TITLE: INFORMATION SECURITY IN QUANTITY SURVEYING: OBJECTIVES,

RISKS, CONTROLS

Introduction:

This report aims to highlight the objectives, risks, controls, and considerations for information security
within the field of quantity surveying. Information security is crucial in ensuring the confidentiality,
integrity, and availability of sensitive data and information in this profession. By identifying potential
risks and implementing appropriate controls, quantity surveyors can protect their data assets and
maintain the trust of their clients. This report provides insights into the key aspects of information
security in quantity surveying.

Information Security Objectives:

i. Data Confidentiality

Objective: Safeguard the confidentiality of sensitive data within the Quantity Survey Section.

- Implement strong access controls to limit access to sensitive information.

ii. Data Integrity

Objective: Maintain the integrity of data stored and processed within the Quantity Survey Section.

- Implement controls to prevent unauthorized modification, deletion, or tampering of data.

- Ensure data accuracy and reliability through regular data validation and verification processes.

- Establish backup and recovery procedures to protect against data corruption or loss.

iii. Access Control

Objective: Establish appropriate access controls to protect sensitive information from unauthorized
access.

- Implement role-based access controls to ensure that employees have access to information based on
their job responsibilities.

- Enforce strong authentication mechanisms such as complex passwords and multi-factor

authentication.

- Regularly review and revoke access rights for employees who no longer require them.
 iv. Risk Management

Objective: Identify and mitigate information security risks specific to the Quantity Survey Section.

- Conduct regular risk assessments to identify potential vulnerabilities and threats.

- Develop risk mitigation strategies and controls to minimize the likelihood and impact of security
incidents.

- Monitor and review risk mitigation measures to ensure their effectiveness.

v. Security Awareness and Training

Objective: Promote information security awareness among employees in the Quantity Survey Section.

- Conduct regular security awareness programs to educate employees about information security risks
and best practices.

- Provide training sessions on topics such as password hygiene, data handling procedures, and
recognizing and reporting security incidents.

- Foster a culture of security awareness and accountability within the department.

vi. Incident Response

Objective: Establish an effective incident response plan to address and manage security incidents.

- Develop an incident response plan that outlines roles, responsibilities, and communication channels.

- Conduct periodic drills or simulations to test the effectiveness of the incident response plan.

- Continuously improve the incident response capabilities based on lessons learned from security
incidents.

vii. Compliance

Objective: Ensure compliance with relevant laws, regulations, and industry standards.

- Stay updated with applicable data protection regulations in Kenya and comply with their requirements.

- Adhere to contractual obligations related to information security.

- Incorporate industry-specific security requirements into the section's practices.

 viii. Secure Communication

Objective: Implement secure communication channels for exchanging sensitive information.

- Use encrypted email and secure file transfer mechanisms when sharing confidential data.

- Implement secure collaboration platforms to protect the confidentiality and integrity of information.

- Train employees on secure communication practices to prevent data leakage or interception.

ix. Incident Reporting and Investigation

Objective: Establish a process for reporting and investigating security incidents.

- Encourage staffs to promptly report any suspected security breaches or anomalies.

- Establish a clear procedure for incident reporting, including designated contact points.

- Conduct thorough investigations to determine the root causes of security incidents and take
appropriate remedial actions.

x. Continuous Improvement

Objective: Continuously monitor and improve the information security measures within the Quantity
Survey Section.

- Regularly review and update information security policies, procedures, and guidelines.

- Conduct security audits and assessments to identify areas for improvement.

- Implement necessary enhancements to enhance the overall security posture.

Risks:

1. Data Breaches: Unauthorized access to sensitive data, leading to reputational damage, financial
losses, and legal implications.

2. Malware and Cyberattacks: The risk of malicious software, viruses, ransomware, and hacking attempts
that can compromise data and systems.

3. Insider Threats: Potential risks arising from employees or contractors with access to confidential
information who may intentionally or inadvertently cause harm.

4. Data Loss or Corruption: Accidental loss, deletion, or alteration of data due to hardware failures,
software glitches, or natural disasters.

5. Lack of Awareness and Training: Insufficient knowledge among staff regarding information security
best practices, making them susceptible to social engineering attacks.

Controls:

a. Access Controls:

- Implement strong authentication mechanisms, such as password policies, multi-factor authentication,

and role-based access control.

- Regularly review and revoke access privileges for employees and contractors.

- Encrypt sensitive data in transit and at rest to protect against unauthorized access.

b. Data Protection and Backup:

- Regularly back up data to prevent loss and corruption.

- Implement data encryption techniques to protect data from unauthorized access.

- Use firewalls, intrusion detection systems, and antivirus software to detect and prevent malware
attacks.

c. Training and Awareness:

- Conduct regular security awareness training programs to educate employees about information
security best practices and potential risks.

- Establish clear policies and guidelines for handling sensitive data and ensure employees are aware of
their responsibilities.
d. Incident Response:

- Develop an incident response plan to address and mitigate security incidents promptly.

- Establish a dedicated team to handle security incidents and conduct post-incident analysis to prevent
future occurrences.

e. Physical Security:

- Implement physical security measures, such as access controls, surveillance systems, and secure
storage for physical devices containing sensitive information.

5. Considerations for Confidentiality, Integrity, and Availability:

- Employ encryption techniques to protect data confidentiality.

- Implement data integrity checks and audit trails to ensure the accuracy and trustworthiness of
quantity survey information.

- Regularly test and update backup and disaster recovery procedures to maintain data availability.

Considerations for Confidentiality, Integrity, and Availability:

1. Confidentiality: Implement strong access controls, encryption, and data classification to safeguard
sensitive information from unauthorized disclosure.

2. Integrity: Ensure data accuracy and integrity through regular data validation, error checking, and
version control.

3. Availability: Implement robust backup and disaster recovery solutions to minimize downtime and
ensure business continuity.

Conclusion:

Information security is of paramount importance in quantity surveying to protect sensitive data,

maintain client trust, and mitigate potential risks. By establishing objectives, identifying risks, and
implementing appropriate controls, quantity surveyors can enhance the confidentiality, integrity, and
availability of their information assets. Regular reviews, updates, and employee awareness programs are
essential to adapt to evolving threats and ensure the effectiveness of information security measures.
This aims to establish a strong information security framework within the Quantity Survey section. This
framework will ensure the protection of sensitive data, minimize risks, and enhance the overall security
posture of the organization. Regular monitoring, review, and improvement will be essential to maintain
the effectiveness of these measures and adapt to evolving security challenges.