Every year half of all organizations suffer a security breach, said Michael Peele, associate engineer for facility and security systems at Georgetown University in Washington D.C. “Of those, 99% had both firewalls and anti-virus protection in place,” he adds. “There has been a shift from glory motivated vandals to those seeking financial gain,” he told attendees at a National association of Campus Card Users sponsored webinar on campus security trends.
One of the goals in implementing a security system is to reduce your vulnerabilities. “Threats are everywhere. You should remove data from where it doesn’t need to be.” The simple cure, he adds, is to physically secure, encrypt and firewall everything and use a separate network for security related data, such as CCTV, VoIP and access control files.
Still, having the best computer security means nothing if campuses don’t have physical security protecting facilities. “Which is why you need card readers on your doors,” says Peele.
Still, no matter how sophisticated or state-of-the-art your campus security system is, if your staff hasn’t been properly vetted, the money spent on security could be wasted. He suggests background checks on everyone who might be able to access your computer servers. “Your staff is your number one weak point. Perform background checks on all security staff, executives, management, auditors.”
No security system should be installed without a plan. “You should plan any security system in excruciating detail,” said Peele. “Start out by creating a model security facility without regard to budget or technology. Look at the existing structure and your model and prioritize with an eye towards closing the gap.”
Features of an integrated security management system include alarm management, access control and video surveillance. Integration and convergence of all these pieces includes monitoring, alarm management, computer aided dispatch and emergency response.
While video surveillance on campus has become increasingly popular, it’s most often used as a forensic tool after the fact, said Peele. Even if someone is watching, a guard can only monitor about eight screens at a time. After just 12 minutes of monitoring, he will miss 45% of activity. “After only 22 minutes the operator will miss 95%. Don’t assume someone is watching the screen,” he adds.
He suggests employing a video analytics system which analyzes activity and notifies security if there is something out of the ordinary. “You tell it what to look for, for example someone hopping a fence or someone going in a certain direction,” said Peele. “When the event the software is monitoring occurs, an alarm will sound.”
The analytics software could work for pedestrian safety, jaywalkers, running red lights, long lines in the cafeteria or bookstores, even students sneaking into the cafeteria, he added. Video analytics can be used with what he calls “dark screen monitoring. All the screens can be dark until you have actionable intelligence.” When the event occurs, the screen comes to life, showing the video of that event, said Peele.
He also suggested colleges be aware of Homeland Security Presidential Directive 12 and Federal Information Processing Standard 201. Both involve identification credentials being issued to federal employees and many of the new products in the market reference these initiatives.
“(FIPS 201) is an excellent resource for best practices,” said Peele. “These standards cover everything, including how to do background checks, the format of your ID card, whether bar code, mag strip, or contactless, the placement of the chip, etc.”