Project Security

BMM-Security Topic Summary
BMM Security


This research is a collaborative effort between the Construction Industry Institute (CII) and National Institute of Standards and Technology (NIST) that has identified practices for project security of industrial projects during the planning and execution phases of projects to make facilities more secure throughout their life cycles. The research also offers a methodology for assessing the level of implementation of the practices and thus a means for quantitatively assessing impacts on project outcomes. It provides a framework for integrating security into the project delivery process in the context of likely threats facility and consequences of security breaches.

This research provides an approach for the incorporation of security practices into all phases of industrial project planning and execution, resulting in increased security throughout the project life cycle, including the operational phase of the project. External environment and risks to a project are not static, and the project team must continually review the situation and the project to determine if changes are necessary in order to implement project life-cycle security effectively.

The research findings are intended for both owner and contractor.

  • To maximize return on investment, the owner’s project team must ensure that security is incorporated during the project planning and execution phases. Early security planning avoids the disruption and cost associated with retrofitting security improvements later in the project life cycle
  • For the contractor, increased project security pays large dividends, whereby greater security can result in less theft, rework, fewer accidents, among other benefits which all provide opportunity for increased profitability.

Note, this research includes two benchmarking reports. BMM2006-10 built upon the earlier BMM2004-10 material that developed the original best practices for project security.


Key Findings and Implementation Tools

1 : Critical Aspects of Security

Three aspects of security are critical to the project: physical, personnel, and information security. (IR-BMM-3, p. 2)
  • Physical Security – includes equipment, building and grounds design, and security practices designed to prevent physical attacks on facilities, persons, property, or information.
  • Personnel Security – includes practices and procedures for hiring, terminating, and addressing workplace issues, and screening or background checks of employees.
  • Information Security – refers to practices and procedures for protection of documents, data, networks, computer facilities, and telephonic or other verbal communication.
Reference: (IR-BMM-3)

2 : Security Influence Curve

Similar to the CII Cost-Influence Curve relationship, the Security-Influence Curve indicates that it is more feasible to influence security in the early planning phases of a project than during the execution phases. As the cumulative project cost increases in the later phases of a project, influencing security becomes less cost effective. (IR-BMM-3, p. 2)
Reference: (IR-BMM-3)

3 : Security Practices for Implementation

Each of the 33 practices identified should lead to improved security by raising awareness of the need for security integration at critical stages of project planning and execution. In addition, each practice is aligned with the project phase, from front end planning through project startup, in which they apply and the security elements which they address. (IR BMM-3, p. 5)
Reference: (IR-BMM-3)

4 : Security Practices Implementation Process

Implementing project life-cycle security is an integrated, iterative process that requires the involvement of the project team, security management personnel and risk management personnel. The nine-step process incudes steps to identify threats, consequences, and the risks to a project so the project team can develop strategies and actions to implement project life-cycle security. (IR-BMM-3, p. 9)
  1. Review phase checklist before phase start
  2. Develop activity risk matrix
  3. Identify security practices relevant to project phase
  4. Implement practices as appropriate
  5. Complete questionnaire and calculate phase SRI score
  6. Conduct periodic review
  7. Update phase SRI score
  8. Conduct post-phase implementation review
  9. Closeout phase SRI
Examples of key security considerations that are identified within the implementation process include the following three as part of Step 2:
  • Identifying “threat levels” for the project based on five threat levels as defined by this research; very low, low, medium, high or very high as defined by this research.
  • Assess the “consequence levels” of damages that may be expected if a security breach on an asset was successful based on five levels defined by this research; very low, low, medium, high, and very high.
  • Create an “activity risk matrix” and measures to address the risk by each phase of the project.
Reference: (IR-BMM-3)

5 : Construction Site Security Guidelines

An outline of site security guidelines to consider are provided as part of the research. Overall security considerations are driven by the owner, in particular for any renovation or addition projects for existing operating facilities. Typically, security considerations for “greenfield” projects are more contractor-driven. (IR-BMM-3, Appendix D, p. 35)
Reference: (IR-BMM-3)

6 : Implementation Tool #1

IR-BMM-3, Implementing Project Security Practices

The Security Rating Index (SRI) is an electronic tool that organizes the security practices into a questionnaire for quantitative assessment.

Reference: (IR-BMM-3)

Key Performance Indicators

Improved cost, Improved schedule

Research Publications

Lessons Learned in the Implementation of Best Practices for Project Security - BMM2006-10

Publication Date: 07/2006 Type: Benchmarking Report Pages: 61 Status: Reference

Implementing Project Security Practices - IR-BMM-3

Publication Date: 07/2005 Type: Benchmarking Report Pages: 47 Status: Tool

Best Practices for Project Security - BMM2004-10

Publication Date: 10/2004 Type: Benchmarking Report Pages: 85 Status: Reference