What security certifications are required for a Digital Signage Product?

Xchange Member Question

Xchange Members,

@Harish040 has posted a question in the Q&A. He's wanting to know what security certifications are required for a Digital Signage Product. 

I bet we have some folks here that can help!


Bobby Owens
over 1 year ago

All good!!!

Aviad Cohen
about 1 year ago

It really depends on how the customer wants to set up the signage solution:

1. Is it a separate network?

2. Will it have access to sensitive data?

3. Should it allow employees to upload content to it?

etc.

Off the top of my head I would have the following security measures as a baseline:

SSL, SFTP (for file transfer), AD authentication service, HTTPS access only

With more information it would be possible to recommend further security measures.
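The "HTTPS access only" item in the baseline above is the one that is easiest to state and easiest to get half right (an HTTPS listener left beside a still-open HTTP one). The following is an added illustration, not configuration from the original post or from any signage product: an nginx server block for a hypothetical CMS host `signage-cms.example.internal` that refuses plain HTTP by redirecting it, pins modern TLS, and tells browsers to stay on HTTPS. The hostname, certificate paths and upstream port are assumptions.

```nginx
# Added example (not from the original thread). Assumed names:
#   signage-cms.example.internal  - the CMS hostname
#   /etc/ssl/cms/fullchain.pem, /etc/ssl/cms/privkey.pem - certificate files
#   127.0.0.1:8080                - the CMS application behind nginx

# Plain HTTP: answer only with a permanent redirect, never serve content.
server {
    listen 80;
    listen [::]:80;
    server_name signage-cms.example.internal;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name signage-cms.example.internal;

    ssl_certificate     /etc/ssl/cms/fullchain.pem;
    ssl_certificate_key /etc/ssl/cms/privkey.pem;

    # Only TLS 1.2 and 1.3; older protocol versions are not negotiated.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: browsers remember to use HTTPS for this host for one year.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # Stop the signage UI from being framed elsewhere or MIME-sniffed.
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

A quick check after deploying is `curl -I http://signage-cms.example.internal/`, which should return a 301 to the https URL and nothing else; `curl -I https://signage-cms.example.internal/` should show the Strict-Transport-Security header. The `X-Forwarded-Proto` header matters because a CMS that builds absolute links from the scheme it sees on the loopback hop would otherwise emit http:// URLs.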

Harish040
about 1 year ago

Thanks Aviad Cohen

Samantha Davis
about 1 year ago

If they're planning on hosting the CMS on a remotely hosted virtual server things like Cyber Essentials accreditation will be needed (according to the data centre's policies), which some proprietary solutions might not have.

Assuming it is just a display (no interactive) then in the US there are the usual. If nothing else, FCC approval and ideally a UL sticker are the starting point.

One problem area is with media players/engines. They have storage as a rule and you need to make sure they are secure. Maybe you have a camera capturing data. If it is stored then you can be liable especially in certain states.

There are national standards + state standards that should be reviewed.

State (or Federal) projects always come with a lengthy "compliance" list. Sometimes 30 or 40 items they want a check next to (before they send you a check). 

International standards are CCC, FCC, CE, UL, and RoHS

In the US -- ADA standards apply to digital signage under conditions

FCC emission approval - much like CE in Europe

UL regs enter in - think LinkNYC "outdoor" or Wind related (up to 180 mph)

Made in America can apply if selling to certain

Hurricane codes come into play from FEMA

WCAG comes into play as does HIPAA or Medical rated (60601)

NEMA for outdoor

Dark Sky comes into play

Biometrics comes into play (see Illinois court docket)

Canada is different

Asia is different

Europe is different

The standards page on kioskindustry.org lists just the more common ones. I should add the other 30 or 40 that come up for agencies.

https://kioskindustry.org/standards/

CMS hosting along with any network credentials/connections are a separate category (and lengthy) for me. 

Lisa Matthews, CTS - AVIXA
about 1 year ago

Thanks, @Aviad Cohen, @Samantha Davis, and @Kiosk Manufacturer Association for sharing your expertise with the community! Great question, @Harish040!

There seem to be many nuances around this and questions to be addressed. Is there any type of best practices "checklist" when approaching a project? 

Aviad Cohen
about 1 year ago

You could take notes from the points mentioned above; as far as I know there is no specific checklist, as customers differ from one to another. Government is different from HiTech as per regulations, finance has very strict rules and regulations (compliance is a nightmare in some cases).

If you're coming to ISE 2023 and wish to discuss anything in particular, let me know and we'll try to meet there.

All the best

That's a good suggestion, Lisa, and people love a good checklist. I have one for ADA that covers the "low-hanging fruit" that you don't consider at your own peril. And it is different in verticals and different in countries.

In the self-service world, there is the hardware, the software, the devices, connections, data, and along with all that is installation, warranty, service and maintenance (software & hardware). And any and all regulations, be they federal and/or state, that are in play.

My wife was getting her passport photo at FedEx yesterday and of course I spent my time in benevolent hacker mode at the internet stations. Fairly easy to "intrude."

For digital signage media players, running a consumer-grade Windows OS is a consideration all to itself given patch cycles, etc. People do that to save money.

Maybe add a separate section to evaluate all the "money-saving" initiatives of budget, and take an honest look at the resultant liabilities (and subsequent costs).

I spoke with Wendy's at NRF and I guess they went "immediate term economical" on signage and kiosks only to find out a year later that downtime and lack of monitoring is taking a big chunk of money every month (and units not serving customers).

Ironic how "went cheap" is usually a synonym for "long-term more costly".