Defining Network Responsibilities Is A Key Component Of IT, Security Convergence
Defining network responsibilities is a critical part of IT-security convergence, but it can sometimes lead to tension. Sako recalls a project where he was meeting with IT to discuss network and server decisions. Security wanted to put a server on the network, and IT wanted to know if they would be able to have access to it. When the answer was "no," IT had a simple response: Put your own network in.
The crossover between departments and the potential sticking points certainly apply to surveillance, which is one area of security that is seeing a definite trend of convergence. Even a few years ago, closed-circuit TV systems ran on their own network — almost always managed by security — and video was stored on VCRs or DVRs. Now, Internet Protocol (IP)-based cameras record video to dedicated servers, often over the main building network; these systems tend to be more complex than previous systems due to the additional pieces involved, and often they fall under the umbrella of IT.
IP-based cameras offer a number of advantages, but remember that if you have an outdoor security camera plugged into the network, it's a potential access point if the network isn't properly secured. (It could also be a potential point of failure due to a lightning strike, Ahrens points out.)
The good news is that it's easy to fix by setting up the network to lock out the port if the camera is disconnected, but it's also the type of thing that could fall through the cracks if the responsibilities aren't examined closely enough when it's time for the division of labor.
There are other basic considerations as well. Consider wiring and cabling. Who runs the network cable for a new, IP-based surveillance system? The same department or contractor who handles running the power to a new access-control compatible door? If so, you have to know if they are qualified to run network cable, says Ahrens.
"If you make a right angle with a Cat6 cable, you're not doing a good thing," he says, pointing out that when these factors come into play, simply making sure that IT is kept in the loop on who's doing what and why they're qualified to do it can prevent a lot of headaches.
Another area requiring attention is how the systems are powered and what systems can stay up and running during a power outage. If there's an hour of battery life, that's fine for computers used by employees. But the security system needs to be powered beyond that so you still have surveillance, access control and monitoring capabilities, says Sako.
"A short-term battery doesn't cut it," he says. "It cuts it for orderly shutdown for data users, but not for security and other systems (such as fire/life safety) that are on those networks. They have to stay up continually."
Regardless of how you define security and how you divide up the responsibilities, it simply isn't enough anymore to have IT and security acting completely independently, says David Duda, associate partner, Newcomb and Boyd. As more and more elements of the security system go on the network or otherwise fall under IT's territory, there has to be an effort to speak the same language.
"One of two things has to happen: Either the maintenance, configuration, and upkeep of the electronic security system moves into the IT arena, or the security staff basically gets their own IT department," he says.