CCTV
systems collect all types of information for a wide range of reasons. While the
equipment is valuable, it is almost always the records, and the information
they hold, that matter the most.
Many
CCTV systems record images of people, especially if they are set up in a public
space. This type of record is 'personal information', which is protected under
privacy legislation. As a result, every effort should be made to keep the
records secure and avoid misuse.
Managing
the risk to records protects the CCTV owner as well as the individual being
recorded. CCTV records may be used as evidence in criminal proceedings. They
can also be used to demonstrate that an innocent activity was genuinely
innocent. Either way, the records should be stored securely until they are
handed over to the police. For private operators, there may also be good
commercial reasons for ensuring confidentiality of the records.
At
a basic level, the question is: what can go wrong, and how much does it matter?
CCTV
systems are exposed to a range of intentional physical security risks such as
tampering with camera placement, power supplies, communications cabling and
controlling equipment. These risks may be prevented with physical control
measures, such as housing these items in locked enclosures appropriate to the
risk and environment (such as equipment that is accessible to the
public). Procedural security can be used to deter and detect attacks on
CCTV infrastructure by visual inspection and review of indicative alarms.
Natural
disasters also present risks. You can't prevent fires, floods, or earthquakes,
but you can minimise the risk of damage or loss of data from your CCTV system.
While insurance can cover the loss of equipment, data is not replaceable.
A good offsite backup system for electronic data, such as CCTV video,
configuration data, usage logs etc, can reduce this risk. Systems that
instantaneously backup data provide less likelihood of data loss when compared
to scheduled periodic backups.
Modern
digital CCTV systems are typically dependent on computing equipment performing
continuously. Protection from inevitable hard disk failure is usually
provided with redundant disk storage systems (using RAID arrays). Once a
disk failure has been detected (automated detections should be tested
regularly) it can be substituted with a replacement disk onto which the missing
data is automatically copied. This rebuilding process can take many hours due
to the large storage capacity which presents additional risks; the storage
system may not cope with rebuilding load resulting in missing data, and data
from any further coincidental disk failure(s) may not be protected (depending
on the redundancy design). Whilst it may be impractical to have
full CCTV system redundancy it may be prudent to maintain service spares of
essential components. For example, power supplies are required for
interrogation of system data or access live CCTV resources. As such
battery backup and/or alternate utility supplies may be warranted.
Attacks
on CCTV information from human threats can be grouped as:
- Availability; the information is not required when needed. Information may have been deleted accidentally or maliciously, or normal access prevented through disruption to normal processes, such as physically damaging equipment and communications or inundating communication channels.
- Accuracy; the information has been compromised. This may include substitution of real data with artificial data, or breaching evidential requirements for handling information that casts doubt on its authenticity.
- Confidentiality; the information has been disclosed to unauthorized persons. This may have occurred with or without knowledge of the CCTV system owner. An obvious example of this is the unauthorized duplication and dissemination of video to media outlets - made easier if operators have ready access to high speed internet connections. A less obvious example may be an unauthorized access by computer 'hackers' where CCTV systems are interconnected with other data networks.
- Integrity; the information has been compromised. This may include substitution of real data with artificial data, or breaching evidential requirements for handling information that casts doubt on its authenticity.
Even
with the best of intentions, mistakes can and do happen. They include
accidentally deleting records or even entire hard drives, overwriting backups,
forgetting to maintain a system, placing cameras in the wrong place, or
forgetting to make a regular, scheduled backup. Some of these can be prevented
by information management policies that include user training and restricting
access to system resources, usually with logical access control (such as user
sign log-on accounts). This can also help reduce the chances of deliberate
actions aimed at destroying or stealing data or equipment. Personnel
security vetting is often included in licensing requirements and can reduce
risks of inappropriate usage by CCTV operatives.
It
is worth considering how you will manage these and other risks to the security
of your CCTV equipment and records. Most strategies fall into one of four
categories:
- Avoid the risk - for example, by moving a camera out of reach of vandals, or locking a door after hours.
- Transfer the risk - for example, by outsourcing the CCTV system and ensuring that contracting organizations, within the contract, are responsible for the security of records.
- Accept the risk - for example, by relying on default settings in CCTV equipment because you believe the risk is low.
- Reduce the risk - for example, ensuring only authorized people have access to CCTV computer systems and information.
In
most cases, the final approach uses several strategies and depends on
individual circumstances. It ultimately depends on the value of the records,
the risk of loss or damage, and the consequences. These decisions are best made
before the records are collected and, if possible, before a CCTV system is even
installed. It is advisable to have an Information Security Management
Plan that includes CCTV systems to ensure that risks are treated
appropriately. The policies and procedures used to apply information
security should be competently reviewed and executed.
Government
organizations have an additional obligation to consider the security
classification of CCTV records and may consider implementing an information
classification policy in accordance with the relevant government regulations.
The agency's security officer should be contacted for advice in these
cases.
Information
classification should be considered by private CCTV system owners, particularly
with the advent of computer based CCTV system designs and high capacity
portable media.
This
process helps provide assurance that CCTV records information will be handled
appropriately to reduce negative risks.
This is so cool! thanks for sharing
ReplyDeleteCCTV surveillance cameras Rockland
fire alarm systems Rockland
CCTV system is essential for security reasons. But yes, this also needs to be properly managed for several reasons. Thank you for pointing that out in your post.
ReplyDeleteThis is really amazing and with this i would also say that you must get the best security for your place
ReplyDeleteThis blog is really a resource for us.
ReplyDeleteSafe Home security systems
You can't deny the fact that these days, CCTV is slowly becoming a necessity for business owners to provide additional security measures within their premises.
ReplyDeleteThanks for sharing CCTV bus solutions in dubai
ReplyDeleteThanks for sharing Home Security Cameras Installation
ReplyDeleteTHANKS FOR SHARING SUCH A GREAT WORK
ReplyDeleteGOOD CONTENT!!
Dubai Ip Camera
These Lock Systems Replacement Parts the traditional keys with better and more secure automation features like remote locking and unlocking. In these locks, a latch or bolt is made to cross the opening between the side of the door and the doorframe, thereby preventing access.
ReplyDeleteAwesome Post! I appreciate you sharing. Swiftit.ae, one of the top CCTV installation companies in Abu Dhabi, where they offer excellent software for your IT administration. You could think about looking them up.
ReplyDelete