5 Security Systems; Design, Monitoring and Responses.
5.1 Monitoring Post
Physical Security
5.1.1
Monitoring of alarm events 24x7x366 via an internal or 3rd party external monitoring post, protected from unauthorized access.
Note: Monitoring posts may be located on or off site, and can be company owned, or third party. In all cases, access must be controlled through the use of an electronic access control system (badges), locks, or biometric scanners.
Alarms Response
5.1.2
All security system alarms responded to in real-time 24x7x366.
5.1.3
Monitoring post acknowledges alarm-activation and escalates in less than 3 minutes.
Procedures
5.1.4
Alarm monitoring reports available.
5.1.5
Documented response procedures.
5.2 Intruder Alarm System
Procedures
5.2.1
All systems activated during non-operational hours and linked to the main alarm system.
5.2.2
60 days of security system alarm records maintained.
5.2.3
Security system alarm records, securely stored and backed up.
5.2.4
Security system alarm records securely stored.
5.2.5
Documented procedure to ensure security system access is restricted to authorized individuals or system administrators. This includes servers, consoles, controllers, panels, networks, and data.
Access privileges must be promptly updated when individuals depart the organization or change roles and no longer require access.
Alarms Transmitted and Monitored
5.2.6
Alarm transmitted on power failure/loss.
Note: For systems with an Uninterruptible Power Supply (UPS), the alarm is transmitted when the UPS battery fails.
5.2.7
Alarm set verification in place.
Note: Documented procedures validating that alarms are armed during non-operational hours.
5.2.8
Alarm transmitted on device and/or line failure.
5.2.9
Back-up communication system in place on device and/or line failure.
5.3 Electronic Access Control System
Access Recording Retention
5.3.1
90 days of system transaction records available. Records securely stored; backed up.
Access Restriction
5.3.2
Documented procedure to ensure system access is restricted to authorized individuals or system administrators.
Access privileges must be promptly updated when individuals depart the organization or change roles and no longer require access.
Review of Access Reports
5.3.3
Access system reports reviewed at least quarterly to identify irregularities or misuse (e.g. multiple unsuccessful attempts, false readings such as a disabled card, evidence of card sharing to allow unauthorized access, etc.). Documented process in place.
5.4 CCTV
Physical
5.4.1
Digital recording in place.
5.4.2
Minimum 3 frames per second per camera.
CCTV Procedures
5.4.3
Digital recording functionality checked daily on operational days via documented procedure. Records available.
5.4.4
CCTV recordings stored for a minimum of 30 days where allowed by local law. LSP/Applicant must provide evidence of any local laws that prohibit the use of CCTV and/or limit the video data storage to less than 30 days.
5.4.5
Access tightly controlled to CCTV system, including hardware, software, and data/video storage.
5.4.6
CCTV images, for security purposes, are only viewed by authorized personnel.
5.4.7
Documented procedures in place detailing CCTV data protection policy regarding use of real time and archive images in accordance with local law.
5.5 Exterior and Interior Lighting
Procedures
5.5.1
Exterior and interior lighting levels are sufficient to support CCTV images that allow investigation and evidential quality image recording.
5.5.2
All vehicles and individuals clearly recognizable.