CREATING AN EFFECTIVE SECURITY PROGRAM
Sunday, June 20, 2010
Designing Efficiencies and Performance into Your Security Platform
Introductions
Fundamentals of Creating an Effective Program
Three Fundamentals of Campus Security Programs
Integration versus Interfacing
Vice President – Operations
Senior Managing Consultant
36+ years of security consulting experience in higher education, industrial, and corporate security settings, including work in investigations, security management, and consulting.
Specializes in providing consulting services in the following areas: regulatory compliance; security master planning; physical and information protection programs (assessments, systems design, and policy and procedures); security project management; business continuity planning; security awareness and training programs.
Managed security forces for Penn Valley Community College, Cleveland Chiropractic College, Brown Mackie College and Maranatha Baptist Bible College. Managed security for the University of Wisconsin - Madison athletic events including football, basketball, swimming, and hockey venues. Project manager for a large security risk assessment and lighting design project for the State University of New York at Buffalo (SUNY UB).
Developed and managed security programs for hundreds of clients, many of the Fortune 100, including the nation’s leading auto manufacturer, one of the top three telecommunications companies, numerous electric, natural gas, and water treatment utilities, hospitals, high-rise office buildings, college campuses, retail distribution centers, apartment complexes, stores, railroads, trucking companies and manufacturing plants.
Certified Protection Professional (CPP)
Certified Security Project Manager (CSPM)
Certified in Risk Assessment Methodology for the Security of High Voltage Electric Transmission Systems (Sandia National Laboratories)
Advanced CPTED Practitioner
D. Clay Shropshire, MBA, CPP, PSP, CSPM
Systems Design / Systems Engineering Credentials
Completed Design & Engineering Projects for the State University of New York at Buffalo, Brigham Young University, Hallmark Cards, Blue Cross & Blue Shield, Sprint, American Express, Missouri Western Correctional Facility, Potosi Prison, the US Postal Service, the City of Tallahassee, Oklahoma Gas Electric, Kansas City Power & Light, Black & Decker, Whiteman Air Force Base B2 Bomber Support, Charlotte Motor Speedway, JCPenney Company, SD Army Reserve National Guard
Masters of Business Administration
27 Years Experience in Security Systems Design, Systems Engineering, Project Management, and Consulting, Primarily in Designated US Critical Infrastructure Industries
Specializes in Physical and Information Protection Programs (Assessments, Systems Design, Systems Engineering, and Policy & Procedures); Security Master Planning; Security Project Management; Regulatory Compliance; Security Awareness & Training
Advanced CPTED Practitioner
Certified Protection Professional (CPP)
Physical Security Professional (PSP)
Certified Security Project Manager (CSPM)
Completed Factory Training Schools through Pelco, Lenel, Software House, Commend, Stentofon, AMAG, Panasonic, International Fiber Systems, Anixter, Bosch, Axis
There is no free lunch or painless approach to security.
Security and network capacities and capabilities are just like facilities, parking areas, or green space. They must be planned and coordinated at the beginning of the planning and design phase for maximum effectiveness.
This means that they must be designed and planned with an eye towards the future and the big picture.
The future and the big picture must be understood and communicated to all participants of the planning process.
The big picture is a fully integrated systems approach that seamlessly shares data across the network and manages exceptions to the norm.
There is a difference between police functions and security functions.
Police functions include dispatching, incident response at the scene, crowd control, traffic control, incident investigation, and arrest powers.
Security functions include alarm monitoring, alarm assessment, systems management, and the notification of authorities.
Many colleges and universities combine police and security functions, tasking dispatchers to monitor alarms, assess alarms, and notify other authorities.
The biggest problem with this approach is the various disparate systems installed across the footprint, which give the dispatcher little or no ability to quickly and easily navigate through them to get the needed information.
Universities tend to be enclaves of autonomous departments, each vying for limited funds to expand their programs to attract the best and the brightest students and faculty.
The Science Department, by upgrading its labs, can bring in tuition dollars through increased enrollment so it can be viewed as a money generating center.
The Athletics Department, by upgrading its training & practice facilities, can improve its sports teams bringing in funds through higher ticket prices and filled venues so it can also be viewed as a money generating center.
The Student Housing Department, by updating dormitory rooms, buildings, and food service facilities, can cause a student or parent to prefer your University over another, again increasing tuition dollars so it can be viewed as a money generating center.
The University Police Department is viewed as a cost center.
There has probably been no student or parent who decided upon enrollment at a particular institution of higher learning because of the quality or quantity of Campus Police.
There have been parents who have decided that their child would not attend a particular college or university because of their perceived lack of general security across campus or in the dormitories.
Since University Police Departments tend to be viewed as cost centers, they may not have been included in discussions regarding future plans.
When the Science Department decides to upgrade its labs, the Police Department gets tasked with monitoring alarms from systems included in the bid specs. These systems may not match any other system installed at present on campus, thus creating another legacy system.
When Student Housing decides to upgrade its dormitories to add physical access control and/or closed circuit television systems, these systems may be managed by this department. University Police may be allowed into Student Housing systems but it may require special permissions or changes in software. This system could be a totally independent system used only by this department.
Physical Access Control Systems
Intrusion Detection Systems
Closed Circuit Television Systems
Video Recording Systems
Incident Reporting Systems
Fire and Life Safety Systems
Emergency Communications Systems
The most common state of affairs for a campus will have existing systems installed throughout the footprint based on the desires of the various autonomous departments.
Systems could be old-style, processor-based units that require a human to operate the control equipment, such as a voice evacuation system requiring local microphone announcements.
Systems could be newer network systems that are dissimilar from others of the same type, like having different manufacturers of access control.
They could consist of equipment that does not integrate or was not properly sized for the total application, such as a 16 channel digital video recorder installed instead of connecting cameras to a network video recorder.
Legacy systems could include cutting edge equipment with little thought given to other system constraints, like installing several mega-pixel cameras across the campus only to find out that the video streams bring the network to a crawl.
There could be multiple independent packages of the same type of equipment used by different campus departments, like using a specific brand of access control with each department holding its own license.
In the early days of computers, each group or department could purchase their own computer equipment and software because the different systems could not communicate with each other. Accounting ran on a token ring independent from Food Service running on SNA.
As Ethernet networks became more widely used and interconnected, standards for equipment, software, and infrastructure had to be established so that the network could be managed and secured.
Campus security has not fully made this leap of establishing standards for equipment, software, and infrastructure so that the campus can be managed and secured.
As stated earlier, the big picture is a fully integrated systems approach seamlessly sharing data managed by trained security operators.
There are two ways to achieve this future state.
First, plan and design for it now as legacy systems are replaced or facilities are constructed.
Second, purchase an over-arching integrated multi-systems management package.
Since colleges and universities have had independent departments for many years, they want to continue to silo all decisions and control their own systems.
As computer networks came on the scene, campus-wide standards had to be set for the Networks Department to properly manage the network. That meant taking over control of the equipment types that the departments are allowed to connect to the network.
By the same token, Campus Police must insist on campus-wide equipment standards for the sake of systems management. They are tasked with efficiently and effectively managing a crisis situation, which can be next to impossible if equipment and systems are not compatible or are independently owned and controlled by various departments on campus.
Sodium Vapor – Casts a yellowish tint on the scene with higher infrared levels, making it good for monochrome cameras but bad for color cameras.
Metal Halide – Casts a white light on the scene for good color rendition at night.
Halogen – Casts a white light on the scene with instant-on capabilities.
Infrared Illumination – Casts invisible light on the scene, allowing a monochrome camera to view dark areas as if it were bright sunshine.
LED Illumination – Casts IR illumination on the scene with instant-on capabilities for close subjects.
The campus is supposed to be open and welcoming, offering freedom of movement and the exchange of ideas.
The challenge for Campus Police, administration, and staff is to facilitate this feeling of freedom while securing the people, buildings, and grounds.
Questions that must be addressed…
Who decides what systems will be incorporated into the total footprint?
Who will own the systems?
Who will actually manage the systems, both from a head end equipment perspective and from a programming perspective?
Will this new system aid or hinder the Campus Police from effectively performing their functions?
What are the future plans for this system?
What policies and procedures have been created or need to be created regarding this system?
Questions that must be addressed…
Should this system be connected to emergency power?
If so, what parts must be connected, where will those parts be located, and from where will they derive their power?
If the system depends on the campus network for signal or data transmission, are the various data switch closets also on emergency power circuits?
The first order of business is to evaluate all legacy systems with an eye toward using them for assessment purposes in the event of an actual emergency situation.
If a system, such as the CCTV system, has several independent sub-systems being used by various departments across the campus, upgrade to an Enterprise or Corporate edition for master system administration and management.
If the various departments have purchased equipment from different manufacturers, replace older systems with a single platform as planned obsolescence occurs.
If systems are connected via inputs to outputs, upgrade systems to allow data to be transferred and shared across the platforms for seamless integration.
If the systems are too varied and numerous, look to an over-arching rules manager system that has the ability to integrate data exchanges.
Interfacing of systems means that inputs from one system are connected to outputs of another system, but there is no sharing of data. Each system acts independently of the others, performing its assigned functions based on its connected inputs and outputs. Each separate system must be viewed in a separate window or on separate head end equipment.
Integration of systems means that data is transferred and shared among software packages, with interconnections such that an action in one system automatically triggers events in associated systems, bringing all of the information onto a single screen for the operator to use in assessing the incident.
The best practices future state would build access databases based upon the role the individual has at the institution. As their role changes throughout their career, their access would change based upon their new roles. This helps to ensure that no person continues to have access to areas no longer needed by their job function.
Role-based access helps to eliminate, or at least control, the habit of giving people access on a door-by-door basis. Each member of the faculty or staff has a role that can be defined for access just as their role is defined for job function.
Role-based access control could be driven automatically by changes to the HR system as promotions occur.
Roles for access control could be specified as part of the people information system, just like a job title or duties.
Every member of the faculty and staff has a role associated with specific buildings and rooms within.
Students also have roles such as assigned dorms and possible labs or rooms based on class schedule.
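The role-based approach described above can be sketched as follows. This is an added example, not material from the presentation; the role names, door names, user IDs and data layout are all constructed for illustration. It recomputes door access when HR reports a role change and audits the access database for door-by-door grants that no current role justifies.

```python
# Added example: role-based door access recomputed from HR role changes.
# Role names, door names and user IDs are constructed for illustration.

ROLE_DOORS = {
    "chem_faculty":    {"science_main", "chem_lab_201", "chem_stockroom"},
    "dept_admin":      {"science_main", "science_office"},
    "dorm_resident_a": {"dorm_a_entry"},
}

def entitled_doors(roles):
    """Union of the doors granted by every role the person currently holds."""
    doors = set()
    for role in roles:
        doors |= ROLE_DOORS.get(role, set())
    return doors

def apply_hr_change(current_doors, new_roles):
    """Return (grant, revoke) needed to make door access match the new roles."""
    target = entitled_doors(new_roles)
    return target - current_doors, current_doors - target

def audit_door_by_door(access_db, hr_roles):
    """List people holding doors that none of their HR roles justify."""
    findings = {}
    for person, doors in access_db.items():
        extra = doors - entitled_doors(hr_roles.get(person, ()))
        if extra:
            findings[person] = sorted(extra)
    return findings

# Constructed sample: a faculty member moves into a department admin role.
BEFORE = entitled_doors(["chem_faculty"])
GRANT, REVOKE = apply_hr_change(BEFORE, ["dept_admin"])

# Constructed sample: access database compared against HR records.
ACCESS_DB = {
    "jlee":   {"science_main", "science_office", "chem_stockroom"},  # leftover door
    "mpatel": {"dorm_a_entry"},
    "rgomez": {"science_main"},                                      # no HR role on file
}
HR_ROLES = {"jlee": ["dept_admin"], "mpatel": ["dorm_resident_a"]}
FINDINGS = audit_door_by_door(ACCESS_DB, HR_ROLES)

if __name__ == "__main__":
    print("grant:", sorted(GRANT), "revoke:", sorted(REVOKE))
    print("unjustified access:", FINDINGS)
```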
With a common platform being used, operators spend less time fighting the differences among various packages when trying to accomplish a task like calling up a field device or entering a response into an incident management database.
Training costs are reduced for new operators since they do not have to learn software packages from multiple manufacturers.
With a common platform running all information management systems, the IT and Networks departments have an easier task of managing the head end equipment and backing up data.
Systems working on a common platform allow operators to manage the situation instead of the technologies.
Systems sharing data allow multiple packages to cross-monitor various pieces of equipment.
With multiple systems displaying their combined information on a single screen, the operator can more easily call out maintenance issues as they occur and track the progress until completion.
An over-arching information management system allows for programmed responses to incidents, with the controls necessary to prevent an event from being closed until the response is completed.
Operator action tracking is easily performed by management to ensure that policies and procedures are followed without having to generate reports from several different packages such as changes made in the physical access control system and the identity management system.
This is monitoring by exception. The operator is not spending time watching cameras or alarm screens that have normal activities occurring.
If an event or incident happens, a device such as a door contact, an emergency phone call button, or tamper switch triggers an alarm. The various systems involved or interconnected in the area perform their tasks like a PTZ camera spinning to a preset.
The operator screen displays the alarm condition, a graphic map showing the area involved, and the nearby cameras display scenes for assessment. As the operator moves to another part of the building, the new cameras and graphic maps update as the task is performed.
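Monitoring by exception over integrated systems, as described above, can be illustrated with a small event handler. This is an added example, not material from the presentation; the event types, zones, device names and presets are constructed. Routine activity is dropped, and an alarm pulls the zone's map, cameras and PTZ preset commands into one operator view.

```python
# Added example: monitoring by exception over an integrated event feed.
# Event types, zones, devices and presets are constructed for illustration.

ALARM_TYPES = {"door_forced", "emergency_phone", "tamper"}

# Zone data a shared platform would hold: map graphic, cameras, PTZ presets.
ZONES = {
    "dorm_a_lobby": {"map": "dorm_a_floor1", "cameras": ["cam12", "cam13"],
                     "ptz": {"ptz3": "preset_lobby_door"}},
    "lab_201":      {"map": "science_floor2", "cameras": ["cam40"], "ptz": {}},
}

def handle_event(event):
    """Return None for normal activity, or the single-screen view for an alarm."""
    if event["type"] not in ALARM_TYPES:
        return None                      # normal activity never reaches the operator
    zone = ZONES.get(event["zone"])
    if zone is None:                     # unknown zone: still raise it, without context
        return {"alarm": event, "map": None, "cameras": [], "ptz_moves": []}
    return {
        "alarm": event,
        "map": zone["map"],
        "cameras": list(zone["cameras"]),
        "ptz_moves": sorted(zone["ptz"].items()),   # (camera, preset) commands
    }

def operator_queue(events):
    """Filter a raw event stream down to the alarms an operator must assess."""
    return [view for view in map(handle_event, events) if view is not None]

# Constructed sample feed: mostly routine card reads, two exceptions.
EVENTS = [
    {"type": "card_read_ok", "zone": "dorm_a_lobby", "device": "reader7"},
    {"type": "door_forced",  "zone": "dorm_a_lobby", "device": "contact7"},
    {"type": "card_read_ok", "zone": "lab_201",      "device": "reader21"},
    {"type": "tamper",       "zone": "parking_c",    "device": "panel9"},
]
QUEUE = operator_queue(EVENTS)

if __name__ == "__main__":
    for view in QUEUE:
        print(view["alarm"]["type"], view["map"], view["cameras"], view["ptz_moves"])
```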
Dispatch operators may have to call up several versions of the same software or several different software packages when trying to perform a building lock-down or camera video assessment.
They may have to enter the same emergency alert message into several broadcast systems to cover the campus.
Police officers may have to physically go to a building or dormitory to make announcements because of existing legacy systems with no ability to integrate or be managed through Campus Police.
All this during a period of time the Dispatch operator is under extreme stress trying to perform their dispatch and police duties.