Introduction to NCST
In the increasingly connected world we operate in, the products we trust with our security are more and more reliant on ubiquitous connectivity in order to fulfil their core functions. When these technologies, which are often capable of capturing personally identifiable information, biometrics and pattern-of-life information, are connected to other security systems, corporate networks or the internet, they can present an increased, and sometimes intolerable, security risk.
NPSA and NCSC have written guidance about these Network Connected Security Technologies (NCST).
Selecting an NCST
When selecting an NCST, there are a number of different factors which will be considered. While price and functionality will be a strong driving factor, it is critical that security of both the device and its deployment are considered to keep both your network and physical security system secure.
NPSA does not offer advice on 'Vendors of Concern' nor specific manufacturers. The guidance documents cover security concerns that arise from using networked security equipment, allowing high levels of connectivity into security systems and allowing data to be stored and processed in a country that does not have GDPR equivalency.
NCST (including, but not limited to, Video Surveillance Systems) are highly functional computers which are connected to a network and need to be suitable protected, regardless of the manufacturer. This means that an understanding needs to be gained on:
- How the device is network connected
- What is it collecting data on (both visual information such as what can a camera 'see' and meta data)
- Where it is sending, processing and processing this data
Sites deploying NCST need to consider the security risk of utilising networked connected security equipment, the architecture of their networks, the choice of their manufacturer and the functions/features they are selecting.
Independent Legal Opinion
NPSA have additionally commissioned independent legal opinion from law firm Kingsley Napley covering considerations under UK data protection law and the Modern Slavery Act 2015 for UK-based organisations using networked Video Surveillance Systems (VSS) (broadly referred to as Visual Surveillance Technology by Kingsley Napley).
These documents were commissioned to assist those utilising VSS, in particular where those systems have been manufactured or are managed by vendors based in countries with different data protection regimes, and/or where state bodies may seek to exploit access to VSS by virtue of domestic legal powers, or full or partial state ownership.