
Saturday, November 15, 2025

How ISO Supports Securing Your Business Video Footage Data

In today’s digital-first world, cybersecurity threats are at an all-time high. Data breaches, ransomware attacks, and insider threats put businesses at risk of financial losses, legal penalties, and reputational damage.

To combat these risks, companies need a structured approach to information security—and that’s where ISO/IEC 27001 comes in.

ISO 27001 is a widely acknowledged ISO standard that defines best practices for Information Security Management Systems (ISMS), providing a comprehensive framework to protect business data, manage cyber risks, and ensure compliance with global security regulations.

An ISO 27001 audit of video footage involves verifying the implementation and effectiveness of Annex A.7.4 Physical security monitoring controls, which require organizations to monitor restricted areas using tools like CCTV and alarms to detect and deter unauthorized access. Auditors will review policies, check footage, inspect systems, and interview staff to ensure the organization meets the standard's requirements for protecting information assets.

What ISO 27001 is

·        An international standard for information security management systems (ISMS). 

·        A framework for an ISMS that uses a systematic approach to manage and protect an organization's sensitive data. 

·        A standard that focuses on the "CIA triad": confidentiality, integrity, and availability of information. 

·        A way for organizations to demonstrate to customers and regulators that they take information security seriously. 

But how does ISO 27001 help secure your business, and why is it essential in 2025? Let’s explore.

1. Why Cybersecurity is a Top Priority for Businesses

Cyberattacks are becoming more frequent, sophisticated, and costly. Businesses face risks such as:

🔹 Ransomware attacks – Hackers encrypt business data and demand payment.

🔹 Phishing scams – Employees unknowingly share sensitive information.

🔹 Data breaches – Exposing customer and financial data.

🔹 Insider threats – Employees or partners mishandle or leak confidential information.

🔹 Regulatory penalties – Non-compliance with GDPR, HIPAA, and CCPA leads to legal fines.

ISO 27001 provides a proactive defense against these threats, ensuring data confidentiality, integrity, and availability.

2. What is ISO 27001?

ISO 27001 is an international cybersecurity standard that helps organizations:

 Protect sensitive business and customer data from cyber threats.

 Identify and manage security risks before they lead to breaches.

 Comply with global regulations (GDPR, HIPAA, PCI-DSS, SOC 2, etc.).

 Implement strong access controls and encryption methods.

 Ensure business continuity and disaster recovery planning.

Unlike traditional cybersecurity measures, ISO 27001 is a risk-based framework that focuses on continuous monitoring and improvement of security policies.

3. Key aspects of the standard

·        Scope

It applies to all types of information, including digital, paper-based, and cloud-stored data. 

·        Risk management

It requires organizations to identify, assess, and treat information security risks in a systematic and cost-effective way. 

·        Compliance

It helps organizations comply with legal and regulatory requirements, such as GDPR. 

·        Certification

An organization can get certified by undergoing an independent audit to prove its compliance. 

·        Flexibility

The standard is technology-neutral and allows organizations to select the controls applicable to them from Annex A, which provides a catalog of safeguards.

4. How ISO 27001 Secures Your Business Data

a) Risk Assessment & Threat Identification

ISO 27001 requires businesses to analyze risks, such as:

🔹 External cyberattacks (hacking, malware, phishing).

🔹 Internal vulnerabilities (employee errors, weak passwords, unauthorized access).

🔹 Third-party risks (vendors, cloud providers, remote access).

Businesses must document, evaluate, and address security threats proactively.

b) Strong Data Protection Policies

ISO 27001 ensures businesses implement:

 Access control measures – Restricting sensitive data access to authorized users.

 Encryption & data masking – Securing data both in transit and at rest.

 Multi-factor authentication (MFA) – Preventing unauthorized logins.

c) Compliance with Global Cybersecurity Regulations

ISO 27001 helps organizations align with key security laws:

📌 GDPR (Europe) – Protects personal data and privacy.

📌 CCPA (California, USA) – Regulates consumer data protection.

📌 HIPAA (Healthcare) – Ensures security of patient records.

📌 PCI-DSS (Payments) – Secures credit card transactions.

By complying with ISO 27001, businesses avoid fines, lawsuits, and data breaches.

d) Employee Cybersecurity Training & Awareness

ISO 27001 requires businesses to:

Train employees on phishing, social engineering, and password security.

Conduct cybersecurity drills and simulated attacks to test readiness.

Establish a culture of security awareness across departments.

e) Incident Response & Business Continuity Planning

ISO 27001 ensures businesses have:

 Incident response plans – Quick action against cyberattacks.

 Backup & disaster recovery solutions – Avoiding data loss.

 Regular cybersecurity audits & vulnerability testing – Preventing security gaps.

By implementing these, businesses can recover quickly from cyber incidents.

5. How to Implement ISO 27001 for Maximum Cybersecurity

Step 1: Conduct a Cyber Risk Assessment

🔍 Identify potential cyber threats and data vulnerabilities.

🔍 Assess network security, cloud storage, and endpoint protection.

Step 2: Develop an Information Security Policy (ISP)

📌 Establish guidelines for password policies, device security, and data sharing.

📌 Implement role-based access controls (RBAC) to limit data access.

Step 3: Secure IT Infrastructure & Cloud Systems

Encrypt sensitive business and customer data.

Use firewalls, intrusion detection, and VPNs for remote work security.

Implement real-time security monitoring tools for threat detection.

Step 4: Train Employees & Conduct Cyber Drills

📚 Provide ongoing cybersecurity awareness training.

📚 Simulate phishing attacks to test employee response.

Step 5: Perform Regular Cybersecurity Audits & Updates

Conduct internal and third-party security audits.

Update security policies based on new cyber threats and trends.

Step 6: Achieve ISO 27001 Certification

📜 Work with an ISO-certified auditor to assess compliance.

📜 Obtain ISO 27001 certification to showcase cybersecurity commitment.

6. The Future of Cybersecurity & ISO 27001

As cyber threats evolve, businesses must stay ahead of hackers and data breaches. Future trends include:

🚀 AI-driven cybersecurity – Using machine learning to detect and stop threats in real-time.

🚀 Zero Trust Security Model – Businesses moving to never trust, always verify frameworks.

🚀 Integration of ISO 27001 with other security standards (ISO 27701 for privacy, SOC 2 for cloud security).

🚀 Cyber insurance becoming essential for risk management.

By adopting ISO 27001 now, businesses can future-proof their cybersecurity strategy.

7. Conclusion: Why ISO 27001 is a Must for Businesses

Cybersecurity is no longer an IT issue—it’s a business survival necessity. Companies that ignore data security risks face:

🚨 Financial losses from cyberattacks and data breaches.

🚨 Legal fines due to non-compliance with global security regulations.

🚨 Loss of customer trust and damage to brand reputation.

On the other hand, ISO 27001-certified businesses gain:

 Stronger cybersecurity defenses.

 Compliance with global regulations.

 A reputation as a trustworthy, security-conscious company.

💡 Ready to secure your business data? Contact us today to implement ISO 27001 and protect your organization from cyber threats! 🔐🚀

An ISO/IEC 27001 audit is a systematic review of an organization's Information Security Management System (ISMS) to ensure it complies with the ISO 27001 standard. This process involves various types of audits, including internal audits for self-assessment, external certification audits to achieve certification, and recurring surveillance audits to maintain it. The audits evaluate the effectiveness of security controls, risk management, and compliance with policies.

ISO/IEC 27001 audits are important because they verify an organization's compliance with international information security standards, build trust with clients and partners, help prevent costly data breaches, and drive continuous improvement of security practices. These audits are crucial for gaining or maintaining certification and demonstrating a robust, proactive approach to managing sensitive data and risks. 

Types of ISO/IEC 27001 audits

Internal Audit: 

A mandatory, self-conducted review to check if the ISMS is compliant with the standard and the organization's own requirements. This helps identify gaps and prepare for external audits. 

Certification Audit: 

An external audit performed by an accredited certification body to determine if the ISMS is ready for certification. This is a formal process that issues the ISO 27001 certificate if successful. 

Surveillance Audit: 

A periodic audit conducted by the certification body after certification to ensure the ISMS continues to function effectively and remains compliant. 

Recertification Audit: 

A full recertification audit that occurs every three years to renew the ISO 27001 certificate. 

What an audit involves

📌 Documentation Review: 

Reviewing policies, procedures, and other documentation to ensure they meet the standard. 

📌 Evidence-Based Assessment: 

Checking that the documented processes are being followed in practice and that there is evidence to prove it, such as risk logs and corrective actions. 

📌 Control Effectiveness: 

Evaluating the effectiveness of the security controls in place to protect information assets. 

📌 Risk Management: 

Assessing the organization's risk assessment and treatment processes to ensure they are properly identifying and mitigating risks. 

📌 Management Review: 

Ensuring that management is involved in reviewing the ISMS performance and taking appropriate action. 

Benefits of ISO/IEC 27001 audits

Establishes trust and credibility: 

Certification through a successful audit shows that an organization has implemented best practices for protecting sensitive data, which builds trust with customers, partners, and stakeholders. 

Improves the security framework: 

Audits help an organization systematically manage and reduce security risks by identifying vulnerabilities and ensuring that controls are effective. 

Ensures compliance: 

Regular audits ensure ongoing compliance with legal and regulatory requirements, such as GDPR, which helps organizations avoid fines and penalties. 

Drives business growth: 

Achieving certification can provide a competitive advantage, open up new markets, and fulfill contractual requirements that mandate ISO 27001 compliance for doing business. 

Mitigates costs: 

By preventing security incidents, audits help reduce the costs associated with data breaches, business disruptions, and non-compliance fines. 

Promotes continuous improvement: 

Audits assess the effectiveness of security controls and identify opportunities for improvement, ensuring the Information Security Management System (ISMS) remains strong and resilient over time. 

How to audit video footage for ISO 27001

Review documentation: 

Check that the organization has a formal policy for video surveillance and has documented the restricted areas that are being monitored.

Check surveillance tools: 

Verify that the surveillance tools, such as CCTV cameras, are properly installed and functioning.

Inspect physical security controls: 

Look for and confirm the presence of detectors and alarms, and check that they are configured correctly.

Confirm access controls: 

Ensure that video footage is only accessible to authorized personnel and is protected against unauthorized viewing or modification.

Check retention policies: 

Review the organization's policies for retaining and securely disposing of video footage.

Review internal processes: 

Examine how the organization handles incidents detected via video footage and review any logs or reports of such incidents. 

During the audit, an auditor will typically review:

Physical security controls: 

The auditor will verify the effective implementation of controls for the CCTV system, which can include aspects like data handling, storage, access control, and monitoring. 

Risk management: 

The auditor will assess if the risks associated with the CCTV system have been continuously reviewed and if the risk treatment plans are still relevant and effective. 

Incident management: 

They will check if any security incidents involving the CCTV system have occurred and if the organization has followed its incident response procedures. 

Compliance with ISO 27001 requirements: 

The auditor will ensure that the CCTV system is still compliant with the relevant clauses of the ISO 27001 standard, especially the physical security controls outlined in Annex A. 

Documentation and procedures: 

The audit will include a review of the documentation related to the CCTV system, such as policies, procedures, and logs, to ensure they are up-to-date and reflect current practices. 
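The three audit checks above that lend themselves to evidence rather than interview, footage integrity (protection against modification), retention and disposal, and access by authorized personnel only, can be scripted so that an auditor or the internal ISMS team runs the same test on every visit. The block below is an added example, not code from the original post or from SSA Integrate; it assumes a manifest of SHA-256 hashes written when each clip was archived, an access log in a simple whitespace-separated format, and a 90-day retention period, all of which are constructed sample data for illustration:

```python
"""Evidence checks for archived CCTV footage: integrity, retention, access.

Added example (not from the original post). Assumes a hash manifest written
at archive time, a whitespace-separated access log and a retention period
in days. All data below is constructed sample input.
"""
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed: clip bytes as they exist on the archive today. In practice these
# would be files read from the NVR or archive share.
ARCHIVE = {
    "cam01_2025-10-01T08-00.mp4": b"frame-data-cam01-morning",
    "cam01_2025-11-10T22-15.mp4": b"frame-data-cam01-night",
    "cam02_2025-06-03T14-30.mp4": b"frame-data-cam02-afternoon",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: manifest recorded when each clip was archived. The night clip's
# recorded hash deliberately differs from the archive bytes to simulate tampering.
MANIFEST = {
    "cam01_2025-10-01T08-00.mp4": {
        "sha256": sha256_hex(b"frame-data-cam01-morning"),
        "recorded": "2025-10-01T08:00:00+00:00"},
    "cam01_2025-11-10T22-15.mp4": {
        "sha256": sha256_hex(b"frame-data-cam01-night-ORIGINAL"),
        "recorded": "2025-11-10T22:15:00+00:00"},
    "cam02_2025-06-03T14-30.mp4": {
        "sha256": sha256_hex(b"frame-data-cam02-afternoon"),
        "recorded": "2025-06-03T14:30:00+00:00"},
}

# Constructed: accounts permitted to view or export footage (role-based list).
AUTHORIZED_VIEWERS = {"security.ops", "dpo"}

# Constructed access log lines: timestamp, user, action, clip name.
ACCESS_LOG = [
    "2025-11-11T09:02:11+00:00 security.ops VIEW cam01_2025-11-10T22-15.mp4",
    "2025-11-11T09:05:40+00:00 jdoe VIEW cam01_2025-11-10T22-15.mp4",
    "2025-11-12T16:20:03+00:00 dpo EXPORT cam01_2025-10-01T08-00.mp4",
]


def check_integrity(archive, manifest):
    """Clips whose current hash differs from the archive-time hash, or are missing."""
    findings = []
    for name, entry in manifest.items():
        if name not in archive:
            findings.append((name, "missing from archive"))
        elif sha256_hex(archive[name]) != entry["sha256"]:
            findings.append((name, "hash mismatch (possible modification)"))
    return findings


def check_retention(manifest, retention_days, now):
    """Clips older than the retention period that should already be disposed of."""
    cutoff = now - timedelta(days=retention_days)
    return [name for name, e in manifest.items()
            if datetime.fromisoformat(e["recorded"]) < cutoff]


def check_access(log_lines, authorized):
    """(user, action, clip) for each access by an account outside the authorized set."""
    violations = []
    for line in log_lines:
        _ts, user, action, clip = line.split()
        if user not in authorized:
            violations.append((user, action, clip))
    return violations


def run_audit(now=None, retention_days=90):
    """Run all three checks; an empty list for an area means no finding."""
    now = now or datetime(2025, 11, 15, tzinfo=timezone.utc)
    return {
        "integrity": check_integrity(ARCHIVE, MANIFEST),
        "retention": check_retention(MANIFEST, retention_days, now),
        "access": check_access(ACCESS_LOG, AUTHORIZED_VIEWERS),
    }


if __name__ == "__main__":
    for area, findings in run_audit().items():
        print(area, findings or "OK")
```

Each non-empty list is an audit finding with the evidence attached: a hash mismatch is evidence against "protected against unauthorized modification", an overdue clip is evidence against the disposal policy, and an access by an account outside the authorized set is a case for the incident log review in the last step. The manifest itself only proves anything if it was written before the footage could be altered and is stored where footage operators cannot rewrite it, so the auditor should also check where and how the manifest is kept.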

IMS Auditor Qualifications:

An educational background in IT or a related field, professional experience in information security, and specific training and certification, most commonly the ISO 27001 Lead Auditor certification. This certification proves your ability to plan, conduct, and report on ISMS audits in line with international standards such as ISO 19011. Certification from QCI-IRCA adds extra value.

A minimum of 2-5 years of experience in video and information security, IT compliance, or risk management is often required. Experience with IT infrastructure or cybersecurity controls is highly advantageous.

You should have knowledge of the ISMS framework, including risk assessment, risk treatment, and the Statement of Applicability (SoA). You must also be familiar with auditing principles and techniques, as defined in ISO 19011.

About Author:

Dr. Arindam Bhadra is a security consultant and ISO auditor based in Kolkata, India, with over 20 years of experience in security systems. He is currently the founding director of SSA Integrate and works on CCTV security awareness, training, consultancy and audit in that field. He is an ISO 27001 Lead Auditor and a member of FSAI, NFPA, the Conformity Assessment Society (CAS) and other bodies.

He audits for:

  1. Risk Assessment Audit.
  2. Information System Audit
  3. Operational Audit
  4. Compliance Audit
  5. ISO 9001: 2015 QMS Audit
  6. ISO 14001: 2015 EMS Audit
  7. ISO 27001: 2022 ISMS Audit
  8. Security & Cyber Security Assessment
  9. CCTV Security Audit / Video Surveillance System Audit
  10. Access Control System Audit
  11. Intrusion Detection Alarm System Audit
  12. BMS Audit.

Saturday, October 1, 2022

Electronic Surveillance Threats

In 2017 the Supreme Court of India ruled in a landmark judgment that privacy is a fundamental right. From sophisticated spyware attacks to mass phishing via smartphones and the rise of facial recognition technology, the range and reach of surveillance threats to human rights defenders is growing.

For security teams trying to keep activists safe, it is a cat-and-mouse game as attackers rapidly adapt to developments aimed at protection.

“When cyber-attackers see people are switching to using (messaging app) Signal, for example, then they will try to target Signal. If people start changing to VPN technology, they will start blocking VPN technology. If people are using Tor browser, they will target Tor traffic,” says Ramy Raoof, tactical technologist with Amnesty Tech.

Automated surveillance equipment has become increasingly common and connected, making the technique more covert and pervasive. Mobile hacking, social engineering, network monitoring, face recognition technologies, GPS tracking, and various other methods commonly employed to catch and prevent crime and terrorism can also be used against civilians.

Electronic surveillance threats – defending a facility against electronic surveillance is a serious challenge, and one that hasn’t been made any easier by the proliferation of computer networks and wireless links. Not only are businesses under threat from phone tapping and video and audio surveillance; wired and wireless computer networks also offer attackers a new dimension of intrusion.

Even the simplest electronic surveillance devices are diverse, with room transmitters being among the most common. Their role is to detect all the environmental noise emanating from the location in which they’re planted.

The primary variations among room transmitters relate to their power source: either battery or mains power, and it’s the battery-powered devices that are most diverse. Thanks to their minimal space requirements, such devices can be secreted inside almost any object. Examples include the inside of pens, calculators, clocks and photo frames, under carpet, behind curtains, and underneath or inside furniture.

The types of battery used to power these devices varies too, depending on the design, size and planned use of the device. Self-contained transmitters designed for surreptitious surveillance favour small button batteries or higher performance hearing aid batteries. When size is less of a concern and length of transmission a higher priority, larger and longer lasting batteries can be used, including the latest lithium types.

Average transmission devices typically have dimensions around 19mm x 12mm x 9mm. Should a small transmitter be built into a pen or a calculator, transmission range will be limited, around 15-20m, though the use of lithium batteries will increase the range.

Mains-powered room transmitters either draw current directly from the mains voltage or trickle-charge a battery that also powers the device. The advantages of this technique, from the electronic intruder’s point of view, include a smaller impact on the mains supply (which could otherwise be monitored for fluctuations) and continued operation should mains power be lost.

The key technical issue for mains powered transmitters is to reduce 240V of alternating current to a direct current, low voltage output of 6-18V. Designers are required to combine transmission circuitry along with a voltage dropper, rectification, smoothing and voltage stabilization circuits.

As a rule, the most popular way to get the small current and voltage requirements is to use a high voltage capacitor to act as resistance at the 50/60Hz mains supply frequency. Low power can be partially offset by injecting some radio power into the mains.

Should there be enough room and a sufficiently low risk of detection, it’s sometimes possible for a step-down transformer to be used – this is inherently more reliable than capacitor leakage or dropper resistance techniques. A transformer can also supply a far greater level of power to a strong transmitter.

AC units can be located inside walls, ceilings, under floors, inside office equipment, in mains-powered clocks and within lamps and lamp holders, to name just a few possibilities. One of the favoured methods of installing an AC bug is simply to plug a dummy double adaptor into a power point in the room being monitored. Despite the simplicity of this technique, only the most observant would notice, and even then they would be most unlikely to consider the appearance of the unit a threat to security.

Electronic intruders wishing to secure a standalone mains-powered transmitter are usually supplied with a square plastic box about 50mm x 50mm x 18mm, or an encapsulating board. There will be a pair of trailing leads coming from these units for connection to the live and neutral lines of domestic AC.

There are still PSTN telephone transmitters. These are connected to target telephone systems and transmit information to a receiving station located nearby. The two basic models are the series-connected transmitter and the parallel-connected transmitter. Both types either draw their operating voltage from the PSTN phone line itself, or carry their own batteries that may be trickle-charged from the phone line.

Series connected transmitters are connected between a telephone socket and a telephone. In this configuration, only that extension will be accessed by the listener. But in the event a series transmitter is used and located on the incoming wires of a 2-pair cable on the other side of a telephone socket, all extensions of the line can be accessed.

Multiplex telephone systems make life extremely hard for electronic intruders trying to record communications. Because these systems multiplex more than one signal onto a 2-pair cable, an intruder would need to employ a de-multiplexer to access phones.

Parallel-connected transmitters are different. Both incoming feed wires are connected to the parallel-connected device, which means the information will be transmitted if either phone is used. With a series device, the telephone wiring must be disconnected to allow insertion of the transmitter. Installation doesn’t necessarily mean cutting and stripping feed wires, however: the device can be installed in a junction box that offers sufficient room, or even inside a telephone.

Series devices are easiest for security managers to detect using one of the counter surveillance devices on the market that alert security staff to temporary disconnection of phone lines. It’s possible for alarm panels monitoring alarm systems to also monitor phone lines for integrity, with any breaches then reported.

Parallel devices, however, can be installed without temporary line breaks and without affecting line resistance. This makes them harder to detect, though if the unit is drawing power from its host, this will cause a measurable voltage drop. Parallel devices are often equipped with alligator clips, requiring no more than a few millimetres of cable to be stripped or a pair of bare terminals.

Battery-powered types are harder to detect and more effective in operation. With their greater operating current, they can achieve greater operating ranges than line-powered bugs, giving 500-1000m ranges instead of 25-50m. Even harder to detect are small rain-proof telephone transmitters that can be connected to any point of the exterior wiring as it leaves a building or joins a telephone pole. Such a device might never be detected.

Mobile phones are usually tapped using spyware. This is a whole other science – it’s possible for experts to search for spyware and users might notice quirks like rapid battery drain, though it can be difficult to know whether this is caused by an illicit piece of software, too many open apps, or simply an aging battery.

There are two primary groups of microphones available to an individual or organization seeking illicit access to communications: omnidirectional and unidirectional. Unidirectional microphones are portable and can be aimed at a target. They are parabolic dish-mounted devices that can be hand-held or tripod-mounted, and they offer excellent results for the electronic intruder. Using a 45cm reflector, high-quality sound can be obtained at 250m. This performance increases fourfold if the reflector size is doubled, but the unit becomes much more visible.

Omnidirectional units pick up audio signals coming from any point of the compass and in surveillance devices they usually have a diameter of about 6mm. As a rule, these devices will be more effective towards the front. Another type of microphone, the spike mike, is mounted on the end of a spike or probe. Microphones can be connected to the audio input of a miniature transmitter, allowing remote monitoring of conversations.

Like any other internet-connected device, surveillance systems can be vulnerable to attacks without the right cyber-security measures in place. Hackers can easily gain access to poorly configured devices with design flaws or faulty firmware and manipulate or steal data. With cyber-attacks accelerating, surveillance systems need to be protected from vulnerabilities, and require the same vigilance provided to IT systems.

Closed-circuit television uses video cameras to transmit a signal to a specific place, on a limited set of monitors. It differs from broadcast television in that the signal is not openly transmitted: it may use point-to-point (P2P), point-to-multipoint (P2MP), or mesh wired or wireless links, but the signal goes to a specific place only and is not open to all.

Cities in at least 56 countries worldwide have deployed surveillance technologies powered by automatic data mining, facial recognition, and other forms of artificial intelligence.

The ban that prohibits the purchase and installation of video surveillance equipment from HikVision, Dahua and Hytera Communications in federal installations was passed in 2018 as part of the National Defense Authorization Act (NDAA). In conjunction with the ban’s implementation, the government has also published a Federal Acquisition Regulation (FAR) that outlines interim rules for how it will be applied going forward. Like NFPA, the NDAA is now accepted globally.

Rules outlined in this FAR include:

·        A “solicitation provision” that requires government contractors to declare whether a bid includes covered equipment under the act;

·        Defines covered equipment to include commercial items, including commercially available off-the-shelf (COTS) items, which the rule says, “may have a significant economic impact on a substantial number of small entities;”

·        Requires government procurement officers to modify indefinite delivery contracts to include the FAR clause for future orders;

·        Extends the ban to contracts at or below both the Micro-Purchase Threshold ($10,000) and Simplified Acquisition Threshold ($250,000), which typically gives agencies the ability to make purchases without federal acquisition rules applying.

·        Prohibits the purchase and installation of equipment from Chinese telecom giants Huawei and ZTE Corporation. This would also presumably extend to Huawei subsidiary Hisilicon, whose chips are found in many network cameras;

·        And, gives executive agency heads the ability to grant a one-time waiver on a case-by-case basis for up to a two-year period.

Specifically, NDAA Section 889 creates a general prohibition on telecommunications or video surveillance equipment or services produced or provided by the following companies (and associated subsidiaries or affiliates):

·        Huawei Technologies Company; or

·        ZTE Corporation

It also prohibits equipment or services used specifically for national security purposes, such as public safety or security of government facilities, provided by the following companies (and associated subsidiaries or affiliates):

·        Hytera Communications Corporation;

·        Hangzhou HikVision Digital Technology Company; or

·        Dahua Technology Company

While the prohibitions are initially limited to the five named companies, Section 889 authorizes the Secretary of Defense, in consultation with the Director of National Intelligence or the Director of the FBI, to extend these restrictions to additional companies based on their relationships to the Chinese Government. The prohibitions will take effect for executive-branch agencies on August 13, 2019, one year after the date of the enactment of the 2019 NDAA, and will extend to beneficiaries of any grants, loans, or subsidies from such agencies after an additional year.

The provisions of Section 889 are quite broad, and key concepts are left undefined, such as how the Secretary of Defense is to determine what constitutes an entity that is “owned or controlled by, or otherwise connected to” a covered foreign country, or how the head of an agency should determine whether a component is “substantial,” “essential,” or “critical” to the system of which it is part. The statute also fails to address the application of the prohibitions to equipment produced by U.S. manufacturers that incorporate elements supplied by the covered entities as original equipment manufacturers (“OEMs”) or other kinds of supplier relationships.

Section 889 contains two exceptions under which its prohibitions do not apply:

(1) It allows Executive agencies to procure services that connect to the facilities of a third party, “such as backhaul, roaming, or interconnection arrangements.” This likely means telecommunications providers are permitted to maintain common network arrangements with the covered entities.

(2) It permits covered telecommunications equipment that is unable to “route or redirect user data traffic or permit visibility into any user data or packets” it might handle, meaning a contractor may still be able to provide services to the Government so long as any covered equipment provided is unable to interact or access the data it handles.

The Constitution of India guarantees every citizen the right to life and personal liberty under Article 21. The Supreme Court, in Justice K.S. Puttaswamy v. Union of India (2017), ruled that privacy is a fundamental right. But this right is not unbridled or absolute. The Central government, under Section 69 of the Information Technology (IT) Act, 2000, has the power to impose reasonable restrictions on this right and intercept, decrypt or monitor Internet traffic or electronic data whenever there is a threat to national security, national integrity, security of the state, and friendly relations with other countries, or in the interest of public order and decency, or to prevent incitement to commission of an offence.

Only in such exceptional circumstances, however, can an individual’s right to privacy be superseded to protect the national interest. The Central government passed the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, which allow the Secretary in the Home Ministry/Home Departments to authorise agencies to intercept, decrypt or monitor Internet traffic or electronic data. In emergency situations, such approval can be given by a person not below the rank of Joint Secretary in the Indian government. In today’s times, when fake news and illegal activities such as cyber terrorism on the dark web are on the rise, the importance of reserving such powers to conduct surveillance cannot be overstated.

The risk of electronic surveillance threats to EHR/HIS systems is a critical issue because, under the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA), a patient’s medical records must be kept secure and private, accessible only to the hospital authorities, the doctors in charge of the patient, and the patient himself.

More advanced techniques now no longer require a target to actively click on a link in order to infect a device, explains Amnesty Tech security researcher Etienne Maynier. An attack using NSO spyware on an activist in Morocco covertly intercepted the activist’s web browsing to infect their phone with spyware. “Instead of waiting for you to click on a link, they instead hijack your web browser’s traffic and redirect you to a malicious website which tries to secretly install spyware,” says Maynier.

Successful targeting of well-protected phones is becoming more common and security teams are under added pressure from a burgeoning industry in so-called ‘zero-day’ exploits, in which unscrupulous hackers seek to find unknown vulnerabilities in software to sell. In May 2019, NSO Group exploited a zero-day vulnerability in WhatsApp that was used to target more than 100 human rights activists across the world with spyware.

How to keep your communications safe:

Using public Wi-Fi and VPNs: When you connect to Wi-Fi in a cafe or airport, your internet activity is routed through that network. If attackers are on the same network, they can see which sites you visit and capture any data that is sent unencrypted. Using a VPN app on your devices encrypts your traffic as far as the VPN provider, so others on the same network cannot inspect it. Bear in mind that a VPN moves trust from the local network to the VPN provider rather than removing it, so choose a provider whose logging policy you accept, and still insist on HTTPS for the sites themselves. If you want to explore options, try NordVPN and TunnelBear.

Password management: Using a password manager means you don’t have to worry about forgetting passwords and can avoid reusing the same one across services. It is a tool that creates and safely stores strong, unique passwords for you, so you can use a different password on every site and service. There are various password managers, such as KeePassXC, 1Password or LastPass. Remember to back up your password manager database and protect it with a strong master passphrase. Do not use passwords such as password, ddmmyyyy (your date of birth or any other date), admin@123, administrator, administrator1 or Super@1234, or simple variations of them: these are among the first guesses in any attack.

Messaging apps: When we advise human rights defenders about messaging apps, we assess each app on its policies (such as terms of service and privacy agreement), its technology (whether it is open source and available for review, whether it has been audited, and its security design) and finally the situation (whether the app provides the features and functionality that fit the need and the threat model). Generally speaking, Signal and Wire are two apps with strong privacy features. Remember: Signal requires a phone number to register, whereas for Wire you can sign up with a username or e-mail address.

Phone basics for iPhone or Android: Only download apps from the official app store, to prevent your personal information from being accessed without your consent and to minimise the risk of attacks. Update your system and apps promptly to ensure they have the latest security patches. Enable account recovery in case you lose access to your phone. Finally, choose a screen lock that is not easily guessed, such as an 8-digit PIN or an alphanumeric passcode, rather than a 4-digit PIN or an unlock pattern.


Sunday, June 30, 2019

System Integrators tips to win Sales Proposals for New Access Control Systems


Access control provides the ability to control, monitor and restrict the movement of people, assets or vehicles in, out of and around a building or site. It is only a matter of time before you receive the highest compliment from one of your customers when they say: “We need a completely new access control system, and we want you to design and implement it.”

Any security systems integrator (Security Safety Automation Integrate - SSA Integrate) who has ever worked on an “enterprise-level” access control project will tell you it is not simply standard access control on a larger scale. There are a host of requirements, challenges and issues that come with true enterprise access control.


Today’s enterprise-level projects are more complex than ever, with an emphasis on integration not only with other security systems such as video, but also with Active Directory, building control and beyond, in some cases going to PSIM-level integration. Technologies such as mobile credentialing, PoE and convergence have all greatly impacted this space in recent years, requiring more technical expertise than ever before on the part of the security systems integrator. I am always available in case any design issue or guidance is required; just send me a mail. I work for a smarter and safer future. – Arindam Bhadra.

Now I share a checklist for winning sales proposals for new access control systems. If you approach it methodically, you can reduce errors and ensure that your customer gets the exact system they require.
Questions to ask include:
• What is the short-, mid- and long-range vision for the access control system? Is it based on open standards (for example IEEE 802.3af PoE and 802.11 Wi-Fi for the network infrastructure, and an open reader protocol such as OSDP rather than a proprietary interface) for the most affordable and vendor-independent infrastructure? Is it scalable enough to support possible mergers and acquisitions?
• What type of access card or credential(s) will be used? How many are issued? What card format will be used, and can it support the projected card-holder population? Is issuance controlled to ensure there are no duplicate IDs?
• What investment has already been made? Is the current system upgradeable, or is a completely new system required?
• What assets does the end-user have, and what value do these assets have in relation to the operation or business? These range from physical assets like computers to patient records, employee records and client data.

Observe the End-User
Essentially, the integrator should be trying to find out about the culture at the end-user’s location. It can range from an open, accommodating environment, to one with strict and limiting access controls. There will always be a conflict between convenience and security — the challenge is to create procedures and rules that balance these disparate goals.
Did you observe employees holding doors open for each other? If so, how are they able to verify the other person’s current employment status? Did they open the door for persons carrying large packages, and if so, did they check their IDs? Did visitors sign in at the reception desk? Did they wear ID badges? Were they escorted by staff members? Did students have a habit of leaving their rooms unsecured? If so, what sort of liability falls on the school administration if a theft occurs and they knowingly allowed that practice to continue?

Conduct a Site Survey and Security Audit
Walking through a customer’s facilities can be invaluable when developing a comprehensive access control plan. Here are a few things to look for:
• Mechanical Security: If the openings are not mechanically secure, any additional funds spent on electronic access control are wasted. The following must be addressed before moving forward on an advanced access control system: Are the doors, frames, and hinges in good condition? Are they rugged enough for the application and durable enough for the traffic? Are the frames mortar-filled?
> What key system is in use? Is it a patented, high-security type? How often are locks re-cored? How many master keys have been issued? Have any been lost? How easy is it to reproduce the keys?
> Is there provision for persons with disabilities to ensure compliance with the applicable local accessibility legislation?
> Are cross-corridor fire doors in place? Do they have magnetic door holders tied to the fire alarm system?
• Identify the Threat: Consider the end-user’s surroundings: have you noticed any evidence of gang activity? Have you noticed an increase in shuttered businesses?
If so, perhaps an increase in perimeter security is in order, potentially including increased lighting, cameras and gated access.
• Evaluate the Facilities: This will help you identify product options. How old is the building? Does it have architectural or historical significance? How thick are the walls? Was asbestos used as an insulating material? If so, it may be difficult and costly to install conventional, wired access control devices, and a Wi-Fi lockset solution may be a good alternative.
• Identify Assets and Value: Many consider assets to be tangible items that can be sold for quick cash. But assets include anything that someone might want to steal or destroy, and vary among end-users. The important thing is to put a price tag on the loss of the asset, plus the cost of lost productivity and potential liability that could result.

Get the Technical Details
For each opening requiring access control, you’ll need the following details to ensure you order the right product for the given application:
• Does the door swing in or out? Is it left- or right-handed?
• What’s the finish of the existing hardware? What’s the lever style? Would the end-user prefer a more modern look?
• How is each door expected to operate? Ensure that an operational narrative is written for each opening that covers the following conditions, and have the customer sign off on it. This should include: normal state; authorized/unauthorized access and egress; monitoring and signaling; and power failure, fire alarm and mechanical operation.
• Determine where to place access control equipment. This could be an IT closet, server room, administrator’s office or the BMS room; in every case it should be on the secure side of the openings it controls. Make sure your staff will have access for installation, and later for service and maintenance. Also, make sure there is enough wall space to mount access control panels, interface modules and power supplies.
• Determine network coverage. Are IP drops where you need them? Is there sufficient WiFi coverage where you need it should you opt for WiFi locksets?

Validate the Security Requirements
Different applications and clients have differing security requirements. Verify these needs with the end-user before starting the system design; otherwise, you could be in for a lot of extra work. The following considerations should be factored into an overall access control plan, as they have a direct impact on product selection and system configuration:
• Lockdown: Is lockdown capability needed in the interior or just the exterior — or at all?
• Real Time: Is real-time communications to the access control system a critical requirement? Perhaps it is for perimeter doors, but what about interior doors?
• Monitoring Requirements: How much monitoring does the end-user need? In most cases, a door position switch will suffice; however, some clients want to know that the door is both closed AND secured — these are not necessarily the same thing.
• Audit Trail Requirements: How important is it to know who entered a building or room, and when? For regulated areas such as computer rooms, personnel records and patient records, an audit trail is mandatory for code compliance; some companies also use audit trail reports to validate employee activity.
• High-Security and Classified Areas: For increased security, there are several options. Is multi-factor authentication a requirement, such as card and PIN or even biometric verification? Should there be a two-person rule?
• Special Considerations: Some areas require valid access credentials from both sides of the door, keeping the right people in and the wrong people out (and, with a reader on each side, enabling anti-passback). This requirement takes different hardware than a typical free-egress lock or exit device.
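The operational narrative for each opening (normal state, authorised and unauthorised access and egress, monitoring and signalling, power failure and fire alarm) and the requirements just listed (lockdown, real-time monitoring, audit trail, card + PIN, two-person rule, readers on both sides) can be written down as executable decision logic, which is a precise way to get the customer’s sign-off on how a door will actually behave. The following is an added example written for this post, not code from the original article or from any access control vendor’s product; the cardholder table, the five-second relay time, the ten-second two-person window and the 30-second held-open limit are constructed assumptions.

```python
"""One controlled opening as executable decision logic (constructed example, not from the post)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class LockMode(Enum):
    FAIL_SAFE = "fail-safe"      # EM (mag) lock: releases on power loss or fire alarm
    FAIL_SECURE = "fail-secure"  # electric strike: stays locked without power; mechanical free egress


@dataclass
class Door:
    name: str
    lock_mode: LockMode
    require_pin: bool = False       # card + PIN on the entry reader (multi-factor)
    two_person_rule: bool = False   # two distinct valid cards within two_person_window
    two_person_window: int = 10     # seconds (assumed)
    relay_time: int = 5             # seconds the lock is released after a grant (assumed)
    held_open_limit: int = 30       # seconds before a "door held open" alarm (assumed)
    powered: bool = True
    fire_alarm: bool = False
    lockdown: bool = False
    unlocked_until: int = -1
    opened_at: Optional[int] = None                 # door position switch (DPS) state
    pending: Optional[Tuple[str, int]] = None       # first card of a two-person entry
    location: Dict[str, str] = field(default_factory=dict)  # card_id -> "inside"/"outside"
    audit: List[dict] = field(default_factory=list)


# Constructed cardholder database: card_id -> PIN (assumed values)
CARDHOLDERS = {"C1001": "4821", "C1002": "7730", "C1003": "1199"}


def log(door: Door, t: int, event: str, **detail) -> None:
    """Append one audit-trail record: who, where, when and what was decided."""
    door.audit.append({"t": t, "door": door.name, "event": event, **detail})


def is_locked(door: Door, t: int) -> bool:
    """Effective lock state. Priority: life safety, then power state, then lockdown, then grants."""
    if door.fire_alarm and door.lock_mode is LockMode.FAIL_SAFE:
        return False                   # fire alarm / EDR drops the maglock whatever else is set
    if not door.powered:
        return door.lock_mode is LockMode.FAIL_SECURE
    if door.lockdown:
        return True                    # lockdown overrides any earlier grant
    return t > door.unlocked_until


def present_card(door: Door, side: str, card_id: str, t: int, pin: Optional[str] = None):
    """Decide a request at the 'entry' or 'exit' reader. Returns (granted, reason)."""
    def deny(reason: str):
        log(door, t, "deny", side=side, card=card_id, reason=reason)
        return False, reason

    if door.lockdown:
        return deny("lockdown")
    if card_id not in CARDHOLDERS:
        return deny("unknown card")
    if side == "entry" and door.require_pin and pin != CARDHOLDERS[card_id]:
        return deny("bad pin")
    # Anti-passback: readers on both sides let the system track who is inside, so a card
    # that never badged out cannot badge in again (and vice versa).
    expected = "outside" if side == "entry" else "inside"
    if door.location.get(card_id, "outside") != expected:
        return deny("anti-passback")
    if side == "entry" and door.two_person_rule:
        stale = door.pending is None or t - door.pending[1] > door.two_person_window
        if stale or door.pending[0] == card_id:
            door.pending = (card_id, t)
            log(door, t, "wait", side=side, card=card_id, reason="second person required")
            return False, "waiting for second credential"
        first, _ = door.pending
        door.pending = None
        door.location[first] = "inside"
        log(door, t, "grant", side=side, card=first)
    door.unlocked_until = t + door.relay_time
    door.location[card_id] = "inside" if side == "entry" else "outside"
    log(door, t, "grant", side=side, card=card_id)
    return True, "granted"


def door_contact(door: Door, is_open: bool, t: int) -> None:
    """DPS change: opening while locked is a forced door; staying open past the limit is a
    held-open door. A closed door is not necessarily a secured door, hence the separate check."""
    if is_open:
        door.opened_at = t
        if is_locked(door, t):
            log(door, t, "alarm", reason="forced door")
        return
    if door.opened_at is not None and t - door.opened_at > door.held_open_limit:
        log(door, t, "alarm", reason="door held open")
    door.opened_at = None


def events(door: Door, kind: str) -> List[dict]:
    """Filter the audit trail by event type ('grant', 'deny', 'wait', 'alarm')."""
    return [e for e in door.audit if e["event"] == kind]
```

Walking the customer through `is_locked` is the quickest way to settle the fail-safe versus fail-secure question for each opening: the order of the checks is the operational narrative, and the audit list is the record the compliance requirement asks for.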

Determine Business Requirements
Consider the final details that will allow you to complete your system design:
• Aesthetics: Many high-profile building owners use architectural design to make their facilities stand apart. This extends to the interior space as well. So, is a black wall reader the right choice? Or will an elegant lock with integrated card reader and designer lever be a better option?
• Infectious Disease Control: Some locks and doors are available with an anti-microbial finish designed to inhibit the growth of bacteria.
• Turnover: What kind of turnover does the facility experience? Heavy turnover would be difficult to manage with a PDA-programmable offline lock; however, one-card systems program access privileges onto the card, virtually eliminating the need to tour the doors to reprogram them. Of course, online solutions could address this as well.
• Applications: It is inevitable that a variety of applications will converge into a single system. That’s why it is important to select an access control system that can grow by providing application support for parking access, visitor badging, integrated video and other needs as required.
• System Management: It is important to determine who will manage the new access control system, how and from where. For enterprise-class systems, it might mean multiple departments will manage their own people, while a system administrator maintains and manages the main, centralized system.
• Budget: You ultimately need to know your customer’s budget; however, with all the upfront research, your findings might be beyond their initial scope. This is where long-term planning comes into play, so you can develop a priority list over several phases to ensure the end-user gets an access control system that fully meets their requirements.

Ensure Code Compliance
Several agencies have issued codes and standards over the years to enhance life safety, improve privacy and reduce fraud, and they need to be factored into an overall access control plan. Relevant ones include: the Health Insurance Portability and Accountability Act (HIPAA), which drives the access-restriction and audit-trail requirements for patient records; the National Building Code of India 2016; Life Safety (NFPA 101): means of egress; Fire (NFPA 80): fire doors and other opening protectives, including retrofits; Accessibility (ANSI A117.1): operators and credentials; and Electrical (NEC, NFPA 70): installation, wiring and products. Select products and services that meet the design requirements and comply with current standards, such as the European access control standard EN 50133 (now largely superseded by the EN 60839-11 series) and the applicable electrical wiring regulations.

Suppose you need to design a 2-door system with a card reader on both sides of each door for 100 card holders. What is the minimum order quantity (MOQ)? Two options are shown below; quantities cover both doors, and RM means running metre.

Option 1: networked 2-door / 2-reader controllers

Sl.  Short description    Long description                                       Unit   Qty
 1   Door Controller      2-door / 2-reader door controller                       No.      2
 2   Power Supply         Power supply for controller                             No.      2
 3   Proximity Reader     Proximity readers for entry and exit                    No.      4
 4   Proximity Card       Proximity cards                                         No.    100
 5   EM Lock              Single-leaf EM lock (600 lbs)                           No.      2
 6   EDR                  Emergency door release (break-glass switch)             No.      2
 7   MC                   Magnetic contact (door position switch)                 No.      2
 8   Access Software      Access control software                                 Set      1
 9   Patch Cord           Patch cord, 3 m                                         No.      2
10   Network Switch       4-port network switch                                   No.      1
11   Access Workstation   PC (i5) with Windows operating system, keyboard, mouse  No.      1
12   4C Cable             Supply, laying and testing of 4C x 1.5 sq.mm cable      RM      30
13   2C Cable             Supply, laying and testing of 2C x 1.5 sq.mm cable      RM      40
14   25 mm PVC Conduit    Supply, laying and testing of 25 mm dia. PVC conduit    RM      60

Option 2: standalone controller-cum-reader units

Sl.  Short description    Long description                                       Unit   Qty
 1   Door Controller      Standalone door controller cum reader                   No.      2
 2   Power Supply         Power supply for controller                             No.      2
 3   Proximity Reader     Proximity readers for the second side of each door      No.      2
 4   Proximity Card       Proximity cards                                         No.    100
 5   EM Lock              Single-leaf EM lock (600 lbs)                           No.      2
 6   EDR                  Emergency door release (break-glass switch)             No.      2
 7   MC                   Magnetic contact (door position switch)                 No.      2
 8   Access Software      Access control software                                 Set      1
 9   Patch Cord           Cat6a cable                                             RM      30
10   Network Switch       4-port network switch                                   No.      1
11   Access Workstation   PC (i5) with Windows operating system, keyboard, mouse  No.      1
12   4C Cable             Supply, laying and testing of 4C x 1.5 sq.mm cable      RM      30
13   2C Cable             Supply, laying and testing of 2C x 1.5 sq.mm cable      RM      40
14   25 mm PVC Conduit    Supply, laying and testing of 25 mm dia. PVC conduit    RM      60

Note on Option 2: a standalone controller-cum-reader combines the decision logic and the lock relay in the unit on the wall. Mount it on the secure side of the door and put only a plain reader on the unsecured side; a combined unit on the outside exposes the lock wiring to anyone who can remove its cover. Neither option lists request-to-exit devices because each door has a reader on both sides; the EDR provides emergency egress past the fail-safe EM lock and must be wired to drop the lock directly, not only through the controller.


Ref:
Access & Identity Management Handbook.
https://ipvm.com/reports/video-surveillance--access-control-integration
BS EN 50133-2-1:2000, British Standards Institution, 2018.