Secure Data Management for Utility Surveys

2. Planning and risk assessment

At the planning and risk assessment stage, the surveyor should:

01. Assess the site, assets and/or building being surveyed and check if the contract requires higher security measures to be applied. Ensure the measures stipulated in the contract will be complied with.

02. Assess the neighbouring buildings and assets. If data could be collected on these, find out who the building occupiers are and notify them that a survey will be taking place. This step is essential if the survey site includes or is close to a site that would require additional security measures. The client should not be relied on to notify the occupiers.

03. If mass data collection methods are being used, consider whether data on a building's interior could be collected, including, for example, whiteboards in offices or name plaques on doors, and inform the client and building occupiers, as they may want to mask these prior to data collection.

04. The survey zone should only be expanded if it is efficient to do so, for example, when mass-data collection tools are the most appropriate method of data collection for the survey. The survey zone should not be expanded for the sole reason of collecting excess data for possible onward sale without the prior permission of the client. If the survey zone is increased, assess the security risks around collecting data on all buildings and assets within the expanded zone.

05. If there is publicity surrounding the project, especially a sensitive one, this could increase the risk of the data being stolen or obtained for malicious use. Consider this extra risk when planning the timing of the survey and if extra security personnel or other measures will be needed.

06. Ensure field surveyors are conscious of the vulnerability of equipment to theft and that they are aware of any pin code protection and tracking devices available, as well as standard theft mitigation measures.[1]

07. When collecting sensitive data, ensure secure WiFi or data transfer methods will be available on site, or as close as possible to the site, for upload via a secure device. Do not rely on open insecure networks in public places. Ensure the device/s are secure, for example, access is limited to named employees, and accounts are password protected and require multi-factor authentication. Consider guidance [2] from the National Cyber Security Centre (NCSC) on device security.

08. If sensitive data will be stored on a removable drive or memory card, ensure this is encrypted and password-protected, and that the field surveyors are aware they need to remove the drive or card from the equipment as soon as the data collection is complete and keep it in a secure place until the data can be transferred.

09. If sensitive data is to be transferred to a cloud server or a secure data storage location in the field, ensure these are password protected. Consider NCSC guidance [3] on sanitisation of storage media and wipe the removable drive or memory card as soon as the data has been uploaded for processing or transferred in the field. If the data cannot be deleted from the collection tools in the field, appraise what additional protective measures will need to be in place to prevent unauthorised access.

10. Consider how survey equipment will be transported to and from the site. Caging equipment within a vehicle is considered best practice; however, if the survey will require an overnight stay/s, a secure location should be arranged so the equipment is not left in a vehicle overnight.

11. Consider if the data will be processed in-house or subcontracted. Ensure that the processors and modellers will be aware of any additional security measures. If external processors and modellers are being used, disclose this to the client if not mentioned in the contract, and consider if any confidentiality agreements need to be signed.

 

[1] The Survey Association's Theft Mitigation Measures: https://www.tsa-uk.org.uk/downloads/

[2] https://www.ncsc.gov.uk/collection/end-user-device-security

[3] https://www.ncsc.gov.uk/guidance/secure-sanitisation-storage-media