By AMAG Technology, Vice President of Products and Partner Programs, Dave Ella
Organizations using AMAG’s Symmetry Security Systems throughout the European Union [EU] are preparing for the new General Data Protection Regulations (GDPR) which take effect from May 2018. GDPR will require organizations who control or process personal data from EU residents to obtain consent from employees, visitors and contractors for data stored in physical access control systems. Organizations will need to define why the data is needed and when it will be removed. The new regulations reflect the cloud hosted nature of many current information systems, but also have implications for on premise installations which are typical of security systems. Fines for non-compliance are steep – up to 4% of annual global revenue – so these are regulations which organizations must take seriously.
Multi-national organizations with a single access control system spanning North America and Europe will potentially be affected by the new regulations, as a database held on premise by an organization in North America will be subject to the new regulations in the same way. If a third party organization such as a security integrator is either hosting the server or managing it on a day to day basis, there are potential implications for that third party, even if they are not situated in the EU.
Access control systems are capable of holding extensive levels of personal data and as with previous regulation, organizations need to ensure that the data held is relevant and justifiable. It is easy for an organization to import data from an HR system which is not directly necessary to the specific security application. Retention periods, particularly for former employees, contractors and visitor’s personal data, also need to be considered.
An important new aspect of the GDPR regulation includes data from which a person’s location can be calculated. While this is presumably targeted at web applications which track cell phone location, physical access control systems do hold data related to who has gone where and when, so the responsible parties within an organization need to take this into account. As with any new regulation, it is unclear how this will be interpreted in a real-world scenario.
GDPR broadens the definition of ‘personal data’ to mean anything that could identity a person. For example, an email address, home address, job title or type of car one drives. Other identifiers could include gender, political views, biometric information and personal interests.
There is a strong link between GDPR and cyber security since security of the data being held is understandably seen of great importance under the regulations. It is important that AMAG customers have hardened their system using IT best practices and considered using the encryption mechanisms within the Symmetry system.
With web based applications in mind, the regulations now insist that people explicitly agree for their personal data to be held by a system – typically by proactively ticking a box in a sign-up screen which must be empty by default. How that will be interpreted for the systems of organizations which require to hold personal data such as HR and payroll systems – and security systems – is not yet totally clear, and statements in employee terms and conditions of employment may still be sufficient. Visitor Management systems need to be considered too, as some personal data of visitors either in a Symmetry database or as video will also normally be held.
Video Management Systems, and the retention periods for storage of video data fall under the GDPR regulations as well. As with all personal data recorded by business systems, as long as there is a genuine need for the data to be held for a given length of time, and the systems have been considered and recorded by the organization’s data protection officer in line with the new regulations, there should be no major implication for the Symmetry user in terms of the continuation of their physical security arrangements.
AMAG certified resellers with customer sites in Europe, and security managers in Europe should familiarize themselves with the new regulations and co-ordinate with each organization’s data protection team to ensure that their activities are fully compliant.
To learn more visit: http://www.eugdpr.org/
By Ryan Howarth
General Manager – Technical Support
The recent security threat that has come via virus/malware has brought the needs of security and securing systems to the forefront. Below is some guidance that can be followed to ensure your Symmetry system is kept safe and secure.
The Ransomware attack was based off a vulnerability found in the Windows Server Message Block (SMB) 1.0. Symmetry only uses SMB for file sharing for backup locations and NVR if the video files are saved on a separate file Server. If you do not have this defined, you can remove this Service from Windows or update it to a newer version.
MS patch updates – AMAG provides a monthly list of tested patch updates. We recommend that these patches are regularly applied to your system. Visit our Partner Site to see if you are up to date.
AntiVirus – Ensure that Antivirus is installed and updated with the required exclusions for where Symmetry is installed to remove the need for re-scanning:
Program File\Security Management System (from V7 > Application Server / Client / NVR)
ProgramData\Security Management System (from version 8> Application Server / Client / NVR)
Program Files\Microsoft SQL Server\MSSQL\Data (Microsoft KB309422 Database)
Windows\System32\msmq (Microsoft KB829259 clients\Application Server)
ProgramData\Symmetry (from version 8> for NVR’s)
Port listing – Please refer to the Software Installation Manual Appendix E, as this will provide the port listing that Symmetry requires depending on what has been setup and configured.
Symmetry files/patches – Ensure you only load Symmetry files from either the Partner website or supplied via our AMAG team. All software supplied by AMAG is code-signed, so please check the validity, and review any Microsoft security messages that are displayed as part of the installation process.
Database Backups – Ensure at a minimum that a daily Symmetry database backup occurs and that these backups are stored off the network. In an event of a required full-rebuild of your system, you will have a backup of your database if the database computer becomes unusable.
Upgrading – As older versions of Symmetry and Microsoft products reach the end of their Support and Maintenance lifecycle, it is increasingly important to upgrade Symmetry and the underlying OS to ensure the health and security of your system. As part of your maintenance program, upgrades should be planned for on a regular basis.
For more information about Symmetry Server maintenance best practices, a more detailed guide has been compiled by the Support Team and is freely available on the AMAG support site.
By AMAG Technology, Sr. Systems Design Architect, Adam Shane
I recently read an article in a security industry trade journal that talked about the importance of becoming familiar with the Department of Defense Information Assurance Certification and Accreditation Process, DIACAP. The author failed to explain what DIACAP was and provided considerable misinformation regarding how a successful certification could be used or marketed.
The main point in the article was that Department of Defense customers should work with integrators and manufacturers that are familiar with DIACAP because that will simplify the process of getting their new system certified. This point is true, and AMAG Technology has helped a number of DOD customers through the DIACAP process. The following is our understanding of the processes and sequence of events required to get approval to use IT equipment on a government network.
The US Federal Government is required by law (Federal Information Security Management Act, FISMA) to certify and accredit all IT systems that are deployed on government networks. In the most basic sense, certification and accreditation is the process by which an IT system is tested against known vulnerabilities. Appropriate measures must be taken to mitigate identified vulnerabilities – this could be shutting down services and ports that aren’t used by the system, applying security patches, or adding encryption to otherwise unencrypted communications. The process of certification usually consists of scanning a system with Commercial Off-The-Shelf (COTS) software, NIST certified tools, or agency-specific tools. The scanners will list vulnerabilities found in the system and assign a severity to them. In some cases issues of little consequence are documented but not mitigated.
In the DOD, an Authority to Operate, ATO, is required before a system can be used operationally. The system will need to be installed and configured before it can be scanned and tested, so generally an interim ATO, IATO, is issued to get the ball rolling. The results of system scanning, documentation of the system, the purpose it serves, and how it is connected into other systems is submitted to the Defense Information Systems Agency, DISA. Once the system is approved there may be other certifications required before a full ATO is issued. For instance, in the US Army a Certificate of Networthiness, CoN, is required; and in the Navy and Marine Corps the system generally must be certified to run on the Navy-Marine Corps Internet, NMCI. AMAG’s Symmetry system has completed all of these certifications.
Recently the DOD announced that it favored a transition from DIACAP to a new process based on the NIST Risk Management Framework, DIARMF. The basics of DIARMF are similar to DIACAP, however more of an emphasis is put on the on-going assessment of risk over the life of the system rather than a one-time assessment.
In this age of cyber warfare, the importance of network-hardened solutions is more apparent to a wider range of folks. Therefore, AMAG has been developing a design guide to assist customers in hardening the OS, SQL Server, and the Symmetry application. Integrators selling to the Federal government will appreciate the exceptional customer service offered by AMAG Technology as they proceed through the certification and accreditation process.
By AMAG Technology, VP of International Sales, Ramon Grado
An industry colleague recently reminded me, “Perfection is the enemy of ‘Good Enough’.” So what does that have to do with Physical Security and Physical Security Information Management (PSIM)? As security professionals, shouldn’t we strive to do our very best to protect people, property, assets and reputations?
The answer is a resounding “Yes, but…” Most of us work under the constraints of limited resources, be they CAPEX and OPEX funds, time, personnel or energy. So, as a result, expenses get spared, people get cut, projects get scaled back or delayed and the goal of increased Situational Awareness and an improved response to threats becomes a faded or distant vision.
Borrowing from a fellow blogger, “PSIM systems are ungodly expensive. Not only that, but they take 12-18 months on average to implement. And at the end of the day, for all that valuable Security budget, PSIM doesn’t provide a complete solution.” While not all PSIM projects go that way, it is a fair description of most large-scale attempts to connect the unconnected. Most of you already manage physical security information to some degree. Increased Situational Awareness begins with defining objectives. The next step should be looking at existing tools, not always looking to place an overhead layer above them.
Surprise: some of the tools you are using, including AMAG’s Symmetry access control system, have the capability to provide increased Situational Awareness by allowing users to better manage the information they already capture, transmit, analyze, display and store. It is often a matter of adding context, not necessarily cost. This can be accomplished by activating existing functionality such as Visitor Management, Threat Level, Video Analytics or Workflows. Symmetry also offers integration with complementary systems such as VMS, intercom, biometrics, EAS, IDS and yes, if you require it and have the budget, full-blown PSIM systems.
So we return to my original point: what is good enough? This begs the question, “What are you trying to accomplish?” If we cannot define what we are trying to accomplish, then we are not prepared to evaluate solutions. As some end users of security systems are finding, often the solution to their particular security problem is just an enhancement to their existing system(s) or simply taking advantage of the features that are already embedded and available in them. Often all that is needed is some additional training or orientation, worst case a minor investment in expansion modules and/or Professional Services to create increased Situational Awareness.
Food for thought for next time: why do end users spend so much time, effort and money on systems to record and playback video of the horses leaving the barn instead of spending a little more on systems aimed at controlling access and keeping the barn door closed in the first place?
By AMAG Technology, Public Relations Manager, Kim Rahfaldt
Selling in the security industry can be a challenge. Many different organizations need security, and those organizations often need to meet complicated government regulations or standards. Where can a person new to the security industry or even a veteran in the industry go to learn that hospitals must meet strict privacy requirements and financial institutions need to maintain U.S. OSHA code compliance along with many international, state and local fire and emergency preparedness codes? Where are those types of classes offered in the security industry?
PSA Tec is offering a NEW Vertical Market Specialist Workshop this year, and AMAG Technology’s Senior Systems Design Architect, Adam Shane is one of the presenters. The day long workshop is designed to offer strategic training for sales, technical and hybrid positions. Adam is part of an expert team of presenters that include HID Global, Arecont, 3xLogic, March Networks plus others that will be discussing how to tackle the healthcare, manufacturing and financial markets, and will teach resellers the end user’s pain points so they leave the class with the facts needed to solve their challenges.
Adam will teach resellers how network access control systems offer solutions to help healthcare, manufacturing and financial verticals meet government and compliance standards and effectively secure buildings, employees and assets. Students will have the opportunity to ask questions and design a complete system, and will receive coaching on product strategies they can employ against typical risk profiles. Resellers will leave prepared to tackle the healthcare, manufacturing and financial markets.
Visit AMAG at booth A46 on Wednesday at PSA-TEC’s exhibit day and see our new products:
- Symmetry™ SR Controller Family of Products -Delivering the best upgrade solution for Casi Rusco™ systems of any size, the expanded the product line includes the SR-OCS16 for elevator control and the SR-2000 four door controller. Customers can upgrade their systems quickly, easily and affordably while protecting their hardware investment.
- Symmetry V8 – Supports the ONVIF Profile S camera plug-in, greatly expanding camera support, and offers new card holder features to more easily manage vacations and temporary cards.
- Symmetry EN-2DBC- The new intelligent Symmetry™ EN-2DBC Power over Ethernet Controller supports two doors and 90,000 card holders, providing another upgrade choice for your customers. Wired at the door, it installs easily and saves on cost.
- Symmetry HD Cameras include advanced motion detection, automated video streaming to Symmetry software, and are available with 1080p, high-quality onboard video content analytics. These true day/night cameras will optimize your system by delivering clear video in various lighting conditions.
- Aperio Wireless Lock technology integrates with Symmetry to offer a range of locks that supports almost every opening. AMAG’s new EN-LDBU controller supports 16 locks for easy, affordable expansion.
Please register today for PSA Tec’s Vertical Market Specialist Workshop, scheduled for Tuesday, May 6 at PSA Tec at the Westin, Westminster, Colorado. Visit AMAG at booth A46 on Wednesday, May 7. Hope to see you there!
By EBS Program Manager, Shae Taylor
AMAG works to provide exceptional customer service to our customers every day. With so many technologies available to customers, it’s important to work with third party companies to meet the changing demands of customers and provide a cohesive and supportable multi-technology environment. AMAG’s Extended Business Solution Program does just that. It offers a clear integration path, certified by AMAG, to offer customers the integrated solutions they want. I am proud to say that 2013 was a successful year. Twenty-two new partners signed up for the EBS program, and 14 certified integrations were added to our list of integration offerings. A few partners are highlighted below. For a complete listing, visit the EBS webpage.
Salient – Symmetry integrates with Salient’s CompleteView v4.0 product to provide live and recorded video in the Symmetry video matrix, the ability to associate video to access control events, and receive motion alarms from the Salient NVR.
Entertech – Integrating Entertech’s BioConnect v2.0, Symmetry customers can utilize Entertech’s Suprema biometric readers for enhanced access control solutions.
PPM 2000 – Symmetry’s integration with PPM2000’s Perspective v3.3 allows Symmetry users to take advantage of Perspective’s powerful user account control and incident reporting capabilities to bring a complete workflow and situational awareness to our mutual customers.
Future Fiber Technologies – With FFT CAM v3 and Symmetry integrated, customers can take advantage of the robust perimeter detection offered by FFT and maintain a cohesive user experience by receiving those alarms through the Symmetry Alarms screen.
We are continually adding more integrations to our Extended Business Solutions program in an effort to provide our customers with choices that meet their unique needs.
For more information please contact Shae Taylor, Extended Business Solutions Manager firstname.lastname@example.org.
Or visit our website www.amag.com for more information on the program and a full list of our integration partners.