In 2015 the first edition of PAS 1192-5 (Specification for security-minded building information modelling, digital built environments and smart asset management) was published. It identifies the need to take appropriate and proportionate measures to protect asset information, providing useful guidance for asset owners and stakeholders. Importantly, PAS 1192-5 sets out a triage process to identify the need for a security-minded approach, with recommendations where the outcome of this triage process is that the built asset and/or a neighbouring built asset has a degree of sensitivity. But what should we (clients and design and construction team members) do when the triage process results in ‘no identified need for more than baseline security measures’? Do we know what this means – does ‘baseline’ mean doing nothing more than we would usually do?
The guidance and information you will find here provides useful tips and things to think about in adopting baseline security measures and it provides direction and context to published standards and recognised initiatives. It is relevant for any organisation engaged in initiating, leading and/or delivering design and construction projects.
Who needs to do what and when?
There are three primary roles to think about in terms of baseline security for design and construction projects:
- The Employer/Client
- The Information Manager
- The Design and Construction team members
| Role | Responsibility | When |
|---|---|---|
| Employer/Client | Undertakes the security triage process | As soon as possible in RIBA stage 0 or 1 |
| Employer/Client | Authors (or has a party author on their behalf) the Employer’s Information Requirements (EIRs) | As soon as possible in RIBA stage 0 or 1 |
| Information manager | Implements the EIRs | Throughout the project, once the EIRs are available |
| Design and construction team members | Work in accordance with the EIRs | Throughout the project, once the EIRs are available |
| Design and construction team members | Articulate how they are working in accordance with the EIRs in the project’s BIM Execution Plan (BEP) | Throughout the project, once the EIRs are available |
Everybody is responsible for making sure that the ethos of the baseline security requirements is adopted.
Are you a project team member?
Anyone planning to engage with a BIM project will need to understand the security concerns and requirements of the Employer/Client and demonstrate their ability to meet them.
While baseline needs will differ by project and Employer/Client, organisations can plan for consistent issues:
- Understand the types of security risk in a project or organisation
- Familiarise yourself with IT resilience standards – 10 Steps and Cyber Essentials
- Consider the approach to file naming and document control
- Recognise that data and information, including your own, should be protected and prepare to work in this way
When planning to host a CDE:
- Seek security assurances
- Plan a clear, navigable folder structure to aid consistency and allow controls to be applied
- Consider access controls and permissions, their application and monitoring
Be clear in any BEP response that security requirements are understood and demonstrate how you meet them.
Always be aware of security requirements and abide by them – this includes making sure new team members are appropriately briefed. Consider your use of email and social media and any non-disclosure requirements.
If hosting the CDE or document management system:
- Apply access controls and permissions and monitor their use
- Use file naming and information structure to manage data and protect file contents
- Plan for the transfer of project information in a secure manner
Ultimately it’s about being confident in the resilience of your organisation and systems, applying the security requirements to manage risk and achieving a successful project outcome.
Baseline security process map
The following process map sets out a basic approach to determining and implementing baseline security requirements. Selecting steps in the map will reveal simple guidance and will provide links to relevant standards and templates.
- Drafting Employer’s Information Requirements (EIRs)
- Think about the Common Data Environment (CDE)
- Think about practical file management
- Think about compliance with baseline requirements
- Think about design and construction team awareness
- Think about project publicity
- Include baseline requirements in the EIRs
- Implement the requirements
The following people contributed to the development of this guidance:
Arup: Mohammed Mamun
Dstl: Shona Jenkinson
Met Police: Javed Edahtally
Turner & Townsend: Nathan Jones
The UK BIM Alliance also thanks Alexandra Luck, technical author of PAS 1192-5:2015 for her guidance and overall contribution.
Guidance and websites
10 Steps to Cyber Security
BSI: ISO/IEC 27001 – Information Security Management
CPNI Digital Built Assets and Environments
Cyber Essentials Scheme
Defence Cyber Protection Partnership
Implementing the Cloud Security Principles