Lessons Learned in the Implementation of Best Practices for Project Security

This research was performed by the Construction Industry Institute (CII) and complements previous research into best practices for project security. The security best practices were developed by CII and published as CII technical report BMM2004-10 (available through CII) and a Grant Contractor Report, NIST GCR 04-865; however, little data still exist on the implementation of these practices. This lack of information impeded utilization of the practices due to uncertainties about cost and schedule impacts as well as impacts on established project processes. This research addresses this lack of information.

The research consisted of three tasks. The first task included a statistical analysis of a broad cross section of projects to produce baseline measures of performance used to establish a desired set of characteristics typical of exemplary projects. The second task entailed the selection of a set of exemplary projects for case-by-case analyses. The case-by-case analyses included observation of project team implementations using facilitated discussions to collect anecdotal information resulting in lessons learned. The final task of the research was a synthesis of the findings. This synthesis includes a discussion of baseline measures of performance, a summary of significant findings producing the lessons learned, and how to use the lessons learned to improve implementation for future projects.

The case study projects provided significant supporting information confirming a project team’s ability to apply the security practices. The security practices provide project teams access to a flexible and structured framework for integrating security into the project delivery process. Project teams experienced the most success when they incorporated implementation steps into existing organizational processes and procedures.