The Seattle Times has an interesting story about the King County Library System removing their security cameras. This is an excellent case study to illustrate that more security equipment does not always lead to better security. The case stems from an incident where a patron was mugged in the parking lot. The Des Moines Police asked to see the security footage from the cameras, but the library refused, presumably citing the need to protect their customers’ privacy. The police obtained a court order to review the footage and eventually caught the suspect. The police were not happy with the library’s cooperation.
The decision to remove the security cameras "hinders our ability to do police work," Collins (Des Moines PD Spokesperson) said.
The library made the decision to remove the security cameras to prevent similar incidents in the future. Does removing the security cameras actually present a problem from a security professional’s point of view? We can perform an assessment of the situation to determine if the library is making a prudent decision. Top management at the library has decided that the confidentiality of the library patrons outweighs any benefit that the security cameras provide. Under a security management framework such as ISO 27001, top management determines the goals for an organization’s security program. In this case, library management is correct in making the decision to remove the security cameras, since the security framework leaves all decisions to top management.
Under the ISO 27001 framework risk assessments must be conducted on a periodic basis. To visually express top management’s decision we can use CIA in a risk matrix to illustrate their concerns. The following examples are illustrative only.
| Risk | Confidentiality | Integrity | Availability |
|---|---|---|---|
| Customer Reading Choice Compromise | High | Low | Low |
In this case management has decided that the risk of all of a patron’s reading choices being recorded by surveillance cameras is of greater concern than other things that may be seen by the cameras. Based on the risks it would be logical to remove the cameras. What about hindering the police in their line of work? That should not be a concern of a security professional consulting on behalf of or employed by the library. There are numerous reasons why this is true. Management at the library has decided there are certain things that the police should not have access to. This is no different than protecting the physical premises of a business or using logical access controls to prohibit viewing of specific files. Who the outside threat is should not be a concern to the security professional under the ISO 27001 framework.
There are also financial reasons that weigh into the decision to remove the cameras. In most businesses a compliance professional or paralegal will be fielding court orders for data. A full-time resource would cost a minimum of $30,000 a year. Does spending that $30,000 a year bring $30,000 worth of value to the customer? It does not bring benefit to the customer, but it does benefit the police. Since the police are not part of the same organization, it makes very little sense to help them from a security professional’s or management accountant’s point of view. If the video footage is that important to the police, they should provide the equipment and manpower to monitor it, or the library should invoice the police for its costs of maintaining the equipment.
If we take off our security hats for a moment and put on our management accounting hats, we can see that helping law enforcement does not provide economic benefit to the organization. Therefore, in order to save $30,000 by not hiring a full-time resource, we would need to remove the reason for hiring a resource. We now have a business reason to remove the cameras.
Critics may argue that the cameras are already paid for and removing them wastes taxpayer money. Once again we will need to do a financial analysis to determine whether or not the cameras should stay. Most camera systems today are linked into a DVR which is usually supported by an organization’s IT department. For purposes of this illustration we will assume that the camera systems are basically computers. Computers have a five-year depreciation before they are scrapped and removed from an organization’s financial books. How many companies keep computers more than five years? From a practical and a financial standpoint we can assume that the camera system would be replaced every five years much like a computer would.
The library system has also stated that the cost of maintaining the camera system is $30,000 per year. Presumably this is the cost of a maintenance contract. By removing the cameras the library immediately starts saving $30,000 a year. One way to express loss of value is to take the current depreciation value of the cameras, subtract the value the library receives from selling the equipment, and subtract the $30,000 a year in maintenance savings. If the cameras are very old and have little financial value, then it is possible that we will have a negative number, which means that the removal of the cameras provides immediate payoff. Without knowing the details of the original purchase, it is reasonable to assume that if the cameras are one or two years old we would obtain immediate ROI by removing the cameras, selling them, and then booking the savings from canceling the maintenance contract. If the cost of a compliance professional or paralegal is factored in, it is possible the camera system could be scrapped in its first year of operation based on the savings that would occur in years two and beyond. There is also the capital budget savings from not purchasing a new camera system every five years.
Security and privacy professionals should not assume that more is always better. Introducing additional equipment and processes can compromise the security and privacy of a client’s customers. Top management at the organization determines what risks face that organization. While it may be unconventional to assume that law enforcement is a security risk, there is certainly nothing wrong with that approach if the organization chooses to classify them as a risk. Security and privacy professionals must also wear many different hats. By taking unconventional approaches to security and privacy, and by involving other disciplines such as accounting and finance, security and privacy professionals can better serve their clients by protecting what their clients determine to be valuable.