Implementing Project Security Practices
This guide was developed to assist with the implementation of findings of a joint Construction Industry Institute (CII) and National Institute of Standards and Technology (NIST) study completed in 2003 to determine best practices for project security of industrial projects. The study, a collaborative effort among industry, academia, and government, identified practices for implementation during the planning and execution phases of projects to make facilities more secure throughout their life cycles. The development of the practices is documented in a CII technical report, BMM 2004-10 (available through CII) and a Grant Contractor Report, NIST GCR 04-865, distributed by NIST. The technical report, while focused on practice development, also offers a methodology for assessing the level of implementation of the practices and thus a means for quantitatively assessing impacts on project outcomes. This guide is intended to assist in moving the practices from the realm of research to the field for implementation. While it does not provide specific guidance for the implementation of security procedures at the project level, it offers a framework for integrating security into the project delivery process in the context of likely threats facing the facility and consequences of security breaches.
Chapters 2 and 3 present the practices identified and offer a methodology for their use. Chapter 4 explains the scoring of the level of practice implementation and offers options for automating this process. Quantitative assessment of practice use enables meaningful comparisons across projects and perhaps ultimately, the establishment of norms for various types of facilities given their individual security settings. Organizations are encouraged to explore the tools presented in this chapter and to contribute to the establishment of norms for security implementation. For those who plan to utilize the security practices without assessing their level of implementation, reading chapters 1–3 and 5 is sufficient.
- Physical Security – includes equipment, building and grounds design, and security practices designed to prevent physical attacks on facilities, persons, property, or information.
- Personnel Security – includes practices and procedures for hiring, terminating, and addressing workplace issues, and screening or background checks of employees.
- Information Security – refers to practices and procedures for protection of documents, data, networks, computer facilities, and telephonic or other verbal communication.
- Review phase checklist before phase start
- Develop activity risk matrix
- Identify security practices relevant to project phase
- Implement practices as appropriate
- Complete questionnaire and calculate phase SRI score
- Conduct periodic review
- Update phase SRI score
- Conduct post-phase implementation review
- Closeout phase SRI
- Identifying “threat levels” for the project based on five threat levels as defined by this research; very low, low, medium, high or very high as defined by this research.
- Assess the “consequence levels” of damages that may be expected if a security breach on an asset was successful based on five levels defined by this research; very low, low, medium, high, and very high.
- Create an “activity risk matrix” and measures to address the risk by each phase of the project.
IR-BMM-3, Implementing Project Security Practices
The Security Rating Index (SRI) is an electronic tool that organizes the security practices into a questionnaire for quantitative assessment.
