Educause Security Discussion mailing list archives
Re: Share with us a copy of your Security Cameras Policy
From: Jeff Kell <jeff-kell () UTC EDU>
Date: Tue, 27 Mar 2012 15:45:27 -0400
On 3/27/2012 3:06 PM, Carlos Lobato wrote:
Hello All, NMSU is currently having some discussion about the possibility to install "Security Cameras" at various places throughout campus such as parking lots, etc., but would like to inquire from those of you who have already installed cameras to share with us a copy of your policies and/or other feedback that would be helpful.
We don't have a formal "policy" but there have been some reactive practices that have developed over the years. Not sure if you are after network, security, policy, access, or other guidelines, but I can address the networking concerns. The initial camera deployment was in a housing unit (reactive to an incident) under some special funding. It was contracted out, cameras run back to our communication closets, contractors supplied PoE switches and/or injectors, and NVRs for recording. After a few hundred were deployed, we were finally asked "Where do we plug these in to the network so we can watch them". :( To make a long story as short as possible, the NVRs have two NICs as standard, one side for vendor video (camera-facing), and the other side on the campus network in a private VRF. Only authorized "viewers" can actually reach the NVRs. In some cases, we have backhauled the camera video as well over our network, using another vlan in the same private VRF. You will want to keep this off the campus network as much as possible - the devices, the vendors, the other equipment, were all designed for a closed network... It sounded good on paper, but in practice, if there is any issue with the cameras, video, etc., the blame goes on "our network" and we're guilty until proven innocent. For that reason we have tried to go back and add some passive visibility to our network management, e.g., management interface on the camera-side switches. In general, the "separation" works well, but you will end up inheriting more of the responsibility for ongoing operation that you might imagine. If I had it to do over again, and the opportunity to provide some insight in advance, I would have preferred getting things setup better under our control and oversight to begin with (e.g., IP ranges, subnetting, address assignments, management, etc done by the vendor on "their" network can/will come back to haunt you). Jeff
Current thread:
- Share with us a copy of your Security Cameras Policy Carlos Lobato (Mar 27)
- Re: Share with us a copy of your Security Cameras Policy Valdis Kletnieks (Mar 27)
- Re: Share with us a copy of your Security Cameras Policy Jeff Kell (Mar 27)
- Re: Share with us a copy of your Security Cameras Policy Davis, Thomas R (Mar 28)
- <Possible follow-ups>
- Re: Share with us a copy of your Security Cameras Policy Geoffrey Steven Nathan (Mar 28)