
Saturday, December 19, 2015

Arguments Against Video Surveillance


As the use of CCTV cameras increases across the globe, so does the debate over their numbers and motives. In a previous post, Arguments for Video Surveillance, we looked at four arguments for video surveillance. These arguments included peace of mind, loss prevention, crime deterrent, and crime solving.
But what about the other side of the fence? The ACLU has an entire Web site, You Are Being Watched, devoted to the “high costs of camera surveillance systems, both in terms of money and civil liberties,” and there are a large number of individuals and other groups out there that oppose “big brother” watching our every move.
So, what are some of the arguments against the use of CCTV surveillance systems?
  1. Invasion of Privacy – This is the most common argument against surveillance systems. While video surveillance is more commonly accepted in public areas, this sentiment comes into play with the use of covert and hidden cameras in almost every case.
  2. Mistrust – The use of security cameras in your home or business can make its occupants feel mistrusted. If your family members or employees are under constant surveillance, there is likely to be hostility and animosity in the air.
  3. Not Proven Effective – Studies done in California and London have found that security cameras had little to no effect on reducing the crime rate. With an increase in the sheer number of cameras in many large cities, many replacing human security guards, this is a strong argument that will be the main target of many opposing groups.
  4. Misuse and Abuse – The footage captured by CCTV cameras becomes susceptible to abuse and misuse by those who have access to it. For instance, the footage can be used to discriminate against people and for voyeurism. In the age of the internet, this is another huge deal, as can be seen by all of the “hilarious” YouTube videos out there. I doubt the subjects would find most of them as funny.
All of these reasons are valid arguments against CCTV surveillance. Many cities and countries have massive surveillance systems, and we will likely see a large increase in public monitoring in the near future, so the more the public knows about the industry and their rights, the better prepared everyone will be when it arrives in their own corner of the globe.
Do you have any additional arguments against the use of security camera systems? What are your thoughts? Will you fight them, or open your “public” life up willingly to being observed? Let us know – we’d love to hear from you.

Saturday, November 10, 2012

Managing risks to CCTV data and systems



CCTV systems collect all types of information for a wide range of reasons. While the equipment is valuable, it is almost always the records, and the information they hold, that matter the most.
Many CCTV systems record images of people, especially if they are set up in a public space. This type of record is 'personal information', which is protected under privacy legislation. As a result, every effort should be made to keep the records secure and avoid misuse.
Managing the risk to records protects the CCTV owner as well as the individual being recorded. CCTV records may be used as evidence in criminal proceedings. They can also be used to demonstrate that an innocent activity was genuinely innocent. Either way, the records should be stored securely until they are handed over to the police. For private operators, there may also be good commercial reasons for ensuring confidentiality of the records.
At a basic level, the question is: what can go wrong, and how much does it matter?
CCTV systems are exposed to a range of intentional physical security risks such as tampering with camera placement, power supplies, communications cabling and controlling equipment.  These risks may be prevented with physical control measures, such as housing these items in locked enclosures appropriate to the risk and environment (such as equipment that is accessible to the public).  Procedural security can be used to deter and detect attacks on CCTV infrastructure by visual inspection and review of indicative alarms.
Natural disasters also present risks. You can't prevent fires, floods, or earthquakes, but you can minimise the risk of damage or loss of data from your CCTV system. While insurance can cover the loss of equipment, data is not replaceable. A good offsite backup system for electronic data, such as CCTV video, configuration data and usage logs, can reduce this risk. Systems that back up data instantaneously are less likely to lose data than scheduled periodic backups.
Modern digital CCTV systems are typically dependent on computing equipment performing continuously. Protection from inevitable hard disk failure is usually provided with redundant disk storage systems (using RAID arrays). Once a disk failure has been detected (automated detections should be tested regularly), the failed disk can be substituted with a replacement disk onto which the missing data is automatically copied. This rebuilding process can take many hours because of the large storage capacity, which presents additional risks: the storage system may not cope with the rebuilding load, resulting in missing data, and data may not be protected against any further coincidental disk failure(s) (depending on the redundancy design). Whilst it may be impractical to have full CCTV system redundancy, it may be prudent to maintain service spares of essential components. For example, power supplies are required for interrogation of system data or access to live CCTV resources. As such, battery backup and/or alternate utility supplies may be warranted.
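The exposure during a rebuild can be estimated before a redundancy design is chosen. The following is an added example, not part of the original post; the disk size, rebuild rates and annualised failure rate are assumed figures, and disk failures are treated as independent.

```python
import math


def rebuild_hours(disk_tb: float, rebuild_mb_s: float) -> float:
    """Hours needed to copy one replacement disk at a sustained rate."""
    return disk_tb * 1e12 / (rebuild_mb_s * 1e6) / 3600


def p_disk_fails(afr: float, hours: float) -> float:
    """Chance that one disk fails within `hours`, treating the annualised
    failure rate as a constant hazard (exponential model)."""
    return 1 - math.exp(-afr * hours / 8760)


def p_array_loss(surviving: int, tolerated: int, afr: float, hours: float) -> float:
    """Chance that more than `tolerated` of the surviving disks fail
    before the rebuild finishes (binomial over independent disks)."""
    p = p_disk_fails(afr, hours)
    still_ok = sum(
        math.comb(surviving, k) * p**k * (1 - p) ** (surviving - k)
        for k in range(tolerated + 1)
    )
    return 1 - still_ok


def compare(disk_tb, disks, afr, idle_mb_s, recording_mb_s):
    """Loss probability for single and double parity, with the array idle
    versus rebuilding while the cameras keep writing to it."""
    surviving = disks - 1  # one disk has already failed
    out = {}
    for label, rate in (("idle", idle_mb_s), ("recording", recording_mb_s)):
        hours = rebuild_hours(disk_tb, rate)
        out[label] = {
            "hours": hours,
            # single parity: any further failure loses data
            "single_parity": p_array_loss(surviving, 0, afr, hours),
            # double parity: one further failure is survivable
            "double_parity": p_array_loss(surviving, 1, afr, hours),
        }
    return out


if __name__ == "__main__":
    # Assumed figures: 8 disks of 8 TB, 3% annualised failure rate,
    # 100 MB/s rebuild when idle, 25 MB/s while recording continues.
    for label, row in compare(8, 8, 0.03, 100, 25).items():
        print(f"{label:9s} rebuild {row['hours']:6.1f} h  "
              f"single parity {row['single_parity']:.2e}  "
              f"double parity {row['double_parity']:.2e}")
```

Disks bought in one batch and run under the same load tend to fail closer together than this independence assumption suggests, so the figures are a lower bound.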
Attacks on CCTV information from human threats can be grouped as:
  • Availability; the information is not available when needed.  Information may have been deleted accidentally or maliciously, or normal access prevented through disruption to normal processes, such as physically damaging equipment and communications or inundating communication channels.
  •  Accuracy; the information has been compromised. This may include substitution of real data with artificial data, or breaching evidential requirements for handling information that casts doubt on its authenticity.
  • Confidentiality; the information has been disclosed to unauthorized persons.  This may have occurred with or without knowledge of the CCTV system owner.  An obvious example of this is the unauthorized duplication and dissemination of video to media outlets - made easier if operators have ready access to high speed internet connections.  A less obvious example may be an unauthorized access by computer 'hackers' where CCTV systems are interconnected with other data networks.
  • Integrity; the information has been compromised. This may include substitution of real data with artificial data, or breaching evidential requirements for handling information that casts doubt on its authenticity.
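One way to make substitution of footage, or undocumented handling of it, detectable is a hash-chained export log. This is an added example, not part of the original post; the field names, operator names and sample clips are constructed, and the HMAC key is assumed to be held outside the CCTV recorder.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_mac(key: bytes, body: dict) -> str:
    # Canonical JSON so the MAC does not depend on key order or whitespace.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_export(log: list, key: bytes, clip_id: str, clip: bytes,
                  operator: str, recipient: str, when: str) -> dict:
    """Record one export of footage and link it to the previous entry."""
    body = {
        "seq": len(log),
        "prev": log[-1]["mac"] if log else GENESIS,
        "clip_id": clip_id,
        "clip_sha256": sha256_hex(clip),
        "operator": operator,
        "recipient": recipient,
        "when": when,
    }
    entry = dict(body, mac=_entry_mac(key, body))
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes) -> list:
    """Return a list of problems; an empty list means the chain is intact."""
    problems = []
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i:
            problems.append(f"entry {i}: sequence gap or reordering")
        if body.get("prev") != prev:
            problems.append(f"entry {i}: does not link to previous entry")
        if not hmac.compare_digest(entry.get("mac", ""), _entry_mac(key, body)):
            problems.append(f"entry {i}: record altered after logging")
        prev = entry.get("mac", "")
    return problems


def verify_clip(log: list, clip_id: str, clip: bytes) -> bool:
    """Check a clip produced later against the hash logged at export time."""
    digest = sha256_hex(clip)
    return any(e["clip_id"] == clip_id
               and hmac.compare_digest(e["clip_sha256"], digest) for e in log)


def demo():
    key = b"constructed-demo-key"  # assumption: the real key is kept off the recorder
    clip_a = b"constructed bytes standing in for camera 3 footage"
    clip_b = b"constructed bytes standing in for camera 7 footage"
    log = []
    append_export(log, key, "cam3-0001", clip_a, "operator-a", "police", "day1 09:00")
    append_export(log, key, "cam7-0002", clip_b, "operator-b", "insurer", "day1 14:30")
    append_export(log, key, "cam3-0003", clip_a, "operator-a", "police", "day2 10:15")

    intact = verify_log(log, key)                                  # untouched log
    substituted = verify_clip(log, "cam3-0001", clip_a + b" edited")  # swapped footage
    rewritten = [dict(e) for e in log]
    rewritten[1]["recipient"] = "police"                           # record edited later
    altered = verify_log(rewritten, key)
    deleted = verify_log(log[:1] + log[2:], key)                   # middle entry removed
    return intact, substituted, altered, deleted


if __name__ == "__main__":
    print(demo())
```

Removing entries from the end of the log is not detected by the chain alone; copying the latest `mac` value to a separate record closes that gap.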
Even with the best of intentions, mistakes can and do happen. They include accidentally deleting records or even entire hard drives, overwriting backups, forgetting to maintain a system, placing cameras in the wrong place, or forgetting to make a regular, scheduled backup. Some of these can be prevented by information management policies that include user training and restricting access to system resources, usually with logical access control (such as user log-on accounts). This can also help reduce the chances of deliberate actions aimed at destroying or stealing data or equipment. Personnel security vetting is often included in licensing requirements and can reduce risks of inappropriate usage by CCTV operatives.
It is worth considering how you will manage these and other risks to the security of your CCTV equipment and records. Most strategies fall into one of four categories:
  • Avoid the risk - for example, by moving a camera out of reach of vandals, or locking a door after hours.
  • Transfer the risk - for example, by outsourcing the CCTV system and ensuring that contracting organizations, within the contract, are responsible for the security of records.
  • Accept the risk - for example, by relying on default settings in CCTV equipment because you believe the risk is low.
  • Reduce the risk - for example, ensuring only authorized people have access to CCTV computer systems and information.
In most cases, the final approach uses several strategies and depends on individual circumstances. It ultimately depends on the value of the records, the risk of loss or damage, and the consequences. These decisions are best made before the records are collected and, if possible, before a CCTV system is even installed.  It is advisable to have an Information Security Management Plan that includes CCTV systems to ensure that risks are treated appropriately.  The policies and procedures used to apply information security should be competently reviewed and executed.
Government organizations have an additional obligation to consider the security classification of CCTV records and may consider implementing an information classification policy in accordance with the relevant government regulations. The agency's security officer should be contacted for advice in these cases. 
Information classification should be considered by private CCTV system owners, particularly with the advent of computer based CCTV system designs and high capacity portable media.
This process helps provide assurance that CCTV records information will be handled appropriately to reduce negative risks.

Wednesday, March 14, 2012

CCTV Data Protection Act


Since the 24th October 2001 it has been a criminal offense to use an unregistered CCTV system to record people in a public or private place unless it meets certain criteria.
The introduction of the Data Protection Act 1998 and other related legislation has had far reaching consequences for those who own, manage or operate CCTV systems. Every aspect of this new legislation impacts upon your use of CCTV.

The Code of Practice contains 62 legally enforceable 'Standards' that must be met to ensure compliance with the Data Protection Act 1998. The Commissioner includes a further 30 points of good practice, which together with the standards, are designed to build and maintain public confidence in CCTV systems and to ensure that they operate within the law.
The Data Protection Act (DPA) 1998 came into force on March 1st 2000 and the Information Commissioner has issued a Code of Practice for CCTV systems. This Code was updated on July 14th 2000 and again in January 2008 and is available from us as part of our Data Protection Information Pack.

You will find at The Data Protection Act and CCTV our own interpretation and summary of the requirements of the act. This however still leaves a number of questions unanswered so we have prepared a Data Protection Information Pack for visitors to this site. This should answer most of the questions that you may have concerning The Data Protection Act and CCTV as well as providing an extensive checklist enabling you to ensure that your organization is fully complying with the requirements of the legislation.
Information Pack contains the following:
1. DPA Code of Practice from the Information Commissioner's Office. This explains what the law requires of you if you have a CCTV System.
2. DPA Self Assessment Pack providing further details on the law and a simple checklist for you to ensure that your organization is complying with the DPA.
3. DPA Catalogue of items that you may need in order to comply with the requirements of the DPA. e.g. Signs, Download CD's or DVD's, necessary forms, etc.
4. An order form should you wish to order any of the catalogue items.

Ensuring that an organization’s CCTV system is fully compliant with the Data Protection Act can often involve weeks of work. Very often this time is spent reinventing the wheel as VeriFi can conduct a full professional assessment of your system and provide full documentation and comprehensive advice on where your system meets or fails to meet current legislation and official guidelines. However, a VeriFi Assessment goes much further than this in that it sets up a complete framework on which to base your CCTV management.

The VeriFi solution
VeriFi can supply an Independent Consultant to conduct a CCTV Compliance Assessment, provide full documentation and comprehensive advice on where your system meets or fails to meet current legislation and official guidelines. However, a VeriFi Assessment goes much further than this in that it sets up a complete framework on which to base your CCTV management. The following are all covered by the VeriFi service.
Information Commissioner's Office
Almost all CCTV systems must be registered with the Information Commissioner's Office. VeriFi will inform you of shortcomings in regard to your ICO notification.
Policy Document
You will require a statement itemising how your CCTV system is to be managed and stating who is fulfilling the roles of Data Controller and Data Processor.
Operational Requirement
According to the Home Office an Operational Requirement should be drawn up before any CCTV system is specified and form the basis for the design of the system. This document then provides evidence for the relevance of your system in respect to the DPA. VeriFi will reverse engineer an Operational Requirement and advise you of any shortfalls or redundancy within the system.
Privacy
It is a serious infringement of the DPA for your CCTV system to invade the privacy of other people and their property. VeriFi will inform you of any such breaches and advise on the steps that should be taken to correct the situation.
CCTV Signage
You must ensure that you inform people before, or as, they enter an area where there is CCTV surveillance. As you can only use your CCTV system for the purposes which are stated on the signage it is important that the correct wording is used. VeriFi advise you on the correct wording for your organization and can arrange the purchase of all necessary signage.
Annual CCTV Audit
To comply with the Information Commissioner's Office CCTV Policy Document, VeriFi undertakes a manual audit on behalf of its clients and provides them with comprehensive advice on any shortcomings. This is designed to ensure that your staff or contractors will effectively manage your CCTV on a continuing basis.
Management Documentation
Clients of VeriFi receive, free of charge, a comprehensive package of the necessary documentation required under the DPA as well as training in its use.
Recording Media
To help ensure that images are usable in a court of law it is essential that any CDs or DVDs are Data Compliant (media purchased from retail outlets will not be suitable). Also supplied free of charge to VeriFi clients are the necessary compliant CD's/DVDs. Should you require more documentation or recording media this can be ordered online and is normally supplied on the next working day.
Right of Access Management
Under the DPA members of the public have a right to access of their recorded images. The VeriFi Application Form that is supplied as part of this service includes a statement of the individual's rights and how Subject Access Requests are managed. This service is designed to ensure full legal compliance.
Public Information
As you must provide for the public a statement of how you manage and operate your CCTV this can be provided to VeriFi clients in either an online or paper format.
Staff Awareness
If you have not made your workforce fully aware of the purpose of the system and how it may apply to them video evidence may be ruled inadmissible. VeriFi clients receive as part of the package, a specific sign for display in staff areas.
Public Complaints Procedure
As it is rare to receive a complaint from the public with regard to the management of CCTV, companies normally have no complaints procedure in place. Where VeriFi manage enquiries on your behalf, this includes complaints logging and resolution.
Security of Images
VeriFi will provide an audit of the method you use to secure recorded images. This will include logging of those people allowed access, the method of access and control of images taken from the system, and the tracking of any hard disk drives that have been removed from the site.

Other Services:
Although not part of the above Compliance Assessment, the following services are also available from VeriFi:
Discreet Evidence Download Service
It is sometimes necessary that evidence be downloaded from the system by someone who is independent from the day-to-day management. A reliable and effective service can be provided by VeriFi should such an event occur.
Professional Evidence Editing
Where substantial amounts of irrelevant information are downloaded, the result is often a long and complicated presentation of the facts. To avoid this, VeriFi can offer a professional evidence editing service.

The police (globally) say that 80% of CCTV evidence is inadmissible in court. Causes of such failures include inadequate documentation, lack of audit trail and incorrect recording of evidence.
We recommend that you ensure that you are fully compliant with the DPA as having spent thousands of currency on the installation of a CCTV system it is indefensible to then have the evidence rendered unusable by the relatively small lack of investment in procedural items.
Almost all CCTV systems are required by law to register under the Data Protection Act with the Information Commissioner's Office as well as having, as a minimum, the following items:
1. A Small System Checklist. We supply this free of charge with our Management & Download Pack below.
2. Compliant CDs or DVDs for recording incidents, as well as the necessary forms that you need to log system maintenance, the passing on of evidence to the Police or a third party, and other items that may require an audit trail in the event of recordings being required as evidence.
3. The Correct Signage. This may need to include your organization’s name and contact details.

Checklist for users of limited CCTV systems monitoring small retail and business premises
This CCTV system and the images produced by it are controlled by ………………….. who is responsible for how the system is used and for notifying the Information Commissioner about the CCTV system and its purpose (which is a legal requirement of the Data Protection Act 1998).
We (……) have considered the need for using CCTV and have decided it is required for the prevention and detection of crime and for protecting the safety of customers. It will not be used for other purposes. We conduct an annual review of our use of CCTV.


|  | Checked (Date) | By | Date of next review |
| --- | --- | --- | --- |
| Notification has been submitted to the Information Commissioner and the next renewal date recorded. |  |  |  |
| There is a named individual who is responsible for the operation of the system. |  |  |  |
| A system has been chosen which produces clear images which the law enforcement bodies (usually the police) can use to investigate crime and these can easily be taken from the system when required. |  |  |  |
| Cameras have been sited so that they provide clear images. |  |  |  |
| Cameras have been positioned to avoid capturing the images of persons not visiting the premises. |  |  |  |
| There are visible signs showing that CCTV is in operation. Where it is not obvious who is responsible for the system contact details are displayed on the sign(s). |  |  |  |
| Images from this CCTV system are securely stored, where only a limited number of authorised persons may have access to them. |  |  |  |
| The recorded images will only be retained long enough for any incident to come to light (e.g. for a theft to be noticed) and the incident to be investigated. |  |  |  |
| Except for law enforcement bodies, images will not be provided to third parties. |  |  |  |
| The organisation knows how to respond to individuals making requests for copies of their own images. If unsure the controller knows to seek advice from the Information Commissioner as soon as such a request is made. |  |  |  |
| Regular checks are carried out to ensure that the system is working properly and produces high quality images. |  |  |  |



Please keep this checklist in a safe place until the date of the next review.

Monitoring your workforce

When you install CCTV in a workplace, such as a shop, it is likely to capture pictures of workers, even if they are not the main subject of surveillance. If the purpose of the CCTV is solely to prevent and detect crime, then you should not use it for monitoring the amount of work done or compliance with company procedures.
  • Have the cameras been installed so they are not directed specifically to capture images of workers?
  • Are the recorded images viewed only when there is suspected criminal activity, and not just for routine monitoring of workers? Cameras installed for preventing and detecting crime should not be used for non-criminal matters.
  • Are images of workers used only if you see something you cannot be expected to ignore, such as criminal activity, gross misconduct, or behaviour which puts others at risk?
  • If these images are used in disciplinary proceedings, is the footage retained so that the worker can see it and respond? A still image is unlikely to be enough.
In some cases, it may be appropriate to install CCTV specifically for workforce monitoring. You should go through the decision making process in section 4 of this code and consider whether it is justified. In particular, consider whether better training or greater supervision would be a more appropriate solution.

Example: You suspect that your workers are stealing goods from the store room. It would be appropriate to install CCTV in this room, as it will not involve continuous or intrusive monitoring and is proportionate to the problem.

Example: You suspect that your workers are making mobile phone calls during working hours, against company policy, and you consider installing CCTV cameras on their desks to monitor them throughout the day. This would be intrusive and disproportionate. Continuous monitoring should only be used in very exceptional circumstances, for example where hazardous substances are used and failure to follow procedures would pose a serious risk to life.
  • Is CCTV limited to areas which workers would not expect to be private? CCTV should not be used in toilet areas or private offices.
  • Are workers made aware that the CCTV is for staff monitoring and how it will be used? How are visitors informed that CCTV is in operation?
  • If CCTV is used to enforce internal policies, are workers fully aware of these policies and have they had sufficient training?
  • Do you have procedures to deal appropriately with subject access requests from workers?
Workers should normally be aware that they are being monitored, but in exceptional circumstances, covert monitoring may be used as part of a specific investigation. Covert monitoring is where video or audio recording equipment is used, and those being monitored are unaware that this is taking place. Before approving covert monitoring, you should ask yourself:
  • Is this an exceptional circumstance, and is there reason to suspect criminal activity or equivalent malpractice?
  • Will the cameras only be used for a specific investigation, and will they be removed once the investigation is complete?
  • Would it prejudice the investigation to tell workers that cameras are being used?
  • Have you taken into account the intrusion on innocent workers?
  • Has the decision been taken by senior management?
Cameras and listening devices should not be installed in private areas such as toilets and private offices, except in the most exceptional circumstances where serious crime is suspected. This should only happen where there is an intention to involve the police, not where it is a purely internal disciplinary matter.
In some cases, covert cameras installed for one investigation may turn up evidence of other criminal behavior or disciplinary offenses. You should only make use of this where the offence is serious, for example, gross misconduct or misconduct putting others at risk. It would be unfair to use evidence obtained covertly for minor disciplinary matters.
In some cases, covert monitoring may be covered by the Regulation of Investigatory Powers Act 2000 or the Regulation of Investigatory Powers (Scotland) Act 2000 (RIPA / RIPSA). You may wish to seek advice.











Tuesday, August 16, 2011

NAS, DAS, or SAN? - Choosing the Right Storage Technology

Data is unquestionably the lifeblood of today's digital organization. Storage solutions remain a top priority in IT budgets precisely because the integrity, availability and protection of data are vital to business productivity and success. But the role of information storage far exceeds day to day functions. Enterprises are also operating in an era of increased uncertainty. IT personnel find themselves assessing and planning for more potential risks than ever before, ranging from acts of terrorism to network security threats. A backup and disaster recovery plan is essential, and information storage solutions provide the basis for its execution.

Businesses are also subject to a new wave of regulatory compliance legislation that directly affects the process of storing, managing and archiving data. This is especially true for the financial services and healthcare industries, which handle highly sensitive information and bear extra responsibility for maintaining data integrity and privacy.

Although the need for storage is evident, it is not always clear which solution is right for your organization. There are a variety of options available, the most prevalent being direct-attached storage (DAS), network-attached storage (NAS) and storage area networks (SAN). Choosing the right storage solution can be as personal and individual a decision as buying a home. There is no one right answer for everyone. Instead, it is important to focus on the specific needs and long-term business goals of your organization. Several key criteria to consider include:
• Capacity - the amount and type of data (file level or block level) that needs to be stored and shared
• Performance - I/O and throughput requirements
• Scalability - Long-term data growth
• Availability and Reliability - how mission-critical are your applications?
• Data protection - Backup and recovery requirements
• IT staff and resources available
• Budget concerns
While one type of storage media is usually sufficient for smaller companies, large enterprises will often have a mixed storage environment, implementing different mediums for specific departments, workgroups and remote offices. In this paper, we will provide an overview of DAS, NAS and SAN to help you determine which solution, or combination of solutions, will best help you achieve your business goals.


DAS: Ideal for Local Data Sharing Requirements

Direct-attached storage, or DAS, is the most basic level of storage, in which storage devices are part of the host computer, as with drives, or directly connected to a single server, as with RAID arrays or tape libraries. Network workstations must therefore access the server in order to connect to the storage device. This is in contrast to networked storage such as NAS and SAN, which are connected to workstations and servers over a network. As the first widely popular storage model, DAS products still comprise a large majority of the installed base of storage systems in today's IT infrastructures. Although the implementation of networked storage is growing at a faster rate than that of direct-attached storage, DAS is still a viable option by virtue of being simple to deploy and having a lower initial cost when compared to networked storage. When considering DAS, it is important to know what your data availability requirements are. In order for clients on the network to access the storage device in the DAS model, they must be able to access the server it is connected to. If the server is down or experiencing problems, it will have a direct impact on users' ability to store and access data. In addition to storing and retrieving files, the server also bears the load of processing applications such as e-mail and databases. Network bottlenecks and slowdowns in data availability may occur as server bandwidth is consumed by applications, especially if there is a lot of data being shared from workstation to workstation.

DAS is ideal for localized file sharing in environments with a single server or a few servers - for example, small businesses or departments and workgroups that do not need to share information over long distances or across an enterprise. Small companies traditionally utilize DAS for file serving and e-mail, while larger enterprises may leverage DAS in a mixed storage environment that likely includes NAS and SAN. DAS also offers ease of management and administration in this scenario, since it can be managed using the network operating system of the attached server. However, management complexity can escalate quickly with the addition of new servers, since storage for each server must be administered separately.

From an economical perspective, the initial investment in direct-attached storage is cheaper. This is a great benefit for IT managers faced with shrinking budgets, who can quickly add storage capacity without the planning, expense, and greater complexity involved with networked storage. DAS can also serve as an interim solution for those planning to migrate to networked storage in the future. For organizations that anticipate rapid data growth, it is important to keep in mind that DAS is limited in its scalability. From both a cost efficiency and administration perspective, networked storage models are much more suited to high scalability requirements.

Organizations that do eventually transition to networked storage can protect their investment in legacy DAS. One option is to place it on the network via bridge devices, which allows current storage resources to be used in a networked infrastructure without incurring the immediate costs of networked storage. Once the transition is made, DAS can still be used locally to store less critical data.

NAS: File-Level Data Sharing Across the Enterprise

Networked storage was developed to address the challenges inherent in a server-based infrastructure such as direct-attached storage. Network-attached storage, or NAS, is a special purpose device, comprised of both hard disks and management software, which is 100% dedicated to serving files over a network. As discussed earlier, a server has the dual functions of file sharing and application serving in the DAS model, potentially causing network slowdowns. NAS relieves the server of storage and file serving responsibilities, and provides a lot more flexibility in data access by virtue of being independent.

NAS is an ideal choice for organizations looking for a simple and cost-effective way to achieve fast data access for multiple clients at the file level. Implementers of NAS benefit from performance and productivity gains. First popularized as an entry-level or midrange solution, NAS still has its largest install base in the small to medium sized business sector. Yet the hallmarks of NAS - simplicity and value - are equally applicable for the enterprise market. Smaller companies find NAS to be a plug and play solution that is easy to install, deploy and manage, with or without IT staff at hand. Thanks to advances in disk drive technology, they also benefit from a lower cost of entry.

In recent years, NAS has developed more sophisticated functionality, leading to its growing adoption in enterprise departments and workgroups. It is not uncommon for NAS to go head to head with storage area networks in the purchasing decision, or become part of a NAS/SAN convergence scheme. High reliability features such as RAID and hot swappable drives and components are standard even in lower end NAS systems, while midrange offerings provide enterprise data protection features such as replication and mirroring for business continuance. NAS also makes sense for enterprises looking to consolidate their direct-attached storage resources for better utilization. Since resources cannot be shared beyond a single server in DAS, systems may be using as little as half of their full capacity. With NAS, the utilization rate is high since storage is shared across multiple servers.

The perception of value in enterprise IT infrastructures has also shifted over the years. A business and ROI case must be made to justify technology investments. Considering the downsizing of IT budgets in recent years, this is no easy task. NAS is an attractive investment that provides tremendous value, considering that the main alternatives are adding new servers, which is an expensive proposition, or expanding the capacity of existing servers, a long and arduous process that is usually more trouble than it's worth. NAS systems can provide many terabytes of storage in high density form factors, making efficient use of data center space. As the volume of digital information continues to grow, organizations with high scalability requirements will find it much more cost-effective to expand upon NAS than DAS. Multiple NAS systems can also be centrally managed, conserving time and resources.

Another important consideration for a medium sized business or large enterprise is heterogeneous data sharing. With DAS, each server is running its own operating platform, so there is no common storage in an environment that may include a mix of Windows, Mac and Linux workstations. NAS systems can integrate into any environment and serve files across all operating platforms. On the network, a NAS system appears like a native file server to each of its different clients. That means that files are saved on the NAS system, as well as retrieved from the NAS system, in their native file formats. NAS is also based on industry standard network protocols such as TCP/IP, FC and CIFS.

SANs: High Availability for Block-Level Data Transfer

A storage area network, or SAN, is a dedicated, high performance storage network that transfers data between servers and storage devices, separate from the local area network. With their high degree of sophistication, management complexity and cost, SANs are traditionally implemented for mission-critical applications in the enterprise space. In a SAN infrastructure, storage devices such as NAS, DAS, RAID arrays or tape libraries are connected to servers using Fibre Channel. Fibre Channel is a highly reliable, gigabit interconnect technology that enables simultaneous communication among workstations, mainframes, servers, data storage systems and other peripherals. Without the distance and bandwidth limitations of SCSI, Fibre Channel is ideal for moving large volumes of data across long distances quickly and reliably.

In contrast to DAS or NAS, which are optimized for data sharing at the file level, the strength of a SAN lies in its ability to move large blocks of data. This is especially important for bandwidth-intensive applications such as database, imaging and transaction processing. The distributed architecture of a SAN also enables it to offer higher levels of performance and availability than any other storage medium today. By dynamically balancing loads across the network, SANs provide fast data transfer while reducing I/O latency and server workload. The benefit is that large numbers of users can simultaneously access data without creating bottlenecks on the local area network and servers.

SANs are the best way to ensure predictable performance and 24x7 data availability and reliability. The importance of this is obvious for companies that conduct business on the web and require high volume transaction processing. Another example would be contractors that are bound to service-level agreements (SLAs) and must maintain certain performance levels when delivering IT services. SANs have built in a wide variety of failover and fault tolerance features to ensure maximum uptime. They also offer excellent scalability for large enterprises that anticipate significant growth in information storage requirements. And unlike direct-attached storage, excess capacity in SANs can be pooled, resulting in a very high utilization of resources. There has been much debate in recent times about choosing SAN or NAS in the purchasing decision, but the truth is that the two technologies can prove quite complementary. Today, SANs are increasingly implemented in conjunction with NAS. With SAN/NAS convergence, companies can consolidate block-level and file-level data on common arrays.

Even with all the benefits of SANs, several factors have slowed their adoption, including cost, management complexity and a lack of standardization. The backbone of a SAN is management software. A large investment is required to design, develop and deploy a SAN, which has limited its market to the enterprise space. A majority of the costs can be attributed to software, considering the complexity that is required to manage such a wide scope of devices. Additionally, a lack of standardization has resulted in interoperability concerns, where products from different hardware and software vendors may not work together as needed. Potential SAN customers are rightfully concerned about investment protection and many may choose to wait until standards become defined.

Conclusion

With such a variety of information storage technologies available, what is the best way to determine which one is right for your organization? DAS, NAS and SAN all offer tremendous benefits, but each is best suited for a particular environment. Consider the nature of your data and applications. How critical and processing-intensive are they? What are your minimum acceptable levels of performance and availability? Is your information sharing environment localized, or must data be distributed across the enterprise? IT professionals must make a comprehensive assessment of current requirements while also keeping long-term business goals in mind.

Like all industries, storage networking is in a constant state of change. It's easy to fall into the trap of choosing the emerging or disruptive storage technology at the time. But the best chance for success comes with choosing a solution that is cost-correct and provides long term investment protection for your organization. Digital assets will only continue to grow in the future. Make sure your storage infrastructure is conducive to cost-effective expansion and scalability. It is also important to implement technologies that are based on open industry standards, which will minimize interoperability concerns as you expand your network.

Tuesday, March 15, 2011

CCTV Illegal (90%) Ineffective (80%)


Whether CCTV is an existing element of your security/management strategy or you are considering investing in CCTV, you need to be sure that the system will provide unequivocal evidence.

Imagine your frustration at having your CCTV evidence rejected in a health & safety claim or employment law dispute due to poor quality images or procedural mistakes. The financial impact of such cases could run to tens if not hundreds of thousands in currency terms; by comparison, most instances of theft can appear almost inconsequential in terms of loss.

The quality of images seen on TV news and crime reporting programmes is a damning indictment of CCTV standards. Consider the numbers quoted in the headline. The 90% Illegal figure, stated by CameraWatch, is based on ‘initial research’ and refers to a total or partial shortfall in Data Protection Act compliance. The 80% Ineffective figure refers to the efficacy of CCTV evidence examined by the Police and is stated in the Home Office National CCTV Strategy.

These statistics are largely based on anecdotal evidence. Nevertheless, those professionally involved in the assessment of CCTV systems would, from practical experience, broadly agree with these estimates.

Another interesting number is the 3.2 to 4.2 million CCTV surveillance cameras employed in India. No one knows which figure is closest to reality, but there is probably 1 camera for every 15 members of the population, capturing our images as we go about our lives.

According to current folklore our image is captured 300 times a day and stored for a month or more. Should we be worried?

Provided that CCTV images are managed in accordance with Data Protection Act principles and you are a law-abiding citizen, there should be no concern, and in countless high profile cases CCTV has proven to be an invaluable aid to investigation. Evidence of the immediately preceding terrorist bombings was of fundamental importance to the Police investigation.

Data Protection Act legislation is at the very core of protecting our Human Rights when it comes to the use of CCTV, so are we safe to assume we are protected from its misuse? The law is certainly adequate and has been since the 1998 Data Protection Act encompassed CCTV images. The Information Commissioner is responsible for enforcement, and serious cases of non-compliance can result in a substantial fine or even a custodial sentence.

You must let people know that they are in an area where CCTV surveillance is being carried out. The most effective way of doing this is by prominently placed signs at the entrance to the CCTV zone and reinforcing this with further signs inside the area. The signs should contain details of the organization responsible for operating the system, the purposes for using CCTV and contact details.

The Data Protection Act does not prescribe any specific minimum or maximum period for which images should be retained; the archive period should reflect the organization’s own purposes, although 30 days is the accepted norm.

A little known aspect of DPA law is the Right of Subject Access: you have a legal right to request a copy of your images captured on CCTV and, subject to certain reasonable conditions, the organization responsible for the CCTV system (the Data Controller) must provide a copy.

You will need to make the application in writing, stating where you were and the time & date, and providing photographic identity so that the relevant images can be searched for. The Data Controller is entitled to charge something for the search, including the cost of providing a CD or DVD. The images must be provided to the applicant within 40 days of the date of application, or a valid reason for not being able to comply must be given within 21 days.

Legislation is weighted in favor of the applicant, and the Data Controller can incur substantial costs in producing the copy recording, particularly if it is found to include images of third parties as well as the applicant. These third party images must be masked in order to protect the identities of others.

A frequent dilemma for Security / Facilities Managers of multi-tenanted buildings arises when a tenant demands access to recordings that may assist them in criminal or civil law matters. In the case of a criminal investigation the response is clear cut: the tenant must report the matter to the Police, who will request a copy of any video evidence they may require.

Non-criminal cases are more complex, and disclosure of images directly to the tenant may result in a breach of Data Protection Act law. On the other hand, refusal may result in bad feeling if the tenant holds the reasonable view that ‘security is included in the service charge that I am paying and I should be allowed access to CCTV recordings that relate to my business’.

A reasonable response would be to establish the parameters of the recording: date, time and cameras. Then download images in the same manner as for a criminal investigation, but without allowing the applicant to view the images. You have at this point protected the required images from being overwritten by the recording equipment. The next move is to suggest that the tenant instruct their lawyer to request a copy, subject to an undertaking that the law firm becomes Data Controller for the issued copy.

In this article we refer to digital recording only, on the basis that video tape is redundant technology that is no longer serviceable and unlikely to be effective.

Digital images are primarily recorded to hard drive and are only downloaded on demand. The recording equipment should be held in a secure enclosure fixed to the building fabric or located in a security control room. Access to the system to download images should be password protected and only available to nominated Data Processors.

Images should be downloaded to non rewritable media such as CD or DVD and be playable on any video enabled PC or laptop without the need for additional software. It is good practice to download two copies of an incident, one being the Working Copy for issue and the other being an Archive copy held securely on site for backup or verification purposes. It is vital that a robust audit trail is created by means of Unique Reference Numbers printed on the disc during the printing process. The audit trail should be supported by suitable documentation. Download to memory stick, re-recordable media or the internet without secure encryption will compromise the veracity of the evidence.
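One way to make the two-copy download and its audit trail checkable, as an added example that is not part of the original article: each export gets a Unique Reference Number, a Working and an Archive copy, and a log record. The SHA-256 digest, the hash-chained JSON log, the URN format and every function and field name are assumptions of this example, not requirements stated in the article.

```python
import hashlib
import json
import secrets
import shutil
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    """Stream a file through SHA-256 so large recordings need little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def export_incident(clip, out_dir, audit_log, operator, camera, start, end):
    """Write Working and Archive copies of a clip and append an audit record."""
    clip, out_dir, audit_log = Path(clip), Path(out_dir), Path(audit_log)
    out_dir.mkdir(parents=True, exist_ok=True)
    # Constructed URN format (date plus random suffix); use your policy's scheme.
    now = datetime.now(timezone.utc)
    urn = f"URN-{now:%Y%m%d}-{secrets.token_hex(4).upper()}"
    digest = sha256_file(clip)
    for role in ("working", "archive"):
        dest = out_dir / f"{urn}-{role}{clip.suffix}"
        shutil.copyfile(clip, dest)
        if sha256_file(dest) != digest:  # catch a bad write before issue
            raise OSError(f"{role} copy differs from the source recording")
    # Chain each record to the previous line so later edits to the log show up.
    lines = audit_log.read_text().splitlines() if audit_log.exists() else []
    prev = hashlib.sha256(lines[-1].encode()).hexdigest() if lines else "0" * 64
    record = {"urn": urn, "exported_utc": now.isoformat(), "operator": operator,
              "camera": camera, "start": start, "end": end,
              "sha256": digest, "prev": prev}
    with open(audit_log, "a") as f:
        f.write(json.dumps(record, sort_keys=True) + "\n")
    return record

def verify_copy(path, urn, audit_log):
    """True only if the log chain is intact and the file matches the URN's digest."""
    prev, logged = "0" * 64, None
    for line in Path(audit_log).read_text().splitlines():
        rec = json.loads(line)
        if rec["prev"] != prev:
            return False  # chain broken: an earlier record was changed or removed
        prev = hashlib.sha256(line.encode()).hexdigest()
        if rec["urn"] == urn:
            logged = rec["sha256"]
    return logged is not None and sha256_file(path) == logged
```

Running `verify_copy` on the issued Working Copy against the log held with the Archive copy shows whether the disc content has changed since export. The chain does not protect the newest record, so the log itself still needs the access controls described above.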

If CCTV is an existing element within your security & management strategy, make sure that you have a CCTV policy in place describing how it should be managed in compliance with Data Protection Act law. Don’t then file and forget, but ensure that your security staff are issued with a copy and carry out an annual assessment of management and equipment performance, thereby ensuring that your CCTV continues to meet current needs and best practice.

If you are considering the installation of CCTV, get a professional to assess your risks and system requirements in the form of an Operational Requirement based on the Home Office model. This is in effect a performance specification that can be issued to those responsible for the technical design and bid process, so you can be sure of obtaining comparable quotations on which to base your buying decision. Furthermore, you will have created a benchmark against which performance can be objectively assessed as part of an effective professional handover process that will include: System Operating Manual, CCTV Policy, Management Documentation, Statutory CCTV Warning Signs and training of those responsible for managing the system.