U.S. patent application number 15/679941 was filed with the patent office on 2017-12-28 for converged logical and physical security.
The applicant listed for this patent is VETRIX, LLC. Invention is credited to Melani S. Hernoud, Elizabeth J. Pierce, Gregory Reith.
Application Number: 20170374105 (15/679941)
Family ID: 39136664
Filed Date: 2017-12-28
United States Patent Application 20170374105, Kind Code A1
Hernoud; Melani S.; et al.
December 28, 2017
CONVERGED LOGICAL AND PHYSICAL SECURITY
Abstract
A security management system that includes a hierarchical
security platform, converged IT and physical security management,
unified credentialing, credential issuance and incident(s)
management. An exemplary aspect of the invention also relates to
physical and logical security management and information
technology/network security management, with a credential issuance
and integrity checking system as well as associated readers and
printers of the credential. Still further aspects of the invention
relate to obtaining, assembling and analyzing one or more of data,
video information, image information, biometric information, sensor
information, terrorist information, profile information, and/or
other types of information to provide a comprehensive platform for
all aspects of security management. A toolkit is also provided that
allows complete management, integration, scalability,
interoperability and centralized control of all aspects of security
including personnel credentialing, personnel management, personnel
tracking, task management, security system integration, security
information exchange and scalability.
Inventors: Hernoud; Melani S.; (Brighton, CO); Pierce; Elizabeth J.;
(Dacono, CO); Reith; Gregory; (Dacono, CO)
Applicant: VETRIX, LLC, Brighton, CO, US
Family ID: 39136664
Appl. No.: 15/679941
Filed: August 17, 2017
Related U.S. Patent Documents
Application Number | Filing Date  | Patent Number
15409780           | Jan 19, 2017 |
15679941           |              |
15187208           | Jun 20, 2016 |
15409780           |              |
14802660           | Jul 17, 2015 | 9400881
15187208           |              |
13314335           | Dec 8, 2011  |
14802660           |              |
11740063           | Apr 25, 2007 | 8108914
13314335           |              |
60794529           | Apr 25, 2006 |
Current U.S. Class: 1/1
Current CPC Class: G06F 21/6218 20130101; H04L 63/20 20130101;
G06F 21/34 20130101; G07C 9/28 20200101; G06F 16/29 20190101;
G06F 21/71 20130101; G07C 9/26 20200101; G07C 9/257 20200101;
G06F 21/35 20130101; G06F 21/32 20130101; G06F 21/602 20130101;
G07C 9/22 20200101; G06K 19/06028 20130101
International Class: H04L 29/06 20060101 H04L029/06; G06F 21/62
20130101 G06F021/62
Claims
1. An integrated physical and network security platform comprising:
a unified credential having associated therewith information
allowing access to one or more of a physical area and a computer
system; a security management system including a data store and
connectivity modules allowing scalability and one or more
connections to one or more additional security management systems,
wherein the security management system is capable of interfacing
with one or more of an existing enterprise physical security system
and an existing enterprise computer system; an incident management
perimeter access control and tracking system that manages one or
more of personnel, tasks, equipment and access for a secure
area.
2. The system of claim 1, further comprising a credential issuance
system that can associate information with the unified
credential.
3. The system of claim 2, wherein the information pertains to one
or more of personnel and equipment.
4. The system of claim 3, wherein information about the personnel
comprises one or more of fingerprint information, name,
credentials, certifications, biometric information, access
information, a picture, background information and medical
information.
5. The system of claim 1, wherein the unified credential includes a
contact or contactless chip and one or more of a bar code, printed
data, proximity chip, magnetic stripe, token and computer readable
information.
6. The system of claim 1, wherein the secure area can be a physical
area, a computer or a computer network.
7. The system of claim 1, wherein a credential issuance system
interfaces with one or more of a fingerprint capture system, a
camera, a PIN capture system, a signature capture system, a
document scanner, a card reader/writer, a card printer and a report
printer.
8. The system of claim 1, wherein the unified credential is a smart
card, smart chip, embedded chip or implanted chip.
9. The system of claim 1, wherein the information associated with
the unified credential is verified through a government entity.
10. The system of claim 9, wherein status information related to
the verification of the information is maintained by the security
management system.
11. The system of claim 1, wherein the security management system
can receive information from one or more external data sources.
12. The system of claim 11, wherein the external data sources
include one or more of map information, terrorist activity
information, incident information, global positioning system
information, audio information, video information, perimeter breach
information, alarms, enterprise security system status information,
local emergency response information, local, state, federal or
international governmental information and information obtained
from one or more other security management systems.
13. The system of claim 1, further comprising a rules toolkit, the
toolkit allowing a user to construct one or more rules including
metrics that govern the handling and action to be taken based on
received information.
14. The system of claim 1, further comprising an interface module
configured to communicate with the one or more of the existing
enterprise physical security system and the existing enterprise
computer system.
15. The system of claim 1, wherein the platform includes one or
more of satellite communications capabilities, VOIP capabilities,
networking capabilities, switch-based network communication
capabilities and packet-based network capabilities.
16. The system of claim 1, wherein the platform can be booted into
a plurality of modes.
17. The system of claim 16, wherein the modes are one or more of an
EMS mode, a national disaster mode, an incident mode, a local
disaster mode, a state disaster mode, a terrorist activity mode and
an international disaster mode.
18. The system of claim 17, wherein additional modes can be
dynamically added in real-time.
19. The system of claim 17, wherein each mode has an associated set
of templates related to management of information associated with
the security management system.
20. The system of claim 1, further comprising a data filtering
module that filters data based on a sensitivity rating.
21. The system of claim 1, further comprising a prediction module
utilizing artificial intelligence to analyze information received
by the security management system.
22. The system of claim 1, wherein the system provides security for
one or more of chemical, drinking water and wastewater treatment
systems, energy facilities, dams, commercial nuclear reactors,
water sectors, process manufacturing, emergency services, public
health and healthcare, continuity of government, government
facilities, defense facilities, defense industrial base, continuity
of government, information technology, telecommunications,
converged facilities, national monuments and icons, postal and
shipping, banking and finance, commercial facilities, materials and
waste facilities, transportation systems, port security, aviation
security, cargo, cruise ships, trains, mass transit, Intermodal,
food and agriculture facilities, military facilities, first
responders, police, fire control access to a machine and OSHA
Compliance.
23. The system of claim 1, wherein the unified credential is stored
in a RFID shielded pouch.
24. A method for providing integrated physical and network security
comprising: providing a unified credential having associated
therewith information allowing access to one or more of a physical
area and a computer system; maintaining a security management
system including a data store and connectivity modules allowing
scalability and one or more connections to one or more additional
security management systems, wherein the security management system
is capable of interfacing with one or more of an existing
enterprise physical security system and an existing enterprise
computer system; monitoring an incident management perimeter access
control and tracking system that manages one or more of personnel,
tasks, equipment and access for a secure area.
25. The method of claim 24, wherein the information pertains to one
or more of personnel, equipment, corporation, government entity,
international entity or facility.
26. The method of claim 25, wherein information about the personnel
comprises one or more of fingerprint information, name,
credentials, certifications, biometric information, access
information, a picture, a unique identifier, background information
and medical information.
27. The method of claim 24, wherein the unified credential includes
a contact or contactless chip, smart card, smart chip or embedded
chip, implanted chip and one or more of a bar code, printed data,
proximity chip, magnetic stripe and computer readable
information.
28. The method of claim 24, wherein the secure area can be a
physical area, a computer or a computer network.
29. The method of claim 24, wherein a credential issuance system
interfaces with one or more of a fingerprint capture system, a
camera, a PIN capture system, a signature capture system, a
document scanner, a card reader/writer, a card printer and a report
printer.
30. The method of claim 24, wherein the unified credential is a
smart card, implanted chip or embedded chip.
31. The method of claim 24, wherein the information associated with
the unified credential is verified through one or more of a
government entity, certificate authority, corporate entity, state
authority and local authority.
32. The method of claim 31, wherein status information related to
the verification of the information is maintained by the security
management system.
33. The method of claim 24, wherein the security management system
can receive information from one or more external data sources.
34. The method of claim 33, wherein the external data sources
include one or more of map information, GIS information, terra
server information, terrorist activity information, incident
information, global positioning system information, audio
information, video information, perimeter breach information,
alarms, enterprise security system status information, local
emergency response information, local, state, federal or
international governmental information and information obtained
from one or more other security management systems.
35. The method of claim 24, wherein the platform includes one or
more of satellite communications capabilities, VOIP capabilities,
networking capabilities, switch-based network communication
capabilities and packet-based network capabilities.
36. The method of claim 24, wherein the platform can be booted into
a plurality of modes.
37. The method of claim 36, wherein the modes are one or more of an
EMS mode, a national disaster mode, an incident mode, a local
disaster mode, a state disaster mode, a terrorist activity mode and
an international disaster mode.
38. The method of claim 37, wherein additional modes can be
dynamically added in real-time.
39. The method of claim 38, wherein each mode has an associated set
of templates related to management of information associated with
the security management system.
40. The method of claim 24, wherein the system provides security
for one or more of chemical, drinking water and wastewater
treatment systems, energy facilities, dams, commercial nuclear
reactors, water sectors, process manufacturing, emergency services,
public health and healthcare, continuity of government, government
facilities, defense facilities, defense industrial base, continuity
of government, information technology, telecommunications,
converged facilities, national monuments and icons, postal and
shipping, banking and finance, commercial facilities, materials and
waste facilities, transportation systems, port security, aviation
security, cargo, cruise ships, trains, mass transit, Intermodal,
food and agriculture facilities, military facilities, first
responders, police, fire and OSHA Compliance.
41. Any one or more of the features as described herein.
42. Means for performing any one or more of the features described
herein.
43. A computer readable storage medium comprising information, that
when executed, performs one or more of the functions described
herein.
44. The method of claim 24, wherein a combination of SQL and active
directory are used to integrate the physical and network
security.
45. The method of claim 24, wherein authentication is based on
location based in time.
46. The method of claim 45, wherein artificial intelligence
compares location and time information to determine authentication.
Description
RELATED APPLICATION DATA
[0001] This application is a Continuation of U.S. patent
application Ser. No. 14/802,660, filed Jul. 15, 2015, which is a
Continuation of U.S. patent application Ser. No. 13/314,335, filed
Dec. 8, 2011, which is a Continuation of U.S. patent application
Ser. No. 11/740,063, filed Apr. 25, 2007, now U.S. Pat. No.
8,108,914, which claims the benefit of and priority under 35 U.S.C.
.sctn.119(e) to U.S. Patent Application No. 60/794,529, filed Apr.
25, 2006, entitled "Emergency Responder Security System," each of
which, including the Appendix of the Ser. No. 11/740,063
Application, are incorporated herein by reference in their
entirety.
BACKGROUND
Field of the Invention
[0002] Exemplary aspects of this invention relate to security. More
specific aspects of the invention relate to security management, a
hierarchical security platform, converged IT and physical security
management, unified credentialing, credential issuance and
incident(s)/event management.
SUMMARY
[0003] The exemplary systems discussed herein are in general
directed toward security and security management. An exemplary
aspect of the invention relates to physical security management and
information technology/network security management. Additional
aspects of the invention relate to a credential issuance and
integrity checking systems as well as associated readers and
printers of the credential certificate and electronic
personalization. Still further aspects of the invention relate to
obtaining, assembling and analyzing one or more of data, video
information, image information, biometric information, sensor
information, alarm information, perimeter information, terrorist
information, profile information, and/or other types of information
to provide a comprehensive platform for all aspects of security
management. Still further aspects of the invention relate to
providing a scalable toolkit that allows complete management,
integration, interoperability and centralized control and
monitoring of all aspects of security including personnel
credentialing, personnel management, personnel tracking, task
management, equipment management, personnel tracking, security
system integration and security information exchange.
[0004] The exemplary IT/network and physical security management
system can be architected for open standards and its operability
designed for modularity and scalability, and can be extendable
across a spectrum of security needs, and adaptable to both legacy
and upcoming technologies. The exemplary IT/network and physical
security management system can also be networked with other
IT/network and physical security management system(s) to allow for
widespread security management, for example, during one or more
non-collocated incidents, that may be one or more of international,
federal, tribal, state, city or local in nature.
[0005] Supporting multi-function contact and contactless smart
card/token/smart chip/embedded/implanted chip user validation, the
exemplary system works with existing collocated and distributed
facility environments, and optionally supports various technologies
including fingerprint recognition, facial recognition, iris
scanning, biometrics, geographic information system information
feeds, and the like. Blending, for example, video surveillance and
hazardous environmental sensors, the exemplary system can be
adapted to interface with building control systems, alarm systems,
existing card readers, annunciators, cameras and video cameras,
enterprise IT security systems, enterprise hardwired or wireless
security systems, alarm systems, and, in general, any security system.
The exemplary system allows integration into even the most complex
mission-critical enterprise IT security infrastructures through,
for example, standard protocols, resulting in improved situational
awareness, ability to correlate events and control responses in
real-time, reduced administration overhead and improved audit and
forensic capabilities.
[0006] The IT/network and physical security management system
cooperates with the Incident Management Parameter Access Control
and Tracking (IMPACT) family of solutions which provide access
control and identity management for deployment by, for example, one
or more of Federal, State, local and tribal governments. The IMPACT
family of solutions can cooperate with IT/network and physical
security management systems to allow control of physical and IT
access using, for example, a unified credential. The system
enables, for example, incident command to have a reliable,
real-time emergency management hub that brings together all the
assets and resources into a field environment, including, for
example, personnel management and tracking, video surveillance and
hazardous environment sensors, wireless communications and backend
communications to Federal, State and/or regional resources. Various
card issuance and reading systems are also supported as well as
manufacturers of multi-technology smart cards, such as contact or
contact-less smart cards, smart chips and embedded/implanted chips.
The IMPACT family of solutions can be configured, for example,
based on the type of incident or environment into which it is
deployed. For example, the critical infrastructure elements
discussed herein can each have a specific IMPACT solution that
includes specific modules, interfaces, templates, workflows and
processes or sub-processes pre-configured for deployment.
[0007] The exemplary system supports both a multi-function contact
and contactless smart card/token/smart chip/embedded chip/implanted
chip, user validation, and also works with a variety of incident
scenarios and climatic environments.
[0008] The exemplary system supports both a multi-function contact
and contactless smart chip user validation, and also works with a
variety of incident scenarios and climatic environments.
[0009] The exemplary system supports both a multi-function contact
and contactless embedded/implanted chip user validation, and also
works with a variety of incident scenarios and climatic
environments.
[0010] As examples, the systems described herein can be used for
HSPD compliance, such as HSPD 5, HSPD 7 and HSPD 12. There is a
number of critical infrastructure and key resource (CI/KR) sectors
in which the systems described herein can be used, or defined to
address any of the areas covered under these guidelines.
[0011] Exemplary non-limiting environments include: chemical,
drinking water and wastewater treatment systems, energy (power
facilities, electrical grid, oil & gas), dams, commercial
nuclear reactors, water sectors, process manufacturing, emergency
services, public health and healthcare, continuity of government,
government facilities, defense facilities, defense industrial base,
information technology, telecommunications, converged facilities,
national monuments and icons, postal and shipping, banking and
finance, commercial facilities, materials and waste, transportation
systems, port security, aviation security, cargo, cruise ships,
trains, mass transit, Intermodal, food and agriculture, military,
first responders, police, fire and OSHA Compliance (Authentication
& tracking of machine use). However, in general the systems
disclosed herein can be implemented in any environment(s).
[0012] As an example, in a national/city based incident, an ID is
used to derive access to all city/national resources, and can
include all HSPD 7 and more. For example, access can be provided to
water, power, facilities, transportation, city buildings and the
like. In this example, the 4th factor of authentication, which is
location based in time (global/ZULU/GMT), can be supported.
Additionally, a GUID and/or a UUID (a globally or universally
unique identifier) can also use certificates including but not
limited to PKI, PKCS #, etc. GUIDs, UUIDs and certificates can be
used in varying ways, as any one item can define identity. Use can
be cumulative or stand-alone, or a process can select the preferred
method for identity processes. The chip/card/implant has sectors
that only allow authorized writers/readers/users, to allow for
multi-use and multi-administrators. Built-in fail-safe options
include a running agent that identifies debuggers, heap readers,
disassemblers and other reverse engineering processes on the fly.
Applications can then be shut down into their stored encrypted
state. In case of additional tampering, after a certain threshold
of code has been tampered with, artificial intelligence (AI)
processes rewrite the code back to the original code base (last
known good configuration) and/or, after so much loss, can seal the
application in an encrypted container so that only, for example, an
authorized factory representative can reopen it, and/or it is
destroyed. In addition, the software and hardware case can be
configured to scramble drive contents upon compromise. This is
useful in cases where classified data may sit on a device.
[0013] Optional configurations include: a boot choice on start-up
covering, but not limited to, evacuation conditions, a bomb
scenario and ingress/egress of any area; an artificial intelligence
system; a self-healing network and systems component; attendance
and HR; an embedded chip that could be in the body and/or hand and
have multiple administrators for use in a single ID (multi-use and
multi-administrators, i.e., where a chip/card has sectors that only
allow authorized writers/readers/users to access or update specific
partitions/sectors); HSPD 7 and other applications and all critical
infrastructures, and any and all additions now and in the future;
sensors in the ceiling and/or roof area that, in cooperation with
GPS and other backend systems, can track the live movement of an
individual and/or asset through space and time; and perimeter
technologies that can include, but are not limited to, line of
sight, satellite, fiber drop wire, radar, microwave, seismic
sensors, beams, etc. Perimeter technologies can be applied in a
variety of environments to support very specific perimeter control
requirements. All data and confidential information can be
encrypted at rest and/or in transit; one exemplary way of
encrypting the link from the reader to the security system is to
use encrypt and/or decrypt chips on an I/O board attached to the
reader and/or the security system.
[0014] Cooperation between the exemplary IMPACT family of solutions
and the IT/network and physical security management system allows
interface designs to be built as modules that can be used as a
checklist to compile to produce any security product addressing all
critical infrastructures and/or any other security system, force
protection, border control and/or need. These, as discussed, at
least include the following modules: sensor modules, including but
not limited to chemical, hazardous, environmental, temperature and
HVAC; and physical security modules, including but not limited to
glass break, motion detection, physical access control, magnetic
stripe and fire suppression. Converged physical and IT security
access control built into one or more of the described systems can
include a communications module, including but not limited to 900
MHz, 2.4 MHz, satellite, microwave, 800 MHz, HAM radio, 802.11,
fiber optic, VOIP, CDMA and GPRS. They also include the identity
management aspects of the invention and the mapping module (static,
internet based, real-time imagery, data based and others), the
cameras module, the behavioral analysis modules, the audio and
audio analysis modules, the EMS modules and the alerting and
logging modules.
[0015] The security system is an application that converges logical
and physical security into a unified process for access control of
physical entities and network or other logical entities.
[0016] Exemplary components that allow this converged design are:
[0017] 1. Client software that provides an interface to an Active
Directory structure or an identity management structure (also
including a Federated Identity Management schema), LDAP
(Lightweight Directory Access Protocol), other schemas for identity
information including InfoCard, and the physical access control
structure, and that allows for configuration of security zones,
access permissions, camera operations, alerting, logging and other
processes that support physical and logical access control.
[0018] 2. A remote controller, which is the domain controller
containing the primary active directory structure and the
controlling operating system.
[0019] 3. Physical access controllers, which are devices that
provide reader control for physical access.
[0020] 4. Cameras.
[0021] 5. Logical control readers that allow for network or system
authentication.
[0022] 6. A SQL relational database or an object-oriented or
object-relational repository that stores access information, user
information, physical information, zone maps and other information
related to logical and physical access control.
The security system uses active directory, SQL and controller-based
data structures to control physical and logical access. The
elements are tied together through processes that integrate active
directory, a relational database backend and physical controller
data structures. Clients that provide for disconnected access
control may also use ADAM (a client version of active directory)
that may synchronize to a master active directory structure.
[0023] Access control is based on defining identities or grouping
identities based on roles and then assigning them to security
zones, network-based or system-based objects. An object can be a
file or other element stored in a file system, database, etc. An
identity is defined by creating a new identity and setting
different configuration options that relate to networks, systems
and/or physical access control, including hours of access, security
zones, accessible domains, etc. Logical attributes are stored
within the active directory structure, physical attributes are
stored within the controller data structure, and attributes that
bridge both are stored in the relational data structure. Services
tie all three together in a transactional process that guarantees
identity update parameters (adding or provisioning, modifying
privileges, and termination or revocation). Identities are tracked
through the use of GUIDs, UUIDs and/or certificates. This structure
allows for the best data integrity and reliability, as well as
maintaining separation of duties between physical controllers and
logical controllers.
[0024] When the security system is installed, the device identifies
the controlling aspects of the logical networks and takes the role
of master controller. Identity updates occur on the device through
active directory and active directory extensions. The other
controllers then act as authentication controllers for the network.
CRITSEC also conducts a search, discovers physical control devices,
systems and logical network elements, and takes control of those as
well. Updates applied to an identity are transacted through a
service that acts as a broker between active directory, the
physical controller and the relational database.
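As an added example of the broker service described in [0023] and [0024] (written for this page, not the patent's or any vendor's code): one identity update is split by attribute ownership and applied to a directory store, a physical-controller store and a relational bridge store as a single transaction, with the stores already written rolled back if a later one fails, and each store refusing attributes it does not own. The in-memory store classes, the attribute key names and the `offline` flag are assumptions standing in for Active Directory, the controller data structure and the SQL backend.

```python
import uuid

# Attribute ownership follows the description: logical attributes live in the
# directory, physical attributes in the controller, bridging data in the
# relational store. The key names themselves are assumptions for this example.
LOGICAL_KEYS = {"domains", "systems"}
PHYSICAL_KEYS = {"zones", "hours"}
BRIDGE_KEYS = {"name", "roles", "status"}
ALL_KEYS = LOGICAL_KEYS | PHYSICAL_KEYS | BRIDGE_KEYS


class Store:
    """In-memory stand-in for one backend, with snapshot-based undo."""
    def __init__(self, owned_keys):
        self.records = {}
        self.owned_keys = owned_keys

    def apply(self, guid, attrs):
        """Write attrs (delete when None); return the prior value for rollback."""
        if attrs is not None and not set(attrs) <= self.owned_keys:
            # Separation of duties: a store refuses attributes it does not own.
            raise ValueError(f"{type(self).__name__} does not own "
                             f"{set(attrs) - self.owned_keys}")
        previous = self.records.get(guid)
        if attrs is None:
            self.records.pop(guid, None)
        else:
            self.records[guid] = dict(attrs)
        return previous

    def restore(self, guid, previous):
        if previous is None:
            self.records.pop(guid, None)
        else:
            self.records[guid] = previous


class DirectoryStore(Store):  # Active Directory analogue: logical attributes
    def __init__(self):
        super().__init__(LOGICAL_KEYS)


class ControllerStore(Store):  # physical access controller data structure
    def __init__(self):
        super().__init__(PHYSICAL_KEYS)
        self.offline = False  # set True to simulate an unreachable controller

    def apply(self, guid, attrs):
        if self.offline:
            raise RuntimeError("physical controller unreachable")
        return super().apply(guid, attrs)


class RelationalStore(Store):  # bridging rows keyed by GUID
    def __init__(self):
        super().__init__(BRIDGE_KEYS)


class IdentityBroker:
    """Applies each identity change to all three stores, or to none of them."""
    def __init__(self, directory, controller, relational):
        self.stores = (directory, controller, relational)

    @staticmethod
    def _split(identity):
        unknown = set(identity) - ALL_KEYS
        if unknown:
            raise ValueError(f"unknown identity attributes: {unknown}")
        return tuple({k: v for k, v in identity.items() if k in keys}
                     for keys in (LOGICAL_KEYS, PHYSICAL_KEYS, BRIDGE_KEYS))

    def _transact(self, guid, parts):
        undo = []
        try:
            for store, attrs in zip(self.stores, parts):
                undo.append((store, store.apply(guid, attrs)))
        except Exception:
            for store, previous in reversed(undo):  # undo in reverse order
                store.restore(guid, previous)
            raise
        return guid

    def read(self, guid):
        merged = {}
        for store in self.stores:
            merged.update(store.records.get(guid, {}))
        return merged or None

    def provision(self, identity):
        guid = str(uuid.uuid4())  # identities are tracked by GUID
        return self._transact(guid, self._split({**identity, "status": "active"}))

    def modify(self, guid, changes):
        current = self.read(guid)
        if current is None:
            raise KeyError(guid)
        return self._transact(guid, self._split({**current, **changes}))

    def revoke(self, guid):
        """Termination: drop logical and physical rights, keep the bridge row for audit."""
        current = self.read(guid)
        if current is None:
            raise KeyError(guid)
        bridge = {k: v for k, v in current.items() if k in BRIDGE_KEYS}
        return self._transact(guid, (None, None, {**bridge, "status": "revoked"}))
```

A failed controller write during `modify` leaves the directory exactly as it was before the call, which is the guarantee the transactional process in [0023] is meant to provide.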
[0025] The relational structure is implemented in a way that
provides for data mapping as opposed to hard-defined data
structures. This allows users of the CRITSEC system to run it on a
variety of data backends, including MS SQL, Oracle, MySQL and
others.
[0026] Supervisory Control And Data Acquisition (SCADA) is a remote
control process that controls infrastructure such as water, power,
etc. A client communicates with a control device that controls some
aspect of a process. The exemplary componentry associated with the
SCADA embodiment includes: client software that provides an
interface to a variety of controllers. SCADA software secures SCADA
operational processes through an enhanced SCADA interface.
Controllers and remote terminal units are, for example, devices
that monitor and open or shut valves or perform some other function
that is required to maintain certain process attributes. A
controlled device is, for example, a valve or other device that has
impact over a controlled process. The security system integrates
logical and physical access control to SCADA networks. SCADA has
over the years been inherently weak when it comes to access
controls and security. SCADA security addresses this by integrating
the SCADA network with the security system for controlling physical
and logical access to SCADA networks. SCADA security also provides
a more secure interface while allowing SCADA operators to
continually monitor processes through a screen that is locked for
input but remains functional and visible for monitoring. Physical
and logical access controls are similar to the other applications
and processes described herein. The client software secures the
SCADA management process by creating a transparent screen that
SCADA operators can use to monitor SCADA processes. Though users
can see processes in real-time, they cannot interact with the
process until authentication takes place through the security
management system. Once authentication takes place, the transparent
screen moves to a background process while the SCADA client
application takes the foreground process and allows for operator
interaction. Alerting takes place through a colored border that
flashes at the edge of the screen, still allowing the operator to
monitor real-time actions through the transparent screen.
[0027] These and other features and advantages of this invention
are described in, or are apparent from, the following detailed
description of the exemplary embodiments.
BRIEF DESCRIPTION OF THE DRAWINGS
[0028] The exemplary embodiments of the invention will be described
in detail, with reference to the following figures wherein:
[0029] FIG. 1 is an overview of the exemplary security system
according to this invention.
[0030] FIG. 2 illustrates exemplary components that can be
associated with a credential according to this invention.
[0031] FIG. 3 illustrates an exemplary credential issuance system
according to this invention.
[0032] FIG. 4 illustrates in greater detail the components of the
IT/Network and Physical Security Management system according to
this invention.
[0033] FIG. 5 illustrates in greater detail the IMPACT system
according to this invention.
[0034] FIGS. 6-37 illustrate exemplary graphical user interfaces
associated with this invention.
[0035] FIG. 38 illustrates an exemplary relational database
structure according to this invention.
[0036] FIG. 39 illustrates exemplary data flow processes according
to this invention.
[0037] FIG. 40 illustrates an exemplary credential shield according
to this invention.
DETAILED DESCRIPTION
[0038] The exemplary embodiments of this invention will be
described in relation to security management. However, it should be
appreciated, that in general, the systems and methods of this
invention will work equally well for any type of communication
system in any environment.
[0039] The exemplary systems and methods of this invention will
also be described in relation to security management and the
components, sensors, hardware, software and data feeds associated
therewith. However, to avoid unnecessarily obscuring the present
invention, the following description omits well-known structures
and devices that may be shown in block diagram form or otherwise
summarized.
[0040] For purposes of explanation, numerous details are set forth
in order to provide a thorough understanding of the present
invention. It should be appreciated however that the present
invention may be practiced in a variety of ways beyond the specific
details set forth herein.
[0041] Furthermore, while the exemplary embodiments illustrated
herein show the various components of the system collocated, it is
to be appreciated that the various components of the system can be
located at distant portions of a distributed network, such as a
telecommunications network and/or the Internet, or within a
dedicated secure, unsecured and/or encrypted system. Thus, it
should be appreciated that the components of the system can be
combined into one or more devices, or collocated on a particular
node of a distributed network, such as a telecommunications
network. As will be appreciated from the following description, and
for reasons of computational efficiency, the components of the
system can be arranged at any location within a distributed network
without affecting the operation of the system. For example, the
various components and functions associated therewith can be
divided between one or more of the described systems, can be load
balanced between one or more security systems and can be networked
between one or more security systems, devices, or some combination
thereof. Similarly, one or more functional portions of the system
could be distributed between a plurality of geographically separate
systems.
[0042] Furthermore, it should be appreciated that the various
links, including any communications channels connecting the
elements, can be wired or wireless links (including satellite based
link(s)) or any combination thereof, or any other known or later
developed element(s) capable of supplying and/or communicating data
to and from the connected elements. The term module as used herein
can refer to any known or later developed hardware, software,
firmware, or combination thereof that is capable of performing the
functionality associated with that element. The terms determine,
calculate and compute, and variations thereof, as used herein are
used interchangeably and include any type of methodology, process,
mathematical operation or technique. It should also be appreciated
that various levels of redundancy and portability can be included
with the system, such as battery back-up, multi-national power
supplies, recharging capabilities, a plurality of communication
options, and a shock mount case for emergency drops to remote
locations.
[0043] FIG. 1 illustrates an exemplary security system 1. The
security system includes an IT/Network and Physical Security
management System 100, an Incident Management Perimeter Access
Control and Tracking module 200 and a credential issuance system
300. The IT/Network and Physical Security management System 100 can
be connected, via one or more of network 10 and links 5, to one or
more additional IT/Network and Physical Security Management Systems
as well as an identity proofing module 11, one or more sensors 12,
a unified credential 13, one or more access control readers 14
(which can govern physical as well as network/computer access), one
or more cameras and/or video cameras or feeds 15, existing
enterprise IT security system(s) 16, existing enterprise security
systems 17, such as building access systems and alarm systems 18
and associated annunciators 19 and devices.
[0044] FIG. 2 illustrates an exemplary credential 200, and some of
the types of information and information carrying devices
associated therewith. For example, the credential can include one
or more of a contact-based chip, embedded chip(s), implanted
chip(s), bar code(s), printed data, picture(s), a proximity chip, a
magnetic stripe and a contactless chip. Each of the information
carrying devices has certain associated advantages and
disadvantages and can be chosen, for example, based on the expected
operating environment, environmental conditions, data to be stored
thereon, security requirements and the like. The credential can be
any one or more of a smart card, smart chip and embedded chip. The
security system can automatically recognize the card type, issuing
agency, format, etc., as well as what authorized information can be
read. This allows for multiple administrators, multiple uses,
multiple readers and multiple sections (with each section having
different access permissions), as in an e-passport.
[0045] While certain embodiments are described in relation to the
exemplary credential, other options are also available. For
example, although a uniform visual card design is desirable,
experience indicates that while the flash-pass capabilities are
important, more crucial is the uniformity of the information
programmed into the smart card/smart chip/embedded/implanted chip.
The credential issuance system can abstract the desired data into
containers or sectors of the credential that are programmed into
the smart card chip, some with varying degrees of protection for
very sensitive data like biometric templates. These
credentials/certificates are thus immediately usable at the
incident site(s), not within some delayed time period, such as 24
hours. Revocation can also be immediate. Interoperability with
other standards-based cards can be a key architecture
principle.
[0046] While a standard template can be defined, other templates
may be added. For example, while one jurisdiction may choose to
store an encrypted fingerprint, iris scan, hand geometry or facial
recognition template (or any other biometric) in an encrypted card
container, another jurisdiction may utilize the same space on the
card for emergency medical treatment information. The ability of
the credential issuance system to discern the differences between
the two card types described is a unique feature that can be
enabled as required. Thus, different entities can have different
permissions to access different portions of one or more containers
or sectors of the same card. Highlights of an exemplary credential
include:
TABLE-US-00001

Data Capture and Issuance:
  - Optional version for contact chip
  - Works with the Credential Issuance System for printing/lamination; enables `one button` print/program
  - Works with IMPACT and the IT/Network and Physical Security Management System for contactless 13.56 MHz chips and other embedded/implanted chips

Authorization and Tracking:
  - Unique identifier by individual: Global Unique Identifier (GUID) or optional Cardholder Unique Identifier (CHUID)
  - Digital certificate follows the PKCS #11 standard, and all future standards, technologies or certificates as they become available

Lifecycle Operations:
  - Secure Identity Management System (IdMS)
  - Secure containers for data on chip
  - Works with IMPACT and the IT/Network and Physical Security Management System
  - Reprogram or update data in the field or centrally
  - Real-time validation of digital certificate; verification through, for example, a third party
  - Rapid provisioning and termination of privileges, not 24 hours
  - Maintain high `level of trust`
  - Manage data on card, in IdMS or both

Portable and Fixed Base:
  - Modular
  - Secure pre-issue multi-function credential, or issue onsite
  - Verify identity; verify authorizations; ensure `level of trust`
  - Create photo ID or smart card badge for this incident; update smart card chip if a 2nd incident
  - Visual grouping by skill or responsibility
  - Utilize for physical and logical access
  - Stored X.509 or PKCS #11 certificates, and all future certificates as they become available
  - Match-on-card biometrics
  - Smart card/smart chip/embedded chip, with use of SQL and Active Directory

Registrar Functionality:
  - Sponsors submit applicant's background check information
  - Registrar collects identity information in person: fingerprints and I-9 documents
  - System tracks status of application
  - Notification when NACI complete

ID Management System:
  - Active Directory link
  - Revalidation dates; moves, adds, changes, terminations
  - Distribution of applications
  - PIN resets
  - Robust member search and auditing capability
  - SQL or SQL link file/data transfers
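The per-entity container permissions described in [0046] (the same card sector holding a biometric for one jurisdiction and medical data for another, with each reader seeing only what it is authorized to read) can be modelled as follows. This is an added example and not the patent's own card encoding: the on-card layout (a 2-byte header naming issuer and template, then three 16-byte containers, each with a 1-byte length prefix), the issuer numbers, the template contents and the entity names are assumptions chosen to illustrate the scheme.

```python
"""Per-issuer container templates and per-entity read permissions.

Added example, not the patent's own card encoding. The layout, issuer
numbers, templates and entity names below are assumptions.
"""
import struct

CONTAINER_SIZE = 16                     # 1 length byte + up to 15 data bytes
NUM_CONTAINERS = 3
CARD_SIZE = 2 + NUM_CONTAINERS * CONTAINER_SIZE

# Template registry keyed by (issuer id, template id): what each issuer
# stores in each container. Container 2 differs between jurisdictions.
TEMPLATES = {
    (1, 1): {0: "chuid", 1: "certifications", 2: "biometric"},  # jurisdiction A
    (2, 1): {0: "chuid", 1: "certifications", 2: "medical"},    # jurisdiction B
}

# Which container meanings each reading entity may read.
PERMISSIONS = {
    "door_reader": {"chuid"},
    "incident_registrar": {"chuid", "certifications"},
    "hospital": {"chuid", "medical"},
    "biometric_verifier": {"chuid", "biometric"},
}


def build_card(issuer, template, containers):
    """Serialise a card image; `containers` maps container index -> bytes."""
    if (issuer, template) not in TEMPLATES:
        raise ValueError("unknown issuer/template")
    image = bytearray(struct.pack(">BB", issuer, template))
    for idx in range(NUM_CONTAINERS):
        data = containers.get(idx, b"")
        if len(data) > CONTAINER_SIZE - 1:
            raise ValueError(f"container {idx} exceeds {CONTAINER_SIZE - 1} bytes")
        image += struct.pack(">B", len(data)) + data.ljust(CONTAINER_SIZE - 1, b"\x00")
    return bytes(image)


def parse_card(image):
    """Split a card image into its header and the raw container contents."""
    if len(image) != CARD_SIZE:
        raise ValueError("malformed card image")
    issuer, template = struct.unpack(">BB", image[:2])
    raw = {}
    for idx in range(NUM_CONTAINERS):
        start = 2 + idx * CONTAINER_SIZE
        length = image[start]
        if length > CONTAINER_SIZE - 1:
            raise ValueError(f"container {idx} has an invalid length byte")
        raw[idx] = image[start + 1:start + 1 + length]
    return issuer, template, raw


def read_authorized(image, entity):
    """Return {meaning: bytes} for the containers `entity` may read.

    The card type is recognised from its header; a card whose issuer or
    template is not registered is refused rather than interpreted.
    """
    issuer, template, raw = parse_card(image)
    layout = TEMPLATES.get((issuer, template))
    if layout is None:
        raise PermissionError(f"unrecognised card type {(issuer, template)}")
    allowed = PERMISSIONS.get(entity, set())
    return {meaning: raw[idx] for idx, meaning in layout.items()
            if meaning in allowed}


# Constructed sample cards: same container index, different meaning.
CARD_A = build_card(1, 1, {0: b"CHUID-A-0001", 1: b"LESW30", 2: b"BIO-TEMPLATE"})
CARD_B = build_card(2, 1, {0: b"CHUID-B-0042", 1: b"SFHM10", 2: b"O-NEG;PCN"})

if __name__ == "__main__":
    for entity in PERMISSIONS:
        print(entity, read_authorized(CARD_A, entity), read_authorized(CARD_B, entity))
```

Two points carry over to a real card: the reader never guesses at an unregistered issuer/template pair, and the permission check is by container meaning rather than by container index, so a hospital reading a jurisdiction A card does not receive the biometric that happens to occupy the slot jurisdiction B uses for medical data. Encryption of sensitive containers is outside this example.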
[0047] Write IMPACT is an application that allows for the reading
and writing of contact and contactless smart cards.
[0048] Exemplary Components: [0049] 1. Client software that allows
for writing and reading data, acquiring biometric data and
specifying certifications. [0050] 2. Data backend for storing data
in either a connected or disconnected state. [0051] 3. Interfacing
for smartcards. Write IMPACT has the capability to write and read
contact/contactless smartcards that meet a variety of standards,
including HSPD-12 (PIV), Mifare, Desfire, Smart MX and others.
[0052] Due to card storage size and end user requirements, a
matrixing solution has been developed that allows users to encode a
large amount of data into the limited space on the smartcard chip. The
matrix defines a mapping from the application's data model to the
card's data layout and vice versa. This allows agencies to define
their own data and write it to the chip without consuming the space
the raw data would require. For example, the Denver Sheriff Department
wants to track certain certifications that it has developed. The
exemplary certification is broken down into a 3 or 4 (or in general
any) digit number or lettering scheme that designates that the
certification is local, that it relates to law enforcement, that it is
for SWAT, and its level. A further 1-digit code specifies whether the
holder is current, not current, in retraining, or whether currency does
not apply. This schema allows far more data to be stored on a chip, and
each code can be directly referenced through the back end. Other
agencies may map their data in their own way, and agency data may be
correlated through the mapping structure so that outside agencies have
visibility of certifications.
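The matrixing scheme above, as an added example rather than the patent's own code tables: a fixed-width code (scope, domain, two-character specialty, level, currency) is written to the card, and the back end expands it. The code layout, the vocabularies, the 48-byte container budget and the agency names are assumptions; the cross-agency correlation table is the part that lets an outside agency query a skill without knowing every agency's code book.

```python
"""Matrixed certification codes for a space-limited smart-card container.

Added example, not the patent's own tables. The 6-character code layout,
vocabularies, 48-byte budget and agency names are assumptions.
"""

SCOPE = {"L": "local", "S": "state", "F": "federal"}
DOMAIN = {"E": "law enforcement", "F": "fire", "M": "medical"}
CURRENCY = {"0": "current", "1": "not current", "2": "in retraining",
            "9": "currency not applicable"}

# Each agency owns its own specialty codes; two agencies may use different
# codes for the same skill, or the same code for different skills.
AGENCY_SPECIALTIES = {
    "denver_sheriff": {"SW": "SWAT", "K9": "Canine handler", "HZ": "Hazmat awareness"},
    "county_fire": {"HM": "Hazmat technician", "RS": "Rope rescue", "SW": "Swiftwater rescue"},
}

# Correlation matrix: agency-local codes mapped to a shared vocabulary.
CANONICAL = {
    ("denver_sheriff", "HZ"): "hazmat",
    ("county_fire", "HM"): "hazmat",
    ("denver_sheriff", "SW"): "swat",
    ("county_fire", "SW"): "swiftwater",
}

CONTAINER_BYTES = 48   # assumed sector budget: room for eight 6-byte codes
CODE_LEN = 6           # scope(1) domain(1) specialty(2) level(1) currency(1)


def encode_cert(agency, scope, domain, specialty, level, currency):
    """Build one fixed-width code, rejecting anything outside the code book."""
    if scope not in SCOPE or domain not in DOMAIN or currency not in CURRENCY:
        raise ValueError("unknown scope/domain/currency")
    if specialty not in AGENCY_SPECIALTIES[agency]:
        raise ValueError(f"{agency} has no specialty {specialty!r}")
    if not (isinstance(level, int) and 1 <= level <= 9):
        raise ValueError("level must be 1-9")
    return f"{scope}{domain}{specialty}{level}{currency}"


def pack_container(agency, certs):
    """Pack certifications into one container; fails rather than truncates."""
    codes = [encode_cert(agency, *c) for c in certs]
    if len(set(codes)) != len(codes):
        raise ValueError("duplicate certification")
    blob = "".join(codes).encode("ascii")
    if len(blob) > CONTAINER_BYTES:
        raise ValueError(f"{len(certs)} codes exceed {CONTAINER_BYTES} bytes")
    return blob.ljust(CONTAINER_BYTES, b"\x00")


def unpack_container(agency, blob):
    """Expand the codes on the card back into their back-end meaning."""
    text = blob.rstrip(b"\x00").decode("ascii")
    if len(text) % CODE_LEN:
        raise ValueError("container is not a whole number of codes")
    certs = []
    for i in range(0, len(text), CODE_LEN):
        code = text[i:i + CODE_LEN]
        spec = code[2:4]
        certs.append({
            "code": code,
            "scope": SCOPE[code[0]],
            "domain": DOMAIN[code[1]],
            "specialty": AGENCY_SPECIALTIES[agency][spec],
            "level": int(code[4]),
            "currency": CURRENCY[code[5]],
            "canonical": CANONICAL.get((agency, spec)),
        })
    return certs


def holders_with(canonical, cards):
    """Cross-agency query: holders whose *current* certs map to `canonical`.

    `cards` maps holder id -> (issuing agency, container bytes).
    """
    hits = []
    for holder, (agency, blob) in cards.items():
        for cert in unpack_container(agency, blob):
            if cert["canonical"] == canonical and cert["currency"] == "current":
                hits.append(holder)
                break
    return hits


# Constructed sample cards.
CARDS = {
    "deputy-17": ("denver_sheriff", pack_container("denver_sheriff", [
        ("L", "E", "SW", 3, "0"), ("L", "E", "HZ", 2, "2")])),
    "ff-204": ("county_fire", pack_container("county_fire", [
        ("S", "F", "HM", 1, "0"), ("L", "F", "SW", 2, "0")])),
}

if __name__ == "__main__":
    print(unpack_container(*CARDS["deputy-17"]))
    print("hazmat:", holders_with("hazmat", CARDS))
```

Note that `holders_with` honours the currency digit: a holder in retraining for hazmat is not reported as hazmat-qualified, which is the operational reason for carrying that digit on the card rather than only in the back end.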
[0053] For protecting the credential, as illustrated in FIG. 40, a
shielding credential holder device leverages a magnet to hold a
clear cover to a shielding back, and can be flipped out with one
hand when one needs to enable the contactless signal when presented
to a reader to, for example, open a door. Credential holders that
shield contactless emanations from unwanted and/or unauthorized
reading are current state of the art; however, convenient use by an
individual entering a secured facility is somewhat lacking.
The illustrated units are designed to feature a clear pocket for
the credential that magnetically adheres to a shielding backing.
Thus, a user is able to confidently display the front of the
credential on a lanyard or clipped to clothing knowing that it
cannot be read contactlessly in this mode, yet easily separate the
clear pocket from the backing with one hand to expose the
contactless signal when required, and allow reading thereof.
[0054] FIG. 3 illustrates an exemplary credential issuance system
300. The credential issuance system 300 comprises a signature
capturer 305, a PIN keypad capturer 310, a fingerprint capturer
320, a camera 330, a module for registrar functionality 340, an ID
management module 350, a report printer 360, a card printer 370, a
card reader/writer 380, and a document scanner 390, all
interconnected via one or more links and networks. One or more
pieces of data can be captured via the appropriate capturer and
associated with a credential. The data can be associated, in
cooperation with the card reader/writer 380, by storing information
on the card or printing information on the card. This information,
or a portion thereof, can also be encrypted as needed.
[0055] The credential issuance system 300 also can cooperate with a
module for registrar functionality. Registrar functionality can
include a background check, fingerprinting and I-9 documentation,
system tracking of the application process and notification of when
the NACI is complete. The ID Management module can include an
active directory link, revalidation functions, date and tracking,
moves, adds, changes, terminations, and the like, for an issued
credential. The ID management module 350 can also handle the
distribution of applications, PIN Resets, robust member searching
functionality and auditing.
[0056] FIG. 4 illustrates the IT/Network and Physical Security
Management System 100 in greater detail. In particular, the
IT/Network and Physical Security management System 100 comprises
one or more of a data store 105, logging module 110, authentication
processes/access control module 115, data filtering module 120,
data marts/warehouses 125, Artificial Intelligence modules 130,
video module 135, document module 140, mapping module 145,
training/prediction reporting module 150, sensor module 155, audio
module 160, VOIP module 165, communications management module 170,
user module 175, admin module 180, environment specific module 185,
information feed module 190, scalability and interconnection module
195 and security module 199, all interconnected via the appropriate
link(s) and/or network(s) as required (not shown).
[0057] FIG. 5 illustrates in greater detail an exemplary member of
the IMPACT family of solutions 200. In particular, the IMPACT
system comprises one or more of an equipment tracking module 205, a
personnel tracking module 210, a perimeter management module 215, a
credential management module 220, a task module 225, an alert
module 230, a reporting module 235 and a sensor module 240, all
interconnected via the appropriate link(s) and/or network(s) as
required (not shown).
[0058] In operation, an administrator initializes the system by
adding the personnel, equipment, credentials, or in general any
tangible or intangible items, that are to be managed. The addition of the
managed information can be streamlined through the use of one or
more templates designed for specific incidents and/or environments.
For example, when booting the security system, the system can query
the user as to the type of deployment, incident or environment.
Based on the user's selection, specific GUI's, templates and
prompts for connections to various types of data feeds can be
generated. Once all relevant information pertaining to the managed
information is established, various pre-defined rule sets can be
invoked or one or more custom rules created that allow actions to
be triggered based on satisfaction of one or more rules. For
example, if the incident is a fire and the security system is
connected to the existing building fire system, a pre-defined
"building fire" rule set could be selected that allows the security
system to monitor heat sensors, movement of emergency responders in
the building, fire sensors, video feeds, etc.
[0059] In addition, the security system can monitor the movement of
emergency responders into and out of the incident scene. This not
only allows the system to account for the presence and location
of personnel, but also supports more routine tasks such as billing
management. In the event of an injured emergency responder, the
system could also automatically forward medical information based
on the emergency responder's credential to a hospital to assist
with treatment.
[0060] The IMPACT family of solutions can also be preconfigured
with connectivity escalation routines that allow the security
system to contact one or more additional security systems based on,
for example, the meeting of one or more metrics monitored by the system.
For example, if explosives or an explosion is detected, the
security system can forward information related thereto to the
federal authorities. Additionally, the security system may connect
to other security systems to assist in the analysis of trend data
in the event of, for example, widespread terrorist activity.
[0061] In another exemplary embodiment, the system is not actually
deployed to an incident, but is used as a full-time security
monitor for one or more of a facility/network/computer system. The
system can also interface with existing structures, such as a
school, utilizing the appropriate modules, allowing control over
and monitoring of, for example, a school's security system. For
example, the security system can be connected, wired or wirelessly,
by an emergency response team to the school to control all aspects
of security including cameras, locks, access, etc.
[0062] FIGS. 6-37 illustrate exemplary GUI's associated with the
security system. With all the exemplary GUI's different skins can
be selected that are suitable for different lighting environments,
thus allowing the application to be easily seen inside or outside,
while it is bright or dark, in red, blue, green, yellow, white
light, etc. In particular, FIG. 6 illustrates an exemplary access
control GUI where a user would go to add other users, permit what
they have access to (logical and/or physical), and the
hours and zones in which they have access to these resources. Other things
can be controlled here such as the person's certifications and
username and password. The Connected Tab (located above the Full
Name) shows a list of all the different users that are currently
connected to the system.
[0063] The Reader button (located below the Time Zone) groups
the card readers into logical groups, each of which is treated as one of
many zones. The Users button gives you a list of all the users that
have been added into the Access Control for quick navigation to a
specific user.
[0064] FIG. 7 illustrates an exemplary main navigation menu. The
main navigation menu allows a user to move through the application.
It can be moved as well as set to auto hide in case you need more
screen space for the content area. The main area is the content
area. All the tools selected from the main menu are displayed
in this main portion. Tabs or buttons are also provided in this
interface to access other features of the system. In this example,
the tabs are "org chart," "packages," etc. The lower portion of the
GUI is the log. The log illustrates all the events that have
happened such as a connection to the server. Like the main menu,
this can be moved, resized, or set to auto hide, and each event in
the log can be selected for additional information.
[0065] FIG. 8 illustrates an exemplary custom time view GUI where a
user can create custom times during which a user is allowed into either
the physical facility or the network. Times can be set for any day of
the week and can be controlled down to the hour.
[0066] FIG. 9 illustrates an exemplary incident GUI. The Incident
screen gives a quick overview of the scene that includes who opened
it, the date it was opened and closed, and location. Additionally,
historical data can be shown so lessons learned from one event can
assist in the decision making process.
[0067] FIG. 10 illustrates an exemplary Org Chart (Organization
Chart) that can be used to see a graphical representation of the
incident command structure under, for example, an HSPD. By simply
dragging and dropping, a single person or an entire group can be
placed under a different commander. A user can add or remove any of
the nodes for situations that require different specialists. A user
can also fill the role of the positions with people that have been
added to the Access Control area.
[0068] The Expand and Collapse buttons control all the boxes,
expanding all of them or collapsing all of them.
[0069] FIG. 11 illustrates in greater detail some of the Org Chart
information.
[0070] FIG. 12 illustrates an exemplary SITREPS (Situation Reports)
GUI. The situation reports can be updated every time something is
changed in, for example, an emergency scene, event or exercise.
[0071] FIGS. 13 and 14 illustrate lists of all the different
agencies that are at the scene. Within each agency is a list of all
the employees. Each employee has information about them such as
status (deployed, staging, etc.), blood type, and cost rate. Then
each employee has a list of certifications that they carry.
Information held here pertains to when the individual received
the certification, when it expires, when it is expected to be
renewed, and whether the person has insurance.
[0072] FIG. 15 illustrates the different packages and their status,
including when they arrived at the emergency scene.
[0073] FIG. 16 illustrates an exemplary tasking screen where a user can
assign various tasks that can include a description, when it was
assigned, when it needs to be completed by, who it is assigned to,
priority, and its sensitivity. Tasks can be assigned to an
individual or to a group/agency.
[0074] FIG. 17 illustrates an auto populated log that provides a
brief overview of everything that has occurred within this incident
including when a new Incident Commander comes in, when new SITREPS
are created, and when packages arrive.
[0075] FIG. 18 illustrates the History Tab showing a brief overview
of all the incidents for quick reference. When a user selects one
of the incidents, that incidents information is seen through the
rest of the EMS tabs. This is used for not only review, but if an
incident is happening that is similar to a past scene, it can
provide for a quick way of seeing some of the possibilities that
could happen.
[0076] FIG. 19 illustrates an exemplary video GUI. The video GUI at
least supports IP, USB, CCTV and wireless cameras, with support
for audio. The video GUI can auto adjust if more than four cameras
are added and provides the ability to manually resize each box. Snapshots
and recording can be automated through rules, so if someone tries
to swipe a card that is invalid, the system can automatically take a
snapshot capturing the person's face. Motion detection can be used
for the entire camera view, or grids can be set up so that it will
only record if there is motion within that area. Frame rate can
also be controlled from here.
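The rule-driven behaviour described in [0058] (a deployment-specific rule set such as "building fire" enabling extra rules) and in [0076] (an invalid card swipe automatically triggering a snapshot) can be demonstrated with a small rule engine. This is an added example and not the patent's own rule format: the event fields, the "baseline" and "building_fire" rule sets, the reader-to-camera table and the action names are assumptions.

```python
"""Rule-driven actions over a stream of security events.

Added example, not the patent's own rule format. Event shapes, rule sets,
the reader-to-camera table and action names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Event:
    kind: str     # "card_swipe", "heat", "fire_alarm"
    source: str   # reader or sensor id
    data: dict = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    matches: Callable[[Event], bool]
    act: Callable[[Event], dict]


# Assumed reader-to-camera association used by the snapshot action.
CAMERA_FOR_READER = {"reader-lobby": "cam-01", "reader-dock": "cam-07"}


def snapshot_action(event):
    """Snapshot from the camera covering the reader; degrade to a log entry
    rather than failing when no camera is associated with the reader."""
    camera = CAMERA_FOR_READER.get(event.source)
    if camera is None:
        return {"action": "log_only", "reason": f"no camera covers {event.source}"}
    return {"action": "snapshot", "camera": camera,
            "reason": f"invalid card {event.data.get('card')} at {event.source}"}


def alert_action(event):
    return {"action": "alert", "source": event.source, "detail": dict(event.data)}


RULESETS = {
    "baseline": [
        Rule("invalid_card_snapshot",
             lambda e: e.kind == "card_swipe" and not e.data.get("valid", False),
             snapshot_action),
    ],
    "building_fire": [
        Rule("heat_over_60c",
             lambda e: e.kind == "heat" and e.data.get("celsius", 0) > 60,
             alert_action),
        Rule("fire_panel", lambda e: e.kind == "fire_alarm", alert_action),
    ],
}


def evaluate(event, active):
    """Return the actions produced by every matching rule in the active sets."""
    actions = []
    for name in active:
        if name not in RULESETS:
            raise KeyError(f"unknown rule set {name!r}")
        for rule in RULESETS[name]:
            if rule.matches(event):
                out = rule.act(event)
                out["rule"] = rule.name
                actions.append(out)
    return actions


def run(events, active):
    """Process a stream; every event is logged whether or not a rule fires."""
    log, actions = [], []
    for ev in events:
        fired = evaluate(ev, active)
        log.append((ev.kind, ev.source, [a["rule"] for a in fired]))
        actions.extend(fired)
    return actions, log


# Constructed sample stream.
SAMPLE_EVENTS = [
    Event("card_swipe", "reader-lobby", {"card": "CHUID-0099", "valid": False}),
    Event("card_swipe", "reader-lobby", {"card": "CHUID-0001", "valid": True}),
    Event("card_swipe", "reader-roof", {"card": "CHUID-0777", "valid": False}),
    Event("heat", "sensor-3f", {"celsius": 72}),
    Event("fire_alarm", "panel-main", {"zone": 3}),
]

if __name__ == "__main__":
    for active in (["baseline"], ["baseline", "building_fire"]):
        print(active, run(SAMPLE_EVENTS, active)[0])
```

With only the baseline set active, the heat reading produces nothing; selecting the "building_fire" set at deployment time is what turns it into an alert, and the invalid swipe at a reader with no associated camera is logged rather than silently dropped.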
[0077] FIG. 20 illustrates an exemplary sensor GUI. The sensor GUI
displays data from a sensor that can be captured and displayed as a
2D/3D graph or mapped into a GIS. A user is also able to turn on
and off the various bars as well as the markers. A user can also
change a bars color, width, as well as the amount of time that they
are viewing in the recorded data.
[0078] FIGS. 21 and 22 illustrate the ability to open a wide
variety of various documents, including the ability to utilize a
built in spell checker and thesaurus. Also supported is a built in
capability to open various spreadsheets. This is where a user can
come to open template-type forms that can be blank or pre-populated
with data from the incident.
[0079] FIGS. 23-25 illustrate various scheduling interfaces. Here a
user can see a daily overview of the different tasks that have been
scheduled. A user can delete/add columns by clicking the Delete/Add
buttons on the right. A user can add a new task into a timeslot by
double clicking the time at which it should start. When a user
adds an event to the time slot, it can be titled, given a location,
marked with the type of event it is, show its status at that time
(i.e., busy), and be given a duration. A user can also set up a
recurrence so this event is automatically there daily, weekly,
biweekly, monthly or annually.
[0080] FIGS. 26-27 illustrate alternative scheduling GUI's. By
changing the view to a weekly view, a monthly view, or an annual
view, a user can easily see all of the appointments or scheduled
events and historical data.
[0081] FIGS. 28-31 illustrate exemplary mapping GUIs. A user can
use both static mapping or Internet mapping and can tilt, rotate,
and zoom in through the tools on the right. A user can also bring
in various layers, even to the Internet mapping that can provide
different information. Terrorist alerts/maps, disasters maps and
GIS data, as well as existing terra maps and GIS systems can also
be obtained by the system.
[0082] FIG. 32 illustrates a built in VOIP GUI and chat support
that allows for communications as long as there is power. A user
can also record VOIP conversations in this GUI.
[0083] FIG. 33 illustrates an exemplary metrics GUI. Here a user
can total a utilization cost, as an agency, and even by their
status. This can be done, for example, for Agencies and Resources.
This allows, for example, states/counties to call for federal
assistance as soon as it is available or limits are reached.
[0084] FIGS. 34-37 illustrate various exemplary admin GUIs. Within
the Admin Console, a user can check out the server's health status,
have it automatically send alerts to E-Mail, a phone, a computer,
or just write a log. Within the console, a user can set up
automatic discovery and/or failover with other security systems, or
the systems can be manually discovered. The software can also be
configured to automatically check for updates from this
console.
[0085] FIG. 38 illustrates a high-level architecture of a
relational database that can be used in conjunction with the
embodiments described herein. The attached Appendix provides more
detailed specifics regarding the architecture and the relationships
therebetween, with the numbers in the connecting lines
corresponding to the relationships detailed in the Appendix. In
general however, any relational database, object-oriented or
object-relational database structure will work well with the
systems and methods of this invention provided a mapping between
associated elements can be determined. This exemplary architecture
represents the relationships between, for example, video, graph,
audio, VOIP, documents, equipment, personnel, tasks, etc.
[0086] FIG. 39 illustrates an exemplary data flow and process tree
according to an embodiment of this invention. The exemplary
processes depicted within the figure illustrate connectivity and
process flow. These flow diagrams can be consistent throughout all
various modules. For example, both the IMPACT family of solutions
and the IT/Network and Physical Security Management System can
include the same processes for cameras, video, access control,
etc., as well as a Supervisory Control And Data Acquisition (SCADA)
type system using the functionality described herein, with all of
the systems capable of including the same processes as other
modules and process applied to data operations, etc. The scope of
all modules can be configured into a self-healing networked
structure where if a piece, segment or network were to fail, a
self-healing process could instantiate itself and rebuild critical
parts of any portion of the system(s) and/or network. The
systems/networks can also support a failsafe mechanism that allows
for the destruction of a device if, for example, tampering is
detected.
[0087] The exemplary processes that can be performed by one or more
of the modules discussed herein (or by one or more modules
connected to the security management system) are: New Record,
Replication Process, Video Processes, EMS Processes, Mapping
Processes, Authentication Processes/Access Control, Document
Processes, Logging Processes, Sensor Processes, Support Processes,
Audio Processes, VOIP Processes, AI Processes, Data Scrubbing,
Trending/Prediction Reporting Process and Communications
Processes.
[0088] The New Record process allows the creation of a new record.
This new record can relate to personnel, equipment, monitors,
sensors, credentials, or in general any aspect of security
management including both tangible objects/personnel and
intangibles.
[0089] The Replication Process allows both upstream and downstream
replication of information. This replication can include filtering
to allow for a hierarchy of data flow with, for example,
permissions established such that data stores with lesser
permissions have access only to certain portions of data.
[0090] The Video Processes, as with the other types of "data"
feeds, such as audio, VOIP, etc., are logged in a logging module
and preserved in a local data store as well as monitored by the
Authentication Processes/Access Control Process. Video can also
be streamed from different devices using different transmission
paths, including IP based, BNC (analog), Web and others.
[0091] The EMS Processes are one of several exemplary processes that
reflect the various operating environment(s) into which the systems
and methods described herein may be placed. It should be
appreciated however that these specific operating environment type
processes can be combined with other operating environment type
processes as needed and may be dynamically added at any time. For
example, during boot of the IT/Network and Physical Security
Management System, the environment can be configured through
selection of the specific event type(s). EMS processes cover all
aspects of an incident to at least include personnel, equipment,
org charts, situation reports, lessons learned, scheduling,
mapping, and other related items specific to an event.
[0092] The Mapping Processes allows the integration and display of
map(s) into the Network and Physical Security Management System.
The Mapping Processes at least includes one or more of GIS,
real-time mapping, static mapping, overlaying mapping with various
sets of data either retrieved, input or correlated through AI
Processes onto maps that can be made available to a user(s).
[0093] The Authentication Processes/Access Control process
includes logical and physical authentication through, for example,
various chip processes, including contact and contactless chips, as
well as biometrics that may be attached, embedded and/or
implanted anywhere in the body including the hand and head.
Authentication mechanisms also provide for the tracking of
incrementing and decrementing values as well as storage of finite
values within the authentication medium if a non-biogenic
authentication template, e.g., smartcard, is used. Identities can
be tracked and authenticated through, for example, GUID, UUID,
certificate based processes, or in general any mechanism, locally,
regionally, nationally and internationally. The authentication
medium will also allow for in some cases
multi-user/multi-administration capabilities. Authentication at
both physical and logical layers can include encryption using
standard approved methodologies as well as future encryption
strategies utilizing, for example, nano-technologies or quantum
technologies not only from the controller to the controlling device
(door reader for example), but also from the controlling device to
the controller and/or other operating system that may act as an
intermediary or controller itself. The Authentication Processes
allow for multi-factored authentication mechanisms to include, for
example, what someone knows, what someone has, who someone is,
where a person is, through space and time, through behavioral
analysis as well as other mechanisms. This will allow for
authentication of identities, groups, processes, etc., as well as
physical devices and information sources.
[0094] The Document Processes allow for the creation, viewing and
modification of secured documents through a data labeling process,
as well as the management and classification of documents. For
example, an AI process classifies documents on the fly based on, for
example, certain keywords, origin information, creator information,
content or phrasing, as well as on the classification authority or
creator. Documents identified as secure can be stored in an
encrypted format within the database.
[0095] The Logging Processes support event correlation through a
triage AI process applied to each entry added to the log. Logsets
can be multi-record structures where event correlation takes place
against a set of log entries that may or may not be similar in
nature. Logs can be archived, for example, at the event level, and
the archiving can be fine-tuned to, for example, periods of time.
[0096] The Sensor Processes not only include sensors for
environmental characteristics but also include tracking through
thermal, biologic, pressure and other methods provided through a
sensor interface.
[0097] The Support Processes include failover support,
self-discovery and other system configurations. Support processes
also include all processes that provide for systems administration,
configuration, healing, alerting, balancing or other processes
supporting any of the described processes or modules.
[0098] The Audio Processes allow for the modeling of various audio
characteristics. This can include sound within the range of human
hearing as well as sound outside that range.
[0099] The VOIP Processes allow VOIP communications over one or
more networks to one or more other IMPACT and/or IT/Network and
Physical Security Management System(s). VOIP and Conferencing
services provide internal conferencing capabilities; the only
requirement is connectivity through any available means.
Conferences can be recorded, stored and verified at a later time.
[0100] The AI Processes include rule-set, fact-set, fuzzy and neural
processes used to predict and to identify trends. Intelligent
processes include inferencing technology, neural processes and other
multi-generation intelligence processes. In terms of intelligent
processing there are three layers.
[0101] 1. Triage (real-time): this is performed as raw data is
entered through a process. It is basic yes/no rule-set logic that
can be applied to an individual record very quickly.
[0102] 2. Near real-time: this is performed across multiple records
while data sits in an active local data store. The correlation of
this data can be more complex than simple rule sets and can include
complex nested rule sets as well as applied facts.
[0103] 3. Historical: this takes place against a data mart/warehouse
and/or a regional, national and/or international level data source.
These AI Processes can include not only rule sets and facts, but
fuzzy logic through inferencing and, in some cases, neural
networking, as appropriate.
[0104] AI Processes allow for human and non-human intervention,
alerting and other modifications to configurations, data or other
items designated as modifiable on-the-fly. Expert Systems attempt to
emulate the decision-making abilities of a human expert using
knowledge (facts) and inference procedures (rules). In some cases
other intelligent processes may be used, such as neural networking,
data clumping, associative discovery, etc. AI processes are designed
to find events and trends and to make predictions even where the
data needed to support those predictions does not appear to exist.
[0105] The Data Scrubbing process allows for sanitizing of data by
any means, such as rule based sanitizing.
[0106] The Trending/Prediction Reporting Process can cooperate with
the AI Processes to generate trending and/or prediction reporting
and alerts based on one or more of incident information,
information feeds, activity, data trends or in general any
information received by the IT/Network and Physical Security
Management System.
[0107] The Communications Processes include any method for
communications to include satellite, cellular, wireless, networked,
encrypted, hardened, packet or circuit-switched, or any other
communications process or protocol.
[0108] The Data Stores house data that can be shared with one or
more other data stores. The data stores can store any information
relevant to the IMPACT and the IT/Network and Physical Security
Management Systems, as well as credential issuance system, and in
general any information associated with the systems described
herein.
[0109] In addition to the above higher-level processes,
sub-processes operate within the security system. The exemplary
sub-processes are described below.
[0110] The Record Management process allows entities identified
with "administrator" privileges to administer records. These
records include identity records and administrators can at least
add, delete or modify identities as well as levels of permission,
access control, etc., and in general any feature associated with a
record including the creation, modification or deletion of a
record.
[0111] The Identity Configurations process includes all aspects of
an identity account. These include basic personal information such
as name, DOB and position, access control parameters (including
access points and hours), biometric data, etc. An identity is
directly correlated to a certificate and a GUID/UUID or other
unique identifier. These items are used to correlate identities to
other sets of information through lookups.
[0112] The Permissions Process provides and regulates permissions
to information and/or objects.
[0113] The Access Control process provides both logical and
physical access control to one or more physical areas and/or
computers, computer networks or IT-based systems.
[0114] The Authentication Process determines whether or not an
entity has the authority to access and manage records.
[0115] The Record Management Process includes the ability to add
records, delete records, modify records as well as provides record
navigation and searching functionality.
[0116] The Active Directory Process provides standard Active
Directory structures and extended Active Directory structures. For
example, in an emergency response scenario the security system 1 is
a self-contained network, whereas in other incident management
solutions Active Directory can be integrated into an existing
network structure. In cases where an incident management solution
must control access logically, the security system can act as the
master controller and only push updates to the Active Directory
databases, while, for example, dedicated incident-specific incident
management controllers act as the authenticating mechanisms, thereby
reducing the overall load on the IMPACT system.
[0117] The Physical Access Control Process controls, for example,
disconnected hand-held or other types of credential reading devices
that can be updated, for example, on-the-fly through wireless,
wired or by removable media. The devices can first authenticate to
one another prior to data updating. In other IMPACT scenario
solutions, physical reader controllers can be embedded into the
IMPACT solution and control physical access by a direct or wireless
connection to the terminal reader.
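The mutual authentication that [0117] requires before a disconnected reader accepts an update is shown below as an added example; it is not code from the application or from VETRIX. It assumes a per-reader symmetric key provisioned out of band (the constructed `DEVICE_KEYS` table) and uses an HMAC challenge-response in which each side proves knowledge of the key over both parties' nonces, with distinct role tags so neither proof can be reflected back. Only after both proofs succeed does the reader accept a credential list, which must carry a valid HMAC and a version higher than the one it already holds, so a replayed or rolled-back list pushed over wireless, wire or removable media is rejected. The `Controller`, `Reader` and `run_update` names are this example's own.

```python
import hashlib
import hmac
import json
import secrets

# Per-reader keys provisioned out of band. Constructed for this example; in a
# deployment they would live in hardware-backed storage on each device.
DEVICE_KEYS = {
    "reader-07": bytes.fromhex("a1" * 32),
}


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts so adjacent fields cannot run together."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


class Controller:
    """Update source: authenticates the reader, proves itself, then signs the credential list."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.pending = {}  # reader_id -> controller nonce for the session in progress

    def challenge(self, reader_id: str) -> bytes:
        nonce_c = secrets.token_bytes(16)
        self.pending[reader_id] = nonce_c
        return nonce_c

    def respond(self, reader_id: str, nonce_r: bytes, reader_proof: bytes) -> bytes:
        key = self.keys[reader_id]
        nonce_c = self.pending.pop(reader_id)
        expected = _mac(key, b"reader", reader_id.encode(), nonce_c, nonce_r)
        if not hmac.compare_digest(expected, reader_proof):
            raise PermissionError("reader failed to authenticate")
        # Different role tag and nonce order than the reader's proof, so a proof
        # can never be reflected back to the party that produced it.
        return _mac(key, b"controller", reader_id.encode(), nonce_r, nonce_c)

    def build_update(self, reader_id: str, version: int, allowed_uuids) -> tuple:
        body = json.dumps({"version": version, "allowed": sorted(allowed_uuids)},
                          sort_keys=True).encode()
        return body, _mac(self.keys[reader_id], b"update", reader_id.encode(), body)


class Reader:
    """Disconnected hand-held reader holding one device key and a version counter."""

    def __init__(self, reader_id: str, key: bytes):
        self.id = reader_id
        self.key = key
        self.version = 0
        self.allowed = set()
        self.nonce_c = self.nonce_r = None
        self.peer_ok = False

    def prove(self, nonce_c: bytes) -> tuple:
        self.nonce_c, self.nonce_r = nonce_c, secrets.token_bytes(16)
        return self.nonce_r, _mac(self.key, b"reader", self.id.encode(), nonce_c, self.nonce_r)

    def verify_controller(self, controller_proof: bytes) -> None:
        expected = _mac(self.key, b"controller", self.id.encode(), self.nonce_r, self.nonce_c)
        if not hmac.compare_digest(expected, controller_proof):
            raise PermissionError("controller failed to authenticate")
        self.peer_ok = True

    def apply_update(self, body: bytes, tag: bytes) -> bool:
        """Accept a list only from an authenticated peer, only if intact, only if newer."""
        if not self.peer_ok:
            raise PermissionError("no authenticated peer")
        if not hmac.compare_digest(_mac(self.key, b"update", self.id.encode(), body), tag):
            return False
        update = json.loads(body)
        if update["version"] <= self.version:  # replayed or rolled-back list
            return False
        self.version, self.allowed = update["version"], set(update["allowed"])
        return True


def run_update(controller: Controller, reader: Reader, version: int, allowed) -> bool:
    """The full exchange: challenge, reader proof, controller proof, authenticated update."""
    nonce_c = controller.challenge(reader.id)
    nonce_r, proof = reader.prove(nonce_c)
    reader.verify_controller(controller.respond(reader.id, nonce_r, proof))
    body, tag = controller.build_update(reader.id, version, allowed)
    return reader.apply_update(body, tag)


if __name__ == "__main__":
    ctl = Controller(DEVICE_KEYS)
    rdr = Reader("reader-07", DEVICE_KEYS["reader-07"])
    print(run_update(ctl, rdr, 1, ["uuid-a", "uuid-b"]), sorted(rdr.allowed))
```

The version counter is the part most often left out of field-updatable readers: without it an attacker who captured last month's list can re-push it after a credential has been revoked, and the HMAC will verify. A shared key per reader limits what compromise of one device exposes; a per-site key would not.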
[0118] The Motion Detection Process allows for the configuration of
the sensitivity of the detection grid in one or more connected
video cameras or feeds as well as other options related to motion
detection. The motion detection processes can be defined to slew a
camera to a certain position if motion enabled cameras are
used.
[0119] The Snapshot Process allows snapshotting by extracting a
single frame from a video stream. Snapshotted graphics can be
stored in an encrypted format and checksummed for evidentiary
use.
[0120] The Streaming Process allows video to be streamed to a user
interface within the security system and can be saved in, for
example, a compressed and encrypted format to the data store. Video
can also be checksummed for evidentiary use.
[0121] The Video Interface Process allows a user to manipulate and
view video data. This interface also acts as the record management
interface that allows users to add, delete, modify and navigate
video records, for example, with the use of meta-data, keywords,
etc.
[0122] The Docs Mods Process allows video data stills and in some
cases streamed video data to be included into documents that are
stored within the data store.
[0123] The Camera Control Processes allow camera controlling
through motion detection as well as user remote control of any of
the cameras associated with the security system.
[0124] The Logging Process can support event correlation through a
triage artificial intelligence process applied to each entry added
to the log. Log sets can be multi-record structures where event
correlation takes place against a set of log entries that may or
may not be similar in nature. Logs can be archived at the event
level and/or system level, and the archiving can be fine-tuned to
periods of time.
[0125] The Event Data Process allows management of event data,
comprising basic information pertaining to an event, to include,
for example, incident commander, location, perimeters, zones and
event descriptions.
[0126] The Situation Reporting Process allows situations taking
place during an event to be identified, flagged and tracked.
[0127] The Org Charting Process provides the ability to create and
manage an organizational chart of the incident staffing. Personnel
can be selected to fill slots within the organizational structure.
Also when an individual is selected to fill a role, the role can be
cross-referenced with certifications data that is tied to
personnel. If, for example, the individual is not certified to fill
a role, then, for example, based on an active rule set, the
incident commander can be informed. An incident commander can also
be authorized to override the flag. There can be more than one
organizational chart per event.
[0128] The Personnel/Equipment/Certs Process allows one or more of
personnel, equipment and personnel certifications to be tracked
through an event to include, for example, cost rates, use, renewal
information and other items.
[0129] The Package definition Process allows packages to be defined
by standard definitions, non-standard definitions as well as task
force definitions. Packages can be requested, offered for
deployment and in special circumstances be defined on-the-fly
during and at an incident. Packages are normally defined and then
pushed to, for example, a regional and national data store for
deployment. Packages can also be requested by various agencies to
take part in an event.
[0130] The Historics Process allows for the management and creation
of "lessons learned documents" as well as documents generated
through an artificial intelligence process that correlates useful
information for specific requirements during an incident. This
gives event managers access to data and data mining capabilities
that may uncover information relevant to the incident(s) such as
trending information. Documents can be correlated from local,
regional, national and/or international sources.
[0131] The Graphic Layering process allows graphic overlay(s) to be
added to or taken off of a mapping structure. Layers can represent
different sets of interpolated data.
[0132] The Internet Based Mapping Wrapper Process provides access to
internet-based maps. This provides, for example, an instant mapping
interface that does not require any static map files to be carried
with the security system. Layers can be added to internet-based maps
to represent different sets of data.
[0133] The Data Interpolation Process allows taking data from
different sources, turning that data into coordinate data and then
placing it into a graphic layer to be presented through a mapping
interface. Data can represent sensor locations, boundary locations,
personnel locations, equipment locations, or in general data the
security system has access to.
[0134] The GIS Processing Process allows real-time GPS-related
navigation, as well as other GIS-related mapping processes. For
example, responders can use GPS-enabled tracking devices that can
be represented in a mapping structure. This is useful for deploying,
tracking and recalling responders that may be in hot, warm, cold or
all zones, etc.
[0135] The Graphical Interface Process allows one or more graphic
interfaces to be used to manage records as well as provide for
option selections and a viewing interface for the mapping
modifications.
[0136] The Doc Generation Process allows users to create
spreadsheets, word processing documents, flowchart documents,
graphic documents and other document types. These documents can be
labeled with a security classification and then stored encrypted in
the data stores, where other users with the proper clearance can
then view them. This provides a secured document access control
system that offers security, integrity and reliability as well as
the capability to control document dissemination.
[0137] The Classification Process allows classification labels to
be added to any information within the system and can add a
mandatory access control layer to document control that does not
exist in operating systems offering only discretionary, shared
access control. Each document can be labeled with a classification
and clearance requirement that is tied directly to the data object,
so the requirement travels with the object wherever it is stored.
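The on-the-fly classifier of [0094] and the mandatory label check of [0137] are shown together below as an added example; it is not code from the application or from VETRIX. A label is a level plus a set of compartments, ordered by dominance rather than by a single number, so a SECRET clearance without the OPS compartment cannot read SECRET/OPS material. The keyword rules, document fields and subject names are constructed for the example. The point a practitioner should take from it is in `can_read`: a discretionary share (the `shared_with` set) is necessary but never sufficient, because the mandatory check is evaluated against the label bound to the object itself.

```python
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Classification level plus compartments; a partial order, not a single number."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the higher level and the union of compartments."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


# Constructed keyword rules standing in for the on-the-fly classifier of [0094].
KEYWORD_RULES = [
    ("incident commander roster", Label("CONFIDENTIAL")),
    ("perimeter breach", Label("SECRET", frozenset({"OPS"}))),
]


def classify(text: str, declared: Label = Label("UNCLASSIFIED")) -> Label:
    """Join of every matching rule with the label the creator declared; never lower."""
    label = declared
    lowered = text.lower()
    for keyword, rule_label in KEYWORD_RULES:
        if keyword in lowered:
            label = join(label, rule_label)
    return label


@dataclass
class Document:
    doc_id: str
    label: Label                                   # the requirement travels with the object
    body: str
    owner: str
    shared_with: set = field(default_factory=set)  # discretionary layer only


@dataclass
class Subject:
    name: str
    clearance: Label


def _dac(subject: Subject, doc: Document) -> bool:
    return subject.name == doc.owner or subject.name in doc.shared_with


def can_read(subject: Subject, doc: Document) -> bool:
    """Discretionary grant AND mandatory dominance; sharing never overrides the label."""
    return _dac(subject, doc) and subject.clearance.dominates(doc.label)


def can_write(subject: Subject, doc: Document) -> bool:
    """No write down: a subject may add content only to objects labeled at or above
    its own clearance, so SECRET material cannot be copied into an UNCLASSIFIED file."""
    return _dac(subject, doc) and doc.label.dominates(subject.clearance)


def create(owner: Subject, doc_id: str, text: str,
           declared: Label = Label("UNCLASSIFIED")) -> Document:
    """Label at creation time from the classifier and the creator's declared label."""
    return Document(doc_id, classify(text, declared), text, owner.name)
```

`can_write` implements the strict form of the no-write-down rule; real deployments often relax it by letting a subject work at a lower "current" level than its maximum clearance, but the dominance check stays the same.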
[0138] The Sensor Data Parsing Process allows data entering the
security system from any information feed, such as a sensor feed,
to be parsed into data that can be represented in a graph series.
Parsing can be unique to the sensor type and manufacturer. To parse
data effectively, the manufacturer's data schema can be processed
and stored into a retrievable data structure that can be matched
on-the-fly to the sensor.
[0139] The Sensor Chart Generation Process allows the
representation of sensor data through a graph series. Each graph
can hold multiple series and update in real-time based, for
example, on parsed data.
[0140] The Sensor GUI Interface Process allows a sensor GUI to act
as the record management facility as well as the interface for
sensor graphs that can depict real-time sensor feeds for a variety
of sensor types.
[0141] The Logging/Alerting Services Process is specific to
application processes and specific server processes. To configure
logging and alerting, administrators select an event type and then
apply a rule to the event. Then, based, for example, on the
relationship between a metric and the event, alarms can be
triggered, actions activated, and alerts sent to one or more
individuals, entities or groups thereof.
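The first two intelligence layers of [0101] and [0102], the per-entry triage of [0095]/[0124], and the event-type rule plus metric threshold of [0141] can all be seen in one short pipeline. The code below is an added example, not code from the application or from VETRIX; the log records, site, threshold and after-hours policy are constructed. Layer 1 is a yes/no rule per event type applied to a single record; layer 2 keeps each identity's recent records in a window and computes two metrics over them: repeated denied reads of one credential, and the converged check that a credential badged in at the site should not also be logging in remotely minutes later. The historical layer of [0103] is not shown.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log mixing physical (door) and logical (VPN) records for
# two identities, keyed by the same UUID the credential carries.
LOG = [
    {"ts": "2017-08-17T02:10:00", "type": "door.read", "uuid": "u-42", "site": "HQ", "result": "denied"},
    {"ts": "2017-08-17T02:10:20", "type": "door.read", "uuid": "u-42", "site": "HQ", "result": "denied"},
    {"ts": "2017-08-17T02:10:45", "type": "door.read", "uuid": "u-42", "site": "HQ", "result": "denied"},
    {"ts": "2017-08-17T08:00:00", "type": "door.read", "uuid": "u-42", "site": "HQ", "result": "granted"},
    {"ts": "2017-08-17T08:04:00", "type": "vpn.login", "uuid": "u-42", "site": "REMOTE", "result": "success"},
    {"ts": "2017-08-17T08:05:00", "type": "vpn.login", "uuid": "u-77", "site": "REMOTE", "result": "success"},
]

AFTER_HOURS = range(0, 6)  # 00:00 to 05:59; a constructed site policy


def ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


# Layer 1, triage: one yes/no rule per event type, evaluated against a single record.
TRIAGE_RULES = {
    "door.read": lambda e: e["result"] == "denied" and ts(e).hour in AFTER_HOURS,
    "vpn.login": lambda e: e["result"] != "success",
}


def triage(event: dict):
    rule = TRIAGE_RULES.get(event["type"])
    if rule and rule(event):
        return {"rule": "triage:" + event["type"], "uuid": event["uuid"], "ts": event["ts"]}
    return None


# Layer 2, near real-time: correlation across the records an identity produced recently.
class Correlator:
    def __init__(self, denial_window=timedelta(seconds=60), denial_threshold=3,
                 presence_window=timedelta(minutes=10)):
        self.denial_window = denial_window
        self.denial_threshold = denial_threshold
        self.presence_window = presence_window
        self.recent = defaultdict(deque)  # uuid -> recent (datetime, event) pairs

    def correlate(self, event: dict) -> list:
        alerts = []
        now, uid = ts(event), event["uuid"]
        q = self.recent[uid]
        q.append((now, event))
        horizon = now - max(self.denial_window, self.presence_window)
        while q and q[0][0] < horizon:      # drop records outside every window
            q.popleft()

        # Metric: denied reads by this credential inside the denial window.
        denials = [e for t, e in q if e["type"] == "door.read" and e["result"] == "denied"
                   and now - t <= self.denial_window]
        if event["type"] == "door.read" and len(denials) >= self.denial_threshold:
            alerts.append({"rule": "repeated_denials", "uuid": uid,
                           "count": len(denials), "ts": event["ts"]})

        # Converged check: badge-in at HQ followed by a remote login for the same identity.
        if event["type"] == "vpn.login" and event["result"] == "success" and event["site"] != "HQ":
            inside = [e for t, e in q if e["type"] == "door.read" and e["result"] == "granted"
                      and e["site"] == "HQ" and now - t <= self.presence_window]
            if inside:
                alerts.append({"rule": "badge_in_then_remote_login", "uuid": uid,
                               "badge_ts": inside[-1]["ts"], "ts": event["ts"]})
        return alerts


def run(log) -> list:
    """Feed records through both layers in arrival order; return every alert raised."""
    corr = Correlator()
    alerts = []
    for event in sorted(log, key=ts):
        hit = triage(event)
        if hit:
            alerts.append(hit)
        alerts.extend(corr.correlate(event))
    return alerts


if __name__ == "__main__":
    for alert in run(LOG):
        print(alert)
```

On the constructed log the pipeline raises three triage hits for the after-hours denials, one `repeated_denials` alert on the third denial, and one `badge_in_then_remote_login` alert for u-42; the remote login by u-77, who never badged in, raises nothing. The converged rule is only possible because both feeds are keyed by the same credential identifier, which is the practical payoff of the unified credentialing the application describes.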
[0142] The Identify Facts and Factsets Process allows processing of
facts and fact sets that are known or defined facts about an expert
domain.
[0143] The Build Rules and Rulesets Process allows for inferencing
processes to take place.
[0144] The Apply Fuzzy Definitions Process allows for the
application of intelligence to address non-linear problems.
[0145] The Define Training Requirements Process allows for the
training of one or more neural networks.
[0146] The Stream Analysis Process allows for the capability to
determine direction and distance of sounds as well as the sound
type. Audio streams can be used as alerting features and can be
saved in an encrypted format into a data store and checksummed to
prove authenticity in the future.
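Paragraphs [0119], [0120] and [0146] each say a snapshot, video stream or audio stream is checksummed so its authenticity can be proven later. A bare checksum only catches accidental corruption: anyone who can rewrite the stored bytes can recompute it. The added example below (not code from the application or from VETRIX) seals each captured payload with its capture metadata under an HMAC using a key that is assumed to be held outside the capture host, and chains consecutive records so that deleting or reordering frames is also detectable. The key, camera identifier and frame bytes are constructed. Encryption at rest, which the paragraphs also call for, is out of scope here; it would wrap the payload with an AEAD without changing the integrity structure shown.

```python
import hashlib
import hmac
import json

# Constructed evidence key; in practice held in an HSM or KMS and never on the
# capture host, so an intruder on that host cannot re-seal altered frames.
EVIDENCE_KEY = bytes.fromhex("3c" * 32)


def _canon(header: dict) -> bytes:
    """Canonical JSON so the same header always produces the same bytes to MAC."""
    return json.dumps(header, sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, payload: bytes, source: str, captured_at: str, prev_tag=None) -> dict:
    """Bind payload bytes, capture metadata and the previous record's tag under one HMAC."""
    header = {
        "source": source,
        "captured_at": captured_at,
        "sha256": hashlib.sha256(payload).hexdigest(),  # the plain checksum of [0119]/[0120]
        "prev": prev_tag,                                 # chain link; None for the first record
    }
    tag = hmac.new(key, _canon(header), hashlib.sha256).hexdigest()
    return {"header": header, "tag": tag, "payload": payload}


def verify(key: bytes, record: dict, prev_tag=None) -> tuple:
    header = record["header"]
    expected = hmac.new(key, _canon(header), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        return False, "tag mismatch: header rewritten without the key"
    if hashlib.sha256(record["payload"]).hexdigest() != header["sha256"]:
        return False, "payload bytes differ from sealed digest"
    if header["prev"] != prev_tag:
        return False, "chain broken: record missing, reordered or from another stream"
    return True, "ok"


def seal_stream(key: bytes, captures, source: str) -> list:
    """captures: iterable of (captured_at, payload). Each record chains to the one before."""
    records, prev = [], None
    for captured_at, payload in captures:
        rec = seal(key, payload, source, captured_at, prev)
        records.append(rec)
        prev = rec["tag"]
    return records


def verify_stream(key: bytes, records) -> tuple:
    """Returns (ok, index, reason); index is the first bad record, or the count on success."""
    prev = None
    for i, rec in enumerate(records):
        ok, reason = verify(key, rec, prev)
        if not ok:
            return False, i, reason
        prev = rec["tag"]
    return True, len(records), "ok"


def forge_without_key(record: dict, new_payload: bytes) -> dict:
    """What an attacker with file access but no key can do: swap bytes, fix the checksum."""
    header = dict(record["header"], sha256=hashlib.sha256(new_payload).hexdigest())
    return {"header": header, "tag": record["tag"], "payload": new_payload}


# Constructed captures: three consecutive frames from one camera.
FRAMES = [
    ("2017-08-17T08:00:00.000", b"\x89PNG frame-0 bytes"),
    ("2017-08-17T08:00:00.040", b"\x89PNG frame-1 bytes"),
    ("2017-08-17T08:00:00.080", b"\x89PNG frame-2 bytes"),
]

if __name__ == "__main__":
    recs = seal_stream(EVIDENCE_KEY, FRAMES, "cam-3")
    print(verify_stream(EVIDENCE_KEY, recs))
    recs[1] = forge_without_key(recs[1], b"\x89PNG replaced")
    print(verify_stream(EVIDENCE_KEY, recs))
```

For evidence that must be verifiable by a party who should not hold the sealing key (a court, an outside auditor), the HMAC would be replaced by a digital signature over the same canonical header; the chaining and the separation of key from capture host are unchanged.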
[0147] The Audio GUI Process allows an audio GUI(s) to act as the
record management facility as well as the graphic interface that
allows users to configure and process audio data. Audio data can be
collected from different sources.
[0148] The VOIP/Video Conference process allows audio and/or video
communications between connected security systems. A specific
security system can itself act as a collector for conversations
from other end points. The security system can then trunk the
communications into a stream of data that can be sent out to one or
more participants.
[0149] The Reporting Process allows generation of different types
of reports.
[0150] Ad Hoc--Ad Hoc reports show the user exactly what is on
screen in the same state as the data container. For example, if a
data grid is grouped and/or filtered then the report view will be
of the grouped and filtered set of data. These reports are designed
for on-the-fly, real-time reporting.
[0151] Formatted--These reports are pre-defined and have a more
professional look than ad hoc reports. These are the reports that
are sent to others as a more formal document.
[0152] Metric based--These reports correlate data into a pivot grid
like report structure. These reports are good for tracking certain
sets of data over time.
[0153] Charts--These reports are charts that may be formatted as
histograms, pie charts, bar charts, etc.
[0154] The reporting interface allows the user to define the report
type and the data to collect, as well as to save the report
internally or export it to other data formats.
[0155] The Data Request Process builds the SQL (or other) statement
that requests data from a backend. Queries may be simple, complex,
nested, multi-dimensional, etc., and will take into account future
data extraction technologies.
[0156] The exemplary Transaction Process allows adding, deleting
and modifying identities and other records and follows a
straightforward transaction process. The process provides for the
guarantee of the integrity and reliability of data and meets the
federal identity verification standards issued under HSPD-12 for a
government environment.
[0157] Exemplary Components include:
[0158] 1. Transaction tracking mechanism (GUID, UUID, or any
certificate).
[0159] 2. Authentication medium (smartcards, chips, and any other
data storage medium, whether embedded, attached, not attached,
etc.).
[0160] 3. Authentication factor (something a person has, something
a person knows, who a person is, time, space, etc.).
[0161] 4. Storage media (relational data structures, Active
Directory, chips and other media).
Integrity and reliability of identity information can be ensured
through transaction and data tracking across storage devices and
authentication media through the use of:
[0162] 1. GUIDs--globally unique identifiers
[0163] 2. UUIDs--universally unique identifiers
[0164] 3. Certificates (any type)
[0165] 4. Other unique markers as they are developed.
GUIDs, UUIDs, certificate(s) and other markers can be used to
uniquely identify an identity across local, regional, national and
international structures, whether those structures are storage
structures or authentication media. An identity can be uniquely
correlated through connected or disconnected space and time through
any of the above markers. Because certain attributes of personal or
private data cannot be transmitted in some cases, the unique
marker/identifier provides a means to validate an identity without
the loss or compromise of sensitive data. If sensitive data needs
to be accessed, the unique marker/identifier can be used as a
lookup key into a storage medium or an authentication medium that
holds the additional sensitive data.
[0166] By using these markers and identifiers it is possible to
replicate identities across multiple remote data stores locally,
regionally, nationally or internationally without losing integrity.
This also allows for near real-time updates for immediate identity
visibility.
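The separation described in [0165] and [0166], a unique marker that validates an identity at a remote store while the sensitive attributes stay at the home store, and replication that preserves integrity, is illustrated below as an added example; it is not code from the application or from VETRIX. The home record keeps the PII; only a projection (the marker, a certificate fingerprint, clearance, access points and a version) is replicated. A remote reader validates by looking up the marker and comparing the fingerprint of the certificate the credential presents, and each replica rejects a projection whose version is not newer than what it holds, so out-of-order or replayed replication cannot silently revert a revocation. The record fields, store names and certificate bytes are constructed.

```python
import hashlib
import hmac
from dataclasses import asdict, dataclass

PII_FIELDS = ("name", "dob")


@dataclass
class IdentityRecord:
    """Home-store record. PII lives here only; the marker (uid) is what travels."""
    uid: str                 # GUID/UUID issued at enrollment
    version: int             # incremented on every change at the home store
    cert_fingerprint: str    # SHA-256 of the credential certificate (DER bytes)
    clearance: str
    access_points: tuple
    name: str = ""
    dob: str = ""


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def projection(rec: IdentityRecord) -> dict:
    """Replication payload: what a remote store needs to validate, nothing it must protect."""
    data = asdict(rec)
    for f in PII_FIELDS:
        data.pop(f)
    return data


class ReplicaStore:
    """A regional or national store that only ever receives projections."""

    def __init__(self, name: str):
        self.name = name
        self.records = {}

    def upsert(self, proj: dict) -> bool:
        current = self.records.get(proj["uid"])
        if current is not None and proj["version"] <= current["version"]:
            return False  # stale or replayed replica update; keep the newer state
        self.records[proj["uid"]] = dict(proj)
        return True

    def validate(self, uid: str, cert_der: bytes, access_point: str) -> bool:
        """Remote reader: look up by marker, match the presented certificate, check the point."""
        rec = self.records.get(uid)
        if rec is None:
            return False
        if not hmac.compare_digest(rec["cert_fingerprint"], fingerprint(cert_der)):
            return False
        return access_point in rec["access_points"]

    def has_pii(self, uid: str) -> bool:
        return any(f in self.records.get(uid, {}) for f in PII_FIELDS)


def replicate(rec: IdentityRecord, stores) -> dict:
    """Push one projection to every store; the result says which stores accepted it."""
    proj = projection(rec)
    return {s.name: s.upsert(proj) for s in stores}


# Constructed enrollment: the certificate bytes are a placeholder, not real DER.
CERT_DER = b"\x30\x82\x01\x00 placeholder certificate for u-42"
HOME = IdentityRecord(uid="u-42", version=1, cert_fingerprint=fingerprint(CERT_DER),
                      clearance="SECRET", access_points=("HQ-D1",),
                      name="A. Responder", dob="1980-01-01")

if __name__ == "__main__":
    regional, national = ReplicaStore("regional"), ReplicaStore("national")
    print(replicate(HOME, [regional, national]))
    print(regional.validate("u-42", CERT_DER, "HQ-D1"), regional.has_pii("u-42"))
```

A fingerprint comparison proves only that the presented certificate is the enrolled one; the reader still has to verify that the credential holds the matching private key (the chip-based authentication of [0093]) before the marker lookup means anything. Revocation is propagated the same way as any other change: bump the version, replicate the projection.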
[0167] While the above-described flowcharts have been discussed in
relation to a particular sequence of events, it should be
appreciated that changes to this sequence can occur without
materially affecting the operation of the invention. Additionally,
the exact sequence of events need not occur as set forth in the
exemplary embodiments, but rather the steps can be performed by one
or more of the elements described. Additionally, the exemplary
techniques illustrated herein are not limited to the specifically
illustrated embodiments but can also be utilized with the other
exemplary embodiments and each described feature is individually
and separately claimable.
[0168] The above-described system can be implemented on one or more
secured, hardened and/or unsecured computer systems and related
components, and may be connected to other systems, data feeds,
network(s), etc., via a secure or unsecured or encrypted wired
and/or wireless wide/local area network system, a satellite
communication system, a modem, or the like, or on a separate
programmed general purpose computer having a communications
device.
[0169] Additionally, the systems, methods and protocols of this
invention can be implemented on a special purpose computer(s), a
programmed microprocessor or microcontroller and peripheral
integrated circuit element(s), an ASIC or other integrated circuit,
a digital signal processor, a hard-wired electronic or logic
circuit such as discrete element circuit, a programmable logic
device such as PLD, PLA, FPGA, PAL, any comparable means, or the
like. In general, any device capable of implementing a state
machine that is in turn capable of implementing the methodology
illustrated herein can be used to implement the various systems and
techniques described in relation to this invention.
[0170] Furthermore, the disclosed methods may be readily
implemented in software using object or object-oriented software
development environments that provide portable source code that can
be used on a variety of computer or workstation platforms.
Alternatively, the disclosed system may be implemented partially or
fully in hardware using standard logic circuits or VLSI design.
Whether software or hardware is used to implement the systems in
accordance with this invention is dependent on the speed and/or
efficiency requirements of the system, the particular function, and
the particular software or hardware systems or microprocessor or
microcomputer systems being utilized. The systems, methods and
protocols illustrated herein can be readily implemented in hardware
and/or software using any known or later developed systems or
structures, devices and/or software by those of ordinary skill in
the applicable art from the functional description provided herein
and with a general basic knowledge of the computer and logical and
physical security arts.
[0171] Moreover, the disclosed methods may be readily implemented
in software that can be stored on a storage medium and executed on
a programmed general-purpose computer with the cooperation of a
controller and memory, a special purpose computer, a
microprocessor, or the like. In these instances, the systems and
methods of this invention can be implemented as a program embedded
on a personal computer, such as an applet, JAVA.RTM. or CGI script,
as a resource residing on a server or computer workstation, as a
routine embedded in a dedicated communication system or system
component, or the like. The system can also be implemented by
physically incorporating the system and/or method into a software
and/or hardware system, such as the hardware and software systems
of a security system.
[0172] It is therefore apparent that there has been provided, in
accordance with the present invention, systems and methods for
combined IT/Network and physical security management. While this
invention has been described in conjunction with a number of
embodiments, it is evident that many alternatives, modifications
and variations would be or are apparent to those of ordinary skill
in the applicable arts. Accordingly, it is intended to embrace all
such alternatives, modifications, equivalents and variations that
are within the spirit and scope of this invention.
* * * * *