- Security TWENTY
- Women in Security
Dr Peter Speight (Securitas) and Peter Consterdine (Future Risk Management Ltd) discuss security and Enterprise Risk Management (ERM); prioritising risk management Issues and risk response; Operational Requirements (OR); cyber threats; and PSIM (Physical Security Information Management). Peter is the author of Why Security Fails (pictured).
Security and Enterprise Risk Management (ERM)
Security services, products and procedures are increasingly seen as servants of wider risk management issues. Companies have learnt to be suspicious of security providers who emphasise products and services absent of any cognisance of identified risk issues, especially technical security systems such as CCTV. Enterprise risk management (ERM) approaches organisational risk in a catholic manner, incorporating the traditional ‘downside‘ security risks alongside the potential ‘upside‘ operational risks, more core to the day-to-day business operations.
As with all multi-national, complex businesses, there is a recognition that risks are an essential part of everyday life and are unavoidable. Taking control of informed risks is part of good business practice, and allows for risks to be identified, analysed, evaluated and treated.
Access controls, intrusion detection, and CCTV as security tools all have their place, but unless the complete systems are designed and installed based on a sound risk-informed platform they will result in little more than illusion of protection. Real security can be achieved only when resources are carefully allocated to security’s most pressing needs. Systems and even manpower resources should be informed by both the understanding of the organisation’s risks and the Operational Requirement (OR) for the resource allocation. We outline the purpose of the OR in more detail below.
To establish the requirement for the four broad facets of security – manpower, technical systems, physical security assets and procedures and in particular the proportions required of each in an integrated manner demands in-depth audits and assessments are a pre-requisite for developing a risk-informed security strategy.
Risk to Strategy – Overview
The process of conducting these ‘operational surveys’ from which will be produced site Risk Assessment & Security Audit reports and which, moving forward, will inform the development of the Security Strategy and its Operational Plan are all designed to support the business in providing a first class integrated security ‘solution’ to protect people, property and assets based on sound security risk management.
One primary goal of these operational surveys, therefore, is the production of a Security Strategy document. This needs to start with an understanding of the threats and hazards to the organisation, be they external/internal, – Threats (the ‘product of man’), Hazards (e.g. natural events such as extreme weather, pandemics etc), Accidents (e.g structural collapse, death on site), or Technical events (eg malfunctioning systems). Assets at risk would then be identified, their vulnerability to the threats and hazards assessed, so as to arrive at a risk overview.
Two factors are fundamental to the process of establishing risk profiles:
Consequence (Impact) of a risk event occurring; and Likelihood (Probability); will be estimated, thereby providing a Risk Rating, or Risk Profile.
This latter is usually illustrated in a management tool called a Risk Matrix, illustrated by means of what is referred to as a ‘Heat Map’. This is the risk assessment and analysis process. Influencing both of these factors is the issue of Vulnerability. For example, poor security controls may well affect the likelihood of a threat occurring and poor continuity arrangements may well increase the consequence (impact), so understanding in detail current security arrangements – good and bad is essential.
Enterprise Risk Management (ERM)
ERM is the process of planning, organising, leading and controlling the activities of an organisation in order to minimise the effects of risks on an organisation’s capital and earnings. It expands the process to include not just risks associated with accidental losses, or traditional threats and hazards, but also financial, strategic, operational and other risks. ERM is defined as “an organisational-wide approach to developing techniques that assist to have the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.”
Traditionally, organisations develop an Enterprise Risk Management Framework based on, and consistent with, the internationally recognized principles and processes of ISO 31000 (Risk Management – principles and guidelines) to manage change and uncertainty. The ERM framework should to all operational and business unit levels, and assists in achieving the organisation’s strategic objectives by bringing a leading practice and a systematic approach to identifying, analysing, mitigating and reporting risk and control. Adopting an ERM process will lead to enhanced and proactive decision making and improve the organisation’s performance, since it combines governance, risk and opportunity management, compliance, and financial reporting.
So, the next stage of the process is to assess how the management of the four areas of security – manpower, technical systems, physical security and security procedures help, or hinder the management of the identified risks. This process, the Security Audit, is likely to expose vulnerabilities and, moving forward, produce a summary of recommendations. The conclusion to the investigative aspect should be the production of comprehensive risk matrix tables.
Prioritising risk management Issues and risk response
At this juncture, discussions can be generated around priorities for addressing those risks where existing management actions, when set against risk tolerance and appetite, leave the business exposed. These discussions and workshops will enable the construction of a Security Strategy document and develop a range of tasks to achieve the desired security framework.
Purpose – Socio-Political Risk Assessment
The purpose of this assessment is to highlight the conditions in respect of the socio-political climate that currently may, or may not make a particular site and operation a vulnerable environment. The political segment concentrates on how affairs at home and abroad worsen or improve the possibility of terrorist activities. Additionally, there will be an overview on crime and social disorder locally and regionally, and the existing social conditions that could impact on the site. The risk issues addressed are those which feature in the National Risk Register and regional Community Risk Register.
Purpose – Site/Business Risk Assessment
In summary, the purpose of the site risk assessment is to outline:
– What assets a site/business are at risk from;
– What hazards, threats, accidents and technical issues; and
– What severity of damage (what is referred to as ‘consequence’) may flow from the event; which in turn leads on to …
– The likelihood of such an event occurring; and
– The risk quantification/assessment illustrated by means of a risk matrix; and, finally…
– The priority for action and risk management.
Purpose – Security Audit
In parallel with the assessment of risk, the Security Audit will identify how the environment and current security arrangements – physical, systems, manpower and procedural, either help or hinder the management of the identified risks – often referred to as Impact Factors. Impact factors may be internal and as such within the influence of the business to control, or external and, therefore, broadly out with an organisation’s ability to influence.
Many of the external threats and hazards are often of the High Impact/Low Probability (HILP) character and these well be captured in the accompanying Socio-Political Risk Assessment. Organisations are often of the belief that in respect of these risks there is little they can do, rather leave their protection in the hands of a range of official agencies. This is not in fact the case and there are many strategies that will help the business feel it has some control over its destiny in this regard.
Purpose – Operational Requirements (OR)
Based upon the risks identified during the risk assessment and the existing measures currently in place to mitigate those risks identified during the security audit, the next step is to develop a detailed operational requirement for each security measure (CCTV, Access Controls, Manpower) required to mitigate the identified risks. This will establish these operational requirements based upon two alternative criteria:
• Develop the best possible operational requirements, given existing available resources; and
• Develop operational requirements based on a ‘green field’ site, starting with a clean sheet of paper and producing effectively a ‘wish list’.
The operational requirements will, where appropriate:
• Set out the steps that must be taken to effectively mitigate the various security threats facing the organisation’s operational capabilities, employees, contractors, visitors, property and assets.
• Utilise technologies and innovation to produce cost-effective processes designed to mitigate the security threats identified.
• Ensure that all recommendations are, broadly, aligned with any pertinent national and international security standard (we outline below those standards which have resonance for this work).
Operational Requirement (OR)
A well-written OR can be an effective vehicle or tool to relay the needs of the organisation’s security systems in an easily understood format to sedulously avoid the countless hours of time and other resources wasted speculating needs. Research conclusively shows that the foremost reason why programmes or projects do not succeed is due to the lack of detailed requirements at the initiation of a program or project. Efforts invested up front to develop a clear understanding of the requirements pay dividends in the positive outcome of programmes — not to mention the savings in both time and money in corrective actions taken to get a programme back on track (if it is even possible!).
For example, faced with the problem of potential intruders to a sensitive facility, we might define the requirement as “build a wall” whereas the real requirement is “detect, thwart, and capture intruders.” Our wall might “thwart” intruders (or might not, if they’re adept at tunneling), but it would not detect them or facilitate their capture. In short, the solution would not solve the problem.
The robust capability gap to “detect, thwart, and capture intruders” includes no
preconceived solutions and prompts us to analyze alternative conceptual solutions and choose the best.
One way to ensure that we are defining a problem, rather than a solution is to begin the statement of the requirement with the phrase “we need the capability to …” It’s nearly impossible to complete this sentence with a solution (“a wall”), and much easier to complete the sentence with a problem (“capability to detect intruders”). Capability gaps and requirements should address what a system should do, rather than how to do it. This approach is sometimes called ‘capability-based planning.’ It is a very simple, yet powerful concept.
Addressing Requirements versus Proposing Solutions
When employing efforts to elicit and explain requirements using any of these methods, it is imperative to steadfastly avoid requirements that define potential solutions or otherwise restrict the potential solution space. While it is necessary and useful to understand the current state-of-the-art within a given technology space and knowledge about potential solutions that may already be in development, requirements are meant to simply define problems. Properly drafted requirements allow for a variety of solutions, each with their own advantages and disadvantages, to be considered as potential ways to address a problem. Solution-agnostic requirements prevent limiting and defining the outcome of product realisation.
This is useful given that an open and honest review of one’s needs might show that a preconceived notion about a desired solution may turn out not to be the best solution, or that modifications to existing products or services may be necessary and useful to end users.
A requirement is an attribute of a product, service or system necessary to produce an outcome(s) that satisfies the needs of a person, group or organization. Requirements therefore define “the problem.” In contrast, “the solution” is defined by technical specifications.
Defining requirements is the process of determining what to make before making it. Requirements definition creates a method in which appropriate decisions about product or system functionality and performance can be made before investing the time and money to develop it. Understanding requirements early removes a great deal of guesswork in the planning stages and helps to ensure that the end-users and product developers, or systems integrators/installers are “on the same page.”
Requirements provide criteria against which solutions can be tested and evaluated. They offer detailed metrics that can be used to objectively measure a possible solution’s effectiveness, ensuring informed purchasing decisions on products, systems or services that achieve the stated operational goals. A detailed requirements analysis can uncover hidden requirements as well as discover common problems across programmes and various operating components. Detailed operational requirements will guide product development so that solutions specifications actively solve the stated problems.
We could save ourselves a lot of work if we jump straight to “the solution” without
defining “the problem.” Why don’t we do that? Because if we take that shortcut we are likely to find that our solution may not be the best choice among possible alternatives or, even worse we’re likely to find that our “solution” doesn’t even solve the problem!
Defining requirements and adhering to developing solutions to address those needs is often referred to as “requirements-pull.” In this situation, user requirements drive product development and equipment installation and guide the path forward as the requirements dictate. This is a powerful circumstance in which fulfilling requirements becomes the central focus of product development and no possible solution is disregarded given it facilitates.
At the other extreme from the “requirements-pull”, approach is its opposite:
“technology push.” Here we start with a solution (perhaps a new technology) and see what problems it might enable us to solve. The danger in this approach is to become enamored of “the solution” and neglect to ensure that it actually solves a problem. With technology push, it is likely that actual user requirements may be modified, or even ignored in order to “force-fit” the desired solution.
Technology push should not be ignored, but if the goal is successful transition to the field with acceptable risk, the technology being pushed must be compared with alternative solutions against a real set of user requirements.
Aside from assuring that the “solution” actually solves the “problem,” requirements- driven design has a further advantage in that the requirements provide criteria against which a product’s successful deployment can be measured. Specifically, if the product was developed to address a set of quantified operational requirements, then its success is measured by Operational Test and Evaluation (OT&E) to validate that an end-user can use the product and achieve the stated operational goals.
Recent terrorist attacks have highlighted the risks associated with ‘home-grown’ Islamic, extremist terrorism in the form of shootings and bombings, but computers and terrorism: what’s the worry? When a number of businesses were asked what action they have taken in response to the risk of political violence, companies in the survey, interestingly, are most likely to refer to increased computer security. As many as 40 per cent of all firms and 55pc of large companies say they have raised IT security spending to confront these threats.
There is no doubt that today’s violent groups are adept at using IT for communication and networking, and that some of them use online sources to market their cause or to recruit and train members. However this kind of activity must be distinguished from an attack that is designed to disrupt or damage the victims’ IT networks. There are some politically motivated hackers who have defaced websites or launched ‘denial of service’ attacks on corporate IT systems. These cyber-crimes are potentially expensive, but they are much more likely to be initiated by ordinary hackers. Usually the definition of cyber-terrorism is restricted to infiltration of IT systems to damage whatever they control.
Overall, there are a host of good reasons to invest in IT security. Terrorists and other violent groups may not alter significantly the kind of risks faced or solutions needed, but they add to the urgency of the problem. With this in mind, this article includes the following specific section on Cyber Threats.
The cost to businesses in the UK of cyber attacks has been calculated at around £21bn annually (source: The cost of cyber crime, Detica and the Cabinet Office), and the NSS categorises cyber attacks as a Tier One threat to our national security, alongside the international terrorist threat; 93pc of large corporations and 87pc of small businesses reported a cyber breach in 2012. On average, 33,000 malicious emails are blocked at the Gateway to the Government Secure Intranet (GSI) every month. These are likely to contain – or link to – sophisticated malware.
• A cyber attack can have a major impact on the business, supply chains and customers;
• Monetary theft by accessing financial systems
• Hackers accessing systems to steal trade secrets or valuable intellectual property (IP)
• Business interruption by shutting down critical systems
• Loss of customer, employee or other commercially sensitive data; and
• Damage to brand through loss of customer trust or malicious attack.
Cyber attacks are now endemic, with over 90pc of large companies likely to have suffered a breach in the year 2011-2012. Some reports estimate that global companies are suffering ‘15,000 attacks a day’ reaching ‘ten times that’ for organisations such as a large global bank. (Sources; PeC Info Security Survey 2012/FT 24th January 2013).
Resilience and Cyber Security of Technology in the Built Environment
In November 2011 the Government launched the ‘UK Cyber Security Strategy: Protecting and promoting the UK in a digital world’. The strategy acknowledges the importance of a safe cyber environment for business. Cyber-crime is today the world’s fastest-growing crime sector. Its purpose is to inform professionals involved in the development and operation of intelligent or smart buildings about the resilience and cyber security issues that arise from a convergence of the technical infrastructure and computer-based systems.
The cyber risks include viruses, identity theft (spyware, wifi eavesdropping, hacking) and threats to wealth (fraud, identity theft, spam emails).
Creation of intelligent or smart buildings requires greater integration of systems, both the operational and business systems used by the buildings occupants and a wide range of infrastructure systems. This is typically being achieved through the convergence of the technical infrastructure and the widespread use of readily available commercial and open source technologies.
Although the initial focus of the designers of intelligent or smart buildings has been on developing solutions to make them more energy-efficient, there is an increasing focus on the interaction of systems. The drivers for intelligent buildings and thus systems integration arise from the need for new energy-efficient interventions, real-time decision support systems, enhanced building and personnel security, and better management information dashboards that offer easy access to key performance indicators.
The key points that we highlight in this appendix are as follows:
– Economic and environmental factors place increasing pressure on building owners and operators to adopt a converged (ie. common or shared) IT infrastructure and to achieve integration between multiple electronic systems supporting building management functions and business applications.
– Given that systems integration blurs the boundaries between traditional roles and responsibilities in any organisation, it is important to adapt the business practices and governance processes to work effectively across organisational boundaries.
– In view of the significant level of systems convergence in intelligent buildings and the consequent higher probability of systems failure, the design of the built environment should take resilience into account.
– Sharing of IT infrastructure and the integration of corporate IT and industrial control systems (ICS), including building systems, in an intelligent building poses a number of design and operational challenges if a safe, secure and resilient environment is to be achieved. Thus whenever upgrades or new investment are planned, a strategic review of new or upgraded threats should inform the requirements and design brief.
– From a resilience perspective the greatest threat to the building is likely to come from single points of failure, which may be the building fabric or structure, utilities, infrastructure, systems or processes.
– When considering the potential threats to a building, the assessment should take into account non-malicious acts, malicious acts (from employees, contractors, visitors and, in open access buildings, from the public) and the potential effects of natural causes.
– A serious challenge with some incidents, particularly those that are cyber security-related, may be identifying the cause of an incident. The task is particularly difficult where there is a lack of logs or system logging and audit.
– During the design phase of a building project, appropriate solutions to the resilience and cyber security requirements should be developed. As part of a design assurance exercise, the proposed design should be assessed to ensure that it has not introduced any new or unforeseen risks. Assuring the continuity of intent through the construction phase may require investment in competent resources.
– During construction of the building, resilience and cyber security issues need to be addressed while managing the supply chain, monitoring design integrity, maintaining physical security and implementing systems security.
– Once the building is in operational use, its resilience should be proactively managed to prevent any unforeseen or emergent loss of resilience and to identify any additional requirements arising from changes in the building’s use.
– The building’s IT systems are at risk from the outset. Application of some 20 developed critical controls can provide protection by detecting reconnaissance, preventing unauthorised access or actions, detecting unauthorised access or actions and mitigating cyber security events.
– When changes to the building, its infrastructure, systems and use are being planned and implemented, the impact on resilience and cyber security should be assessed and appropriate steps taken to address any new or modified risks. This should include assessment of the impact of any decommissioning.
A key theme in these solutions is the increased IT-based interaction between physical assets with supporting communications, energy and transport infrastructures. Examples of this integration would include an intelligent building interacting with the smart grid to manage energy demand and ensure the most economic use of supply tariffs. In future it could include interaction with urban transport systems to inform building users of the current local transport situation.
This integration affects both the operational and business systems used by the buildings’ occupants and a wide range of infrastructure systems that maintain a comfortable, safe and secure environment. Historically this integration has been difficult due to the proprietary nature of many building systems. However, the increasing adoption of open standards and commercial ‘off the shelf’ products to build these systems, for example TCP/IP networking and the use of commercial operating systems, has made the integration much easier.
Unfortunately the use of these technologies can create significant issues from a resilience and security perspective. For example, some software products have ‘remote access’ links inbuilt, connecting them to their suppliers for upgrade and maintenance support by default, and the increasing use of browser-based control interfaces has encouraged some manufacturers to require Internet access to their systems for condition monitoring and diagnostic purposes. If these remote connections are not adequately protected and managed, they create vulnerabilities and adversely affect system security and resilience.
The greatest economic and environmental benefits are likely to be derived from deployment of new automation and control systems that take information from business systems and data from sensor networks and building systems, to automate routine functions, maintain an optimum environment and achieve improved performance.
In an office, an example of intelligent building technologies could be the management of meeting rooms. If a building management system has access to meeting room booking information, it could be configured to reduce energy use by turning off non-essential equipment in the room and limiting environmental conditioning until the room is required and the first occupants arrive. This would require interaction between building systems and the room-booking service, which may be part of the organisation’s email or operational systems. In a factory, or wharehouse environment, similar integration might be used to control the heating and lighting of operational areas based on shift patterns, operational demand and the presence of the workforce in a particular area.
Provided that these features work reliably they can offer significant user benefits, but chaos can result when there are system failures or unwanted/unauthorised human intervention. Therefore, the more complex the technology and the greater the reliance on its fault-free operation, the greater the need will be for integrity, availability and confidentiality from a safety, security and reputational perspective.
Any IT system is potentially at risk, regardless of whether it is standalone or part of an integrated system. The increased systems integration required to deliver an intelligent building is therefore not without risk even when carefully managed and monitored. We need to recognise that intelligent buildings are complex systems. This document outlines the key factors that need to be addressed to identify and manage the resilience and cyber security factors, and risks to an intelligent building.
What is an intelligent building?
The precise definition of an intelligent building varies around the world. Although there is no agreed definition, there is a common theme – the integration of technologies. For the purpose of this article we define an intelligent building as one that provides a responsive, effective and supportive environment within which an organisation can achieve its business objectives. Intelligent buildings may also be referred to as smart buildings.
The fact that a building contains some of the listed systems ( HVAC controls, access control, lighting control, intruder alarm, security/CCTV, fire alarm, water management, waste management utilities, stand-by generators, UPS) does not make it an intelligent building: it is the systems integration to achieve operational efficiencies, energy efficiency, additional functionality or other user benefits that delivers the intelligent element. An issue that potentially increases the operational complexity of managing an intelligent building is the organisational and often contractual boundaries between those responsible for the different elements of infrastructure, building, ICT and business systems. A key principle for an intelligent building is that it needs to be designed and operated so that it provides a safe, secure and resilient environment, and to the extent that is practical, it needs to include a degree of future-proofing.
PSIM (Physical Security Information Management)
From a technology perspective, there are two new capabilities making integration across physical security devices easier today. First, with the advent of IP networking for security devices and systems there are now common networks in place to easily collect information. Secondly, there is software technology available to integrate any number and variety of disparate physical security devices into one intelligent security system that leverages one common operating picture. This technology, Physical Security Information Management or PSIM, applies experience from the software networking and security industries to the physical security market to optimise device integration, analysis, and end-to-end situation management and resolution.
Migrating security systems to an IT network should acknowledge that an enterprise requires more from these systems than simple alerts of events and incidents – it needs information, and often it needs decision making at a systems level. PSIM is the latest independent software designed to achieve these seemingly impossible goals. PSIM is a category of software that integrates all security devices and operational data into one common view; applies intelligence to identify situations and presents step-by-step instructions for situation analysis, management, tracking and resolution that are effective, compliant and timely.
PSIM should accomplish five goals;
· interfacing with all devices,
· analyse incoming data and correlate events or alarms,
· collect all data and send it to a centralised location to be verified by a control centre operator,
· provide users with the ability to resolve the situation, and gather all information related to the event for report and compliance purposes.
“The goal of PSIM is not just to integrate (systems), but to provide intelligence.”
PSIM software is based on what was originally a military term for attempting to consolidate the plethora of battlefield information into one, encapsulated view, referred to as a Common Operational Picture (COP). The term has migrated to the world of security, specifically how it has informed the development of PSIM software. Another description for this consolidated view is ‘situational awareness,’ in other words, achieving by means of the grouping of all event signals into one common view, an immediate grasp of the situation and its implications, together with pre-arranged response action operator guidance.
Many access control and video management products perform very basic situation management. They may link video of someone walking through a door, to a log of when a keycard is swiped, but situation management software is far more sophisticated, capable of visually presenting multiple, but related events in a single group. PSIM has been described as the glue that brings the entire technology infrastructure together.
It’s now not sufficient to be able to answer the question “What’s happening,” the system should now answer the questions, ”How important is it?” and “What should I Do about it”?
“A Situational Awareness Platform”
This requires the correlation of all activities. PSIM can combine the several sets of information registered during a break-in, for example: the door alert from access control; the lock-failure alert from a keycard system; the motion detection alert from a hallway sensor; the video feeds from two or three nearby cameras. The software combines all this into a single view of all the available information.
A PSIM system combines several technologies to:
~ Aggregate, correlate and analyse data from various systems, including alarms, environmental sensors, intrusion detection systems and video surveillance, access controls, networks, BMS etc.
~ Provide solutions which are also very cost effective, allowing a customer to monitor and control a variety of systems and sensors from a centralised location, or remotely in some cases.
~ Become the foundation of the next generation of security and risk management. It’s not a single product but rather a set of processes governing the management of operational data.
~ Instantly places instructions, information and tools to control security devices in the hands of security personnel and first responders across multiple operations.
~ Enables forward and backward “tracking” of suspects as they move on live and recorded video.
~ Monitor and adapt to a situation as it unfolds, providing updated information, additional tools and policies, and coordination with multiple agencies and field teams.
~ Sort through a vast stream of device data as well as IT security systems to identify and prioritise situations in real time.
A key differential between PSIM based integration is the ability for a PSIM platform to connect to systems at a data level, contrasting other forms of integration that interface a limited number of products. PSIM software provides a platform and applications that collect and correlate events from existing disparate security devices and information systems (video, access control, sensors, analytics, networks, building systems, etc.) to empower personnel to identify and proactively resolve situations.
The result is lower risk, increased security, faster response to situations, better compliance with policies, and lower operational costs. So we now have the option to not be constrained to have CCTV, or Access as the management ‘hub’, but now PSIM as the hub. Most security systems have, in the past been ‘locked out’ proprietary systems and some vendors who purport to have a PSIM solution simply have a ‘vertical integration’ of their own devices and systems. A true PSIM.
Effective PSIM requires both integration of technologies and coordination with IT and security processes governing the management of operational data. The theory has thrived amid dynamic change in the security industry precisely because of its composite nature and multiple benefits. PSIM helps extend security services, improve efficiency and effectiveness, and allow for better accountability. There are several key trends making it more valuable and affordable:
• Data management best practices are more pervasive. Regulatory compliance and management best
practices dictate that computer systems and data be handled in standardised ways, such as according
to guidelines established by the International Organisation for Standardisation. Security
departments, in general, are not compliant with these best practices.
• Business leaders are demanding more data. Business decisions are made throughout organisations
by analysing data. Security departments will be forced to share security and risk data in ways
business managers can understand and appreciate.
PSIM Reduces Operation Costs
PSIM software integrates and analyzes information from disparate traditional physical security devices thereby allowing organizations to leverage existing security investments and not have to spend additional money on new or different technology. It also eliminates the requirement for operators to manually review and correlate data from multiple systems, including video, thereby saving time and resources which translates to cost savings.
“Now we have the bridge between security and information technology”
To overcome today’s security and safety challenges and issues, careful attention should be made when selecting a PSIM solution. This decision has significant impact on the future efficiency, effectiveness and accountability of a security organisation as well as its success with minimising risk to the organisation and its assets.
Key areas to focus on when evaluating a PSIM solution are the platform, architecture, and solution completeness as well as the company’s reputation and commitment to security and safety. In terms of the platform, consider asking these questions to separate the true PSIM solutions from those manufacturers looking to simply leverage the growing interest around PSIM:
· Does the solution support an unlimited number of devices as well as a framework for easily and dynamically adding new devices, versions, and systems in the future?
· Does the architecture allow device updates to be made without having to install new software on desktops or bring down the mission-critical PSIM solution?
· Is the solution a true web-based architecture that allows easy distributed, remote or mobile access via a web browser?
· Do all of the capabilities – collecting, analysing, verifying, resolving, and tracking exist within the solution?
The potential benefits of a PSIM open platform software solution are many when it comes to managing the information from complex and disparate systems, but it would be inappropriate to engage with a management system which is overly-sophisticated in relation to an organisation’s more simple requirements, that may very well be satisfied with a less complex solution, and on this we will report further as we establish the specific systems which will require integration.