The security market is currently changing and monitoring centers will play an increasingly important role. Therefore, the security of monitoring centers will become more and more important from the point of view of customers who use monitoring services.
CMA security consists of three main areas.
CMA security areas are indicated in the PN-EN 50518 standard. Many requirements are also included in other standards: PN-EN 50131 Alarm systems, PN-EN 50136 Alarm transmission systems, or ISO 27001.
Following the PN-EN 50518 standard, we distinguish three main areas of security:
Part 1: Location and construction requirements
The security of the monitoring center largely depends on its location and building structure. This part of the standard sets out minimum requirements for the location, design, construction and operation of monitoring station premises. These include rooms in which monitoring, receiving and processing of alarm signals and technical rooms take place.
Part 2: Technical requirements
The technical requirements for CMA relate to the operation of the entire monitoring center and define the most important criteria, which are CMA performance and availability. A little attention was devoted to IT issues, which are currently the basis for the operation of CMA. It is important to know how to do it from other sources. We will write about other IT solutions that should be used in CMA and about the security of these solutions.
Part 3: Operating procedures and requirements
This section sets out the minimum procedures and requirements for personnel monitoring center and receive the alarm. Specifically, the procedures by which the monitoring center staff perform their duties.
It is worth noting that according to the nomenclature, the term Emergency Receiving Center (ACO) or Alarm Receiving Center (ARC) should be used. In Poland, however, these names are relatively unpopular, so we will use the term Alarm Monitoring Center (CMA).
See the webinar on the security of Monitoring Centers.
The right location
The location should take into account the risk of fire, explosion, flooding, vandalism and danger from other locations - e.g. from neighboring buildings or other types of facilities. In the most common case, CMA does not occupy the entire building. In such a case, they should be separated from the rest of the building by a physical border consisting of walls, floors, ceilings and necessary openings according to the guidelines of the standard. Access to CMA and to the part of the building where the CMA is located should be restricted to employees of the CMA operating company.
The first step in determining a location for a CMA should be estimating the risk associated with that location. Examples of hazards that should be considered during the risk assessment process:
- criminal attack, bomb threats or other situations;
- availability and possible damage to supply lines;
- availability and possible damage to telecommunications links;
- fire, including an explosion, in adjacent properties;
- flood or other water intrusion;
- storm damage and lightning,
- traffic hazards, vehicle, aircraft, etc. intrusion
The external structure of the object
When designing the CMA architecture, external walls, floors, ceilings, entrance and exit doors, ventilation inlets and outlets, cable and pipe entry points, glazed surfaces, sluices and feeding vents should be taken into account. The outer contour (shell) of the CMA is to be a kind of shell, with specific resistance to burglary (physical attack), e.g. walls:
- full brick> 200 mm,
- concrete> 150 mm,
- or other materials with adequate strength.
The CMA shell must also have adequate door and glazing resistance (FB3 EN1522) and fire resistance not less than 30 min. It is also important to anticipate the lightning and surge protection issues of the facility.
The standard allows only specific hole types in the CMA structure:
- entrance to / from the vestibule (commonly referred to as a sluice);
- safety exit;
- installation inlets and outlets;
- loading chute;
To each of the above Hole types specify the specific requirements to be met. For example, what the doors in the lock should be, which way they should open and what mechanical locks should be. The standard specifies exactly how to construct and secure an emergency exit, feed launcher, installation inlets and outlets. The requirements also specify the functioning of the ventilation, including that the air inlets are protected against throwing the gas container.
Electronic security systems
The security of the monitoring center also depends on the ones used there. CMA electronic security should be equipped with virtually all common electronic security systems: burglary and assault signaling system, personnel monitoring system, fire signaling system, access control, CCTV and gas detection. All these systems should be installed and maintained in accordance with the relevant standards. CMA protection by means of an intrusion alarm system should comply with EN 50131-1, grade 3 (including floor and ceiling).
Signals from security systems should be transmitted to another CMA via a dual track system in accordance with EN 50136-1, grade 3.
Video surveillance is also an obligatory element of security. It should provide monitoring of the building environment. It should also allow CMA staff to identify authorized persons before allowing them to enter the entrance hall and observe their behavior in this zone, and ensure safe entry. Video surveillance should also give CMA staff the opportunity to identify each person using the airlock / loading chute.
CMA power is a key element of security. The classic power supply network should be used as the primary source of electricity (but alternative energy sources may be used). The mains should be capable of providing sufficient power at normal CMA load, while recharging UPS energy storage devices (batteries) to the required capacity within 24 hours. You always need to know what the power supply system looks like for an object - how many power lines are there? where do you switch them How are the switchgears secured? etc. You have to assess how emergency this system is - because if after each storm there is a power outage, we should not organize a CMA there.
The mandatory back-up power supply should have sufficient capacity estimated as an opportunity to ensure uninterrupted operation of all monitoring devices, telecommunications, signaling, recording, basic ventilation and basic lighting for a minimum period of 24 hours with a demand 1.5 times higher than average.
Switching to and from the back-up power supply should not affect the normal operation of the devices. Reserve power should be provided by means of an aggregate or aggregates assisted by UPS. Importantly - the UPS and automatic switching device should be in a place with the same level of security as CMA.
The emergency power supply should turn on and off automatically. If an aggregate is used, the capacity of the UPS should be sufficient to power CMA devices for at least 10 min - until the aggregate reaches full power. Aggregates should have in place fuel for the aggregate for at least 24 hours. Aggregates should be monitored in CMA. Adequate conditions for starting the generator should be ensured, e.g. predict the type of fuel if the generator would be exposed to very low temperatures.
Part of the standard regarding technical requirements does not give us the right answer on how to perform monitoring systems (for more detailed guidelines you should look in the PN-EN 50136 standard). However, the PN-EN 50518 standard specifies two basic parameters important for the functioning of the monitoring center, which combine elements related to the technical issues of alarm transmission systems and the functioning of the center as a whole. They can be calculated quite simply and compared with the requirements of the standard.
The secure monitoring center is efficient and accessible. What does this mean in practice?
The performance of the monitoring center can be determined by the maximum time during which the event should be handled. This time is counted from the moment it is received at the receiver (Receiving Center Transceiver) until the operator takes action.
On the abovementioned time consist of two parameters:
- the time the system processes the information and displays it to the operator;
- the time at which the operator "clicks" on the alarm appearing on the monitor.
It is important to measure the time to handle each alarm, create appropriate statistics and archive them for a period of 12 months.
Availability is defined as the percentage of time during which the alarm transmitting systems and the monitoring center operate normally without disturbances. The discussed PN-EN 50518 standard refers in this respect to another standard: PN-EN50136-1, where such availability is defined.
What does this mean in practice? First of all, we should register every tiniest break in CMA work in order to be able to determine the actual availability. Thus, the time of each restart of receiving devices, routers, servers, computers, updates, etc. should be measured. The same principle applies to every failure.
At the same time, when declaring a given accessibility, we should ensure that it really is. This means that if we would like to declare A4 availability, our IT systems must be adapted in such a way that the disaster recovery time is within a few hours.
Operating procedures and requirements
The security of the Alarm Monitoring Center is highly dependent on operational procedures and requirements. CMA should be manned with at least two operators. One operator can be filled if CMA works in conjunction with another, and operational methods ensure that the result of this collaboration is equivalent to a CMA manned by at least two operators. The standard specifies that employees should be verified prior to employing CMA for a period of at least 5 years back.
The security of data collected in a secure monitoring center is particularly important. We devoted the following article to this issue: https://dmsi.pl/ochrona-danych-i-ciaglosc-dzialania/
It is important to provide CMA employees with appropriate training. In particular, care is taken that novice operators cannot handle alarms without proper preparation and training. Training should be documented.
Procedures for its functioning should be prepared for CMA. These procedures should govern the following areas:
Equipment used in CMA should be tested in specific ranges daily and weekly. This procedure should include checking and synchronizing electronic clocks at least every 24 hours.
Entry and exit from the CMA
Entry and exit from the CMA is subject to a documented procedure available to all operators. This procedure should specify the methods used to identify applicants for CMA entry. Identify people before granting access. Access to CMA should be controlled by operator action inside the CMA upon entry. The register of all CMA visitors should be archived.
The standard draws attention to data protection, dividing them into three areas:
- customer data (personal);
- CMA external communication data;
- operator action log.
All data should be secured and stored in accordance with the standards quoted above. Customer data should be kept for a minimum of two years. Recordings of conversations and emails for at least three months, and a record of operator's activities for a period of at least two years. Now comes to this GDPR, i.e. the regulation on the protection of personal data, which will come into force on May 25 this year.
It is worth knowing how modern monitoring systems ensure security at the appropriate level. We devoted another article on our blog to this: https://dmsi.pl/bezpieczenstwo-w-safestar/
Business continuity and emergency situations
The security of the monitoring center is also ensuring business continuity and efficient emergency management are key tasks for each CMA head. Appropriate procedures should be developed in this regard. These procedures should also be compatible with the procedures functioning at CMA subcontractors and clients.
A contingency plan should be prepared for each CMA and response procedures should be agreed with the relevant services. In the event of a CMA immobilization, the contingency plan must provide for actions to be restored as soon as possible. A detailed action plan including partial and full evacuation should be documented.
All received alarm signals as well as actions taken by center operators should be recorded automatically. External communication (voice and electronic) should be automatically recorded with date and time. The storage period should be at least 3 months.
To our knowledge, there is no in Poland monitoring centerwhich would strictly meet all the guidelines of the standard. Unfortunately, in our business conditions, the guidelines for standards are so abstract that hardly any company could meet them all. However, the standard sets standards that security companies dealing with alarm monitoring should know and meet. The requirements set out in the standard guarantee 100% security, in our Polish conditions we meet them at the beginning at least in 50%. We should strive for excellence in providing security.