
Friday, July 1, 2022

Security Assessment Vs Security Audit

It is not often that security organizations purchase professional security services.  Perhaps once every five to ten years.  As such, consumers may not know exactly what service to request to best align to their physical security needs.  This article is intended to clarify the difference between a security audit and a security assessment for organizations trying to validate the effectiveness of their security program to enable the appropriate choice to be made when the time comes.

Let’s start with two questions managers should ask themselves about their security program:

1. Are we doing the right things to protect our people, assets and information?

2. For the things we are doing in our security program, are we meeting the commitments we have made to security and are we doing things in a way that achieves desirable outcomes?

The security audit answers the second question, and the security risk assessment answers the first.  Let’s start with a view of the many things that should be looked at to determine security adequacy. The following formula illustrates the three areas of security risk that are typically analyzed.

Risk = Threat + Consequence + Vulnerability

A security audit is only going to be focused on one of these elements of the security risk formula as shown below.  An audit is not necessarily designed to diagnose criminal and terrorist risk, but certainly mitigates non-compliance risk.

Risk = Threat + Consequence + Vulnerability (or effectiveness of security)

Security Audit Focus

By comparison, a security audit is probably the easiest methodology for the consultant to execute, as it is simply a verification that all security measures which are supposed to be in place are in fact in place, functioning and documented correctly. The security audit will focus on the effectiveness of security, or confirm whether vulnerability is being properly mitigated. This is as opposed to a security risk assessment, which is intended to be much more diagnostic and predictive into the future, typically five years or more. The security audit is a point-in-time check only. If the basis of design for the security program is incorrect, the audit may not shed light on this. However, the security audit is an important tool in the toolbox as an agent of positive change to protect people, assets and information. Refer also to Physical Security Audit for a video discussion by a Certified Security Professional and Certified Security Consultant.

The challenge when organizations ask for an audit and have no established security standard is this: what is the security professional using as the benchmark against which the security audit results will be measured? Some considerations if you face this common scenario:

· If your organization does not have a set of security standards, you must ask your prospective security professional what methodology will be used to audit your organization. Ask to see the methodology so that you can review it and ensure you will be satisfied with the outcome. Will it cover all the necessary elements of your physical security program? For instance, at a minimum, a proper physical security audit should include within its scope the following (note this list is by no means all inclusive):

o Governance

o Access control – site perimeter, building perimeter, restricted internal areas

o Security systems installation, operation and maintenance

o Security related policies and procedures

o Security awareness training and education

o Information protection

o Asset protection

o Security officer utilization (if applicable)

o Competency of non-security persons in key security roles

o Crisis and emergency management protocols

o Security change management

· If you are going to request an audit from an outside security professional without having organizational security standards, you will want to ensure that the security professional has some experience in the following areas:

o Prior similar work within your industry (for example, if you are a chemical plant, the consultant should have some level of experience in the oil, gas or chemical arena).

o Setting up corporate or global security programs for organizations.

o Reporting out on audits with a methodology that supports a stratification of the findings. Some findings are going to be more important than others, so there should be a means to classify gaps. For instance, definitions for higher and lower priority observations and findings are shown below.

Findings – represent clear departures from, or exceptions to, existing applicable federal or state laws or established audit security standards, where such departures or exceptions can be confirmed.  Exceptions may include any issues that were previously discovered in prior audits that are still open or were improperly or incompletely closed.

Suggestions – represent options for enhancing the plan and/or plant security to reduce the possibility of any exceptions or vulnerability to a security incident in the future.

Another caution is the type of audit that is conducted, as this has a direct bearing on the validity of the outcome. Two types of audits are discussed below.

First-Party Audits

First-party audits are often called self-audits. This is when someone from the organization itself will audit a process or set of processes to ensure it meets the expectations set forth in the audit protocol.  This person would typically be an employee of the organization.  In some cases, particularly under some counter-terrorism regulations such as the Marine Transportation Security Act (MTSA), first party audits are prohibited and persons with any affiliation with the security program may not audit the program.

A first-party audit might be appropriate as a rehearsal for a more robust audit conducted by a third party. Otherwise, it could be argued that there is a potential conflict of interest in auditing oneself.

I would consider an audit by an internal audit group to be a step up from the self-audit, as internal auditors are typically strict and objective. The problem with internal auditors doing physical security audits is their lack of knowledge of the subject matter. If an internal auditor is going to be involved in physical security audits, it is important to carefully script their scope so that they are looking at things they can fairly judge: items that are simple and high impact.

Third-Party Audits

A third-party audit occurs when a company hires an independent entity to perform an audit to verify that the company is executing a security program consistent with regulatory expectations, internal standards or the methodology agreed with the auditor up front.  Some would argue that this is the best and most stringent means of conducting an audit to ensure objectivity.  But it also comes with a cost.

To close out the audit discussion, this type of physical security review is intended to answer the question, “For the things we are doing in our security program, are we meeting the commitments we have made to security and are we doing things in a manner that achieves the desired outcomes?”  You state that you do A, B, C and D in your security program and you have or pay someone to come in and verify that you are doing A, B, C and D.

The Security Risk Assessment

Continuing with the A, B, C, and D discussion, the audit will not necessarily tell you if A, B, C, and D are the right things to be doing in your security program.  To get this type of diagnostic insight, organizations need to be asking their consultant for a security risk assessment versus a security audit.

Risk = Threat + Consequence + Vulnerability

The security risk assessment is going to analyze all elements of the risk formula shown above. The predictive nature of the risk assessment is born out of the threat assessment and the pairing of threats with critical assets to formulate future security scenarios, which are then analyzed for consequences (how bad would it be if it occurred) and vulnerability (how susceptible is the organization to a criminal or terrorist attack or, conversely, how well prepared is the organization to prevent a security incident). Risk assessments are forward looking, but of course will take into account historical security incidents, which are one of the best predictors of future incidents. Security risk assessments can nicely inform a security master plan, versus the security audit, which may generate some findings and corrective actions to remediate shortcomings in existing security measures.

There are many benefits of a security risk assessment:

· Prevent incidents and criminal activity.

· Compliance with the OSHA General Duty Clause.

· Identify to all stakeholders what needs to be protected, why and from whom.

· Learn where you can be victimized by criminals or terrorists.

· Identify holistic mitigation strategies to reduce security risk to people, assets and information.

· Stage implementation of recommendations at your own pace rather than hastily responding or overreacting after a security incident.

· Secure funding for security improvements by making a compelling business case. (Management will sometimes react more rapidly to third-party recommendations or those that are well supported with crime and other data analysis.)

· Implement many improvements without a capital investment. There are always easy, inexpensive and impactful recommendations that can be implemented at a low or even no cost.

· Identify emergency scenarios and calibrate emergency response and business continuity plans accordingly.

· Defend against frivolous litigation.

The illustration below shows how scenarios can be analyzed and scored to identify the highest concerns to an organization.

Security Audit

· Point-in-time assessment

· Verifies security commitments are being met

· Leads to potential action items where gaps are identified

· Typically less expensive than a risk assessment

· Does not validate that the security program is aligned with risk

· Does not provide a basis of design for an organizational security program

Security Risk Assessment

· Forward-looking methodology

· Verifies security commitments are being met

· Leads to a long-term security master plan and cost staging

· More expensive than a security audit

· Validates that the security program is aligned with risk

· Provides a better defense of conformance to the OSHA General Duty Clause

· Provides a better defense against frivolous premises liability claims

· Provides a basis of design for an organizational security program

· Enhances crisis management and resiliency

Sunday, March 3, 2019

Guide of IP Camera’s Footage Storage

If you are an end-user, you may ask: "If somebody destroys or steals my NVR/DVR, how do we get the video footage?" The question is very much valid. Analog cameras store/record their motion events on a DVR and IP cameras store/record on an NVR; some IP cameras store limited data on an internal microSD card.
Or: is there a camera that saves the footage on a host with FTP? Can I use my computer to store surveillance videos or footage? Are there any cameras that support cloud storage? Is there any camera that has a built-in memory card?

Or, you may say: I am looking for a camera that can store up to a few days of data, or a camera that uploads footage offsite, to a cloud or to a server.
How Can You Store Footage and Video Recordings?
Generally speaking, you can store footage and recordings on an SD card, in the cloud, on NVRs/DVRs, or on an FTP server or NAS. It comes down to what you are looking for. That being said, it is still very important to weigh the differences and conveniences of each solution to narrow down the growing pool of models available and find the best match.
· Option 1. Micro SD Card
· Option 2. NVRs/DVRs
· Option 3. FTP Server
· Option 4. Cloud-Based Storage
· Option 5. Workstation Computer

Option 1. Micro SD Card

People opt for onboard SD storage when they are just looking for cameras that save motion-triggered footage or don't want to subscribe to a cloud service. For example, users said:
"I want to store footage locally instead of uploading to a cloud or getting a DVR/NVR."
"I intend to keep and save footage but don't want to subscribe to a cloud service for storage."
Or people who are looking for cameras to be used in a location where internet access is limited, but who still want to store motion-based footage. For example, one user explained:
"I have a rural property and only have power at the house and barn. Best option would be a motion activated cam outside that I could attach to a tree. Wifi at my house is only available very close to the house and we are on satellite internet, so no real broadband for cloud solutions."
The obvious benefit of storing via SD card is that it is relatively safe and inaccessible to others. The micro SD card storage option is extraordinarily popular with homeowners for surveillance of the front door, backyard, apartment, remote areas, vacation home, or any place that doesn't require constant 24/7 recording.

Option 2. NVRs/DVRs

Standalone NVRs and DVRs, as offsite storage solutions, are increasingly popular and widely used among home security systems, small businesses, workshops, etc.
If you are looking for a security system that can record video constantly and save weeks of footage, standalone NVRs/DVRs with a built-in hard drive are what you need. For example, users expressed their needs, saying:
"No need for motion activation but constant recording. And must have ability to review footage without needing to pause or stop recording", "I need 30-day non-stop recording and want to record and save more than 3 cameras' footage to a hard drive"
NVRs/DVRs are not just for storage; they are also embedded with an operating system to multi-task, including managing multiple cameras simultaneously, motion-triggered recording and alarms, scheduled recording, and 24/7 recording.
NVRs can also be accessed remotely from a smartphone, tablet or personal computer.
One piece of advice after buying NVRs/DVRs would be to keep them safe from burglars or thieves, as well as backing them up regularly to an FTP server if needed.

Option 3. FTP Server

An FTP server is a great footage storage option for those who have reservations about cloud storage but don't want a local network drive or built-in memory card. For example, many homeowners expressed their thoughts, saying:
"I don't want to go down the road of paying for monthly memberships to a cloud storage option for recording. I am looking for FTP or some other generic protocol method that is NOT a subscription based 'cloud' solution."
Or
"I would like to save the footage on a host with FTP instead of storing the footage on a local network drive that could just be taken. Or: I have an FTP server and want to manage the footage or videos on the FTP server, configuring security cameras to upload event-based recordings, snapshots or recorded images and videos to an FTP server."
An FTP server is, without any doubt, a good solution. Security cameras such as Reolink cameras are proving increasingly popular with homeowners. Many Reolink security cameras support FTP storage for both motion-based footage and constant video recordings.

Option 4. Cloud-Based Storage

Cloud-based storage is gaining popularity among users who are looking for an alternative to NVR/DVR, SD card and NAS, and there are growing numbers of cloud-based video surveillance cameras and IP cameras with cloud storage available on the market.
Cloud-based storage is relatively convenient and safer; however, cloud services are commonly charged for and require a monthly subscription fee that varies by provider.
Cloud-based storage can also put a strain on the home network by consuming network bandwidth, as well as compromising photo or video quality to achieve acceptable performance.

Option 5. Workstation Computer

Of course, you can always turn your personal computer into a storage unit by configuring the storage path to point at your computer; however, massive data storage could slow your computer down and eat up storage space rapidly.
Not only that: CCTV footage auditing can be done from a computer. You need only Windows-licensed software that takes screenshots of your open camera viewing window; in this scenario you can see what the camera saw. The camera sees 24 hours, and you are able to review it within 24 minutes, which I am confident your DVR/NVR cannot do. 'Auditing' means 'seeing' what the cameras 'saw'. CCTV video footage should be audited daily, several times a day if need be. Depending on the requirements, daily auditing of CCTV footage from critical cameras must become an SOP. Auditing will help relevant stakeholders to 'discover' the 'unknown'. Auditing as an activity may be manual and post-facto, but it is a very dedicated and systematic process which helps address some of the challenges of live monitoring (video blindness, poor attention span, boredom, bias, fatigue, etc.), as well as the challenges of alert-based systems (how often has one faced false alerts, the so-called 'cry-wolf' effect?). Auditing will help discover issues such as those mentioned above, as well as help in identifying and analysing threats and hazards of various kinds (THIRA/HIRA). Auditing CCTV video footage will also be extremely helpful in waste reduction and in following the 5S philosophy, i.e. sort, set, shine, standardize and sustain (all part of Six Sigma practices). Moreover, in case of an accident or incident, relevant authorities can analyse CCTV video footage to determine whether implementing or improving existing policies, procedures and processes could help reduce the potential for future occurrences.
And you can transfer those recordings from your computer to a hard drive, pen drive, USB stick and so on as needed.

The Tradeoff

There's no right answer here. It's really a matter of preference, and there are plenty of models out there to suit either taste. Understanding each footage storage option will help you narrow down the growing pool of models available today and understand the features that matter most to you. The camera saw everything, but we can't see what the camera saw.
This article was published in March 2019 in Safe Secure magazine.


Saturday, January 26, 2019

CCTV Control Room Operator selection - A best practice guide

By Arindam Bhadra
A doctor; a teacher; an environmentalist. There is one common motivation why you would choose one of these careers: to help people. But there’s one more career that sits in the background and doesn’t get as much limelight as it probably deserves.


BS EN 50132-7:2012 and BS EN 62676-4 clause 12.1 state: "If the CCTV (closed circuit television) system has a requirement for live viewing, camera control, system management, or any other human intensive tasks, a control room should be specified to house these functions. The 'control room' could be a single workstation, or a large operations centre." The effectiveness of video surveillance/CCTV control rooms is influenced by a variety of factors. CCTV operators are usually technology buffs who love the technological side of video surveillance systems. CCTV operators in the CCTV control room face several issues, ranging from poor attention span, video blindness, fatigue, boredom and lack of situational awareness to bias and false alerts. There is, however, another side to the CCTV video surveillance sector that the world desperately needs. Keeping people safe from harm and maintaining order in our society has become a lot easier as CCTV technology advances. However, the 'human factor' within the CCTV system is equally important in achieving the objectives of the CCTV function. The capacity of the person selected for any job will determine the success of that person in the position, no matter what kind of environment it is. I've heard it mentioned that CCTV is as simple as watching TV, including by a senior police officer in India who should have known better. Similarly, the placement of contract guards into CCTV positions when they have received no training and don't know what to look for is also common. Those for whom detection is critical will know that the operator is the most essential part of CCTV service delivery. "Cameras never lie", but how will you know? 'See' what the cameras 'saw'. Do audit your CCTV; why suffer? The CCTV control room should be set up, or redesigned, according to a CCTV operational requirements plan, and the CCTV room staff, as end-users, should participate in this process.
BS EN ISO 11064-1 covers the ergonomic design of control centres: principles for the design of control centres.
A CCTV video footage auditor can be defined as one who audits, reviews and closely examines CCTV footage daily, at periodic intervals, with the intent of discovering the 'unknown'. Using all the tools at her/his disposal, she/he 'looks out' for exceptions, process violations, abnormalities, performance lapses, behavioral patterns, potential threats, risks and so on. She/he de-bugs bytes of visual information and multi-tasks by comparing with past cases. 'Auditing' means 'seeing' what the cameras 'saw'. CCTV video footage should be audited daily, several times a day if need be. Depending on the requirements, daily auditing of CCTV footage from critical cameras must become an SOP.


"The capacity of the person selected in any job will determine the success of that person," says Mr. Shankar Mallik, Director, Uma Enterprise, a leading system integrator in the security automation field.
Selection of CCTV operators
The selection of CCTV operators should follow a formal process and be based on a sound analysis of the job tasks. It is acknowledged that in some cases CCTV operators are selected and employed by third party contractors. Nevertheless, there may still be opportunities for CCTV managers to influence the appointment and training of these individuals.
Selecting the right people for the CCTV operator role will help to maximize the motivation and job performance of the operator team. Within larger organizations the recruitment and selection of personnel is often the responsibility of the human resources function. However, depending on the context, managers may exert a degree of influence on the selection process for CCTV room staff. CCTV roles will differ across sites, and the actual job requirements should flow from the organisation’s goals and the operational requirements of the CCTV room. In line with this, the selection process should begin with a suitable examination of what the role entails via an analysis of the job.
Job profile could be:
  1. Sitting in front of a bank of up to 15 screens, constantly monitoring the live pictures that come in from the surveillance cameras
  2. Operating the position of the cameras; for example, if a cash machine is about to be emptied, you would focus the camera on the security guard
  3. Monitoring anyone acting suspiciously, and alerting security staff or police if you see an act of theft, vandalism or any other crime
  4. Monitoring cleaning staff working in large empty buildings for their safety
  5. Notifying the police of any anti-social behaviour
  6. Keeping a log of all incidents to pass on to police
  7. Being called to give evidence in court as a witness

Job analysis:
Job analysis is designed to produce systematic and reliable information about a particular role. It provides the basis for writing an accurate job description, will assist in developing a structured interview and serve as a basis for any selection tests which might be used. The aim of the job analysis is to derive a comprehensive list of job tasks, how they are carried out and the worker characteristics – aptitudes, skills and experience – which are necessary to perform them. As well as covering the current role it is a good idea to consider how the job may change in the foreseeable future. The organisation’s human resources department may have a preferred method for carrying out job analyses. For the CCTV operator role (compared to say, a senior management role) the job analysis may not need to be very complex. Since any amount of footage from any given day could be required at any given time, properly storing footage is one of the most important roles of a CCTV Operator. Storage policy can vary slightly from company to company, but in general CCTV Operators will need to correctly catalog all footage so that it can be easily recalled at a later time.

Selection process
Once the job has been adequately defined, selection of candidates can begin. The interview is still by far the most widely used method of selection; however, evidence suggests that the traditional 'unstructured' interview is not a particularly good predictor of job performance. Structured interviews have been found to be twice as valid (i.e. predictive of future job performance) as unstructured interviews.

Tests
Tests fall broadly into two categories. The first category includes tests of cognitive ability such as aptitude tests and tests of general mental ability (for example numerical reasoning, verbal and non-verbal reasoning, visual-spatial abilities). The second consists of personality tests that aim to measure personal traits and preferences; for example, a person who measures high on the trait of 'conscientiousness' is likely to demonstrate a reasonable level of persistence when performing a variety of tasks.

Operator Skills
Successful CCTV operators are mindful, alert and scrupulous individuals who are highly dedicated to protecting others. In addition to having a talent for all things technical, they also have the ability to quickly identify patterns and abnormalities. In addition to these general personality traits and abilities, employers are looking for CCTV operators with the following skills:
  1. Surveillance System Knowledge: Because extensive knowledge of video surveillance systems is crucial to the job of a CCTV operator, many employers require CCTV operators to have video surveillance certification of some kind.
  2. Attention to Detail: CCTV operators must be able to identify small, seemingly insignificant details that most people would overlook. This ability allows them to keep the area as safe as possible.
  3. Ability to Multitask: Even when a CCTV operator receives a phone call or has to speak to a colleague, they must always keep an eye on the monitors.
  4. Ability to Work Independently: For the most part, CCTV operators will not be required to interact with very many people. Because of this, it is important that they are able to work and stay alert without constant supervision.
  5. Communication Skills: Since CCTV operators will occasionally have to give statements to police officers, communicate with emergency services or even appear in court, they need to have strong written and verbal communication skills.

Training
Training is important for motivation and performance and should be designed to meet operational needs. Where CCTV operators are employed directly by the organization/site at which they work, there will be greater scope for influencing training than where the operator/guard force function is sub-contracted to an external organization. However, contracted operators should have received at least basic training in CCTV.
Methods for carrying out the training needs analysis include interviews, observations, focus group discussions and questionnaires with job incumbents and other stakeholders. Existing job analyses/person analyses may not be up to date so it could be worth taking a current view of the job role.
Since the exact role of a CCTV operator will differ from organisation to organisation, detailed training needs will necessarily differ. However, as a minimum, it is recommended that training should cover the areas in the following list.
  1. Induction into the CCTV role, the CCTV team and the wider organization.
  2. Operation of all CCTV room equipment.
  3. Team building with the immediate team.
  4. Detailed knowledge of camera positions and of the site(s) to be monitored – in practice this means getting out and 'walking the plot' wherever possible – including visits to remotely monitored sites.
  5. Knowledge of the current nature and level of security threat to the site(s) – the local police authority and Intelligence Bureau can provide advice on this.
  6. Knowledge of the nature of unwanted or suspicious behaviours/incidents as they relate to the site.
  7. Understanding of the role of relevant external teams, agencies and/or networks. It can be beneficial to operate a policy requiring operators to regularly visit members of the team who are based 'on the ground' in the site being monitored, or even those in related agencies or organizations.
  8. Preparation for emergencies. Such training is often achieved using incident simulations/scenarios that attempt to model the conditions of a real emergency.

Spatial awareness
We find that often the 80/20 rule applies in surveillance, with about 80% of the incidents being detected by 20% of personnel. I can often see the motivation differences within the training environment as well where people committed to detection have a different philosophy. So one of the first criteria I would want in any operator who would work for me would be to be able to demonstrate a history of detection. Not ‘we detected’ which often covers up a lack of individual involvement, but ‘I detected’. By keeping an eye on them, criminals can be stopped the moment they want to perform a crime. The increased attention may even stop them in their tracks. A CCTV operator who is motivated by his or her moral values finds excessive joy in using expert skills to protect people and their possessions in public venues. Good quality cameras and monitors, along with effective placement, will allow operators to observe the environment well and support their ability to understand the location and likely direction of targets during a dynamic incident – i.e. maintain ‘spatial awareness’. Spatial awareness is an understanding of our location in space and the organisation of objects around us. What operators need to see in the environment will depend on their tasks, which should link to the operational requirements of the control room. Ideal specification and positioning of cameras is dependent on operational requirements but also on what an operator needs to complete a task successfully.

Leadership and management
Research indicates that highly motivated employees perform better and show more commitment to the organisation than unmotivated employees. The way that people are managed and led can significantly affect their perceptions about their job, and in turn their job motivation. Motivation can be a personal trait (i.e. be part of someone’s personality) but it is strongly influenced by elements of the job itself. It is also associated with the rewards a person receives from doing the job. Rewards include the personal satisfaction from a job well-done, as well as recognition from the organisation’s customers, team members and managers.
The minimum recommendation here is that first line supervisors and/or managers should receive formal leadership training which is aimed at achieving effective team and individual performance and which is appropriate for the context in which they work.

Appraisal
Regular appraisals help encourage employee motivation and maintain commitment. At minimum:
· Appraisers should receive appropriate training for conducting company appraisals.
· Appraisals should identify mutually acceptable performance and development goals. These individual goals are often linked to the goals of the team, department and/or organization.
· Appraisals may or may not be linked with rewards (including pay); however, where they are linked with rewards, care should be taken to ensure that the process of reward distribution is systematic and fair, and also perceived as such by all team members.

Pay
The figures below are only a guide. Actual pay rates may vary, depending on:
· where you work;
· the size of the company or organization you work for;
· the demand for the job.
CCTV operators can earn from around ₹ 14,500 to ₹ 15,800 per month. With experience, this could rise to around ₹ 17,000 per month. You may get a shift allowance.

Ref:
BS EN ISO 11064
BS EN 50132-7
BS EN 62676-4

This article was published in Safe Secure magazine, Volume 10, Issue 1, January 2019.