Guidance on Security

Security can be defined as the state of relative freedom from threat or harm caused by deliberate, unwanted, hostile or malicious acts. It operates on a number of levels ranging from national security issues to countering crime.

This guidance sets out six key principles to guide engineers and technicians in identifying, assessing, managing and communicating issues about security.

1. Adopt a security-minded approach to your professional and personal life

A security-minded approach requires engineers and technicians to:

  • be aware that their behaviour, use of social media, publications and public presentations affects their own security and the security of others
  • assess potential threats and vulnerabilities end to end, taking account of the potential harm to people, the asset or system, and the sensitivity of the information, which may be societal, environmental or commercial
  • be aware that security risks are interdependent, adopting a holistic risk management view that is appropriate and proportionate, and is an integral part of all engineering activity and decision-making
  • remember that security risk assessment is an aid to professional judgement, not a substitute for it
  • be aware that overly-elaborate processes and procedures can lead to poor compliance and undermine a security culture
  • identify vulnerabilities that may be used in a hostile, malicious or inadvertent manner to create security breaches or failures
  • be responsive to changes in the operating environment, including the impact of changes in use of the asset or system, its wider connectivity and emerging threats and vulnerabilities

2. Apply responsible judgement and take a leadership role

When implementing a security-minded approach, engineers and technicians should demonstrate a commitment to privacy, reliability and ethical conduct by:

  • leading others in improving practice
  • working with other professionals to ensure informed, proportionate, holistic judgements
  • empowering all those involved to identify potential security challenges and opportunities
  • being prepared to challenge assumptions and proposals
  • ensuring that everybody reporting to them has the opportunity to maintain competence in the area of security

3. Comply with legislation and codes, understand their intent and be prepared to seek further improvements

Seeking advice where necessary, engineers and technicians should:

  • be aware of, and comply with, the security-related laws in countries where they operate or where their products or services will be used
  • act in accordance with relevant security-related codes of conduct
  • recognise and understand the intent behind security standards and codes, as well as their limitations
  • seek further improvements where reasonably practicable, thus embedding a culture of continuous security development
  • be open-minded and avoid using regulations to facilitate complacency

4. Ensure good security-minded communications

Good security depends on communicating effectively and appropriately with customers, clients, suppliers, sub-contractors and non-engineering colleagues. Engineers and technicians should:

  • adopt appropriate measures to protect sensitive information when it is communicated, used and stored, both within and beyond their organisation
  • be able to express clearly the risks and benefits
  • where appropriate, encourage an ‘open reporting’ approach to security risks, incidents and near-misses, coupled with a spirit of questioning and learning
  • take a measured approach to publishing information at conferences, workshops and seminars, or in professional or trade publications, to avoid helping those intent on hostile reconnaissance
  • be aware of the impact of data aggregation, both through accumulation and association, including the use of disparate sources
  • recognise the persistent nature and accessibility of information published on the internet or otherwise made publicly available
  • recognise that indiscriminate publication of project, technical or personal information can aid reconnaissance and enable security breaches through social media
  • be aware of the use of social engineering* to manipulate individuals into giving up confidential information
  • ensure responsible use of social media for both personal and professional purposes

*Social engineering:
www.cpni.gov.uk/advice/Personnel-security1/Social-engineering-Understanding-the-threat

5. Understand, comply with and seek to improve lasting systems for security governance

Effective security requires good governance, with clear reporting lines and accountability at board or executive level. Engineers and technicians should:

  • ensure that they, and those who work with them, understand the relevant security management policies, processes and procedures
  • seek regular briefings on the security threats facing their organisation and understand how threat agents might exploit vulnerabilities in their customers/users and their own assets, systems or business processes
  • ensure that security-related roles and responsibilities are clearly assigned and understood, irrespective of whether functions or services are outsourced
  • ensure that there are appropriate mechanisms for reporting and feedback on security incidents and issues
  • contribute to the development and review of relevant security management frameworks, particularly about aspects which may not be well understood
  • scrutinise the security culture and responses to management systems, with audits encompassing processes and technical and paper systems

6. Contribute to public and professional awareness of security

Engineers and technicians have an important role in raising awareness and understanding about security risk and benefit. They should:

  • be prepared to engage in debate on security risks and benefits, especially in relation to new technologies and innovative developments
  • be security-minded during public discussion
  • recognise the social, political and economic implications of security risks and acknowledge these through appropriate channels
  • be honest and clear about uncertainties, and prepared to challenge misrepresentations and misconceptions
  • contribute to public and professional awareness of security by sharing and promoting knowledge of effective solutions

The Guidance was launched at the House of Commons, hosted by the Rt Hon John Hayes MP, Minister for Security on Thursday 19 May and was attended by over 100 people including employers, academics and professional engineering institutions. Speakers at the event included Terry Morgan CBE CEng FREng, Chairman of Crossrail, and the Head of the Centre for the Protection of National Infrastructure (CPNI). To read more about the launch, please read the press release.

Download the Guidance on Security leaflet

Guidance on Security has been designed to be read alongside security-related information from your institution, such as codes, policy statements and technical guidance.