CONVERGED LOGICAL AND PHYSICAL SECURITY

Abstract

A security management system that includes a hierarchical security platform, converged IT and physical security management, unified credentialing, credential issuance and incident(s) management. An exemplary aspect of the invention also relates to physical and logical security management and information technology/network security management, with a credential issuance and integrity checking system as well as associated readers and printers of the credential. Still further aspects of the invention relate to obtaining, assembling and analyzing one or more of data, video information, image information, biometric information, sensor information, terrorist information, profile information, and/or other types of information to provide a comprehensive platform for all aspects of security management. A toolkit is also provided that allows complete management, integration, scalability, interoperability and centralized control of all aspects of security including personnel credentialing, personnel management, personnel tracking, task management, security system integration, security information exchange and scalability.

Claims

1. A converged physical and logical security management server, comprising: at least one microprocessor, input device and output device and capable of storing data in and retrieving data from a data store and two-way communication with a plurality of security management devices and with one or more access controllers and configured to store a unique identifier having associated therewith authentication and authorization information that includes at least two configuration options to control at least one access decision for a physical area and for a logical area and a directory service associated with the data store and configured to make a physical area access decision using one of the at least two configuration options and a logical area access decision using a second authentication and authorization information.

2. The server of claim 1, further comprising a credential issuance system that can associate additional information with the unique identifier.

3. The server of claim 2, wherein the additional information pertains to one or more of personnel and equipment.

4. The server of claim 3, wherein additional information about the personnel comprises one or more of fingerprint information, name, credentials, certifications, biometric information, access information, a picture, background information and medical information.

5. The server of claim 1, wherein the unique identifier is associated with at least one of a contact or contactless chip, a bar code, printed data, a proximity chip, a magnetic stripe, a token and computer readable information.

6. The server of claim 1, wherein the configuration options include one or more of a card ID, card certificate, username and AccessID.

7. The server of claim 1, wherein one or more of personnel, tasks, equipment, and access to a secure area are controlled.

8. The server of claim 1, wherein one or more of a fingerprint capture system, a camera, a PIN capture system, a signature capture system, a document scanner, a card reader/writer, a card printer and a report printer is capable on communicating therewith through an input device.

9. The server of claim 1, wherein the server is capable of being used in a system where the unique identifier is stored on a smart card, smart chip, embedded chip, mobile device or implanted chip.

10. The server of claim 1, wherein the information associated with the unique identifier is verified through a government entity.

11. The server of claim 1, further comprising a rules toolkit, the toolkit allowing a user to construct one or more rules.

12. The server of claim 1, further comprising an interface configured to communicate with the one or more of an existing enterprise physical security system and an existing enterprise computer system.

13. The server of claim 1, further being configured for two-way communication with one or more of a satellite, VOIP system, switch-based network communication system and packet-based network system.

14. The server of claim 1, further being configured to be booted into a plurality of modes.

15. The server of claim 1, wherein the server provides security for one or more of chemical, drinking water and wastewater treatment systems, energy facilities, dams, commercial nuclear reactors, water sectors, process manufacturing, emergency services, public health and healthcare, continuity of government, government facilities, defense facilities, defense industrial base, information technology, telecommunications, converged facilities, national monuments and icons, postal and shipping, banking and finance, commercial facilities, materials and waste facilities, transportation systems, port security, aviation security, cargo, cruise ships, trains, mass transit, Intermodal, food and agriculture facilities, military facilities, first responders, police, fire control access to a machine and OSHA Compliance.

16. The server of claim 1, wherein the data store is one of located within and without the server.

17. The server of claim 1, wherein the physical area is one of a room, a hallway, a closet, a paddock, a building, a vehicle, and a secure space.

18. The server of claim 1, wherein the at least two configuration options relate to networks, systems and/or physical access control to include one or more of hours of access, security zones, and accessible domains.

19. The server of claim 1, wherein the one or more access controllers is one of located within and without the server.

20. The server of claim 1, wherein the one or more access controllers is at least one of connected to the at least one microprocessor by an ethernet connector.

21. The server of claim 1, wherein the one or more access controllers communicate with remote with the one or more security management devices as directed by the one or more microprocessors.

22. The server of claim 21, wherein the communication occurs in a protocol native to the one or more security management devices.

23. The server of claim 1, wherein the server is one of a traditional server and an appliance.

24. The server of claim 1 is at least one of logically connected, directly connected, indirectly connected via one or more intermediary components, and wirelessly connected to one or more access controllers.

25. The server of claim 1, wherein the data store is coded in the SQL language.

26. The server of claim 1, wherein the directory service is active directory.

27. The server of claim 1, wherein the security management devices include at least one of an electronic lock, a firewall, a camera, or a password protected, a laptop, a workstation, a tablet, and a smart phone.

28. A converged physical and logical security management system comprising: a security management server including at least one microprocessor and at least one input device and at least two output devices; the security management server capable of storing data in a data store and retrieving data from said data store; the security management server capable of two-way communication with one or more security management devices; the security management server configured to store a unique identifier having associated therewith authentication and authorization information that controls access decisions for a physical area and logical access to one or more of a computer, computer network or network resource, the authentication and authorization information including at least two configuration options; the security management server further configured to determine at least one access decision for the physical area and at least one logical access decision for the one or more of the computer, the computer network and the network resource; the security management server connected to one or more access controllers that are capable of communicating in a standard protocol and capable of communicating with the one or more access controllers in the standard protocol; wherein the security management server also includes a directory service associated with said data store and configurable to make the at least one access decision for an access request to the physical area, utilizing a first authentication and authorization information to select one of the at least two configuration options within said data store of the security management server for a physical access decision, and for logical access, a second, separate access decision, utilizing a second authentication and authorization information of the at least two configuration options within the directory service of the security management server for a logical access decision; wherein the security management server is configured to perform artificial intelligence (AI) processes that attempt to emulate the decision making abilities of a human expert using knowledge (facts) and inference procedures (rules), said AI processes comprising one or more of neural networking, data clumping, and associative discovery; and wherein and the security management server is further configured to perform a trending/prediction reporting process in cooperation with said AI processes to generate trending and/or prediction reporting.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0023] The exemplary embodiments of the invention will be described in detail, with reference to the following figures wherein:

[0024] FIG. 1 is an overview of the exemplary security system according to this invention.

[0025] FIG. 2 illustrates exemplary components that can be associated with a credential according to this invention.

[0026] FIG. 3 illustrates an exemplary credential issuance system according to this invention.

[0027] FIG. 4 illustrates in greater detail the components of the IT/Network and Physical Security Management system according to this invention.

[0028] FIG. 5 illustrates in greater detail the IMPACT system according to this invention.

[0029] FIGS. 6-37 illustrate exemplary graphical user interfaces associated with this invention.

[0030] FIG. 38 illustrates an exemplary relational database structure according to this invention.

[0031] FIG. 39 illustrates exemplary data flow processes according to this invention.

[0032] FIG. 40 illustrates an exemplary credential shield according to this invention.

DETAILED DESCRIPTION

[0033] The exemplary embodiments of this invention will be described in relation to security management. However, it should be appreciated, that in general, the systems and methods of this invention will work equally well for any type of communication system in any environment.

[0034] The exemplary systems and methods of this invention will also be described in relation to security management and the components, sensors, hardware, software and data feeds associated therewith. However, to avoid unnecessarily obscuring the present invention, the following description omits well-known structures and devices that may be shown in block diagram form or otherwise summarized.

[0035] For purposes of explanation, numerous details are set forth in order to provide a thorough understanding of the present invention. It should be appreciated however that the present invention may be practiced in a variety of ways beyond the specific details set forth herein.

[0036] Furthermore, while the exemplary embodiments illustrated herein show the various components of the system collocated, it is to be appreciated that the various components of the system can be located at distant portions of a distributed network, such as a telecommunications network and/or the Internet, or within a dedicated secure, unsecured and/or encrypted system. Thus, it should be appreciated that the components of the system can be combined into one or more devices, or collocated on a particular node of a distributed network, such as a telecommunications network. As will be appreciated from the following description, and for reasons of computational efficiency, the components of the system can be arranged at any location within a distributed network without affecting the operation of the system. For example, the various components and functions associated therewith can be divided between one or more of the described systems, can be load balanced between one or more security systems and can be networked between on or more security systems, devices, or some combination thereof. Similarly, one or more functional portions of the system could be distributed between a plurality of geographically separate systems.

[0037] Furthermore, it should be appreciated that the various links, including any communications channels connecting the elements can be wired or wireless links, (including satellite based link(s) or any combination thereof, or any other known or later developed element(s) that is capable of supplying and/or communicating data to and from the connected elements. The term module as used herein can refer to any known or later developed hardware, software, firmware, or combination thereof that is capable of performing the functionality associated with that element. The terms determine, calculate and compute, and variations thereof, as used herein are used interchangeably and include any type of methodology, process, mathematical operation or technique. It should also be appreciated that various levels of redundancy and portability can be included with the system, as well as a shock mount case for emergency drops to remote locations, such as battery back-up, multi-national power supplies, recharging capabilities, and a plurality of communication options.

[0038] FIG. 1 illustrates an exemplary security system 1. The security system includes an IT/Network and Physical Security management System 100, an Incident Management Perimeter Access Control and Tracking module 200 and a credential issuance system 300. The IT/Network and Physical Security management System 100 can be connected, via one or more of network 10 and links 5, to one or more additional IT/Network and Physical Security Management Systems as well as an identity proofing module 11, one or more sensors 12, a unified credential 13, one or more access control readers 14 (which can govern physical as well as network/computer access), one or more cameras and/or video cameras or feeds 15, existing enterprise IT security system(s) 16, existing enterprise security systems 17, such as building access systems and alarm systems 18 and associated annunciators 19 and devices.

[0039] FIG. 2 illustrates an exemplary credential 200, and some of the types of information and information carrying devices associated therewith. For example, the credential can include one or more of a contact-based chip, embedded chip(s), implanted chip(s), bar code(s), printed data, picture(s), a proximity chip, a magnetic stripe and a contactless chip. Each of the information carrying devices have certain associated advantages and disadvantages and can be chosen, for example, based on the expected operating environment, environmental conditions, data to be stored thereon, security requirements and the like. The credential can be any one or more of a smart card, smart chip and embedded chip. The security system can automatically recognize the card type, issuing agency, format, etc., as well as what authorized information can be read. This allows for multi-administrators, multi-use, multi-readers and multi-sections (with each section have different access permissions), i.e., an e-passport.

[0040] While certain embodiments are described in relation to the exemplary credential, other options are also available. For example, although a uniform visual card design is desirable, experience indicates that while the flash-pass capabilities are important, more crucial is the uniformity of the information programmed into the smart card/smart chip/embedded/implanted chip. The credential issuance system can abstract the desired data into containers or sectors of the credential that are programmed into the smart card chip, some with varying degrees of protection for very sensitive data like biometric templates. These credentials/certificates are thus immediately usable at the incident site(s), not within some delayed time period, such as 24 hours. Revocation can also be immediate. Interoperability with other standards-based cards can be a key architecture principle.

[0041] While a standard template can be defined, other templates may be added. For example, while one jurisdiction may choose to store encrypted fingerprint, iris scan, hand geometry or facial recognition, including any biometric, in an encrypted card container, another jurisdiction may utilize the same space on the card for emergency medical treatment information. The ability of the credential issuance system to discern the differences between the two card types described is a unique feature that can be enabled as required. Thus, different entities can have different permissions to access different portions of one or more containers or sectors of the same card. Highlights of an exemplary credential include:

TABLE-US-00001 Data Capture and Issuance Optional Version for Contact Chip Works with the Credential Issuance System for Printing/Lamination-Enables ‘One Button’ Print/Program Works with IMPACT and the IT/Network and Physical Security Management System for Contactless 13.56 MHz Chip and other embedded/implanted chips Authorization & Tracking Unique Identifier by Individual Global Unique Identifier (GUID) or Optional Cardholder Unique Identifier (CHUID) Digital Certificate Follows PKCS11 Standard-and all future standards, technologies or certificates as them become available Lifecycle Operations Secure Identity Management System (IdMS) Secure Containers for Data on Chip Works with IMPACT and the IT/Network and Physical Security Management System Reprogram or Update Data in Field or Centrally Real-time Validation of Digital Certificate Verification through, for example, a third-party Rapid Provisioning and Termination of Privileges-NOT 24 hours Maintain High ‘Level of Trust’ Manage Data on Card, in IdMS or both • Portable and Fixed Base • Modular • Secure Pre-Issue Multi-function Credential or Onsite Verify Identity Verify Authorizations Ensure ‘Level of Trust’ Create Photo ID or Smart Card Badge for this Incident Update Smart Card Chip if 2nd Incident Visual Grouping by Skill or Responsibility Utilize for Physical and Logical Access Stored X.509 or PKCS11 Certificates-and all future certificates as they become available Match-on-Card Biometrics Smart Card/Smart Chip/Embedded Chip and use of SQL and the and active directory Registrar Functionality Sponsors Submit Applicant's Background Check Info Registrar Collects Identity Information In-Person Fingerprints and 1-9 Documents System Tracks Status of Application Notification When NACI Complete ID Management System Active Directory Link Revalidation Dates, Moves, Adds, Changes, Terminations Distribution of Applications PIN Resets Robust Member Search and Auditing Capability SQL or SQL Link File/Data transfers

[0042] Write IMPACT is an application that allows for the reading and writing of contact and contactless smart cards.

[0043] Exemplary Components:

1. Client software that allows for writing and reading data, acquiring biometric data and specifying certifications.
2. Data backend for storing data in either a connected or disconnected state.
3. Interfacing for smartcards.
Write Impact has the capability to write and read contact/contactless smartcards that meet a variety of standards to include HSPD-12, Mifare, Desfire, Smart MX and others.

[0044] Due to card storage size and end user requirements, a matrixing solution has been developed that allows users to add a large amount of data into limited space on the smartcard chip. The matrix allows for defining a mapping solution from the application to the card's database and vice-versa. This allows agencies to define their own data and enter it into the chip of a card while not using the space required to enter that data. An example would be: Denver Sheriff Department wants to track certain certifications that they have developed. The exemplary certification is broken down to a 3 or 4 (or in general any) digit number or lettering scheme that designates that the certification is local, that the certification is related to law enforcement, that the certification is for SWAT and that the final certification is for level. There is also a 1 digit number that specifies if the user is current, not current, in retraining, or that currency doesn't apply. This schema allows for the storage of much more data on a chip that can be directly referenced through the back end. Other agencies may then map their data in their own way and agency data may be correlated together through a mapping structure so outside agencies have visibility of certifications.

[0045] For protecting the credential, as illustrated in FIG. 40, a shielding credential holder device leverages a magnet to hold a clear cover to a shielding back, and can be flipped out with one hand when one needs to enable the contactless signal when presented to a reader to, for example, open a door. Credential holders that shield contactless emanation from unwanted and/or unauthorized reading are current state-of-the-art, however convenient usage by an individual when entering a secured facility is somewhat lacking. The illustrated units are designed to feature a clear pocket for the credential that magnetically adheres to a shielding backing. Thus, a user is able to confidently display the front of the credential on a lanyard or clipped to clothing knowing that it cannot be read contactlessly in this mode, yet easily separate the clear pocket from the backing with one hand to expose the contactless signal when required, and allow reading thereof.

[0046] FIG. 3 illustrates an exemplary credential issuance system 300. The credential issuance system 300 comprises a signature capturer 305, a PIN keypad capturer 310, a fingerprint capturer 320, a camera 330, a module for registrar functionality 340, an ID management module 350, a report printer 360, a card printer 370, a card reader/writer 380, and a document scanner 390, all interconnected via one or more links and networks. One or more pieces of data can be secured via the appropriate capturer and associated with a credential. The data can be associated, in cooperation with the card reader/writer 380, by storing information on the card or printing information on the card. This information, or a portion thereof, can also be encrypted as needed.

[0047] The credential issuance system 300 also can cooperate with a module for registrar functionality. Registrar functionality can include a background check, fingerprinting and 1-9 documentation, system tracking of the application process and notification of when the NACI is complete. The ID Management module can include an active directory link, revalidation functions, date and tracking, moves, adds, changes, terminations, and the like, for an issued credential. The ID management module 350 can also handle the distribution of applications, PIN Resets, robust member searching functionality and auditing.

[0048] FIG. 4 illustrates the IT/Network and Physical Security Management System 100 in greater detail. In particular, the IT/Network and Physical Security management System 100 comprises one or more of a data store 105, logging module 110, authentication processes/access control module 115, data filtering module 120, data marts/warehouses 125, Artificial Intelligence modules 130, video module 135, document module 140, mapping module 145, training/prediction reporting module 150, sensor module 155, audio module 160, VOIP module 165, communications management module 170, user module 175, admin module 180, environment specific module 185, information feed module 190, scalability and interconnection module 195 and security module 199, all intercommoned via the appropriate link(s) and/or network(s) as required (not shown).

[0049] FIG. 5 illustrates in greater detail an exemplary member of the IMPACT family of solutions 200. In particular, the IMPACT system comprises one or more of an equipment tracking module 205, a personnel tracking module 210, a perimeter management module 215, a credential management module 220, a task module 225, an alert module 230, a reporting module 235 and a sensor module 240, all intercommoned via the appropriate link(s) and/or network(s) as required (not shown).

[0050] In operation, an administrator initializes the system by adding the personnel, equipment, credentials, or in general any tangible or intangible, that are to be managed. The addition of the managed information can be streamlined through the use of one or more templates designed for specific incidents and/or environments. For example, when booting the security system, the system can query the user as to the type of deployment, incident or environment. Based on the user's selection, specific GUI's, templates and prompts for connections to various types of data feeds can be generated. Once all relevant information pertaining to the managed information is established, various pre-defined rule sets can be invoked or one or more custom rules created that allow actions to be triggered based on satisfaction of one or more rules. For example, if the incident is a fire and the security system is connected to the existing building fire system, a pre-defined “building fire” rule set could be selected that allows the security system to monitor heat sensors, movement of emergency responders in the building, fire sensors, video feeds, etc.

[0051] In addition, the security system can monitor the presence of emergency responders into and out of the incident scene. This not only allows to the system to account for the presence and location of personnel, but also more routine tasks such as billing management. In the event of an injured emergency responder, the system could also automatically forward medical information based on the emergency responder's credential to a hospital to assist with treatment.

[0052] The IMPACT family of solutions can also be preconfigured with connectivity escalation routines that allow the security system to contact one or more additional security system based on, for example, the meeting of one or metrics monitored by the system. For example, if explosives or an explosion is detected, the security system and forward information related thereto to the federal authorities. Additionally, the security system may connect to other security systems to assist in the analysis of trend data in the event of, for example, widespread terrorist activity.

[0053] In another exemplary embodiment, the system is not actually deployed to an incident, but is used as a full-time security monitor for one or more of a facility/network/computer system. The system can also interface with existing structures, such as a school, utilizing the appropriate modules, allowing control over and monitoring of, for example, a schools security system. For example, the security system can be connected wired or wirelessly by an emergency response team to the school and control all aspects of security including cameras, locks, access, etc.

[0054] FIGS. 6-37 illustrate exemplary GUI's associated with the security system. With all the exemplary GUI's different skins can be selected that are suitable for different lighting environments, thus allowing the application to be easily seen inside or outside, while it is bright or dark, in red, blue, green, yellow, white light, etc. In particular, FIG. 6 illustrates an exemplary access control GUI where a user would go to add other users, permit what they can do have access to (i.e., logical and/or physical), and the hours and zones they have access to these resources. Other things can be controlled here such as the person's certifications and username and password. The Connected Tab (located above the Full Name) shows a list of all the different users that are currently connected to the system.

[0055] The Reader button (located bellow the Time Zone) will group the card readers into logical groups that will be considered one of many zones. The Users button gives you a list of all the users that have been added into the Access Control for quick navigation to a specific user.

[0056] FIG. 7 illustrates an exemplary main navigation menu. The main navigation menu allows a user to move through the application. It can be moved as well as set to auto hide in case you need more screen space for the content area. The main area in the content area. All the tools selected from the main menu can be illustrated in this main portion. Tabs or buttons are also provided in this interface to access other features of the system. In this example, the tabs are “org chart,” “packages,” etc. The lower portion of the GUI is the log. The log illustrates all the events that have happened such as a connection to the server. Like the main menu, this can be moved, resized, or set to auto hide, and each event in the log can be selected for additional information.

[0057] FIG. 8 illustrates an exemplary custom time view GUI where a user can create custom times that a user is allowed into either physical or the network. Times can be set from any day of the week and can be controlled down to the hour.

[0058] FIG. 9 illustrates an exemplary incident GUI. The Incident screen gives a quick overview of the scene that includes who opened it, the date it was opened and closed, and location. Additionally, historical data can be shown so lessons learned from one event can assist in the decision making process.

[0059] FIG. 10 illustrates an exemplary Org Chart (Organization Chart) that can be used to see a graphical representation of the incident command structure under, for example, a HSPD. By simply dragging and dropping, a single person or an entire group can be placed under a different commander. A user can add or remove any of the nodes for situations that require different specialists. A user can also fill the role of the positions with people that have been added to the Access Control area.

[0060] Expand and Collapse button controls all the boxes and expands all of them, or collapses all of them.

[0061] FIG. 11 illustrates in greater detail some of the Org Chart information.

[0062] FIG. 12 illustrates an exemplary SITREPS (Situation Reports) GUI. The situation reports can be updated every time something is changed in, for example, an emergency scene, event or exercise.

[0063] FIGS. 13 and 14 illustrate lists all of the different agencies that are at the scene. Within each agency is a list of all the employees. Each employee has information about them such as status (deployed, staging, etc.), blood type, and cost rate. Then each employee will have a list of certifications that they carry. Information held here pertains to when did the individual receive the certification, when does it expire, when is he expected to have it renewed, and if the person has insurance.

[0064] FIG. 15 illustrates the different packages and their status, including when they arrived at the emergency scene.

[0065] FIG. 16 illustrates an exemplary tasking screen, a user can assign various tasks that can include a description, when it was assigned, when it needs to be completed by, who it is assigned to, priority, and it's sensitivity. Tasks can be assigned to an individual or to a group/agency.

[0066] FIG. 17 illustrates an auto populated log that provides a brief overview of everything that has occurred within this incident including when a new Incident Commander comes in, when new SITREPS are created, and when packages arrive.

[0067] FIG. 18 illustrates the History Tab showing a brief overview of all the incidents for quick reference. When a user selects one of the incidents, that incidents information is seen through the rest of the EMS tabs. This is used for not only review, but if an incident is happening that is similar to a past scene, it can provide for a quick way of seeing some of the possibilities that could happen.

[0068] FIG. 19 illustrates an exemplary video GUI. The video GUI at least supports IP, USB, and CCTV and wireless cameras with support for audio. The video GUI can auto adjust if more than four cameras are added and the ability to manually resize each box. Snapshots and recording can be automated through rules, so if someone tries to swipe a card that is invalid, you can automatically take a snapshot capturing the persons face. Motion detection can be used for the entire camera view or you can set up grids so that it will only record if there is motion within that area. Frame rate can also be controlled from here.

[0069] FIG. 20 illustrates an exemplary sensor GUI. The sensor GUI displays data from a sensor that can be captured and displayed as a 2D/3D graph or mapped into a GIS. A user is also able to turn on and off the various bars as well as the markers. A user can also change a bars color, width, as well as the amount of time that they are viewing in the recorded data.

[0070] FIGS. 21 and 22 illustrate the ability to open a wide variety of various documents, including the ability to utilize a built in spell checker and thesaurus. Also supported is a built in capability to open various spreadsheets. This is where a user can come to open template-type forms that can be blank or pre-populated with data from the incident.

[0071] FIGS. 23-25 illustrate various scheduling interfaces. Here a user can see a daily over view of different tasks that have been scheduled. A user can delete/add new columns by clicking Delete/Add buttons on the right. A user can add a new task into a timeslot by double clicking the time that you want it to start. When a user adds an event to the time slot, it can be titled, given a location, mark what type of an event it is, show its status at that time (i.e. busy), and set a duration. A user can also set up a reassurance so this event is automatically there daily, weekly, biweekly, monthly, annually.

[0072] FIGS. 26-27 illustrate alternative scheduling GUI's. By changing the view to a weekly view, a monthly view, or an annual view, a user can easily see all of the appointments or scheduled events and historical data.

[0073] FIGS. 28-31 illustrate exemplary mapping GUIs. A user can use both static mapping or Internet mapping and can tilt, rotate, and zoom in through the tools on the right. A user can also bring in various layers, even to the Internet mapping that can provide different information. Terrorist alerts/maps, disasters maps and GIS data, as well as existing terra maps and GIS systems can also be obtained by the system.

[0074] FIG. 32 illustrates a built in VOIP GUI and chat support that allows for communications as long as there is power. A user can also record VOIP conversations in this GUI.

[0075] FIG. 33 illustrates an exemplary metrics GUI. Here a user can total a utilization cost, as an agency, and even by there status. This can be done, for example, for Agencies and Resources. This allows, for example, states/counties to call for federal assistance as soon as it is available or limits are reached.

[0076] FIGS. 34-37 illustrate various exemplary admin GUIs. Within the Admin Console, a user can check out the server's health status, have it automatically send alerts to E-Mail, a phone, a computer, or just write a log. Within the console, a user can set up automatic discovery and/or failover with other security systems, or the systems can be manually discovered. The software can also be configured to automatically check for updates from this console.

[0077] FIG. 38 illustrates a high-level architecture of a relational database that can be used in conjunction with the embodiments described herein. The attached Appendix provides more detailed specifics regarding the architecture and the relationships therebetween, with the numbers in the connecting lines corresponding to the relationships detailed in the Appendix. In general however, any relational database, object-oriented or object-relational database structure will work well with the systems and methods of this invention provided a mapping between associated elements can be determined. This exemplary architecture represents the relationships between, for example, video, graph, audio, VOIP, documents, equipment, personnel, tasks, etc.

[0078] FIG. 39 illustrates an exemplary data flow and process tree according to an embodiment of this invention. The exemplary processes depicted within the figure illustrate connectivity and process flow. These flow diagrams can be consistent throughout all various modules. For example, both the IMPACT family of solutions and the IT/Network and Physical Security Management System can include the same processes for cameras, video, access control, etc., as well as a Supervisory Control And Data Acquisition (SCADA) type system using the functionality described herein, with all of the systems capable of including the same processes as other modules and process applied to data operations, etc. The scope of all modules can be configured into a self-healing networked structure where if a piece, segment or network were to fail, a self-healing process could instantiate itself and rebuild critical parts of any portion of the system(s) and/or network. The systems/networks can also support a failsafe mechanism that allows for the destruction of a device if, for example, tampering is detected.

[0079] The exemplary processes that can b performed by one or more of the modules discussed herein (or by one or more modules connected to the security management system) are: New Record, Replication Process, Video Processes, EMS Processes, Mapping Processes, Authentication Processes/Access Control, Document Processes, Logging Processes, Sensor Processes, Support Processes, Audio Processes, VOIP Processes, AI Processes, Data Scrubbing, Data Scrubbing, Trending/Prediction Reporting Process and Communications Processes.

[0080] The New Record process allows the creation of a new record. This new record can relate to personnel, equipment, monitors, sensors, credentials, or in general any aspect of security management including both tangible objects/personnel and intangibles.

[0081] The Replication Process allows both upstream and downstream replication of information. This replication can include filtering to allow for a hierarchy of data flow with, for example, permissions established such that data stores with lesser permissions have access only to certain portions of data.

[0082] The Video Processes, as with the other types of “data” feeds, such as audio, VOIP, etc., are logged in a logging module and preserved in a local data store as well as monitored by the Authentication Processes/Access Control Process. Video can be also be streamed from different devices using different transmission protocols to include IP based, BNC, Web and others.

[0083] The EMS Processes is one of several exemplary processes that reflect the various operating environment(s) into which the systems and methods described herein may be placed. It should be appreciated however that these specific operating environment type processes can be combined with other operating environment type processes as needed and may be dynamically added at any time. For example, during boot of the IT/Network and Physical Security Management System, the environment can be configured through selection of the specific event type(s). EMS processes cover all aspects of an incident to at least include personnel, equipment, org charts, situation reports, lessons learned, scheduling, mapping, and other related items specific to an event.

[0084] The Mapping Processes allows the integration and display of map(s) into the Network and Physical Security Management System. The Mapping Processes at least includes one or more of GIS, real-time mapping, static mapping, overlaying mapping with various sets of data either retrieved, input or correlated through AI Processes onto maps that can be made available to a user(s).

[0085] The Authentication Processes/Access Control Authentication includes logical and physical authentication through, for example, various chip processes to include contact and contactless chips as well as biometrics that may be attached, imbedded embedded and/or implanted anywhere in the body including the hand and head. Authentication mechanisms also provide for the tracking of incrementing and decrementing values as well as storage of finite values within the authentication medium if a non-biogenic authentication template, e.g., smartcard, is used. Identities can be tracked and authenticated through, for example, GUID, UUID, certificate based processes, or in general any mechanism, locally, regionally, nationally and internationally. The authentication medium will also allow for in some cases multi-user/multi-administration capabilities. Authentication at both physical and logical layers can include encryption using standard approved methodologies as well as future encryption strategies utilizing, for example, nano-technologies or quantum technologies not only from the controller to the controlling device (door reader for example), but also from the controlling device to the controller and/or other operating system that may act as an intermediary or controller itself. The Authentication Processes allow for multi-factored authentication mechanisms to include, for example, what someone knows, what someone has, who someone is, where a person is, through space and time, through behavioral analysis as well as other mechanisms. This will allow for authentication of identities, groups, processes, etc., as well as physical devices and information sources.

[0086] The Document Processes allows for the creation, viewing and modification of secured documents through a data labeling process, as well as the management and classification of documents. For example, an AI process classifies documents on the fly based on, for example, certain keywords, origin information, creator information, content, or phrasings as well as by the classification authority or creator. Documents identified as secure can be stored in an encrypted format within the database.

[0087] The Logging Processes support event correlation through a triage AI process for each entry added to the log. Logsets can be multi-record structures where event correlation takes place against a set of log entries that may or may not be similar in nature. Logs can be archived, for example, at the event level and can be fine tuned to, for example, periods of time.

[0088] The Sensor Processes not only include sensors for environmental characteristics but also include tracking through thermal, biologic, pressure and other methods provided through a sensor interface.

[0089] The Support Processes include failover support, self-discovery and other system configurations. Support processes also include all processes that provide for systems administration, configuration, healing, alerting, balancing or other processes supporting any of the described processes or modules.

[0090] The Audio Processes allow for the modeling of various audio characteristics. This can include sound that is audible to the human range or outside the scope of human range.

[0091] The VOIP Processes allow VOIP communications over one or more networks to one or more other IMPACT and/or IT/Network and Physical Security Management System(s). VOIP and Conferencing services allow for internal conferencing capabilities. The only requirement is connectivity through any available means. Conferences can be recorded stored and verified in the future.

[0092] The AI Processes include rule set, fact set, fuzzy and neural processes to predict and trend. Intelligent processes include inferencing technology, neural processes as well as other multi-generation intelligence processes. In terms of intelligent processing there are three layers. [0093] 1. Triage (Real-time)—this is accomplished as raw data is entered through a process. This basic yes/no type rule set logic and can be applied to an individual record very quickly. [0094] 2. Near real-time—This can be accomplished across multiple records as data sits in an active local data store. The correlation of this data can be more complex than simple rule sets and can include complex nested rule sets as well as facts applied. [0095] 3. Historical—This takes place against a data mart/warehouse and/or a regional, national and/or international level data source. These AI Processes can include not only rule set and facts, but fuzzy logic through inferencing and in some cases neural networking, as appropriate.

[0096] AI Processes allow for human and non-human intervention, alerting and other modifications to configurations, data or other items designated as modifiable on-the-fly. Expert Systems can attempt to emulate the decision making abilities of a human expert using knowledge (facts) and inference procedures (rules). In some cases other intelligent processes may be used such as neural networking, data clumping, associative discovery etc. AI processes are designed to find events, trends and predict where the data to support that data doesn't appear to exist.

[0097] The Data Scrubbing process allows for sanitizing of data by any means, such as rule based sanitizing.

[0098] The Trending/Prediction Reporting Process can cooperate with the AI Processes to generate trending and/or prediction reporting and alerts based on one or more of incident information, information feeds, activity, data trends or in general any information received by the IT/Network and Physical Security Management System.

[0099] The Communications Processes include any method for communications to include satellite, cellular, wireless, networked, encrypted, hardened, packet or circuit-switched, or any other communications process or protocol.

[0100] The Data Stores house data that can be shared with one or more other data stores. The data stores can store any information relevant to the IMPACT and the IT/Network and Physical Security Management Systems, as well as credential issuance system, and in general any information associated with the systems described herein.

[0101] In addition to the above higher-level processes, sub-process operate within the security system. A description of the exemplary sub-processes are discussed below.

[0102] The Record Management process allows entities identified with “administrator” privileges to administer records. These records include identity records and administrators can at least add, delete or modify identities as well as levels of permission, access control, etc., and in general any feature associated with a record including the creation, modification or deletion of a record.

[0103] The Identity Configurations process includes all aspects of an identity account. These includes basic personal information such as name, DOB, position, access control parameters—to include access points and hours, biometric data etc. An identity is directly correlated to a certificate and a GUID/UUID or other unique identifier. These items are used to correlate identities to other sets of information through lookups.

[0104] The Permissions Process provides and regulates permissions to information and/or objects.

[0105] The Access Control process provide for both logical and physical access control solutions to one or more physical areas and/or computer, computer network or IT-based systems.

[0106] The Authentication Process determines whether or not an entity has the authority to access and manage records.

[0107] The Record Management Process includes the ability to add records, delete records, modify records as well as provides record navigation and searching functionality.

[0108] The Active Directory Process provides standard active directory structures and extended active directory structures. For example, in an emergency response scenario, the security system 1 is a self-contained network whereas in other incident management solutions active directory can be integrated into an existing network structure. In cases where an incident management solution must control access logically, the security system can act as the master controller and only make updates to the active directory databases while, for example, dedicated, incident specific incident management controllers will act as authenticating mechanisms thereby reducing the overall load on the IMPACT system.

[0109] The Physical Access Control Process controls, for example, disconnected hand-held or other types of credential reading devices that can be updated, for example, on-the-fly through wireless, wired or by removable media. The devices can first authenticate to one another prior to data updating. In other IMPACT scenario solutions, physical reader controllers can be embedded into the IMPACT solution and control physical access by a direct or wireless connection to the terminal reader.

[0110] The Motion Detection Process allows for the configuration of the sensitivity of the detection grid in one or more connected video cameras or feeds as well as other options related to motion detection. The motion detection processes can be defined to slew a camera to a certain position if motion enabled cameras are used.

[0111] The Snapshot Process allows snapshotting by extracting a single frame from a video stream. Snapshotted graphics can be stored in an encrypted format and checksummed for evidentiary use.

[0112] The Streaming Process allows video to be streamed to a user interface within the security system and can be saved in, for example, a compressed and encrypted format to the data store. Video can also be checksummed for evidentiary use.

[0113] The Video Interface Process allows a user to manipulate and view video data. This interface allows also acts as the record management interface that allows user to add, delete, modify and navigate video records, for example, with the use of meta-data, keywords, etc.

[0114] The Docs Mods Process allows video data stills and in some cases streamed video data to be included into documents that are stored within the data store.

[0115] The Camera Control Processes allow camera controlling through motion detection as well as user remote control of any of the cameras associated with the security system.

[0116] The Logging Process can support event correlation through the triage of artificial intelligence processes for each entry added to the log. Log sets can be multi-record structures where event correlation takes place against a set of log entries that may or may not be similar in nature. Logs can be archived off at the event level and/or system level and be fine tuned to periods of time.

[0117] The Event Data Process allows management of event data, comprising basic information pertaining to an event, to include, for example, incident commander, location, perimeters, zones and event descriptions.

[0118] The Situation Reporting Process allows situations taking place during an event to be identified, flagged and tracked.

[0119] The Org Charting Process provides the ability to create and manage an organizational chart of the incident staffing. Personnel can be selected to fill slots within the organizational structure. Also when an individual is selected to fill a role, the role can be cross-referenced with certifications data that is tied to personnel. If, for example, the individual is not certified to fill a role, then, for example, based on an active rule set, the incident commander can be informed. An incident commander can also be authorized to override the flag. There can be more than one organizational chart per event.

[0120] The Personnel/Equipment/Certs Process allows one or more of personnel, equipment and personnel certifications to be tracked through an event to include, for example, cost rates, use, renewal information and other items.

[0121] The Package definition Process allows packages to be defined by standard definitions, non-standard definitions as well as task force definitions. Packages can be requested, offered for deployment and in special circumstances be defined on-the-fly during and at an incident. Packages are normally defined and then pushed to, for example, a regional and national data store for deployment. Packages can also be requested by various agencies to take part in an event.

[0122] The Historics Process allows for the management and creation of “lessons learned documents” as well as documents generated through an artificial intelligence process that correlates useful information for specific requirements during an incident. This gives event managers access to data and data mining capabilities that may uncover information relevant to the incident(s) such as trending information. Documents can be correlated from local, regional, national and/or international sources.

[0123] The Graphic Layering process allows graphic overlay(s) to be added to or taken off of a mapping structure. Layers can represent different sets of interpolated data.

[0124] The Internet Based Mapping Wrapper Process allows for including access to internet based maps. This provides, for example, an instant mapping interface that doesn't require any static map files to be carried with the security system. Layers can be added to internet based mapping to represent different sets of data.

[0125] The Data Interpolation Process allows taking data from different sources, turning that data into coordinate data and then placing it into a graphic layer to be presented through a mapping interface. Data can represent sensor locations, boundary locations, personnel locations, equipment locations, or in general data the security system has access to.

[0126] The GIS Processing Process allows real-time GPS related navigation, as well as other GIS related mapping processes. For Example, responders can use GPS enabled tracking devices that can be represented in a mapping structure. This is useful for deploying, tracking and recalling responders that may be in hot, warm, cold or all zones, etc.

[0127] The Graphical Interface Process allows one or more graphic interfaces to be used to manage records as well as provide for option selections and a viewing interface for the mapping modifications.

[0128] The Doc Generation Process allows user to create spreadsheets, word processing documents, flowchart documents, graphic documents as well as other document types. These documents can be labeled with a security classification and then encrypted into the data stores where other users with the proper classification can then view the documents. This provides for a secured document access control system that provides security, integrity, reliability as well as the capability to control document dissemination.

[0129] The Classification Process allows classification labels to be added to any information within the system and can add a mandatory layer of security to document control that does not exist in discretionary operating systems that provide for shared access control. Each document can be labeled with a classification and clearance requirement that is tied directly to the data object.

[0130] The Sensor Data Parsing Process allows data entering the security system from any information feed, such as a sensor feed, to be parsed into data that can be represented in a graph series. Parsing can be unique to the sensor type and manufacture. To effectively parse data the manufacturer's data schema can be processed and stored into a retrievable data structure that can be identified on-the-fly to the sensor.

[0131] The Sensor Chart Generation Process allows the representation of sensor data through a graph series. Each graph can hold multiple series and update in real-time based, for example, on parsed data.

[0132] The Sensor GUI Interface Process allows a sensor GUI to act as the record management facility as well as the interface for sensor graphs that can depict real-time sensor feeds for a variety of sensor types.

[0133] The Logging/Alerting Services Process are specific to application processes and specific server processes. To configure logging and alerting, administrators can select an event type and then apply a rule to the event. Then, based, for example, on the relationship between a metric and the event, alarms triggered, actions activated, alerts sent to one or more individuals, entities or groups thereof, or the like.

[0134] The Identify Facts and Factsets Process allows processing of facts and fact sets that are known or defined facts about an expert domain.

[0135] The Build Rules and Rulesets Process allows for inferencing processes to take place.

[0136] The Apply Fuzzy Definitions Process allows for the application of intelligence to address non-linear problems.

[0137] The Define Training Requirements Process allows for the training of one or more neural networks.

[0138] The Stream Analysis Process allows for the capability to determine direction and distance of sounds as well as the sound type. Audio streams can be used as alerting features and can be saved in an encrypted format into a data store and checksummed to prove authenticity in the future.

[0139] The Audio GUI Process allows an audio GUI(s) to act as the record management facility as well as the graphic interface that allows users to configure and process audio data. Audio data can be collected from different sources.

[0140] The VOIP/Video Conference process allows audio and/or video communications between connected security systems. A specific security system can itself act as a collector for conversations from other end points. The security system can then trunk the communications into a stream of data that can be sent out to one or more participants.

[0141] The Reporting Process allows generation of different types of reports.

[0142] Ad Hoc—Ad Hoc reports show the user exactly what is on screen in the same state as the data container. For example, if a data grid is grouped and/or filtered then the report view will be of the grouped and filtered set of data. These reports are designed for on the fly real-time type reports.

[0143] Formatted—These reports are pre-defined and have a more professional look than ad hoc reports. These are the reports that are sent to others as a more formal document.

[0144] Metric based—These reports correlate data into a pivot grid like report structure. These reports are good for tracking certain sets of data over time.

[0145] Charts—These are charts may be formatted as histograms, pie charts, bare charts etc.

[0146] The reporting interface allows the user to define the report type and data to collect as well as save the report to internal or export reports to other data formats.

[0147] The Data Request Process builds the sql (or other) statement that requests data from a backend. Queries may be simple, complex, nested, multi dimensional, etc., and will take into account future data extraction technologies.

[0148] The exemplary Transaction Process allows adding, deleting and modifying identities and other records and follows a straight forward transaction process. The process provides for the guarantee of the integrity and reliability of data and meets federal standards under HSPD-12 for identity verification in a government environment.

[0149] Exemplary Components include:

1. Transaction tracking mechanism (GUID, UUID, or any certificate).
2. Authentication medium (smartcards, chips, and any other data storage medium whether its embedded, imbedded, attached, not attached etc.)
3. Authentication factor (something a person has, something a person knows, who a person is, time, space etc.)
4. Storage mediums (relational data structures, active directory, chips and other mediums).
Integrity and reliability of identity information can be done through transaction and data tracking through storage devices and authentication mediums through the use of
1. GUID—globally unique identifiers
2. UUIDs—universally unique identifiers
3. Certificates (any type)
4. Other unique markers as they are developed.
GUIDs, UUIDs, or any certificate(s) and other markers can be used to uniquely identify an identity across local, regional, national and international structures whether they are storage structure or authentications mediums. An identity can be uniquely correlated through connected or disconnected space and time through any of the above markers. Considering the fact that certain attributes of personal or private data can't be transmitted in some cases, the unique marker/identifier provides a means to validate an identity without the loss or compromise of sensitive data. If sensitive data needs to be accessed the unique marker/identifier can be used as a lookup structure to a storage medium or to an authentication medium for additional sensitive data.

[0150] By using these markers and identifiers it is possible to replicate identities across multiple remote data stores locally, regionally, nationally or internationally without losing integrity. This also allows for near real-time updates for immediate identity visibility.

[0151] While the above-described flowcharts have been discussed in relation to a particular sequence of events, it should be appreciated that changes to this sequence can occur without materially effecting the operation of the invention. Additionally, the exact sequence of events need not occur as set forth in the exemplary embodiments, but rather the steps can be performed by one or more of the elements described. Additionally, the exemplary techniques illustrated herein are not limited to the specifically illustrated embodiments but can also be utilized with the other exemplary embodiments and each described feature is individually and separately claimable.

[0152] The above-described system can be implemented on one or more secured, hardened and/or unsecured computer systems and related components, and may be connected to other systems, data feeds, network(s), etc., via a secure or unsecured or encrypted wired and/or wireless wide/local area network system, a satellite communication system, a modem, or the like, or on a separate programmed general purpose computer having a communications device.

[0153] Additionally, the systems, methods and protocols of this invention can be implemented on a special purpose computer(s), a programmed microprocessor or microcontroller and peripheral integrated circuit element(s), an ASIC or other integrated circuit, a digital signal processor, a hard-wired electronic or logic circuit such as discrete element circuit, a programmable logic device such as PLD, PLA, FPGA, PAL, any comparable means, or the like. In general, any device capable of implementing a state machine that is in turn capable of implementing the methodology illustrated herein can be used to implement the various systems and techniques described in relation to this invention.

[0154] Furthermore, the disclosed methods may be readily implemented in software using object or object-oriented software development environments that provide portable source code that can be used on a variety of computer or workstation platforms. Alternatively, the disclosed system may be implemented partially or fully in hardware using standard logic circuits or VLSI design. Whether software or hardware is used to implement the systems in accordance with this invention is dependent on the speed and/or efficiency requirements of the system, the particular function, and the particular software or hardware systems or microprocessor or microcomputer systems being utilized. The systems, methods and protocols illustrated herein can be readily implemented in hardware and/or software using any known or later developed systems or structures, devices and/or software by those of ordinary skill in the applicable art from the functional description provided herein and with a general basic knowledge of the computer and logical and physical security arts.

[0155] Moreover, the disclosed methods may be readily implemented in software that can be stored on a storage medium, executed on programmed general-purpose computer with the cooperation of a controller and memory, a special purpose computer, a microprocessor, or the like. In these instances, the systems and methods of this invention can be implemented as program embedded on personal computer such as an applet, JAVA® or CGI script, as a resource residing on a server or computer workstation, as a routine embedded in a dedicated communication system or system component, or the like. The system can also be implemented by physically incorporating the system and/or method into a software and/or hardware system, such as the hardware and software systems of a security system.

[0156] It is therefore apparent that there has been provided, in accordance with the present invention, systems and methods for combined IT/Network and physical security management. While this invention has been described in conjunction with a number of embodiments, it is evident that many alternatives, modifications and variations would be or are apparent to those of ordinary skill in the applicable arts. Accordingly, it is intended to embrace all such alternatives, modifications, equivalents and variations that are within the spirit and scope of this invention.