Project Security Provision


In 2015 the first edition of PAS 1192-5 (Specification for security-minded building information modelling, digital built environments and smart asset management) was published. It identifies the need to take appropriate and proportionate measures to protect asset information, providing useful guidance for asset owners and stakeholders. Importantly, PAS 1192-5 sets out a triage process to identify the need for a security-minded approach, with recommendations where the outcome of this triage process is that the built asset and/or a neighbouring built asset has a degree of sensitivity. But what should we (clients and design and construction team members) do when the triage process results in ‘no identified need for more than baseline security measures’? Do we know what this means – does ‘baseline’ mean do nothing more than we would usually do?

The guidance and information you will find here provides useful tips and things to think about in adopting baseline security measures and it provides direction and context to published standards and recognised initiatives. It is relevant for any organisation engaged in initiating, leading and/or delivering design and construction projects.

Who needs to do what and when?

There are three primary roles to think about in terms of baseline security for design and construction projects:

  1. The Employer/Client
  2. The Information Manager
  3. The Design and Construction team members

| Who? | Does what? | When? |
|---|---|---|
| Employer/Client | Undertakes the security triage process | As soon as possible in RIBA stage 0 or 1 |
| | Authors (or a party on their behalf authors) the Employer’s Information Requirements (EIRs) | |
| Information manager | Implements the EIRs | Throughout the project, once the EIRs are available |
| The design and construction team members | Work in accordance with the EIRs | Throughout the project, once the EIRs are available |
| | Articulate how they are working in accordance with the EIRs in the project’s BIM Execution Plan (BEP) | |

Everybody is responsible for making sure that the ethos of the baseline security requirements is adopted.

Are you a project team member?

 Before appointment

 Anyone planning to engage with a BIM project will need to understand the security concerns and requirements of the Employer/Client and demonstrate their ability to meet them.

While baseline needs will differ by project and Employer/Client, organisations can plan for consistent issues:

  • Understand the types of security risk in a project or organisation
  • Familiarise yourself with IT resilience standards – 10 Steps and Cyber Essentials
  • Consider the approach to file naming and document control
  • Recognise that data and information, including your own, should be protected and prepare to work in this way

When planning to host a CDE:

  • Seek security assurances
  • Plan a clear, navigable folder structure to aid consistency and allow controls to be applied
  • Consider access controls and permissions, their application and monitoring

Post appointment

Be clear in any BEP response that security requirements are understood and demonstrate how you meet them.

Always be aware of security requirements and abide by them – this includes making sure new team members are appropriately briefed. Consider your use of email and social media and any non-disclosure requirements.

If hosting the CDE or document management system:

  • Apply access controls and permissions and monitor their use.
  • Use file naming and information structure to manage data and protect file contents
  • Plan for the transfer of project information in a secure manner.

Ultimately it’s about being confident in the resilience of your organisation and systems, applying the security requirements to manage risk and achieving a successful project outcome.

Baseline security process map

The following process map sets out a basic approach to determining and implementing baseline security requirements. Selecting steps in the map will reveal simple guidance and will provide links to relevant standards and templates.


The following people contributed to the development of this guidance:

Arup: Mohammed Mamun
Dstl: Shona Jenkinson
IET: Rick Hartwig
Gleeds: Sarah Davidson
Met Police: Javed Edahtally
Turner & Townsend: Nathan Jones

The UK BIM Alliance also thanks Alexandra Luck, technical author of PAS 1192-5:2015 for her guidance and overall contribution.


Project Initiation

Undertake the security triage process set out in PAS 1192-5 and complete the CPNI security triage questionnaire

Whatever the nature or complexity of the construction project envisaged, there is one single activity that should be carried out as early as possible in the project’s life: applying the security triage process set out in PAS 1192-5. This is an activity carried out by the Employer/Client. Until and unless this is undertaken, there is unlikely to be a clear understanding of whether or not baseline security measures are sufficient. Note that the triage process can be applied to an existing or to-be-constructed built asset and its site. CPNI provides a helpful questionnaire to support the triage process.

The CPNI Application of the security triage process questionnaire can be found here.

Result of Triage Process

S4 = no identified need for more than baseline security.
Then just file your triage questionnaire for reference. Complete your Employer Information Requirements (EIR) document with Baseline Security Requirements.

S1-S3 = Further action required.
Follow the guidance in PAS 1192-5:2015. Complete your Employer Information Requirements (EIR) document with the required security provisions.

Drafting Employer's Information Requirements (EIRs)

Record outcome of triage process/questionnaire in the Employer's Information Requirements (EIRs)

Step one is to plan for and articulate the security measures on the project. Even if the Employer/Client has no specific security requirements, it is unlikely that he/she will want to inadvertently share information about their organisation, their assets or their projects with individuals that have no connection with them. Make sure it is clear in the EIRs that the security triage has been undertaken, how it has been undertaken (i.e. in reference to the CPNI questionnaire) and what the result of that process is.

Additional Resources
BS 1192-4:2014
PAS 1192-2:2013
PAS 1192-3:2014

PAS 1192-5:2015

Additional Guidance Notes on Drafting Your EIR can be found here.

Think about the Common Data Environment (CDE)

Define the project strategy for file and data management using a common data environment (CDE) or other agreed system.

ISO/IEC 27001 Information Security Management
PAS 1192-5:2015
CDE Process Map

How will the CDE be procured? Determine CDE procurement - direct by the Employer/Client or indirect via a member of the design and construction team. Ideally, the CDE will be operational early in the project's life.

Who will manage/administer the CDE? Review data access and permissions principles.

What are the CDE licence requirements? Make sure that CDE licensing requirements are clear and will support the project for its duration.

Additional Resources
Additional Guidance on CDE Principles can be found here. Additional Guidance on Managing Access to the CDE can be found here. Additional Guidance on Outsourcing IT can be found here.

Think about practical file management

Adopting a project CDE supports collaborative file management, and a CDE can be managed to provide a secure working environment. But to be effective and to adopt a baseline security approach, it is important that CDEs are structured and that files held on them adopt consistent file referencing. There should also be clarity around which files are to be held on the CDE and the extent to which files can be shared using other media.

BS1192:2007 + A2:2016 provides a structure for all files to be held on a CDE - from work in progress files through to contractual and archived files. Consider the extent to which this approach is to be adopted. Consider also if some files should be held outside of the CDE.

Is there a requirement to restrict distribution of files by email?

Issuing files by email when there is a fully functional CDE can lead to confusion around the reliability of the CDE as a reference point. Consider the extent to which it is acceptable (or preferred) to issue files by email.

Is there a requirement to transfer files from the CDE on completion of the project?

Where the CDE is procured by a design and construction team member on behalf of the Employer/Client, direction will be needed on how files should be transferred to the Employer/Client on completion. Think also about requirements for ongoing design and construction team access to and/or disposal of files held on the CDE post project completion.

Is there a requirement for structured file naming?

Structured file naming is set out in BS1192-2007. Adopting a file naming approach will enable the CDE to operate efficiently and generate consistency across a project.

Should room/space locations recorded in file descriptions be identifiable by activity, or is a simple alphanumeric reference preferred?

Often file descriptions note the activity within referenced rooms (i.e. 'plant room'). If it is preferred that activities are not noted, then rooms and spaces may be given an alternative reference code. Requirements should be noted in the EIR.

Think about compliance with baseline requirements

Are there specific plain language questions (PLQ) to include to check implementation of baseline requirements?

A PLQ is a request (or a check) for information that is expressed in simple, easy-to-understand terms. It is a means of communicating an information requirement.

Are there specific requirements for BIM Execution Plan content (BEP) in respect of baseline requirements?

The EIR is an instructing document setting out minimum data and information requirements. The BEP should convey how the EIR is to be implemented, detailing use of specific systems, processes and standards as well as who, in the design and construction team, is undertaking what. In terms of baseline security, the BEP may consider the EIR plus personnel, process, physical and technical security issues.

Think about design & construction team awareness

It is important to ensure that design and construction team members understand Employer/Client requirements in respect of specific ways of working and/or behaviours - ideally understanding should be checked, not assumed.

How is awareness to be established?

Consider procurement requirements for security; develop a design and construction team pre-qualification questionnaire including BIM experience and competence and any security assurance.

Is certification to/compliance with certain standards required?

PAS 1192-5 states that the UK Government recommends that all its suppliers should, as a minimum, meet the Cyber Essentials Scheme. There are two levels of badges that an organisation can apply for - Cyber Essentials and Cyber Essentials PLUS. Cyber Essentials requires that the organisation completes a self-assessment questionnaire and that responses are independently reviewed by an external certifying body. Cyber Essentials PLUS, in addition, requires that tests of systems are carried out by an external certifying body. To get started, a simple on-line questionnaire can be completed.

Think about project publicity

Public References

Projects and project Employers/Clients are often publicly referenced by design and construction team members as a means of promotion and conveying capability. Should there be any restriction on reference to the project in CVs and case studies? Think about the extent to which the project/the site/the Employer/Client can be referenced in CVs and case studies - are there any concerns about certain information being made public?

Should there be any restriction on reference to the project on social media?

Consider the extent to which casual reference to the project/the Employer/Client via social media is acceptable.

Include baseline requirements in the EIR

Include the requirements in the Employer Information Requirements document

Add the security requirements to the EIR and reference any external standards where required.

Implement the Requirements

Implement the security requirements defined in the EIR

  • Monitor compliance with standards
  • Receive evidence of standards certification (if required)
  • Establish and monitor relevant BEP content
  • Monitor CDE compliance and management
  • Implement baseline PLQs at information exchange points
  • Monitor file management and transmission