The benefits of collaborative working are transforming the architecture, construction and engineering industries beyond recognition. However, with an increasing reliance on digital systems and assets, comes a need to develop an appropriate and proportionate approach to security across the project lifecycle. Here we look at some of the considerations and the practicalities of adopting such an approach...

Introducing PAS 1192-5

Sharing information securely without inhibiting collaboration is what lies at the heart of PAS 1192-5:2015 externallink, a specification for asset owners developed by the Centre for Protection of National Infrastructure externallink (CPNI) working with the BIM Task Group. The standard dovetails with PAS 1192-2, 1192-3 and 1192-4 and is key to developing a 'security-minded' approach. It can be applied to any built asset (or portfolio of assets) where asset information is created, stored, processed or viewed digitally.

Developing such an approach is obviously a prudent thing to do. The misuse, loss, unintentional disclosure or theft of information could clearly impact on users, the built asset itself and any or all information associated with the asset and, of course, the potential effect of a breach may well be magnified when such data is aggregated or associated.

By employing the processes set out in PAS 1192-5, commercial enterprises can protect key assets and maintain the trust of customers and stakeholders. By reducing the risk of reputational damage, and the diversion of resource that would result from a security breach, they are also better able to maintain the trust of customers and stakeholders. This is particularly important for enterprises competing in the international construction market where good security can deliver real competitive advantage.

Assessing security risks

When considering security you need to embed principles, process and procedure into your business at both a strategic and operational level and on outward into the entire supply chain. You may opt for a 'one size fits all approach' or something more tailored – either way, PAS 1192-5 covers the range of processes required to accommodate the full spectrum of security needs – covering the most and least sensitive assets.

Considering security matters at the start of an asset's life is always going to be easier than retrofitting restrictions to assets that are already being shared or used but whether assets are live, or about to be created and PAS 1192-5 suggests a triage process that assesses the likely sensitivity of particular assets and their dependencies.

Identifying likely risks from the start is at the heart of the decision to adopt a security-minded approach and can be roughly divided into three key stages; risk assessment, risk mitigation and review.

Process and documentation

Once the risk management process has been undertaken, and the need for a security-minded approach for a built asset assessed, the analysis and decisions should be recorded in a Built Asset Security Strategy (BASS) – a document from which all other security management and information requirements should flow.

It is the Built Asset Security Management Plan (BASMP) that will ensure risks will be addressed consistently and holistically, taking into account people, process, physical and technological security. These elements must work in tandem or the overall security regime risks being ignored or circumvented. It should contain a suite of policies setting out the business rules for the management of risk and be supported by processes and procedures that will underpin its successful implementation throughout the supply chain. Both the BASS and BASMP should feed into the development of each project's strategic business case and brief at the definition stage so as to ensure they are given due consideration.

A Built Asset Security Information Requirements (BASIR) document is used to both capture and collate the requirements outlined in the BASMP. The BASIR in turn feeds into Asset Information Requirements (AIR) and Employer's Information Requirements (EIR). Its purpose is to ensure that the secure capture, handling, dissemination, storage, access and use of information in relation to sensitive assets and systems, are delivered and communicated to the supply chain where the security variant of the BIM Protocol is used, thus enabling them to be contractually enforced.

It is the BASIR that also sees the establishment of asset management databases that will ensure security of information throughout the operational life of an asset.

Regular review is an important part of the process. It is essential to monitor and assess changing risks and, where these impact on the built asset in question, ensure that the appropriate actions are cascaded down through the BASS to the BASMP and BASIR.

If a breach (or near-miss) occurs it is necessary to review the handling of the incident to assess the effectiveness of response and determine whether existing measures need to be altered or new measures introduced and then cascaded across the built asset security documentation.

PAS 1192-5 and the NBS BIM Toolkit

When it comes to putting security-minded BIM into practice, users of the NBS BIM Toolkit can now also make use of a pre-defined template designed specifically for security-minded projects. This is available by selecting 'Use template' from the 'Create New Project' screen within the NBS BIM Toolkit.

CPNI has recently published a set of security-related Plain Language Questions (PLQs) externallink - those questions that a client intends to answer at each stage of a construction project - and these have been aligned with the security tasks that can be used in conjunction with the NBS BIM Toolkit.

The template also includes the creation of a built asset security manager as a core role by default and makes it easy to access relevant tasks, PLQs, EIRs and supporting notes.

CPNI are also working on a range of sector-specific guidance which will be published shortly.

About this article

This article was adapted from a longer article written for the NBS BIM Toolkit, by Hugh Boyes and Alexandra Luck, on the practicalities of implementing security-minded BIM. Read the full article on the NBS BIM Toolkit website externallink.