Project Security

Physical, personnel and information security.  (IR BMM-3, Page 2)
•    Physical Security – includes equipment, building and grounds design, and security practices designed to prevent physical attacks on facilities, persons, property, or information.
•    Personnel Security – includes practices and procedures for hiring, terminating, and addressing workplace issues, and screening or background checks of employees.
•    Information Security – refers to practices and procedures for protection of documents, data, networks, computer facilities, and telephonic or other verbal communication.
 

Similar to the CII Cost-Influence Curve relationship, the Security-Influence Curve indicates that the ability to influence security in the early planning phases of a project is greater than during the execution phases.  As the cumulative project cost increases in the later phases of a project, influencing security becomes less cost effective.  (IR BMM-3, page 2)  

Each of the 33 practices identified should lead to improved security by raising awareness of the need for security integration at critical stages of project planning and execution.  In addition, each practice is aligned with the project phase, from front-end planning through project startup, in which they apply and the security elements which they address.  (IR BMM-3, page 5)

Implementing project life-cycle security is an integrated, iterative process that requires the involvement of the project team, security management personnel and risk management personnel.  The 9-step process incudes steps to identify threats, consequences, and the risks to a project so the project team can develop strategies and actions to implement project life-cycle security. (IR BMM-3, page 9) 
1.    Review phase checklist before phase start
2.    Develop activity risk matrix 
3.    Identify security practices relevant to project phase
4.    Implement practices as appropriate
5.    Complete questionnaire and calculate phase SRI score
6.    Conduct periodic review
7.    Update phase SRI score
8.    Conduct post-phase implementation review
9.    Closeout phase SRI
Examples of key security considerations that are identified within the implementation process include the following three as part of Step 2:
•    Identifying ‘threat levels’ for the project based on five (5) threat levels as defined by this research; very low, low, medium, high or very high as defined by this research.
•    Assess the ‘consequence levels’ of damages that may be expected if a security breach on an asset was successful based on five (5) levels defined by this research; very low, low, medium, high, and very high.
•    Create an ‘activity risk matrix’ and measures to address the risk by each phase of the project.
 

An outline of site security guidelines to consider are provided as part of the research.  Overall security considerations are driven by the owner, in particular for any renovation or addition projects for existing operating facilities.  Typically security considerations for ‘greenfield’ projects are more contractor-driven.  (IR BMM-3, Appendix D, page 35)

IR BMM-3, Implementing Project Security Practices

Security Rating Index (SRI)  is an electronic tool that organizes the security practices into a questionnaire for quantitative assessment.