and Data

2. Put the policy in your employee handbook and require an employee signature.

3. Periodically remind people being monitored of what the policy says. This helps with legal liability

(so that, for example, an employee fired for breaking the policy can’t file an effective ‘wrongful termination’ lawsuit using the “I wasn’t notified of the policy” excuse). Also, simply communicating the fact that a company has a policy can act as a deterrent to potential wrongdoers.

4. Enforce the policy consistently and fairly.

Otherwise, you send a confusing message to your employees and risk creating the appearance of favoritism. (This also means the policy needs genuine buy-in from upper management.)

I am concerned about employee morale if we institute a strict policy.

A key strategy is to communicate not only your policies and practices, but also the reasoning behind them. Here’s a great example. In 199, software company SAS built what’s known as Building R on its Cary, N.C., campus. A security control center was located in the subbasement to monitor the new CCTV cameras that were being installed around the campus in lobbies, entry points and the campus day care. (Before 199, SAS use of CCTV was minor.) However, SAS failed to anticipate the displeasure that spread its way through the employee ranks. Soon rumors started floating around that there were covert cameras. Questions arose: Why are they putting in cameras? What are they watching? Why do we need so much surveillance? “I had done my best to develop a relationship with the employees,” says Miles Bielec, head of security at SAS. When the cameras came on

the scene, he worried that he was about to take a giant step backwards.

Then Bielec had an inspiration. Because two sides of the control center were glass, he decided to turn the monitor banks around, so that the monitor screens faced outward. With this change, any SAS employee walking by the control center can see exactly what the cameras are being used to observe. “I told employees, come on down, you can see what we’re looking at. We can show you how [the system] works; we’ll let you play with the joysticks,” he says. “That alone allayed the monitoring fears.”

What Bielec came up against was a very open, creative corporate environment, not unlike that found on a college campus. To many employees, the installation of cameras screamed of Big Brother syndrome. Bielec assured employees that the system was more about customer service (such as letting employees back in the building if they accidentally got locked out during a smoking break), to give employees peace of mind and to keep an eye on more places than was otherwise humanly possible (data centers, for example). If your policy is strict, but the reasoning and motivation is clearly explained, and if you also demonstrate a certain level of reasonableness in the way you handle surveillance and monitoring matters, it’s likely that employees will understand.

On the technology side, the choices between CCTV and newer digital systems is difficult. How about some guidance?

Experts say video surveillance technology adoption is progressing over three phases:

Phase 1: Standalone CCTV systems. These are

5

It’s getting easier to keep an eye on employees and customers, both in terms

of video surveillance, with ever smaller and cheaper digital cameras, and data

monitoring, with powerful tools for examining emails, web activity, and network

packets. Done correctly, these surveillance activities can help deter or catch theft

and fraud. Done poorly, however, surveillance can be expensive and ineffective,

and can create legal risks and morale problems. Here are pointers on creating

and communicating your policy, determining return on investment, and other

video surveillance basics.

Video Surveillance

and Data

FOCUS

SECURITY

6

regarded as relative dinosaurs, but sturdy and simple. They will fade as surely as typewriters did.

Phase : Hybrid digital-analog systems. Sometimes networked, they use black-box digital video recorders (DVRs, essentially TiVo boxes). This represents the transition between old and new— such as those word processors that came after typewriters, but before PC programs.

Phase : Fully digital, networked IP-based surveillance. Here, video surveillance is just another node on the IT network. Cameras have IP addresses, controlled centrally with any number of software applications on top of the raw visual data.

Joseph Freeman’s market research shows that CIOs are certain that they want to move off standalone closed circuit TV, but unsure that they’re ready to move on to what they’re being told is the more powerful, more dynamic future of video surveillance—fully digital systems. So they network their DVRs to get a few benefits of the new technology without a real commitment. They add some digital systems, while keeping CCTV with DVR. They’re milking their old investments.

New digital technologies can pack some punch. One example: Pedro Ramos, director of loss prevention for Pathmark Stores, identified a problem universal to grocery stores. Most inventory shrink—shoplifting, employee theft and damaged goods—occurs at the point of sale. So he installed digital video that links to the cash registers at all of his stores. “I can look at the [the digital archive of the] register tape, pick out any item on that tape and be taken to the archived video of that moment in that transaction.” This allows quicker response to incidents and deters theft. Recurring problems (such as a cashier who

repeatedly mishandles egg cartons during scanning) can be identified and ameliorated quickly. “Almost immediately,” says Ramos, “we’ve seen a significant decline in shrink.”

Here are four considerations in support of newer technology.

1. Better visual data. Optics have vastly improved

with the new generation of cameras, which, are more widely available. Dave Kent, CSO of Genzyme, says, “You can now buy equipment online that you used to have to go to some custom shop in an alley in New York to get. Good lenses. Low light. Thermal imaging. This stuff is smoking.” Director of Corporate Security Sheila Bramlitt’s bank, First Horizon National, helped solve a case involving kidnapping and homicide by using pictures captured from a camera at one of its ATM machines. “It looked like the person was posing for a portrait,” she says. “We’ve come a long way from the blue-gray fuzzy blurs.” With better resolution, one camera can cover a wider area, or digitally zoom for fine detail. Casinos love this.

2. Standard IT infrastructure. Historically, “You

were tied to your supplier,” says Joe Freeman, a security industry consultant and president and CEO of J.P. Freeman. IP-based video will allow CSOs to use the same servers and bandwidth as the rest of the company. What’s more, cameras running IP over ethernet can have both data and power go through the same ethernet cable, with backup power on the same supply as the IT systems backup power supply. Prisons and areas vulnerable to wide-scale natural disasters love this.

3. Efficiency through centralized monitoring and automation. Simple math: When you have 0 sites



instead of having 0 control rooms creates efficiency. Automated alarming further reduces the need to keep eyeballs fixed to screens everywhere. Digital archives are easier to access (“Tape,” says one integrator, “basically requires a full-time employee.”) Global companies with small sites love this.

4. New applications. It is software that will finally

revolutionize video surveillance. Vendors are promising seemingly limitless applications to make video smart: Motion triggers, which can tell cameras to jump into high-resolution mode and track objects; software which can discriminate between a human form and, say, a skunk (thus reducing false alarms); applications which link video surveillance to access systems and safety systems, so that the surveillance system could call the fire department or help turn on sprinklers. Insurance companies love this.

Four caveats on digital IP video:

1. Digital IP surveillance requires a higher capital investment. The vendors will promise that despite

this, they’ll also provide higher returns faster. Make them prove it, like Pedro Ramos, director of loss prevention at Pathmark Stores, did. The cost of the cameras is actually negligible compared to application costs, storage costs, bandwidth costs, training costs, and, critically, security costs of using the Web to transmit image data and other security data. “They’re making money in this industry, believe me,” Genzyme CSO Dave Kent says.

2. New skill sets are needed. While CCTV was

largely a monitoring game, the whole point of digital video surveillance is to reduce the need for eyeballs plastered to screens. It’s a rules-based game. What triggers an alarm? A moving object? What kind? How is it moving? And when does it trigger? Only

after hours or all day? It will require intense review and possibly modification of business processes. “What we’re looking for is actionable intelligence,” says Sandra Jones, a security industry consultant for Sandra Jones and Co. “That means we have to filter, filter, filter.” IT expertise will also be required.

3. Information overload is a real threat. Sheila

Bramlitt, director of corporate security at First Horizon National, says she could put surveillance everywhere, but that’s just asking for trouble. A company would drown in visual data and false alarms. “That’s where we go to risk analysis,” she says. “We use our own case intelligence, public crime stats, lots of sources. We form this picture of where we need it most and start there. It’s easy to use video surveillance. Using it efficiently is the challenge.”

4. Buying now means not buying something better three months from now. Like a consumer buying a

PC knowing faster, cheaper ones will be out tomorrow, CSOs have to make a leap of faith to get into digital video surveillance. This is a fact: The technology will continue to improve and come down in price. So when do you make that leap?

What are the best practices for handling and storing CCTV tapes?

According to consultant John Kingsley-Hefty: “The key is building a tape swap and storage schedule that rerecords the tapes equitably. Tapes will wear, over time, to the point of failure. Color-coding by day and/ or shifts, and numbering by week works well. The key is designing your system around your required video storage retention schedule. To ensure that tapes are rerecorded according to the proper sequence and schedule, shuttling tapes per day or week to a separate secure area—or in some cases, offsite—works well.”

FOCUS

SECURITY



A big cost consideration is frame rate, which affects our tape requirements or storage and bandwidth requirements.

How many frames per second do you need for your surveillance project? It depends. Thirty frames per second, used by televisions in the U.S., is the gold standard, but it’s often unnecessary, says Aaron Chesler, NiceVision’s director of sales for the Eastern region. But video quality with 15 fps is usually good enough he says. With 15 fps, you also use only half as much bandwidth and disk space.

You can use various architectural tricks for helping reduce storage and bandwidth requirements. For example, you may find that in some instances you can store digital video locally (on a DVR near each camera) rather than streaming it all back over the network to a central location.

What about using fake cameras, deactivated cameras, or hidden cameras?

All of these strategies may have a place in your overall surveillance plan. Fake or deactivated cameras are an attempt get the deterrence value of surveillance without incurring the expense of video storage and maintenance. Hidden cameras, obviously, aim not to stop illicit behavior but to catch it on tape.

However, all of these strategies create risks of different sorts. Douglas Durden, manager of safety, security and asset retention at Mallory Alexander International Logistics, thinks fake cameras can impart a false sense of security. “Let’s say someone is standing in front of what appears to be a camera. If a guy pulls a gun and takes a person’s wallet, you should be able to pull it up on tape [but you can’t]. Then you have to tell the person it was a fake camera,” he says. Lawsuit, anyone?

Walter Palmer, founder and principal of PCGsolutions, a retail loss-prevention consultancy, also advises caution. “One of the things you have to be careful of is, do you have an obligation to provide certain levels of security? If you don’t have cameras and something occurs or you have dummy cameras, could you be liable for negligent security?” he asks. The short answer is yes.

All things considered, attorney Jennifer Shaw of Jackson Lewis thinks there are limited circumstances in which fake cameras are appropriate, but generally they do more harm than good.

Here’s an illustration of similar risks created through covert surveillance. In November 00, nurses at Good Samaritan Hospital in Los Angeles were in a break room when, according to accounts, they spied a thin beam of light coming from a clock. They were shocked to discover a hidden camera with a tiny lens behind the number nine. The nurses immediately spread the word to their colleagues; eventually they discovered a total of 16 hidden cameras in the clocks of break rooms, a pharmacy and a fitness center, among other locations.

In addition to the fact that the nurses hadn’t been informed about the cameras, they were also upset because some of them changed their clothes in the break rooms. They felt that their right to privacy had been violated. In a press release, a California Nurses Association spokesperson said, “This is a pervasive problem throughout the hospital that is a disgraceful violation of the legal privacy rights of the RNs and reflects a deplorable attitude of the hospital administration towards its caregivers.”

Hospital officials defended their actions—they claimed the cameras were installed for security reasons, that

9

In document CIO Focus Security Black Book (Page 44-49)