This is the second of a series of three articles on security system testing. Today's security systems are actually IT systems (computers, operating systems, software, databases, networks) coupled with intelligent sensors and control devices (like video cameras, card readers and motion sensors) brought together for security operations use. This puts security systems integrators in the position of providing IT systems without any formal training in testing them. Similarly, the average security practitioner tends to have little or no training in testing IT systems. This situation is changing for large corporate and government customers, who increasingly are getting their IT departments involved in security systems projects. Systems integrators and security practitioners must get up to speed on current good practices with regard to testing integrated computer-based systems.
The Evolution of “Integration”
The term “integrated” has been defined loosely and variously in the security marketplace for many years, so before this article goes further, some clarification is in order. As more and more IT folks begin to take part in security system projects, it is important as well for security and IT folks to be on the same page and for there to be a clear understanding of the scope of integrated security system testing.
Several years ago, the phrase “true integration” was popular, along with its related question, “Is it interfaced or integrated?” When the term was introduced, “true integration” meant that systems were integrated only if they used a single underlying database so that no data entry would have to be performed twice. In contrast, an “interfaced” system was composed of separate software applications with independent databases—usually provided by separate vendors—that were set up to communicate with each other by exchanging data.
In a short time, the definition of “true integration” was expanded to include having a single user interface for all functionality. This concept of integration resulted in monolithic software applications encompassing all of the requisite security system elements, such as access control, alarm monitoring, video monitoring, ID badge production and visitor management.
These integration terms were developed before the introduction of the World Wide Web and the Web browser interface, prior to the proliferation of high-speed Internet connections and global networking. Today even those systems first designed as “truly integrated” are now interfacing with IT department corporate directories and identity management systems. Today not all of the data can reside in the security system's database. Furthermore, wired and wireless networking has connected PDA phones and even building signage to security systems. The idea of a single user interface application no longer fits.
In place of the varied definitions of integration that the industry has employed over the years, I propose the following version from Dictionary.com:
combining or coordinating separate elements so as to provide a harmonious, interrelated whole
This is a much more general definition than “one database, one user interface,” and it has the advantage of not being made obsolete by advances in technology. It also has a subtle, but very important distinction: it is results-oriented. Having a single database or software application is no guarantee that the system will be set up in the way that it should be, or that it will be harmonious with an organization's security operations. How integration is technically accomplished is important for a number of reasons, including initial cost, flexibility, maintenance cost, compliance to standards and performance. But unless the end result is suitable to the security practitioner's purposes, standards compliance and even technical excellence are irrelevant.