Introduction

In 2015 the first edition of PAS 1192-5 (Specification for security-minded building information modelling, digital built environments and smart asset management) was published. It identifies the need to take appropriate and proportionate measures to protect asset information, providing useful guidance for asset owners and stakeholders. Importantly PAS 1192-5 sets out a triage process to identify the need for a security-minded approach with recommendations where the outcome of this triage process is that the built asset and/or a neighbouring built asset has a degree of sensitivity. But what should we (clients and design and construction team members) do, when the triage process results in ‘no identified need for more than baseline security measures.’ Do we know what this means – does ‘baseline’ mean do nothing more than we would usually do?

The guidance and information you will find here provides useful tips and things to think about in adopting baseline security measures and it provides direction and context to published standards and recognised initiatives. It is relevant for any organisation engaged in initiating, leading and/or delivering design and construction projects.

Who needs to do what and when?

There are three primary roles to think about in terms of baseline security for design and construction projects:

  1. The Employer/Client
  2. The Information Manager
  3. The Design and Construction team members
Who? Does what? When?
Employer/Client Undertakes the security triage process As soon as possible in RIBA stage 0 or 1
Authors (or a party on their behalf authors) the Employer’s Information Requirements (EIRs)
Information manager Implements the EIRs Throughout the project, once the EIRs is available
The design and construction team members Work in accordance with the EIRs Throughout the project, once the EIRs is available
Articulate how they are working in accordance with the EIRs in the project’s BIM Execution Plan (BEP)

Everybody is responsible for making sure that the ethos of the baseline security requirements are adopted.

Are you a project team member?

 Before appointment

 Anyone planning to engage with a BIM project will need to understand the security concerns and requirements of the Employer/Client and demonstrate their ability to meet them.

While baseline needs will differ by project and Employer/Client, organisations can plan for consistent issues:

  • Understand the types of security risk in a project or organisation
  • Familiarise yourself with IT resilience standards – 10 Steps and Cyber Essentials
  • Consider the approach to file naming and document control
  • Recognise that data and information, including your own, should be protected and prepare to work in this way

When planning to host a CDE:

  • Seek security assurances
  • Plan a clear, navigable folder structure to aid consistency and allow controls to be applied
  • Consider access controls and permissions, their application and monitoring

Post appointment

Be clear in any BEP response that security requirements are understood and demonstrate how you meet them.

Always be aware of security requirements and abide by them – this includes making sure new team members are appropriately briefed. Consider your use or email and social media and any non-disclosure requirements.

If hosting the CDE or document management system:

  • Apply access controls and permissions and monitor their use.
  • Use file naming and information structure to manage data and protect file contents
  • Plan for the transfer of project information in a secure manner.

Ultimately it’s about being confident in the resilience of your organisation and systems, applying the security requirements to manage risk and achieving a successful project outcome.

Baseline security process map

The following process map sets out a basic approach to determining and implementing baseline security requirements. Selecting steps in the map will reveal simple guidance and will provide links to relevant standards and templates.


Project Initiation


Drafting Employer’s Information requirements (EIRs)


Think about the Common Data Environment (CDE)


Think about the practical file management


Think about compliance with baseline requirements


Think about design and construction team awareness


Think about project publicity


Include baseline requirements in the EIRs


Implement the requirements

The following people contributed to the development this guidance:

Arup: Mohammed Mamun
Dstl: Shona Jenkinson
IET:Rick Hartwig
Gleeds:Sarah Davidson
Met Police: Javed Edahtally
Turner & Townsend: Nathan Jones

The UK BIM Alliance also thanks Alexandra Luck, technical author of PAS 1192-5:2015 for her guidance and overall contribution.

Useful resources

BS 1192:2007+A2:2016
BS 1192-4:2014
PAS 1192-2:2013
PAS 1192-3:2014
PAS 1192-5:2015

Guidance and websites

10 Steps to Cyber Security
BSI: ISO/IEC 27001 – Information Security Management
CPNI Digital Built Assets and Environments
Cyber Essentials Scheme
Defence Cyber Protection Partnership
Implementing the Cloud Security Principles

Share this post

Similar Posts

Project Data Requirements

Project Data Requirements

Byshanekweb

Currently, most asset information requirements (AIRs) do not have sufficient detail on what data is requested by the client and Asset Manager. A key driver for the project is that without clear data requirements and the delivery of validated as built data, the biggest opportunity for BIM i.e. improved operational performance cannot be realised. Simply…

Winfield Rock Report

Winfield Rock Report

Byshanekweb

The aim of this report is not to set out or repeat discussions on the appropriate BIM contractual framework or provide a detailed analysis of this standard form contracts, which have already been canvassed comprehensively elsewhere.  Rather, the aim of this report is to consider the present understand of BIM legal and contractual issues among…

Information management according to BS EN ISO 19650

Byshanekweb

The UK BIM Alliance with BSI and CDBB  is developing guidance to support individuals and organisations in the UK to understand the fundamental principles of building information modelling according to ISO 19650 Parts 1 and 2. The ISO 19650 series is being developed over time and these first two parts supersede BS 1192:2007 and PAS…

Upskilling Briefing Paper

Upskilling Briefing Paper

Byshanekweb

Since 2016 with the inception of the UK BIM Alliance, the upskilling stream has been working on what upskilling means in terms of competence and what competence means in terms of the digital transformation journey. More recently two major failings were highlighted in the Dame Judith Hackett report ‘Building a Safer Future’ within the construction…