Video Surveillance Best Practices - CCTV Management Guide
December 16, 2022
share this article:
Closed Circuit Television (CCTV) cameras used in video surveillance are one of the most widely-used technologies in the security industry. Despite personal data legislation becoming more pervasive, CCTV systems don't seem to be going away, so it is pertinent to overview best practices that could benefit your business.
CCTV best practices help ensure that expected requirements are met and that business owners know the law when setting up a video surveillance system.
General Data Protection Regulation (GDPR) informs EU privacy law and has significantly influenced US privacy law. To stay on top of this legislation, businesses using CCTV systems should operate with transparency, ensuring:
Minimal collection of personal information (captured via license plates, faces, etc.)
Secure storage for a specified period and limited access to staff
Processes for responding to requests for access
The conducting of impact studies before installing or upgrading CCTV systems
Redaction of third parties any personally identifiable information.
Below, we’ve listed important guidelines for business owners to follow in order to ensure compliance.
1. Identify the Purpose & Objectives of the Surveillance System
When discussing video surveillance best practices, it is critical to create a document that shows a plan for positioning cameras and detailed objectives.
Saying the entire building and parking lot will be monitored is inadequate. It must be specified that cameras will focus on, e.g., entrances and exits to a parking area, where license registration plates can be recorded, along with a digital timestamp.
2. Develop a Written Appropriate Use and Retention Policy
Having a Standard Operating Procedure (SOP) for managing your surveillance system should cover the correct use and retention of video footage. The company's records retention policy must be accounted for, and the purposes of the video footage and a list of those authorized to access the footage must be included.
Login information (usernames and passwords) should only be provided to trusted employees whose backgrounds and credentials have been properly checked. A record of incidents should be kept on hand so that employees can note when incidents occurred if those with access to the surveillance system are not in the office. Recording the time of an incident cuts down on the number of resources spent locating footage.
Should inappropriate use of video footage be uncovered, disciplinary action should be instituted. This must be mentioned in the policy statement. Dissemination of the policy should include all personnel with access to the footage.
3. Professional Installation
Ideally, a qualified professional can decide the best placement of cameras, but should the business owner decide to install the system themselves; they must understand the limitations of both the cameras and the system. Potential security threats should be evaluated. Cameras must be able to "see" individuals all over the property.
4. Minimize the Number of Cameras and "Task" Them
With fewer cameras, the owner of a CCTV system can use less staff and technical resources, which lowers the costs of running and maintaining the system. The system designer is responsible for "tasking" the cameras to the best effect.
Placing cameras, so they have a view related to the performance objectives is essential. Areas where surveillance is beneficial include entrances and exits, work areas, storage areas, points where monetary transactions are conducted, and loading docks. Once the positioning has been determined, a camera and lens appropriate to the task can be decided.
5. Avoid New or Unproven Technologies
The equipment and network topology (shape of a Local Area Network, LAN, or other communications system) should operate on proven technologies. Where unusual technologies are used, there is the threat of being locked into a platform that may not be supported for long-. A good design allows the cameras to be replaced or upgraded using the same cabling and infrastructure.
6. Invest in Cabling and Infrastructure
By investing in the infrastructure of the cameras—power supplies, fiber-optic conductors, adaptors, and hardware – the essential components of the infrastructure should outlast the cameras with a lifespan of about two decades.
7. Leverage Technology Sensibly
Simple-to-operate software - generally the standard software included with the IP camera or video management system (VMS) - is generally more user-friendly. There is no point in having one-off proprietary hardware technologies so unique that they are not supported later.
Software technologies like video compression or video analytics features like face detection or auto-tracking can improve the effectiveness of video surveillance by capturing and storing worthwhile video clips instead of empty scenes.
8. Maintain the System Properly After Installation
A crucial CCTV best practice is to ensure a regular maintenance plan. This is vital to the successful operation of CCTV, and so, while malfunctions occur, repairs should be carried out routinely so that the system records 24/7.
9. Don't Hold Archived Footage for Extended Periods without Authorization
The specified retention period in the company policy (usually 30 days for most applications) should be adhered to, and the footage must be deleted timeously.
Corporate counsel can guide surveillance operators on what is necessary to retain in connection with ongoing investigations of specific incidents. Save footage that might be needed in the future to a flash drive.
10. Never Delete Unfavorable Footage
Some laws work against business owners' discarding such surveillance. Saving surveillance which indicates negligence may seem pointless, but destroying evidence in the face of a claim can land business owners in more hot water than the original claim.
11. Find out if Audio Footage is Permitted
Due to a broad interpretation of the so-called Wiretap Act (18 US Code § 2511), aimed at protecting privacy in communications, some companies avoid recording audio recordings altogether.
The Wiretap Act makes it illegal to use communications recorded by a device. While video footage is not specifically mentioned in the statute, and a camera is not mentioned as a "device," it does fit a broad interpretation.
Before utilizing audio devices, check that state or local statutes prohibiting audio recording on your company's premises are not being violated. When in doubt, don't record audio, but if permitted, audio recording can enhance the evidentiary benefits of video surveillance.
Applying these basic standards when planning the scope and size of your CCTV system will help avoid some common pitfalls that can arise from poor groundwork.
12. Internet of Things (IoT)
Once a surveillance system is set up, objectives decided, video surveillance best practice policies put in place, and ongoing maintenance attended to, the CCTV operator is not out of the woods. Because of the need for remote access and cheaper cloud storage costs, security camera systems are being connected to the internet with increasing regularity.
Security camera systems need the same level of attention and protection from cyber security vulnerabilities which are given to traditional IT systems. Physical security integrators and internal support staff must keep up-to-date on cyber security attack vectors.
Suppose the system is exposed to the internet. In that case, they should "port forward" as few ports as possible and utilize a next-generation firewall to analyze the protocol and block incorrect protocols sent over the wrong port. An IDS/IPS would be deployed for added protection in an ideal situation.
13. Monitoring and Governance
Knowing what devices are on the system, how they're operating, and that there are no rogue devices is crucial to addressing cybersecurity threats.
An IoT governance platform is a simple solution that makes tracking and monitoring a business's IoT devices simpler. This gives visibility into all devices on a network in a single dashboard. The technology can find and check components of the system, like video surveillance cameras, access control panels, and more.
14. Network Topology
A portal is created where security camera systems are connected to the main network so that hackers can infiltrate the main network through the surveillance system. It is best to keep the surveillance camera network separate from the rest of the network. However, this may be difficult if integration with a sophisticated IT setting is required, so you could use a virtual local area network.
15. Carry out Testing of IP Cameras to Screen for Vulnerabilities
Testing all associated protocols, hardware, and firmware to ensure the capability of each video surveillance component can mitigate or prevent an attempted cyberattack is crucial.
Protocol testing looks at how secure incoming and outgoing conversations between network devices are. This includes encrypted communications and whether these can be ambushed for unauthorized use.
Hardware testing evaluates the IP video surveillance devices' physical, software, and connectivity, ensuring elements remain largely tamper-proof.
A firmware analysis scans the system for buffer overruns, vulnerabilities that allow attackers to relay malicious code through an application to another system, backdoor accounts, and more - this should take account of new firmware which can act against possible risks.
This process can now be done automatically thanks to new technology. This makes finding and fixing cybersecurity holes in the surveillance system easier. The technology that forms part of the procedures intended to optimize performance by automating firmware updates, tracking inventory, and carrying out password checks also uncovers security performance problems and vulnerabilities, helping to resolve them.
16. Limit the Number of Privileged Users
The more people involved with the data or network components, the more of a threat and the more vulnerable a system is to cyberattack.
Your security integrator is probably best positioned to assist in selecting and vetting staff intended to be privileged users.
It is also advisable to institute auditing procedures to follow the privileged users' activities on the system and develop strict policies that disable privileged accounts if suspected attacks or compromises are detected.
By keeping video equipment locked away, you will prevent interference with or theft of system components.
17. Avoid Insecure Connections
Only choose vendors who encrypt their connections. Default passwords and ports make the system easy to hack, as simple passwords can be guessed by hacker applications. The more intricate and randomized the password, the less likely anyone will be able to infiltrate or gain control over the system.
Hackers wanting to gain access to systems can find information about default ports used by system manufacturers and use these to identify weak points on recorders and other IP-based devices, with the aim of intercepting information.
To make it more complicated for hackers to identify and attack video surveillance cameras, firewall best practices and finding uncommon ports work in tandem to prevent breaches.
Maintaining a positive relationship with security providers means you will be able to fall back on their know-how when necessary and be up to date regarding threats, and find ways to circumvent them through new technologies. Having the most expert, flexible, and responsive security services and technologies is crucial to good security.
18. Consider CCTV Storage Methods
Each business should consider its memory needs before purchasing a camera. The camera model, capacity, frames, resolution, audio, and chosen storage method all impact storage capacity.
Modern IP cameras may have local onboard CCTV video storage. This is an improvement on older systems where external DVR devices processed analog data at the recorder or where NVR devices encrypted and processed data at the IP camera to store video footage. This method of storing CCTV video recordings poses difficulties in sharing and accessing footage remotely. But recordings need not be sent across networks, and connectivity is inconsequential.
Solid state drives (SSD) are one of the most desirable forms of CCTV video storage since they have no moving parts and can store months of footage.
Cloud - Although the file size of CCTV video footage is often large, it can usually be transmitted through the network to the cloud, reducing the need to access device storage which can be time-consuming depending on camera location. While connectivity is required to get video stored in the cloud, there is no risk of losing footage due to a disaster like fire or water damage.
Hybrid cloud solutions - If the network is unreliable or bandwidth is limited, and large video file transmissions are difficult, local storage increases the likelihood of video footage being available.
Frequently Asked Questions
Do you have to tell people that CCTV is filming them?
Privacy laws specify the prominent display of signs to inform people they are being filmed. These should clarify that CCTV is in operation. It should also be explained why this data is being collected. Staff must be notified they are being filmed and why.
Where can't I film?
Cameras should not be placed in areas that infringe upon privacy, like dressing rooms, hotel rooms, and bathrooms. Privacy laws differ in each state, so ensure you know your state's privacy laws before installing CCTV. If images/footage beyond the property boundaries (such as your neighbors' property or public streets) are filmed, your system use is subject to data protection laws.
Can I record sound?
Even as part of a video, at least one party has to give consent for audio recording to make it legal, and some states require all parties to consent.
Is it illegal to release CCTV footage?
Besides management and individuals needing access to accomplish their job roles, anyone wanting copies of information held about them under the data protection law has the right to access it and can make a written or verbal request to the system's owner. CCTV systems must allow the operator to retrieve stored footage for this purpose. Third parties should be redacted from the footage.
Ensure Compliance With Sighthound Redactor
Sighthound Redactor supports CCTV best practices by ensuring compliance with data security and safe CCTV video storage laws. When capturing video of the public, their privacy must be prioritized and tools must be put in place.
With Redactor, business owners, operators and authorized users of video files can quickly upload video footage and use automatic redaction functions to hide personal information like faces, vehicles, license plates and other specialized objects like ID cards. No technical experience required and it is available on demand with Redactor cloud.
When time is of the essence in reporting a crime or reviewing for safety concerns, you can use Redactor to quickly obscure private information and share the video with necessary parties.
With affordable month to month subscriptions, CCTV operators should have Redactor on standby when they need it and have a proven easy to use solution.