Engineering Council

A security-minded approach requires engineers and technicians to:

• be aware that their behaviour, use of social media, publications and public presentations affects their own security and the security of others
• assess potential threats and vulnerabilities end to end, taking account of the potential harm to people, the asset or system, and the sensitivity of the information, which may be societal, environmental or commercial
• be aware that security risks are interdependent, adopting a holistic risk management view that is appropriate and proportionate, and is an integral part of all engineering activity and decision-making
• remember that security risk assessment is an aid to professional judgement, not a substitute for it
• be aware that overly-elaborate processes and procedures can lead to poor compliance and undermine a security culture
• identify vulnerabilities that may be used in a hostile, malicious or inadvertent manner to create security breaches or failures
• be responsive to changes in the operating environment, including the impact of changes in use of the asset or system, its wider connectivity and emerging threats and vulnerabilities

When implementing a security-minded approach, engineers and technicians should demonstrate a commitment to privacy, reliability and ethical conduct by:

• leading others in improving practice
• working with other professionals to ensure informed, proportionate, holistic judgements
• empowering all those involved to identify potential security challenges and opportunities
• being prepared to challenge assumptions and proposals
• ensuring that everybody reporting to them has the opportunity to maintain competence in the area of security

Seeking advice where necessary, engineers and technicians should:

• be aware of, and comply with, the security-related laws in countries where they operate or where their products or services will be used
• act in accordance with relevant security-related codes of conduct
• recognise and understand the intent behind security standards and codes, as well as their limitations
• seek further improvements where reasonably practicable, thus embedding a culture of continuous security development
• be open-minded and avoid using regulations to facilitate complacency

Good security depends on communicating effectively and appropriately with customers, clients, suppliers, sub-contractors and non-engineering colleagues. Engineers and technicians should:

• adopt appropriate measures to protect sensitive information when it is communicated, used and stored, both within and beyond their organisation
• be able to express clearly the risks and benefits
• where appropriate, encourage an ‘open reporting’ approach to security risks, incidents and near-misses, coupled with a spirit of questioning and learning
• take a measured approach to publishing information at conferences, workshops and seminars, or in professional or trade publications, to avoid helping those intent on hostile reconnaissance
• be aware of the impact of data aggregation, both through accumulation and association, including the use of disparate sources 
• recognise the persistent nature and accessibility of information published on the internet or otherwise made publicly available
• recognise that indiscriminate publication of project, technical or personal information can aid reconnaissance and enable security breaches through social media
• be aware of the use of social engineering* to manipulate individuals to give up confidential information 
• ensure responsible use of social media use for both personal
  and professional purposes

*Social engineering:
www.cpni.gov.uk/advice/Personnel-security1/Social-engineering-Understanding-the-threat

Effective security requires good governance, with clear reporting lines and accountability at board or executive level. Engineers and technicians should:

• ensure that they, and those who work with them, understand the relevant security management policies, processes and procedures
• seek regular briefings on the security threats facing their organisation and understand how threat agents might exploit vulnerabilities in their customers/users and their own assets, systems or business processes
• ensure that security-related roles and responsibilities are clearly assigned and understood, irrespective of whether functions or services are outsourced
• ensure that there are appropriate mechanisms for reporting and feedback on security incidents and issues
• contribute to the development and review of relevant security management frameworks, particularly about aspects which may not be well understood
• scrutinise the security culture and responses to management systems, with audits encompassing processes and technical and paper systems

Engineers and technicians have an important role in raising awareness and understanding about security risk and benefit. They should:

• be prepared to engage in debate on security risks and benefits, especially in relation to new technologies and innovative developments
• be security-minded during public discussion
• recognise the social, political and economic implications of security risks and acknowledge these through appropriate channels
• be honest and clear about uncertainties, and prepared to challenge misrepresentations and misconceptions 
• contribute to public and professional awareness of security by sharing and promoting knowledge of effective solutions