What is a sensitive built asset?

A sensitive built asset is defined as one which, as a whole or in part, may be of interest to a threat agent for hostile, malicious, fraudulent and criminal behaviours or activities.

Even if a built asset does not fall into the categories which would make it sensitive, there may be business benefits from applying a security-minded approach to its management. The need for a security-minded approach, and the breadth of the protection measures required, is determined by the Security Triage Process, shown in Figure 5 of PAS 1192-5.

Assessment of risk

Where a security-minded approach is adopted, a key component of the process set out in PAS 1192-5 relates to the management of risk. The employer or asset owner needs to assess potential vulnerabilities and threats, in combination with an assessment of the nature of harm which could be caused. The assessment needs to identify the high level security risks associated with:

• people;
• process; 
• physical;
• technology.

It should also identify and record risks associated with intellectual property, commercial data, and information collected or held about neighbouring built assets.

Risk mitigation

For each identified risk it will be necessary to assess possible mitigation measures. The process should consider and record:

• The cost of the measure and its implementation;
• The achievable risk reduction:
• The potential cost saving;
• The measure’s impact on asset usability, efficiency and appearance;
• The potential for the measure to create further vulnerabilities;
• Delivery of business benefits.

Residual risks

It is important for any residual risks to be re-assessed and put through the risk mitigation process until they fit within the organization’s risk appetite.

Built Asset Security Strategy

The Built Asset Security Strategy will comprise a record of:

• The extent of the security-minded approach required;
• The built asset security risk management strategy;
• A list of those to be informed of residual risks;
• The mechanisms for reviewing and updating the strategy

Security policies, processes and procedures

The specific security risks identified in the Built Asset Security Strategy should be addressed through the policies, processes and procedures contained in the Built Asset Security Management Plan. This Plan should take a holistic approach, encompassing people and process, as well as physical and technological security. The measures should be appropriate and proportionate to both the sensitivity of the built asset and the related security risks.

Embedding security

The security-minded approach must be integrated with other strategic policies, plans, and requirements for the delivery, maintenance and operation of built assets. The approach is outlined in the diagram below:-
  

Note:- Images re-produced with the kind permission of the British Standard Institute.