System Life Cycle Planning

Technology development should spur upgrades

This is an excellent start as existing IT policies apply to many of the security technology elements — such as PCs, laptops and many network components. However, existing IT policies do not cover some of the security technology, and sometimes security needs will trump the IT policies and require what would otherwise be considered premature replacement. This happens when the technology must change for the improvement of risk mitigation — and therein lies a critical difference between IT systems life cycle planning and security systems life cycle planning. In the “old days,” security practitioners would often run every system or technology until its use could simply no longer be justified. Then, the system would be replaced wholesale. While that was appropriate for systems with 10- and 15-year technology cycles, it no longer fits today.

The Context for Life Cycle Planning

The purpose of IT systems life cycle planning is to optimize technology deployments for performance, efficiency and cost containment, including the costs of maintaining the networks and systems and even user training (total cost of ownership). This applies to businesses both large and small. (See 2006 IDC white paper: SMBs can Achieve Business Success Through IT Planning). However, security systems must be optimized for risk mitigation first and foremost, and secondarily for efficiency and cost containment (subject of course to overall budget restraints).

Because of this difference in purpose, it is important to think of deployed security technology as physical security systems infrastructure, rather than IT systems infrastructure, for reasons that will be made clear below.

Defining Infrastructure

Wikipedia has an excellent article on infrastructure. It explains that the word was imported from French, where it means subgrade, the native material underneath a constructed pavement or railway. The word is a combination of the Latin prefix “infra,” meaning “below” and “structure.” That definitely applies to terms like cabling infrastructure. Infrastructure also is used to mean the underlying framework of a system or organization. The term public infrastructure refers to the fundamental facilities and engineered systems serving a country, city or area, such as transportation systems, power generation and distribution systems, water supplies and schools.

Network infrastructure is the term for the underlying network cable and electronic components that support an organization’s information and communications systems. IT infrastructure can be used to refer to the total of computer, communications and network systems.

Thus, a physical security systems infrastructure is a managed network of electronic security systems and devices providing security functions and services in accordance with a risk management strategy.

Managed network is a term that conveys a world of meaning to IT personnel. While an in-depth definition goes beyond the scope of this particular article, it is accurate to say that a managed data network is well-planned and is maintained and enhanced (ideally behind the scenes) using the tools and devices needed to:

• monitor, report, analyze and diagnose the health and performance of the network to anticipate problems before they impact performance;

• maintain the network at user-required levels of performance; and

• expand and adjust its functionality and performance to serve the changing needs of its users.

The term infrastructure connotes an underlying framework for vital services important to a group or population (in this case the organization served by the security function). Thus, an infrastructure is considered an asset that is a strategic investment.

Wikipedia lists seven typical attributes of an infrastructure asset. I have revised and presented five of them below as being applicable to physical security systems infrastructures based upon new technology, especially enterprise-wide systems:

• The assets have a high initial cost and a value that is difficult to determine.

• They are a large systems network constructed over time and are not often replaced as a whole system.

• The systems network has a long life because its service capacity is maintained by continual refurbishment or replacement of components or subsystems as they wear out, become obsolete or require additional functionality.

• The system or network tends to evolve over time as it is continuously modified, improved, enlarged; and as various components and subsystems are re-built, decommissioned or adapted to other uses.

• The system interdependencies or new functional requirements may limit a component life to a lesser period than the expected life of the component itself.