by Ray Bernard PSP, CHS-III
In our September/October issue’s column, “What Are the Risks Involved in Sharing Video?”, we looked at some practical reasons for providing other business units with access to security video, and what risks can be involved. This column addresses issues of corporate liability, and presents some measures that can be used to mitigate those risks.
Q: I’m a security manager, and we have business unit managers requesting access to security video for various facility areas. Our corporate risk officer asked me to give him an analysis of the risks involved. How do I do that?
A: One approach is to make a list of the business unit stakeholders who have requested access to video, identify the business benefits and the risks involved, and see if the risks can be reduced to acceptable levels at an acceptable cost.
In this case, the security manager can support the corporate risk officer’s request by helping the business unit stakeholders develop the business case for sharing security video, and outlining a plan to implement video sharing. Here are some basic steps to do that.
Important Note: If you are already sharing video outside of security, and you didn’t perform all the steps below, you may need to go back and do the omitted actions to make sure that you are covering all the potential business liabilities.
- Determine the business value of sharing video with selected personnel in each business unit requesting video.
- Define the video usage scenarios to determine the video system capabilities required.
- Verify the that video system capabilities are suitable, including camera coverage and video management software capabilities.
- Identify the business risks involved, including security risks, and collaborate with business unit personnel to find ways that the risks can be eliminated or reduced to acceptable levels, at an acceptable cost.
- Outline a plan that shows how the use of video will be establish and maintain to achieve the desired business benefits.
- Collaborate with the business unit stakeholders to identify sources of funding.
- Perform a 90-day or 120-day review, and adjust the program if needed to achieve the full results, or cancel the video sharing program if it can’t be made successful for some reason.
Business Value of Sharing Video
For example, retail businesses use security video as part of their cashier training to improve employee performance, by providing both good and bad examples of handling customers. Facilities departments may be able to use video to inspect stairwells more frequently, saving time and helping to keep stairwells cleaner. The business units who want to use video will have their reasons, which need to be described and have the benefits to the business, not just the business unit personnel, included. If it appears that employees want to use the cameras to just make their jobs easier, the business may be reluctant to approve the initiative. However, if use of the cameras allows personnel to do more work in the same time, or to take on additional tasks or responsibilities, then that is a value to the business. If camera video can be used to improve customer service, that’s a benefit. Retail stores use video analytics to obtain data about in-store customer behavior and customer response to store displays, that helps marketing improve their campaigns, and store management improve service.
Video Usage Scenarios
It is important to describe each way in which video will be used, whether it involves live and/or recorded video, whether video images and clips need to be exported, and how often these actions will be performed. At one organization, the real estate group wanted to use security video cameras to check on its significant construction project activities. Several users wanted to continuously monitor the construction sites during business hours, and streaming high-quality megapixel video was consuming excessive network capacity and causing a problem for business applications. This was corrected by upgrading the video software to a version that could stream low-resolution video to match the size of the screen displays. Such problems can be avoided by defining the video usage scenarios in advance, and working out their technical requirements.
Verifying Video System Capabilities
Sometimes to fit the business needs well, cameras must be moved or adjusted to improve their field of view, or additional cameras must be added. Sometimes the “home position” of PTZ cameras must be changed to provide the desired default view. Video management software capabilities must include the ability to limit user access to only the cameras they need, and to restrict PTZ camera control as required.
Due to continuous video technology improvements, some organizations have benefitted by relocating some of their older standard resolution cameras for the business use applications, and putting newer cameras in the original locations for improved security functionality. For example, HD or megapixel cameras can improve visual identification capabilities. High-dynamic-range cameras can improve image quality in challenging lighting situations. Once video coverage has been verified, and any additional camera coverage needs identified, document the changes that will be made along with their costs.
Remember to determine whether additional video management software annual license fees will be involved.
Sharing access to video outside of security introduces new insider threats, both human intentional and accidental. Typically, the risks that come to mind first are related to potential misuse of video, including video clips being displayed on a public website or shared via social media, and the potential for personnel to share their video access credentials with unauthorized personnel. There have been incidents of non-security personnel using video images to tease, harass or intimidate other personnel, including subordinates.
Under no circumstances should business users be given the ability to delete recorded video, or to turn video recording off. Does the video management software (VMS) generate details user activity logs, including the details of video clips and images saved or exported? Part of the video sharing program should include the auditing of such logs on a regular basis. Even if such user privileges are restricted, there are free computer screen recording applications available that can capture still images and record video from the screen, and such activity will not be captured in the VMS’s user activity logs.
Several important risk reduction measures must be put into place, including specific policies, procedures and training. Most organizations have an acceptable computer use policy that governs the use of the organization’s computers, networks, and information systems. This can provide a model starting point for an acceptable video use policy.
Training on the use of the video system for business purposes must include what constitutes acceptable use of video, and trainees should sign off on receiving the training, and be tested on their comprehension of it. Managers of personnel who have access to video should also be required to take the training. Access to video should be covered by an appropriate non-disclosure agreement, that includes strong penalties for misuse of video. Thus, the HR and Legal departments must be involved and have a good understanding of the video usage scenarios.
Outlining a Plan
A simple plan outline that includes a short description of the key actions involved in implementing video sharing, should be shared with all video usage stakeholders, including HR and Legal and senior risk management personnel. Business usage of security video increases the return on the security video investment. Properly implementing the plan assures that the business benefits will be achieved and will remain uncompromised, which is a security responsibility.
Collaborate on Funding
When the video sharing business stakeholders have a good understanding of the video sharing program, it’s usually not difficult to identify sources of funding. If the costs will be considered a general business expense, completing the previously described steps will enable the business stakeholders to appropriately advocate for approval of the costs and implementation plan. That should be their responsibility, not the job of the Security department.
90-Day or 120-Day Review
During the first 90 or 120 days of video sharing, adjustments may need to be made to the program. Document whatever changes are made, and at the end of the review period, verify that all objectives are being achieved and that the program can be continued as implemented. Provide the business stakeholders and senior management with a summary report on the program, emphasizing the business benefits that are now being received.
Write to Ray about this column at ConvergenceQA@go-rbcs.com. Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is also a member of the Content Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com). Follow Ray on Twitter: @RayBernardRBCS
© 2016 Ray Bernard