Security and IT, Together at Last
- By Michael Fickes
- March 1st, 2011
Not long ago at a university on the West Coast, the chief of campus police bought several network video recorders (NVRs), plugged them into the campus computer network, and then connected them to video surveillance cameras.
A couple weeks later, the IT director discovered the NVRs and unplugged them. The explanation? Since IT did not know about the NVRs, the department had no opportunity to balance the network for the increased bandwidth needs. What’s more, no one knew to scan the NVRs for viruses or to provide the operating systems with virus patches. Hey: if you’re going to connect stuff to my network, you’ll do it with my permission and under my supervision.
This is the problem with an excellent idea called convergence
, which has come to be understood as a way to improve security by connecting security technology to IT networks.
But convergence is more than that. The original concept had three parts. It started with personal relationships between the security director and the IT director, who could guide the second step of installing security technology on the campus network.
Once the devices were connected, the IT department and security department could work together to program systems to compel students, faculty, and staff to follow security as well as safety procedures.
The Journey of Just One Card
Consider this successful three-step converged security/IT system: A state university on the east coast with 12,000-plus students today enrolls each student in a provisioning system each year. Data recorded for the students include class schedule, residence hall address, and dining hall and meal program. Once recorded, all of this data rides across the campus network to the security department, where a computer automatically prepares an identification card.
When the student arrives to pick up the card, a security staffer snaps a photo and prints it on the ID.
The card’s magnetic strip or other storage medium will admit the student to the appropriate dining hall to receive meals and open the front door of the student’s residence hall and residence. The card will also enable the student to enter access-controlled academic areas — like the chemistry lab — and to borrow books and use technology in the media center.
The card may also note special privileges. For example, a student may be allowed access to a chemistry lab only after passing a course on laboratory safety. The course instructor will enter the certification into the student’s record. When the student swipes in at the lab, the system will check the student’s record for the necessary certification. If it is there, the system will admit the student. If the student has neglected to take the safety course, the door won’t open.
Suppose a student drops the chemistry course and picks up a biology course. When an administrator enters the change in the student’s schedule, the IT system sees the change and automatically adjusts the way it will respond to that student’s card. The access card reader at the chemistry lab will not respond to the student’s card, while the reader at the biology lab will recognize the student and open the door.
Upon seeing data indicating that a student has graduated or perhaps dropped out, the IT system will automatically deactivate the card and the new alum or former student won’t be able to enter a residence hall, lab, or classroom with access-controlled doors. The same thing would go for faculty and staff that had resigned or been terminated and might pose a threat to people on campus.
Bringing Other Systems Into the Mix
“This university has focused on data-side convergence,” says Elliot Boxerbaum, CPP, CSC, president and CEO of Columbus, OH-based Security Risk Management Consultants, Inc., the firm that designed the system.
“We’re working with another state university that is converging its access control and video systems,” continues Boxerbaum.
While that system is still in the design stage, it might incorporate a number of convergence concepts. Chances are, it will use IP cameras connected directly to the university’s IT network. This basic convergence idea eliminates the expense of laying coaxial cable to connect cameras. Network cabling already exists across campus.
If the access control system also operates across the network, the two systems — access control and video surveillance — can communicate with each other.
So when the access control system alarms because a door is forced open, a security officer monitoring the system will dispatch officers to investigate. At the same time, the access control system can tell the video surveillance system to aim a camera at the door. Another command could tell the video recording system to start recording. It is even possible to program the cameras to follow an intruder through a facility.
Start With Lunch
“I think the first thing a security director and IT director should do is make lunch plans,” says Jack Turley, vice president, sales and marketing for Gallagher Security in Redmond, WA. “Maybe these two old foes can stop annoying each other and work out how they can improve the services they offer their organization.”
The second step is technical: connect the security technology to the network.
Finally comes the integration of policies and procedures into security technology, to ensure observance. “Remember the BP accident?” Turley asks. “There were policies and procedures that would have prevented the accident, but they were on a shelf in binders. As a result, people failed to respond to many alarms.
“People developed those policies and procedures when everyone was calm, when there were no flashing lights and panic-stricken people trying to remember what they were supposed to do.”
Security directors and IT directors can program procedures into security devices, continues Turley. Converged, pre-programmed security technology can implement life-saving procedures as soon as an emergency, say a shooting, is reported. At the touch of a button, digital signs across campus can flash pre-set emergency messages. Pre-recorded emails, phone calls, and Website messages can flow across campus. Video cameras equipped with intelligent video analytics can look for people running and transmit video to dispatchers. Nearby officers can receive automated dispatches. The police and emergency medical responders will receive automated messages.
No one will forget what he or she must do. It was done — during programming. Of course, nothing is perfect. There will always be omissions and anomalies, but people experienced with campus emergencies are now lending their expertise to help get the right policies and procedures into converged security and IT systems.