When you outsource design, construction, and modeling, you’re putting your company’s sensitive, classified data into another organization’s hands.
So how can you ensure service teams at Virtual Design and Construction (VDC) and Building Information Modeling (BIM) companies keep your information safe? MEP companies are, after all, trusting contractors with risky information about government buildings, hospitals, or other buildings.
The most reassuring answer might be the most straightforward: If the provider didn’t fully protect your information, it wouldn’t be in operation long.
Because your data is the lifeblood of their business, VDC and BIM providers take many steps to safeguard the information they’re entrusted with. They often provide contracts that spell out those safeguards up front. The contract should specify how the VDC and BIM provider will collect, transfer, and store personal data.
Data Center Protection
The contract, for example, stipulates whether information is to be stored on the provider’s cloud server, such as Amazon Web Services. A provider that uses AWS is offering state-of-the-art data protection, as access to AWS data centers is strictly controlled and data centers are constantly monitored to ensure systems are functioning properly. In other words, data centers—and the information they house—can’t be breached by outsiders and are also protected—“hardened,” in industry speak—against natural disasters such as hurricanes, tornadoes, or floods.
Servers can only be accessed via secure, encrypted channels using a VPN (Virtual Private Network) operated by the VDC and BIM provider.
Also important is that the service provider offer continual information backup, whether through on-site storage, backup, or recovery systems. Daily backup of secure databases is necessary. If disaster does strike, you can be assured your information—and updated VDC plans and BIM models—aren’t lost.
Often a service provider will run routine checks to ensure proper data has been backed up and can be quickly restored.
A VDC/BIM service provider that has your data security in mind will make sure all communication occurs over hypertext transfer protocol secure (HTTPS), which means communication is encrypted with TLS (SSL). The systems secure all transactions and exchange them over a secure, encrypted channel instead of encrypting the content of the message and sending it through the traditional unreliable standard mail transport protocol route.
Of course, communication works both ways. The VDC provider will make sure that your company’s files are properly encrypted when sent to the provider, and the files they send back are likewise protected by encryption.
The provider should use an application security model that separates its customers’ data and ensures complete customer segregation and privacy. Look for a VDC and BIM provider that allows only authorized employees to have access to servers and application data.
Some systems classify information based on how sensitive it is, so that it can be controlled and secured. IT managers can better control who has access to the information and who can send it outside the company.
Asking users to identify every document or email they send makes them accountable for confidential and private information and also forces them to consider where they’re sending the information.
If your VDC and BIM service provider shares information with you via an encrypted channel—and accounts are managed in a secure database—you’ll also need to ensure passwords are stored as salted, one-way hashes. That is, make sure the accounts can’t be hacked and the passwords discovered. The passwords themselves should never be stored or transmitted as plain text.
Mobile Device Protection
Don’t let the complex nature of the above steps sidetrack you from one straightforward security risk that you should also pay attention to: the tendency for mobile or even USB devices to leave through a provider’s doors. Information stored on those devices could be downloaded offsite. Even if the person who took the device off premises had the best intentions in mind—getting a little work done at home—the device could still get lost.
They could, for example, be left in the back of a rental car.
Mobile devices should also be equipped with hardware and software data encryption and passwords or PIN locks.
Ask your service provider about their use of mobile devices and how it tracks employees with access to these devices and protects data stored on mobile platforms. Some technologies can lock down the device remotely or will track it to its location.
Other Security Measures
Here are other security measures to check that your VDC and BIM provider has in place. These measures keep your data safe from cyber attack. Has the provider...
- Installed security software on servers and computers that automatically receives the most up-to-date malware definitions?
- Ensured its firewalls are enabled and updated regularly with security patches?
- Trained all employees on security policies and practices and required employees to change their passwords every three months?
- Secured its wifi network with an encrypted wireless signal, and secured its router with a password?
- Filtered MAC addresses of devices so only employees and authorized personnel can access the wifi network?
Of course, it’s no good ensuring your subcontractor meets the above requirements if your own company isn’t protecting its data. You don’t want plans and BIM models that the VDC company has secured to walk out of your own door. With that in mind, your outsourced company should make sure it meets the above protections as well.
Look to the Brits
The UK recognizes the sensitive nature of BIM models with the recently implemented PAS1192-5, which is meant to allow BIM information to be shared securely without hindering collaboration like that between an MEP company and a VDC and BIM service provider.
Published by the British Standards Institute and the Centre for Protection of National Infrastructure, this is intended to help teams identify and guard against risks including:
- Hostile reconnaissance
- Malicious acts
- Loss or disclosure of intellectual property
- Loss or disclosure of commercially sensitive information
- Release of personally identifiable information
While United States standards-setting bodies have yet to publish a similar standard as it applies to BIM security, there are numerous steps you can take, as outlined above, to make sure your own information isn’t compromised.
Because your VDC and BIM service provider’s continuing operation depends on keeping your data secure, it will undertake all security precautions. Back that up in writing within your contract and then rest assured that security is your provider’s number one concern as you proceed with your collaboration.
About the Author: Jean Thilmany