Protecting stored and transmitted data

First and foremost, an internal analysis of the security risks must be carried out to determine what security measures are necessary to protect the video surveillance system, including the personal data it processes.

In all cases, measures must be taken to ensure security with respect to:

  • Transmission
  • Storage (such as in computer databases)
  • Access (such as access to servers, storage systems, the network, and premises)

Transmission must be routed through secure communication channels and protected against interception, for example by means of:

  • Encryption of the media from the Recording Server to the servers and clients
  • HTTPS from the camera to the Recording Server
  • VPN for Smart Client or Management Client connected via the internet
  • HTTPS for Web and Mobile client

Protection against interception is especially important if a wireless transmission system is used or if any data is transferred via the internet. In these cases, the data must be encrypted while in transit or equivalent protection must be provided.

Encryption, or other technical means ensuring equivalent protection, must also be considered in other cases, such as while the data is in storage, if the internal analysis of the security risks justifies it. This may be the case, for example, if the data is particularly sensitive. This is done by enabling encryption of the media database.

All premises where the video surveillance data is stored and where it is viewed must be secured. Physical access to the control room and the server room where the VMS servers are placed must be protected. No third parties (e.g. cleaning or maintenance personnel) should have unsupervised access to these premises.

The location of monitors must be chosen so that unauthorized personnel cannot view them. If they must be near the public areas, the monitors must be positioned so that only the security personnel can view them.

The XProtect VMS logs basic information by default, but we recommend that you enable user access logging in the Management Client for the audit log.

This digital logging system is in place to ensure that an audit can determine at any time who accessed the system, where and when. The logging system can identify who viewed, deleted, or exported any video surveillance data (this requires that you enable user access logging, as described in the XProtect VMS - Administrator manual). In this respect, and elsewhere, attention must be paid to the key functions and powers of the system administrators, and the need to balance these with adequate monitoring and safeguards.