such as tampering with camera placement, power supplies, communications cabling and controlling equipment.  These risks may be prevented with physical control measures, such as housing these items in locked enclosures appropriate to the risk and environment (such as equipment that is accessible to the public).  Procedural security can be used to deter and detect attacks on CCTV infrastructure by visual inspection and review of indicative alarms.
Natural disasters also present risks. You can't prevent fires, floods, or earthquakes, but you can minimise the risk of damage or loss of data from your CCTV system.  While insurance can cover the loss of equipment, data is not replaceable. A good offsite backup system for electronic data, such as CCTV video, configuration data, usage logs etc, can reduce this risk.  Systems that instantaneously backup data provide less likelihood of data loss when compared to scheduled periodic backups.
Modern digital CCTV systems are typically dependent on computing equipment performing continuously.  Protection from inevitable hard disk failure is usually provided with redundant disk storage systems (using RAID arrays).  Once a disk failure has been detected (automated detections should be tested regularly) it can be substituted with a replacement disk onto which the missing data is automatically copied. This rebuilding process can take many hours due to the large storage capacity which presents additional risks; the storage system may not cope with rebuilding load resulting in missing data, and data from any further coincidental disk failure(s) may not be protected (depending on the redundancy design).   Whilst it may be impractical to have full CCTV system redundancy it may be prudent to maintain service spares of essential components.  For example, power supplies are required for interrogation of system data or access live CCTV resources.  As such battery backup and/or alternate utility supplies may be warranted.
Attacks on CCTV information from human threats can be grouped as:
  • Availability; the information is not required when needed.  Information may have been deleted accidentally or maliciously, or normal access prevented through disruption to normal processes, such as physically damaging equipment and communications or inundating communication channels.
  •  Accuracy; the information has been compromised. This may include substitution of real data with artificial data, or breaching evidential requirements for handling information that casts doubt on its authenticity.
  • Confidentiality; the information has been disclosed to unauthorized persons.  This may have occurred with or without knowledge of the CCTV system owner.  An obvious example of this is the unauthorized duplication and dissemination of video to media outlets - made easier if operators have ready access to high speed internet connections.  A less obvious example may be an unauthorized access by computer 'hackers' where CCTV systems are interconnected with other data networks.
  • Integrity; the information has been compromised. This may include substitution of real data with artificial data, or breaching evidential requirements for handling information that casts doubt on its authenticity.
Even with the best of intentions, mistakes can and do happen. They include accidentally deleting records or even entire hard drives, overwriting backups, forgetting to maintain a system, placing cameras in the wrong place, or forgetting to make a regular, scheduled backup. Some of these can be prevented by information management policies that include user training and restricting access to system resources, usually with logical access control (such as user sign log-on accounts). This can also help reduce the chances of deliberate actions aimed at destroying or stealing data or equipment.  Personnel security vetting is often included in licensing requirements and can reduce risks of inappropriate usage by CCTV operatives.
It is worth considering how you will manage these and other risks to the security of your CCTV equipment and records. Most strategies fall into one of four categories:
  • Avoid the risk - for example, by moving a camera out of reach of vandals, or locking a door after hours.
  • Transfer the risk - for example, by outsourcing the CCTV system and ensuring that contracting organizations, within the contract, are responsible for the security of records.
  • Accept the risk - for example, by relying on default settings in CCTV equipment because you believe the risk is low.
  • Reduce the risk - for example, ensuring only authorized people have access to CCTV computer systems and information.
In most cases, the final approach uses several strategies and depends on individual circumstances. It ultimately depends on the value of the records, the risk of loss or damage, and the consequences. These decisions are best made before the records are collected and, if possible, before a CCTV system is even installed.  It is advisable to have an Information Security Management Plan that includes CCTV systems to ensure that risks are treated appropriately.  The policies and procedures used to apply information security should be competently reviewed and executed.
Government organizations have an additional obligation to consider the security classification of CCTV records and may consider implementing an information classification policy in accordance with the relevant government regulations. The agency's security officer should be contacted for advice in these cases. 
Information classification should be considered by private CCTV system owners, particularly with the advent of computer based CCTV system designs and high capacity portable media.
This process helps provide assurance that CCTV records information will be handled appropriately to reduce negative risks.