Information Security is not a dirty word!
Let's start with the word "Trust", one of the single most important words in business, industry, construction and information management. Without being able to trust information, I don't value it, and if I don't value it, I won't expend any time, money or effort in procuring it, managing it, using it and disposing of it correctly.
Just one instance of something untrustworthy in your common data environment or CAFM system can then taint every other piece of data in it, making all your expense and effort pointless.
Trust is built by creating information that is needed, of quality and can be easily found, but there is a little more to it than that. Security.
If your information isn't secure, it can be manipulated by malicious actors, out for criminal profit, commercial damage or, in a worst-case scenario, attacking the lives and livelihoods of millions of people!
An IT department can assign a security level to a piece of information in a good "zero trust" environment easily enough, but how can we easily understand how secure each set of information needs to be and how to classify it? I have yet to see a project that does this in a well thought out and consistent manner. Most just blanket-protect information, to the point where it is almost unusable, or the people who actually need access so they can make a crucial decision have to wait weeks or months for someone to enable it.
Using a system of systems approach as the foundation of your design, construction and operations, allows a very smart way of securing both the physical and digital assets. (and the live links between them!)
At the beginning of a project, when you have identified the high-level systems that will achieve the desired outcomes, the security assessment can begin. Mapping out the systems and understanding their interdependencies, impacts and relationships, coupled with a standard CARVER (Criticality, Accessibility, Recoverability, Vulnerability, Effort and Recognisability) assessment, will allow a set of values to be calculated for each system and then each sub-system, giving a likelihood and importance rating.
This rating, as well as helping to prioritise risks and identify areas of focus for risk mitigation efforts, will be set against a standard security classification table for this type of asset. Each person, on a case-by-case basis, should be cleared to a specific security classification, giving the basis of what you can trust this person to see and manipulate.
As the project progresses and the finer details of the components and connections of each system are defined, these will further refine the classification process.
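As an added illustration of the two steps above (this is example code written for this page, not anything from the article or its author), the following Python scores a small system-of-systems model with CARVER, propagates criticality along the mapped interdependencies, rolls the sub-system ratings up to a system rating, maps the totals onto a classification table and checks a person's clearance against a classification. The 1-10 scale, the split of the six factors into "importance" and "likelihood", the threshold table, the rule that a system takes its highest-rated sub-system's classification, and the sample systems are all assumptions made for the example.

```python
# Added example, not from the article: a CARVER scoring pass over a
# system-of-systems model, giving each sub-system and system a rating and
# mapping it to an assumed classification table and clearance check.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CARVER_FACTORS = ("criticality", "accessibility", "recoverability",
                  "vulnerability", "effort", "recognisability")
# Assumption: the usual 1-10 CARVER scale, where a higher score always means
# a more attractive or more exposed target (e.g. high "effort" = little effort needed).
SCALE_MIN, SCALE_MAX = 1, 10

# Assumed classification table (threshold on total rating -> label); the article
# says to use the standard table for the asset type, which it does not give.
CLASSIFICATION_TABLE: Tuple[Tuple[int, str], ...] = (
    (40, "SECRET"), (30, "CONFIDENTIAL"), (20, "RESTRICTED"), (0, "OFFICIAL"),
)
LEVELS = [label for _, label in reversed(CLASSIFICATION_TABLE)]  # ascending order


@dataclass
class SubSystem:
    system: str                 # parent high-level system
    name: str
    scores: Dict[str, int]      # one score per CARVER factor
    depends_on: List[str] = field(default_factory=list)  # other sub-system names


def validate(sub: SubSystem) -> None:
    """Reject incomplete or out-of-range scorecards before they taint the rating."""
    missing = set(CARVER_FACTORS) - set(sub.scores)
    if missing:
        raise ValueError(f"{sub.name}: missing CARVER factors {sorted(missing)}")
    for factor, value in sub.scores.items():
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{sub.name}: {factor}={value} outside {SCALE_MIN}-{SCALE_MAX}")


def effective_criticality(subs: List[SubSystem]) -> Dict[str, int]:
    """Propagate criticality along dependencies: anything a critical sub-system
    relies on is at least as critical (assumption: dependency raises, never lowers).
    Iterates to a fixed point, so dependency cycles terminate."""
    by_name = {s.name: s for s in subs}
    eff = {s.name: s.scores["criticality"] for s in subs}
    changed = True
    while changed:
        changed = False
        for s in subs:
            for dep in s.depends_on:
                if dep not in by_name:
                    raise KeyError(f"{s.name} depends on unknown sub-system {dep!r}")
                if eff[dep] < eff[s.name]:
                    eff[dep] = eff[s.name]
                    changed = True
    return eff


def classify(total: int) -> str:
    for threshold, label in CLASSIFICATION_TABLE:
        if total >= threshold:
            return label
    return CLASSIFICATION_TABLE[-1][1]


def rate(sub: SubSystem, criticality: int) -> Dict[str, object]:
    """Assumed split of the six factors: importance = how bad and how lasting
    (criticality + recoverability); likelihood = how easy it is to attack
    (accessibility + vulnerability + effort + recognisability)."""
    importance = criticality + sub.scores["recoverability"]
    likelihood = sum(sub.scores[f] for f in
                     ("accessibility", "vulnerability", "effort", "recognisability"))
    total = importance + likelihood
    return {"importance": importance, "likelihood": likelihood,
            "total": total, "classification": classify(total)}


def can_access(clearance: str, classification: str) -> bool:
    """A person cleared to a level may see information classified at or below it."""
    return LEVELS.index(clearance) >= LEVELS.index(classification)


def assess(subs: List[SubSystem]):
    """Return (per-sub-system ratings, per-system classification); a system takes
    the classification of its highest-rated sub-system (assumption)."""
    for s in subs:
        validate(s)
    eff = effective_criticality(subs)
    sub_ratings = {s.name: rate(s, eff[s.name]) for s in subs}
    system_max: Dict[str, int] = {}
    for s in subs:
        system_max[s.system] = max(system_max.get(s.system, 0), sub_ratings[s.name]["total"])
    return sub_ratings, {sys: classify(t) for sys, t in system_max.items()}


# Constructed sample model (not real project data).
SAMPLE = [
    SubSystem("Building management", "BMS controller",
              dict(criticality=8, accessibility=6, recoverability=7,
                   vulnerability=5, effort=6, recognisability=4)),
    SubSystem("Fire and life safety", "fire alarm panel",
              dict(criticality=10, accessibility=3, recoverability=8,
                   vulnerability=4, effort=3, recognisability=7),
              depends_on=["site network"]),
    SubSystem("IT infrastructure", "site network",
              dict(criticality=5, accessibility=7, recoverability=4,
                   vulnerability=6, effort=7, recognisability=8)),
    SubSystem("Common data environment", "document portal",
              dict(criticality=3, accessibility=7, recoverability=2,
                   vulnerability=4, effort=5, recognisability=8),
              depends_on=["site network"]),
]

if __name__ == "__main__":
    subs, systems = assess(SAMPLE)
    for name, r in subs.items():
        print(f"{name:18} importance={r['importance']:2} likelihood={r['likelihood']:2} "
              f"total={r['total']:2} -> {r['classification']}")
    print(systems)
```

The point worth noticing in the sample is the site network: on its own scorecard it rates CONFIDENTIAL, but because the fire alarm panel depends on it, the propagated criticality lifts it to SECRET. That is the "interdependencies, impacts and relationships" step made concrete: the classification of a shared service is driven by the most critical thing that relies on it, not by how boring the service looks in isolation.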
It's great having a Common Data Environment that you know is secure and can look back on to find out who did what and when, but if I am to trust what I see and base my key decisions on it, I need to know that the right person, with the right clearance, has done their job, at the right time, with the right information.
Without trust, there is no value, without value we might as well not bother!
Flood and Coastal Risk Manager at The Environment Agency
Applying ISO 19650 part 5 standards provides an approach for identifying and managing data security risks in the project phase. The client needs to identify the data and have the necessary policies and processes in place to manage security across the whole life. As we free data from traditional systems, where it's easier to manage security risks, it is critical.