Physical security systems can be managed and operated in a variety of ways – some methods lead to flawless operation, and some lead to quite the opposite. But when having an operational physical security system is critical – for life safety, business impact of a failure, or other unacceptable outcomes – then it becomes important to know that the system is in fact operating exactly as it should. This is the domain of compliance.
As defined by TechTarget:
Compliance is either a state of being in accordance with established guidelines or specifications, or the process of becoming so. The definition of compliance can also encompass efforts to ensure that organizations are abiding by both industry regulations and government legislation.
What compliance means specifically for physical security is somewhat vague. Many industries have compliance requirements on what forms of physical security are needed and what minimum standards they must meet. For example, organizations like retailers or data centers that handle credit card data must be compliant to the PCI (Payment Card Industry) standards which include 38 specific controls for physical security. Likewise there are energy, healthcare, and other industry-mandated checks on physical security operations, and ASIS publishes guidelines. But to date there are no auditable standards to govern physical security systems – for example, is there an “acceptable” amount of downtime and how should it be measured, or is there a requirement for detecting security system failures and tracking the time to resolve the failure?
Unless there is an industry-level or internal compliance standard, most physical security system operators are not subject to audits or testing. That means for many organizations the only “audit” of the system is the commissioning report, where the integrator checks that everything is installed and working properly. But commissioning reports do not show compliance – they show that everything was installed properly. For example, to be compliant the system may need to operational more than 99% of the time, which would not be shown through just proper installation.
If there is an issue with judging compliance of physical security system, it would be in when the system is assessed. If it is assessed only at installation, what is to say it remains in compliance. In the IT community an often-used concept is “configuration drift”. Here’s the TechTarget definition:
“Configuration drift occurs naturally in data center environments when changes to software and hardware are made ad hoc and are not recorded or tracked in a comprehensive and systematic fashion. Configuration drift accounts for many high availability and disaster recovery system failures.”
With physical security systems there are many opportunities for configuration drift. To start, it is not one system; it’s a set of devices and systems coordinated together to make the application (recording video or granting access) function as it should. Motherboard temperature fluctuations, POE switch overloading, memory corruption, bad sectors in storage, and a host of other device-level issues can impact the security application’s ability to run successfully on that infrastructure.
Compliance-as-a-service, where compliance is assessed in an ongoing manner, is a way to make sure the small and subtle variations that happen don’t accumulate to the point where undetected system failures occur. In addition to the reduced risk, improved security, and operational efficiencies that come with knowing security is working as it should, other benefits can emerge like:
- What if you could attract employees to work in your facility because amongst the other choices they have your building is proven to be the safest for them?
- What if you paid lower insurance rates because your organization has a high security rating?
- What if there was a way to benchmark across your industry, so you could assess your security in a broader context?
- What if you had ongoing measures of your security effectiveness, so you can plan your security more strategically?
The final point I’d like to make is that by-and-large physical security professionals like order, structure, and rules. This is a “by-the-book” industry and has many practitioners who developed their skills in military or law enforcement. With the move to IP-based solutions the industry has just gone through a major disruption, where new technology doesn’t work like it used to. Getting past that disruption means getting to new and stable methods of operating physical security systems. That is exactly what a focus on standards and compliance will bring, allowing time and resources to remain focused on what is important – improved safety and security.
Viakoo is committed to making physical security systems inherently more stable, cost-effective, and resilient. Compliance goes hand-in-hand with that mission, which is why we’re honored to be working with Underwriters Laboratories on enabling physical security compliance as a service. For more background check out our announcement with UL at GSX last month, or visit www.viakoo.com to learn more.