Security can be defined as the state of relative freedom from threat or harm caused by deliberate, unwanted, hostile or malicious acts. It operates on a number of levels ranging from national security issues to countering crime.
This guidance sets out six key principles to guide engineers and technicians in identifying, assessing, managing and communicating issues about security.
'Guidance on Security' was launched at the House of Commons, hosted by the Rt Hon John Hayes MP, Minister for Security on Thursday 19 May 2016 and was attended by over 100 people including employers, academics and professional engineering institutions. Speakers at the event included Terry Morgan CBE CEng FREng, Chairman of Crossrail, and the Head of the Centre for the Protection of National Infrastructure (CPNI).
The guidance document and a handy wallet card listing the six principles of security can be downloaded from the links below. This guidance should be read alongside related information from your institution, such as codes, policy statements and technical guidance.
Launched in April 2021, the UK Cyber Security Council is the self-regulatory body for the UK's cyber security profession. It develops, promotes and stewards nationally recognised standards for cyber security in support of the UK Government’s National Cyber Security Strategy to make the UK the safest place to live and work online. A range of information for individuals and organisations is available on its website.
The UK’s National Cyber Security Centre is a single point of contact for small and medium sized enterprises (SMEs), larger organisations, government agencies, government departments and the general public. It works collaboratively with law enforcement, defence, the UK’s intelligence and security agencies and international partners.
Many of the professional engineering institutions (PEIs) and Professional Affiliates provide material on security, data and privacy, which is a very useful starting point for engineers and technicians.
1. Adopt a security-minded approach to your professional and personal life
A security-minded approach requires engineers and technicians to:
- be aware that their behaviour, use of social media, publications and public presentations affects their own security and the security of others
- assess potential threats and vulnerabilities end to end, taking account of the potential harm to people, the asset or system, and the sensitivity of the information, which may be societal, environmental or commercial
- be aware that security risks are interdependent, adopting a holistic risk management view that is appropriate and proportionate, and is an integral part of all engineering activity and decision-making
- remember that security risk assessment is an aid to professional judgement, not a substitute for it
- be aware that overly elaborate processes and procedures can lead to poor compliance and undermine a security culture
- identify vulnerabilities that may be used in a hostile, malicious or inadvertent manner to create security breaches or failures
- be responsive to changes in the operating environment, including the impact of changes in use of the asset or system, its wider connectivity and emerging threats and vulnerabilities
2. Apply responsible judgement and take a leadership role
When implementing a security-minded approach, engineers and technicians should demonstrate a commitment to privacy, reliability and ethical conduct by:
- leading others in improving practice
- working with other professionals to ensure informed, proportionate, holistic judgements
- empowering all those involved to identify potential security challenges and opportunities
- being prepared to challenge assumptions and proposals
- ensuring that everybody reporting to them has the opportunity to maintain competence in the area of security
3. Comply with legislation and codes, understand their intent and be prepared to seek further improvements
Seeking advice where necessary, engineers and technicians should:
- be aware of, and comply with, the security-related laws in countries where they operate or where their products or services will be used
- act in accordance with relevant security-related codes of conduct
- recognise and understand the intent behind security standards and codes, as well as their limitations
- seek further improvements where reasonably practicable, thus embedding a culture of continuous security development
- be open-minded and avoid using regulations to facilitate complacency
4. Ensure good security-minded communications
Good security depends on communicating effectively and appropriately with customers, clients, suppliers, sub-contractors and non-engineering colleagues. Engineers and technicians should:
- adopt appropriate measures to protect sensitive information when it is communicated, used and stored, both within and beyond their organisation
- be able to express clearly the risks and benefits
- where appropriate, encourage an ‘open reporting’ approach to security risks, incidents and near-misses, coupled with a spirit of questioning and learning
- take a measured approach to publishing information at conferences, workshops and seminars, or in professional or trade publications, to avoid helping those intent on hostile reconnaissance
- be aware of the impact of data aggregation, both through accumulation and association, including the use of disparate sources
- recognise the persistent nature and accessibility of information published on the internet or otherwise made publicly available
- recognise that indiscriminate publication of project, technical or personal information can aid reconnaissance and enable security breaches through social media
- be aware of the use of social engineering* to manipulate individuals to give up confidential information
- ensure responsible use of social media for both personal and professional purposes
5. Understand, comply with and seek to improve lasting systems for security governance
Effective security requires good governance, with clear reporting lines and accountability at board or executive level. Engineers and technicians should:
- ensure that they, and those who work with them, understand the relevant security management policies, processes and procedures
- seek regular briefings on the security threats facing their organisation and understand how threat agents might exploit vulnerabilities in their customers/users and their own assets, systems or business processes
- ensure that security-related roles and responsibilities are clearly assigned and understood, irrespective of whether functions or services are outsourced
- ensure that there are appropriate mechanisms for reporting and feedback on security incidents and issues
- contribute to the development and review of relevant security management frameworks, particularly about aspects which may not be well understood
- scrutinise the security culture and responses to management systems, with audits encompassing processes and technical and paper systems
6. Contribute to public and professional awareness of security
Engineers and technicians have an important role in raising awareness and understanding about security risk and benefit. They should:
- be prepared to engage in debate on security risks and benefits, especially in relation to new technologies and innovative developments
- be security-minded during public discussion
- recognise the social, political and economic implications of security risks and acknowledge these through appropriate channels
- be honest and clear about uncertainties, and prepared to challenge misrepresentations and misconceptions
- contribute to public and professional awareness of security by sharing and promoting knowledge of effective solutions
Guidance on Security has been designed to be read alongside security related information from your institution, such as codes, policy statements and technical guidance.
A handy wallet card listing the six principles for security, designed to be used alongside security related information from your institution, such as codes, policy statements and technical guidance.
Centre for Protection of National Infrastructure offers advice, guidance and learning opportunities
For information on security engineering see the Register of Security Engineers and Specialists
Cyber Essentials is a government backed scheme to help you protect your organisation
Introduction to BS EN ISO 19650-5:2020, a specification for security-minded information management. This provides a framework for organisations to understand key vulnerabilities and the controls needed to manage their security risks.
Data is at the heart of digital transformation and a part of the Government Transformation Strategy. CPNI has produced a framework for adopting a security-minded approach to the sharing of data, including open data.