A specification for security-minded building information modelling, digital built environments and smart asset management



Similar documents
Introduction. Clarification of terminology

FAQs about PAS , A Specification for securityminded building information modelling, digital built environments and smart asset management

HMG Security Policy Framework

OPEN DATA: ADOPTING A SECURITY-MINDED APPROACH

CLOUD-BASED BIM AND SMART ASSET MANAGEMENT: ADOPTING A SECURITY-MINDED APPROACH

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

HMG Security Policy Framework

THE STRATEGIC POLICING REQUIREMENT. July 2012

Crime Statistics Data Security Standards. Office of the Commissioner for Privacy and Data Protection

CYBER LIABILITY RISKS SEMINAR Programme overview. THURSDAY 1 OCTOBER am 1.00pm Green Park Conference Centre, Reading

London 2012 Olympic Safety and Security Strategic Risk. Mitigation Process summary Version 2 (January 2011) Updated to reflect recent developments

The guidance will be developed over time in the light of practical experience.

ORDER OF THE DIRECTOR OF THE COMMUNICATIONS REGULATORY AUTHORITY OF THE REPUBLIC OF LITHUANIA

Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis


Practical Overview on responsibilities of Data Protection Officers. Security measures

Policy Wording. Directors and Officers Liability and Company Reimbursement. Issued to Eligible Emergency Resource Providers by VMIA

Information security controls. Briefing for clients on Experian information security controls

National Approach to Information Assurance

Managing risk, insurance and terrorism

Information Security Management System Policy

ESKISP Conduct security testing, under supervision

Cyber Security. Protecting the UK water industry

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

INFORMATION SECURITY MANAGEMENT POLICY

Information Security Management System Information Security Policy

Protective Security Governance Policy. Outlines ANAO protective security arrangements

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Business Plan 2012/13

ACT. Of On Cyber Security and Change of Related Acts (Act on Cyber Security)

Business Continuity Management Systems. Protecting for tomorrow by building resilience today

Cyber Security Issues - Brief Business Report

Good Practice Guide Security Incident Management

GUIDELINES ON CORPORATE GOVERNANCE FOR LABUAN BANKS

A GOOD PRACTICE GUIDE FOR EMPLOYERS

Overview TECHIS Manage information security business resilience activities

Cyber Security. CYBER SECURITY presents a major challenge for businesses of all shapes and sizes. Leaders ignore it at their peril.

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen

How To Understand And Implement Pas 55

FINAL NOTICE Nationwide has confirmed that it will not be referring the matter to the Financial Services and Markets Tribunal.

Cyber security organisational standards: call for evidence

Asset Management Policy March 2014

Intelligent. Buildings: Understanding and managing the security risks

Enterprise Security Architecture for Cyber Security. M.M.Veeraragaloo 5 th September 2013

Information Governance and Assurance Framework Version 1.0

Harrow Business Consultative Panel. Business Continuity Management. Responsible Officer: Myfanwy Barrett Director of Finance and Business Strategy

Section A: Introduction, Definitions and Principles of Infrastructure Resilience

The Asset Management Landscape

Protecting betting integrity

MarketsandMarkets. Publisher Sample

CESG Certification of Cyber Security Training Courses

National Cyber Security Policy -2013

Secure by design: taking a strategic approach to cybersecurity

National Corporate Practice. Cyber risks explained what they are, what they could cost and how to protect against them

Security Awareness and Training

United Kingdom Nirex Limited CONTEXT NOTE. 4.5: Security. September 2005 Number:

FOREIGN AFFAIRS AND TRADE Australia - Cyber: Reports of Chinese cyber attacks

SETTING THE STANDARD FOR SUPPLY CHAIN SECURITY

COMMISSION REGULATION (EU) No /.. of XXX

ISO27001 Controls and Objectives

Small businesses: What you need to know about cyber security

How To Assess A Critical Service Provider

Cyber Risks in the Boardroom

Overview TECHIS Carry out risk assessment and management activities

Science/Safeguards and Security. Funding Profile by Subprogram

Will we be in trouble? How information laws are enforced

TRUST SECURITY MANAGEMENT POLICY

Cloud Computing Security Considerations

LAW ON MILITARY SECURITY AGENCY AND MILITARY INTELLIGENCE AGENCY I GENERAL PROVISIONS. Article 1

White Paper on Financial Institution Vendor Management

Privacy Policy. January 2014

IT SECURITY POLICY (ISMS 01)

ESKITP6026 IT Security Management Level 6 Role

HIPAA Security Alert

Action Plan for Canada s Cyber Security Strategy

Introduction to PAS 127:2014 Checkpoint security screening of people and their belongings Guide

Information Security in Business: Issues and Solutions

Act on Background Checks

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Investigations Support

Protective security governance guidelines

National Security & Homeland Security Councils Review of National Cyber Security Policy. Submission of the Business Software Alliance March 19, 2009

ACT Auditor-General s Office. Performance Audit Report. Whole-of-Government Information and Communication Technology Security Management and Services

erisks Policyholder s Guide to Privacy & Security Breach Response Planning

Utica College. Information Security Plan

Mitigating and managing cyber risk: ten issues to consider

Protecting Malaysia in the Connected world

How To Ensure That Sovini Is A Successful Business

Information System Audit Guide

PCL2\ \1 CYBER RISKS: RISK MANAGEMENT STRATEGIES

Safety by trust: British model of cyber security. David Wallace, First Secretary, Head of of the Policy Delivery Group British Embassy in Warsaw

The Cancer Running Through IT Cybercrime and Information Security

FSPCOMP3 Assess and mitigate the compliance risks relevant to your organisation

Guidelines on SPECIAL BRANCH WORK in the United Kingdom

Committees Date: Subject: Public Report of: For Information Summary

Seoul Communiqué 2012 Seoul Nuclear Security Summit

Final Draft/Pre-Decisional/Do Not Cite. Forging a Common Understanding for Critical Infrastructure. Shared Narrative

Digital Continuity Plan

Transcription:

Introduction to PAS 1192-5:2015 A specification for security-minded building information modelling, digital built environments and smart asset management

Introduction PAS 1192-5:2015 is a specification for security-minded building information modelling (BIM), digital built environments and smart asset management. It details the approach to applying appropriate and proportionate measures to manage the security risks that affect a built asset, in whole or in part, asset data and information. The adoption of BIM and the increasing use of digital technologies in the management of assets, whether buildings or infrastructure, will have a transformative effect on those involved in their design, building and management. It will do this by promoting: more transparent, open ways of working; cross-sector collaborative working and the sharing of information; and better asset lifecycle management by capture of data about its realtime use and condition. PAS 1192-5 specifies the processes which will assist organisations in identifying and implementing appropriate and proportionate measures to reduce the risk of loss or disclosure of information which could impact on the safety and security of: personnel and other occupants or users of the built asset and its services; the built asset itself; asset information; and/or the benefits the built asset exists to deliver. Such processes can also be applied to protect against the loss, theft or disclosure of valuable commercial information and intellectual property. Embedding good security can give competitive advantage to commercial enterprises by protecting their key assets and building trust with their stakeholders and customers in the services and products they provide. For those involved in the design and delivery of new or modified assets, it can also enhance global positioning in the international construction market, particularly for high profile and sensitive projects. PAS 1192-5:2015 was commissioned by the Centre for the Protection of National Infrastructure (CPNI), who provided the technical authors for its development. The British Standards Institution (BSI) facilitated its production with input from a panel of industry experts. Purpose of this booklet This booklet provides a high level overview of the key components of PAS 1192-5. The full version of the PAS is available to download at http://shop.bsigroup.com/pas1192-5 Who is it for? PAS 1192-5 is applicable to any built asset or portfolio of assets which is deemed sensitive. It is for use by asset owners or, within a project, the employer. It will also be of interest and relevance to other organizations and individuals involved in the design, construction, maintenance and management of built assets, especially those who wish to protect their commercial information and/or intellectual property.

Summary of the PAS 1192-5 process Decision to create a new built asset, or identify need to undertake a review of an existing one The need to undertake a review of an existing built asset would be triggered by: a change of contract; collection of asset information; a significant change to the built asset; implementation of a new asset management system; integration of building management and/or control systems; major changes to policies, processes and procedures; or changes in the threat environment. Assessment of the extent of security-minded approach required Assessment of security risk to the built asset, in whole or in part Decision on appropriate and proportionate mitigation measures commensurate with risk appetite Formal record of the organisation s security strategy and management plan for the built asset Implementation of appropriate and proportionate policies, processes and procedures These will take a holistic approach to security covering the aspects of: people; process; They will also cover: physical; and technology provision of information to third parties; details of accountability and responsibility; process for review and update; storage and protection of information; a security breach/incident management plan; and an outline of contractual measures. Regular review, and review in response to incidents, breaches and significant internal or external changes

What is a sensitive built asset? A sensitive built asset is defined as one which, as a whole or in part, may be of interest to a threat agent for hostile, malicious, fraudulent and criminal behaviours or activities. What makes a built asset sensitive? A built asset, in whole or in part, is sensitive if it: a) is a designated site under sections 128 or 129 of the Serious Organised Crime and Police Act 2005; b) forms part of the critical national infrastructure (only the asset, the lead government department and CPNI will be aware of its status); c) fulfils a defence, law enforcement, national security or diplomatic function; d) is a commercial site involving the creation, trading or storage of significant volumes of valuable materials, currency, pharmaceuticals, chemicals, petrochemicals, or gases; e) constitutes a landmark, nationally significant site or crowded place (as determined by The National Counter Terrorism Security Office [NaCTSO]); f) is used or is planned to be used to host events of security significance; and/or g) has been judged could be used to significantly compromise the integrity of the built asset as a whole, or its ability to function. The specific assets or asset attributes which shall be considered include, as a minimum: i) location, routes, cabling, configuration, identification and use of control systems; ii) location and identification of permanent plant and machinery; iii) structural design details; iv) location and identification of security or other control rooms; v) location and identification of regulated spaces or areas housing regulated substances (e.g. nuclear isotopes and bio-hazards) or information; and vi) technical specification of security products and features. Even if a built asset does not fall into the categories which would make it sensitive, there may be business benefits from applying a security-minded approach to its management. The need for a security-minded approach, and the breadth of the protection measures required, is determined by the Security Triage Process, shown in Figure 5 of PAS 1192-5.

Assessment of risk Where a security-minded approach is adopted, a key component of the process set out in PAS 1192-5 relates to the management of risk. The employer or asset owner needs to assess potential vulnerabilites and threats, in combination with an assessment of the nature of harm which could be caused. The assessment needs to identify the high level security risks associated with: people; process; physical; and technology. It should also identify and record risks associated with intellectual property, commercial data, and information collected or held about neighbouring built assets. Included in PAS 1192-5 The concept of security Security issues The holistic approach to security Understanding the overall security threat to a built asset Sources of security advice Risk mitigation For each identified risk it will be necessary to assess possible mitigation measures. The process should consider and record: The cost of the measure and its implementation; The achievable risk reduction; The potential cost saving; The measure s impact on asset usability, efficiency and appearance; The potential for the measure to create further vulnerabilities; Delivery of business benefits. Residual risks It is important for any residual risks to be re-assessed and put through the risk mitigation process until they fit within the organization s risk appetite. Built Asset Security Strategy The Built Asset Security Strategy will comprise a record of : The extent of the security-minded approach required; The built asset security risk management strategy; A list of those to be informed of residual risks; The mechanisms for reviewing and updating the strategy.

Security policies, processes and procedures The specific security risks identified in the Built Asset Security Strategy should be addressed through the policies, processes and procedures contained in the Built Asset Security Management Plan. This plan should take a holistic approach, encompassing people and process, as well as physical and technological security. The measures should be appropriate and proportionate to both the sensitivity of the built asset and the related security risks. Coverage of the polices, processes and procedures People: Physical: identification of high risk positions; security screening and vetting; security competency requirements; security awareness and training; induction of personnel and organizations; access to asset models and information; demobilisation of personnel. physical security measures at locations used to design, deliver, operate and support the built asset; physical security measures required at the location of the built asset; protective measures for equipment storing asset models and information; protective measures for computing and electronic devices. Process: Technology: granting individuals access to data and information; handling asset information relating to neighbouring assets; handling sensitive and/or classified information and documents; disclosure of information to third parties; control over change of asset information. cyber security of systems; security of interconnections between different systems; configuration and management of systems processing and storing asset information; level of software trustworthiness; demobilisation of organizations; secure deletion, destruction and/or removal of access to asset information.

Embedding security The security-minded approach must be integrated with other strategic policies, plans, and requirements for the delivery, maintenance and operation of built assets. NOTE Developed by CPNI, Alexandra Luck and Hugh Boyes as part of PAS 1192-5 development process

PAS 1192-5 provides a comprehensive framework to help organisations adopt a security-minded approach to the use of information and data in the built environment. Acknowledgement PAS 1192-5 was commissioned by the Centre for the Protection of National Infrastructure (CPNI). Acknowledgement for its development is given to the external technical authors (Alexandra Luck and Hugh Boyes). Production was facilitated by the British Standards Institution (BSI). In addition we would like to thank the following contributing organisations: Acknowledgement is also given to the members of a wider review panel who were consulted in the development of the PAS. How to order a copy Copies of PAS 1192-5 may be downloaded from: http://shop.bsigroup.com/pas1192-5 Atomic Weapons Establishment BIM Technologies Alliance CESG Construction Industry Council Co-opted members Centre for the Protection of National Infrastructure Crossrail Ltd EC Harris LLP FCO Services - part of the Foreign & Commonwealth Office Houses of Parliament (Parliamentary Estates Directorate) HS2 The Institute of Asset Management Laing O Rourke Metropolitan Police Service Ministry of Justice Mott MacDonald Network Rail NG Bailey Ove Arup and Partners Ltd University College London

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information