Remember that a CDE doesn’t have to be a dedicated document management system, it’s a process rather than a specific software (where have I heard that before?). Your CDE could be constructed on a remote server or a file hosting service, you do not necessarily need to spend a lot of money on it.
The following are suggestions that you might want to consider when building your CDE.
The PAS docs make a brief mention of security where the CDE is concerned (PAS1192-2:2015 section 3.1.9). I found this PAS incredibly vague when reading it so would like to offer some tangible security and safety measures you can take.
Right: Part of the common data environment diagram from PAS 1192-2:2013
Each of these CDE areas has a ‘gate’ (numbered 1-6 in the diagram above) that require sign-off procedures before a piece of information passes between them.
You may want to limit write access to the different areas, for example once a document passes through gate 2 to the published documentation area it is either set to read-only or access is limited in some other way. You may also want to limit task teams and others to write to the shared area only
The information manager and (perhaps) a document controller would be the only people capable of adding information to the ‘published documentation’ area.
This approach makes it easier to maintain control of project documentation and means we can use access privileges and similar to enforce the ‘gateways’.
No matter what tech you’re using for your CDE, it is essential that the data is periodically copied and archived into a completely separate system. A two-tier system should exist where data is backed up internally by its author and then externally via the CDE.
You may want to make internal data safety a project requirement or make sure a requirement is included on capability statements.
There are a number of operating system tools and dedicated security systems that can assist with automating backups.
A secure environment
PAS1192-5 states that ‘Sensitive information would not normally be contained within a CDE unless that CDE is held within a secure environment.’
Of course it doesn’t actually tell us how to secure the environment, or even give us a range of parameters to measure the security of our CDE against, but that’s what standards do…
Some document management systems could be considered secure, with access restricted to registered users that have varying levels of access.
If you don’t have a DMS system there are some things you can do to protect sensitive documents or directories:
- Password-protect sensitive documents and folders. These can help you enforce effective gateways between the CDE areas.
- Ensure that any non-disclosure agreements present in the project contract docs have been extended to cover the contents of sensitive CDE areas.
- Investigate encryption tools not just for the CDE but for backups. Whilst I am not terribly well versed in encryption I am aware that there are tools bundled with a variety of operating systems that will allow drives and volumes to be encrypted.
- Consider using VPN. Virtual private networks create a tunnel from your computer to a server, rather than just connecting through a normal ‘open’ connection. Data travelling through a VPN is also encrypted.