Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter.
Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page 255
10 Laboratory Security
10.A INTRODUCTION 256
10.B SECURITY BASICS 256
10.B.1 Physical and Electronic Security 256
10.B.1.1 Door Locks 257
10.B.1.2 Video Surveillance 258
10.B.1.3 Other Systems 258
10.B.2 Operational Security 258
10.B.3 Information Security 258
10.B.3.1 Backup Systems 259
10.B.3.2 Confidential or Sensitive Information 259
10.C SYSTEMS INTEGRATION 259
10.D DUAL-USE HAZARD OF LABORATORY MATERIALS 259
10.E LABORATORY SECURITY REQUIREMENTS 260
10.E.1 Biological Materials and Infectious Agents 260
10.E.2 Research Animals 260
10.E.3 Radioactive Materials and Radiation-Producing Equipment 261
10.E.4 Chemicals 261
10.E.4.1 Drug Enforcement Agency Chemicals 261
10.E.4.2 DHS Chemicals of Interest (COI) 261
10.F SECURITY VULNERABILITY ASSESSMENT 261
10.G DUAL-USE SECURITY 262
10.H SECURITY PLANS 262
10.H.1 Levels of Security 263
10.H.1.1 Normal (Security Level 1) 263
10.H.1.2 Elevated (Security Level 2) 263
10.H.1.3 High (Security Level 3) 264
10.H.2 Managing Security 264
10.H.3 Training 264
255
OCR for page 256
256 PRUDENT PRACTICES IN THE LABORATORY
10.A INTRODUCTION personnel and the public, improve emergency pre-
paredness by assisting with preplanning, and lower
The world has become more security conscious, and
the organization’s liability.
that awareness extends to laboratories. New guidelines
and approaches, driven by legislation and regulation—
to say nothing of common sense—are promulgated 10.B SECURITY BASICS
every year. A laboratory security system is put in place
There are four integrated domains to consider when
to mitigate a number of risks and is complementary
improving security of a facility:
to existing laboratory security policies. In very broad
terms, laboratory safety keeps people safe from chemi-
• physical or architectural security—doors, walls,
cals, and laboratory security keeps chemicals safe from
fences, locks, barriers, controlled roof access, and
people. This chapter is intended to provide the reader
cables and locks on equipment;
with an overview of laboratory security concerns and
• electronic security—access control systems, alarm
to raise awareness of the issue. Risks to laboratory
systems, password protection procedures, and
security include
video surveillance systems;
• operational security—sign-in sheets or logs, con-
• theft or diversion of chemicals, biologicals, and
trol of keys and access cards, authorization pro-
radioactive or proprietary materials (such materi-
cedures, background checks, and security guards;
als could be stolen from the laboratory, diverted
and
or intercepted in transit between supplier and
• information security—passwords, backup sys-
laboratory, at a loading dock, or at a stockroom,
tems, shredding of sensitive information.
and then sold or used, directly or as precursors,
in weapons or manufacture of illicit substances);
These domains are complementary, and each should
• theft or diversion of mission-critical or high-value
be considered when devising security protocols. Any
equipment;
security system should incorporate redundancy to
• threats from activist groups;
prevent failure in the event of power loss or other en-
• intentional release of, or exposure to, hazardous
vironmental changes.
materials;
Security systems should help
• sabotage or vandalism of chemicals or high-value
equipment;
• detect a security breach, or a potential security
• loss or release of sensitive information; and
breach, including intrusion or theft;
• rogue work or unauthorized laboratory experi-
• delay criminal activity by imposing multiple lay-
mentation.
ered barriers of increasing stringency or “harden-
ing” in the form of personnel and access controls;
The type and extent of the security system needed
and
depend on several factors, including
• respond to a security breach or an attempt to
breach security.
• known and recognized threats gleaned from the
experience of other laboratories, institutions, or
firms; 10.B.1 Physical and Electronic Security
• history of theft, sabotage, vandalism, or violence
There are many systems available for physical and
directed at or near the laboratory, institution, or
electronic laboratory security. The choice and imple-
firm;
mentation depends on the level of security needed and
• presence of valuable or desirable materials, equip-
resources available. The following sections provide
ment, technology, or information;
some examples, although new technologies are always
• intelligence regarding groups or individuals who
under development.
pose a general threat to the discipline or a specific
The concept of concentric circles of protection, as
threat to the institution;
shown in Figure 10.1, is useful when considering a
• regulatory requirements or guidance;
laboratory’s physical security. Physical and electronic
• concerns regarding information security; and
security begins at the perimeter of the building and
• the culture and mission of the institution.
becomes increasingly more stringent as one moves
toward the interior area (e.g., at the intervention zone),
A good laboratory security system should, among
where sensitive material, equipment, or technology
other things, increase overall safety for laboratory
reside. Note that although physical measures are
OCR for page 257
257
LABORATORY SECURITY
Concentric circles of physical protection.
FIGURE 10.1
implemented in the intervention zones, electronic and to security records to identify which cards were
operational security measures are implemented only used to gain access.
under certain conditions, depending on need. • Card access (swipe cards).These provide a trans-
action record and can be programmed for differ-
ent levels and times of access.
10.B.1.1 Door Locks
• Key fobs or card access (proximity card readers)
Within a laboratory, perhaps the most obvious form have the same benefits as swipe cards, but there
of security is the door lock. There are many choices is no requirement to place the card physically in
available, including the reader.
• Biometric readers offer a high level of security
• Traditional locks with regular keys (which are but are expensive and require more intensive
subject to duplication, loss, theft, and failure to maintenance.
return after access) should no longer be utilized
in areas where dual-use materials are located. Each of these systems requires training, manage-
• Traditional locks with keys marked “Do Not Du- ment, and maintenance, whether it is a key inventory
plicate” have the same drawbacks as above, but system or controls for card access. Of course, the
may be less likely to be duplicated. system is only as effective as the users allow it to be.
• Cipher locks with an alpha or numeric keypad Users should be trained to not hold doors open for
may be vulnerable to thieves who are able to de- others, and that everyone needs to use their key to
duce the access code from the appearance of the pass through an access point. Unauthorized personnel
keys. Access codes should be changed from the should not be allowed to enter the laboratory, and if
factory default when the lock is installed. there is any question, laboratory personnel should be
• High-security cores are difficult to break into and instructed to call security for guidance. The organiza-
to duplicate. tion should ensure that there is a program in place to
• Card access (dip locks) traditionally have data- collect keys or revoke card access to the laboratory
logging capabilities that allow those with access before a person leaves the workplace.
OCR for page 258
258 PRUDENT PRACTICES IN THE LABORATORY
• locks on roof access doors,
10.B.1.2 Video Surveillance
• walls that extend from the floor to the structural
Video surveillance systems are often used to supple-
ceiling,
ment locks for documenting access and may be con-
• tamper-resistant door jambs,
tinuously monitored by security personnel. Recordings
• blinds on windows,
of relevant video may be reviewed after an incident.
• locks and cables on equipment to prevent easy
When implementing a video surveillance system,
removal,
document the purpose and ensure that personnel
• badges or other forms of identification, and
understand the objectives. Video surveillance may be
• sign-in logs.
used to
• prevent crime by recognizing unusual activity in 10.B.2 Operational Security
real time, which requires staff dedicated to watch-
Operational security is responsible for the people
ing the camera output and is most effective when
within the laboratory. A security system is only as
the presence of individuals alone is suspicious;
strong as the individuals who support it, and thus,
• validate entry authorization by verifying the iden-
among the goals of an operational security system are
tity of the worker; and
to increase awareness of security risks and protocols, to
• verify identity of unauthorized personnel after
provide authorization for people who need access to a
unauthorized access.
given area or material, and to provide security training.
Though far from comprehensive, elements of opera-
Video surveillance cameras should be located to
tional security include
provide a clear image of people in the area, particularly
those entering or exiting. They are not as useful in the
• s creening full- and part-time personnel be -
work area itself unless suspicious behavior is obvious.
fore providing access to sensitive materials or
If video is recorded, a system of storage and docu-
information;
mentation is needed. Establish the duration of re-
• providing ID badges;
cording retention, the media used, and the need for
• working to increase the situational awareness of
permanent archiving. Create a procedure to quickly
laboratory personnel (e.g., knowing who is in the
find, maintain, and duplicate critical recordings if an
laboratory, identifying suspicious activity);
incident occurs.
• encouraging the reporting of suspicious behavior,
No matter the objective of the video surveillance sys-
theft, or vandalism;
tem, it is crucial to establish a policy and procedure for
• restricting off-hour access to laboratories;
using it and for reviewing recordings. Involve human
• providing entry logs at building and laboratory
resources and legal personnel in the policy-making
access points; and
process. For example, if the video surveillance system
• inspecting and inventorying materials removed
is designed to record unauthorized entry, it may not
from the laboratory.
be allowable by the institution to use it to track worker
productivity. Clarify under what circumstances the
information may be viewed, and by whom. 10.B.3 Information Security
Information and data security can be as critical as
security of equipment and materials. Loss of data and
10.B.1.3 Other Systems
computer systems from sabotage, viruses, or other
There are many other methods of implementing
means can be devastating for a laboratory.
physical and electronic security, ranging from simple
The issue of dual use applies to information as
to sophisticated, which can be employed for crime de-
well as laboratory materials. Over the years, several
terrence, recognition, or investigation. A few examples
examples of cybersecurity breaches have led to loss
include
of sensitive information. A detailed description of a
laboratory procedure may find its way into the public
• glass-break alarms for windows and doors,
domain, creating a new resource for those with illicit
• intrusion alarms,
intentions, or simply depriving the researchers of rec-
• hardware to prevent tampering with window
ognition for their work.
and/or door locks,
Most institutions and firms have information secu-
• lighting of areas where people may enter a secure
rity policies and procedures and information technol-
area,
ogy support staff who can help implement security
• bushes and other barriers to reduce visibility of
systems. Laboratory managers and personnel should
sensitive areas from outside the building,
be familiar with and follow their protocols.
OCR for page 259
259
LABORATORY SECURITY
• Report any known or suspected breaches in secu-
10.B.3.1 Backup Systems
rity immediately.
Develop and institute a plan for backing up data on
• Establish policies and procedures for the stor-
a regular basis with backup media off-site, in fire-safe
age of proprietary information on hard drives or
storage, or at a central facility (e.g., the institution’s
portable storage media and for the removal of
information technology facility).
proprietary information from the laboratory or
secure area.
10.B.3.2 Confidential or Sensitive Information
Many services and programs are available to protect
Assess the type of data produced by the labora-
data from viruses and similar threats as well as high
tory, department, or group. Laboratories that possess
levels of security. Refer to the institution’s information
chemicals of interest (COI) and are covered by the
technology group or an outside consultant.
Chemical Facilities Anti-Terrorism Standards (CFATS)
are subject to U.S. Department of Homeland Security
(DHS) requirements for Chemical-terrorism Vulner- 10.C SYSTEMS INTEGRATION
ability Information (CVI). CVI may not be openly
Since events such as the attacks on the World Trade
shared. It includes data and results from an inventory
Center, institutions and firms have steadily improved
assessment called a Top-Screen (see section 10.E.4.2),
their security systems for personal as well as institu-
the facility’s DHS Security Vulnerability Assessment
tional protection. They have incorporated more rigor-
and Site Security Plan (e.g., procedures and physical
ous planning, staffing, training, and command systems
safeguards), as well as training and incident records,
and have implemented emergency communications
and drill information.
protocols, drills, background checks, card access sys-
Other data may fit into the following categories:
tems, video surveillance, and other measures. What’s
more, many colleges and universities, to say nothing
• public, shared freely with anyone;
of commercial institutions, have engaged their own
• internal, shared freely within the institution;
sworn and armed on-site police force.
• department, shared only within the department;
Security is not new, at least for some laboratories. For
• laboratory, shared only in the laboratory; or
years, secure management of controlled substances and
confidential,1 shared only with those directly in-
•
denatured alcohol has been required by law; however,
volved with the data or on a need-to-know basis.
global events have raised the stakes for these labo-
ratories as well as for those that were not previously
If the laboratory produces private, sensitive, or pro-
concerned about security. It is not enough to implement
prietary data,
a laboratory security system; it is imperative that such
a system protect the laboratory and also be compat-
• Provide training to those with access to this in-
ible, consistent, and integrated smoothly with the
formation, stressing the importance of confiden-
overarching systems in the institution. The institution
tiality. Review any procedures for releasing such
is responsible for the general security atmosphere, and
information outside the laboratory or group.
laboratory systems focus on residual and specialized
• C onsider a written and signed confidential -
security risks.
ity agreement for those with access to such
Moreover, the security plan should identify pro-
information.
tocols, policies, and responsible parties, clearly de-
• Keep passwords confidential. Do not store or
lineating response to security issues. This includes
write them in an obvious place.
coordination of institution and laboratory personnel
• Change passwords routinely.
and coordination of internal and external responders,
• Safeguard keys, access cards, or other physical
including local police and fire departments.
security tools.
• Before discarding materials that contain sensitive
information, render them unusable by shredding 10.D DUAL-USE HAZARD OF
them, or by erasing magnetic tape. LABORATORY MATERIALS
In addition to inadvertent misuse of chemicals, it is
apparent that chemicals can also be misused intention-
ally, for example, as precursors of illicit narcotics. Much
1The term “confidential” may have special meaning for some op-
erations and funding resources. Use care in choosing terminology for of the recent focus on security in research and teaching
sensitive information. In the event of an inspection by a government
laboratories pertains to “dual use” materials. Dual-use
agency or association providing information or funding, there may
or multiple-use materials are materials that have both a
be expectations related to the use of these terms. Classified informa-
bona fide use in scientific research and education, but
tion is often defined further as confidential, secret, or top secret.
OCR for page 260
260 PRUDENT PRACTICES IN THE LABORATORY
also can be used for criminal or terrorist activities. For same logical path or practical considerations as an in-
example, common chemical substances that are easily dividual who is trained in laboratory sciences.
removed from the laboratory without notice or readily
purchased, such as acetone and hydrogen peroxide,
10.E LABORATORY SECURITY
can be converted to highly explosive or otherwise haz-
REQUIREMENTS
ardous products. Although certain dual-use materials
can be obtained from hair salons, hardware stores, and For most laboratories, there are a few general secu-
the like, laboratories are also a source, and security rity requirements; however, most security measures are
should be considered. based on an assessment of the vulnerabilities and needs
Dual-use biological agents include live pathogens of an individual laboratory or institution. For some
and biological toxins that have a realistic potential to materials or operations, regulations or strict guidance
be used for terrorism (e.g., anthrax). There are national documents specify the type or level of security.
as well as international regulations to address the risk
of dual use, such as import and export controls. Firms
10.E.1 Biological Materials and Infectious
and institutions may wish to integrate their facility
Agents
dual-use controls with both levels of regulation.
Terrorist Web sites have suggested that their opera- Certain biological agents, including viruses, bacteria,
tives can pose as students to gain access to university fungi, and their genetic elements, are considered dual-
laboratories and remove hazardous chemical, biologi- use materials because of their potential for use by ter-
cal, or radiological agents. However, meaningful quan- rorists to harm human health. Biological materials pose
tities of some dual-use chemicals can also be found a unique problem because these materials can replicate;
outside the laboratory in situations that are less secure thus, theft of even small amounts is significant.
than laboratories. As a result, the acquisition and dual In the United States, these dual-use biological ma-
use of laboratory chemicals is a real possibility, espe- terials are called Select Agents and Toxins, and their
cially utilizing chemicals that can pose a high risk in laboratory use is regulated by the Centers for Disease
relatively small laboratory quantities. Control and Prevention (CDC) and the U.S. Depart-
Although there is no comprehensive list of dual-use ment of Agriculture’s Animal and Plant Health In-
chemicals, DHS has developed a list of COI because of spection Service (APHIS). Individuals planning to use
concern about dual use. (See section 10.E.4.2 for more Select Agents and Toxins are required to perform a
information.) In addition to known warfare agents, security risk assessment (i.e., a detailed background
such as nitrogen mustard and sarin (which are difficult check) to determine whether they are permitted to
to acquire or synthesize in makeshift laboratories), work with the materials. There are additional require-
more common laboratory reagents, such as ammonia, ments for laboratory security, and the CDC or APHIS
chlorine, phosgene, cyanogen chloride, sodium cya- will conduct periodic inspections to assess compliance.
nide, and sodium azide are considered dual-use com- In addition, federal guidance from the National In-
pounds. These substances can cause human injury— stitutes of Health (NIH) addresses the management of
either directly or after acidification—that is relatively dual-use risks from gene synthesis, synthetic biology,
resistant to medical treatment (Shea and Gottron, 2004), and certain experiments. The publication Biosafety in
and therefore could be sought by terrorists gaining Microbiology and Biomedical Laboratories (BMBL; HHS/
access to laboratory facilities. Alternatively, a research CDC/NIH, 2007a) includes guidance for security
laboratory could be used for the illicit synthesis of ter- of biological materials, based on a risk assessment
ror substances. method described in the document. For institutions
Objective evaluation of the utility of a given chemical that receive NIH funding, compliance with the BMBL
to terrorists might underestimate the true risk posed is a grant requirement for recombinant DNA research.
by malicious intent. For example, osmium tetroxide,
which is highly toxic in pure solid form and in solution,
10.E.2 Research Animals
has been judged to be a poor choice for terrorists to
use, because of its high cost, its rapid evaporation, and Animal research is the focus of numerous ani-
the fact that an explosion would convert it to harmless mal rights organizations, including some that have
products. Nonetheless, osmium tetroxide poisoning engaged in malicious behavior. Vivarium security
was suspected to be the intended means of a thwarted is critical for the safety of animals and researchers.
terror attack in the vicinity of London, England (Kosal, The Association for Assessment and Accreditation of
2006). One cannot assume terrorists will follow the Laboratory Animal Care International provides guid-
OCR for page 261
261
LABORATORY SECURITY
ance for security of laboratory animals and research materials must be disposed of in accordance with ap-
facilities. plicable laws (see Chapter 9 for disposal details).
10.E.3 Radioactive Materials and 10.E.4.2 DHS Chemicals of Interest (COI)
Radiation-Producing Equipment
DHS has promulgated regulations that apply to
In most laboratories, the quantity, isotope, and char- chemical facilities, including laboratories, with the
acteristics of radioactive materials used for research or purpose of keeping dual-use chemicals out of the pos-
teaching do not pose a serious dual-use risk. However, session and control of terrorists. The Chemical Facility
any radioactive materials can be perceived as a risk by Anti-Terrorism Standards are concerned with the fol-
the community. lowing types of chemicals:
In the United States, use of radioactive materials is
regulated by the U.S. Nuclear Regulatory Commis- • EPA Risk Management Plan chemicals,
sion (USNRC) or USNRC-authorized state agencies. • highly toxic gases,
Compulsory guidelines for security are included in the • chemical weapons convention chemicals,
requirements for licensing and use of these materials. • explosives, and
Specific USNRC security requirements typically vary • precursors of the above chemicals.
depending on the risk of the material.
In the DHS process for determination of risk, all
laboratory facilities are expected to survey their entire
10.E.4 Chemicals
facility (including nonlaboratory areas) for the pres-
Chemical security is garnering increasing atten- ence of COI and compare their inventory to the thresh-
tion from regulators. Most regulations that require old screening quantities established in the standard.
specific security measures are aimed at facilities with If the facility meets or exceeds the threshold quantity
large stores of materials—such as production facili- for any chemical of interest, the facility must report
ties—rather than laboratory-scale quantities. However, the inventory by completing an assessment document
federal, state, and local regulatory agencies are increas- called “Top-Screen.”
ingly applying standards to chemical laboratories. Upon receiving a completed Top-Screen, the facility
is required to conduct a security vulnerability assess-
ment. There are four risk tiers, with tier 1 for facilities
10.E.4.1 Drug Enforcement Agency Chemicals
posing the greatest risk and tier 4 posing the least risk.
Illicit drugs and their precursors pose a theft risk Based on the results of the assessment and the risk
because of their resale (street) value. The U.S. Drug tier, the facility is expected to develop and implement
Enforcement Agency (DEA) has strict rules about an approved site security plan. There are also require-
procurement, inventory, use, disposal, and security of ments for information security and training provisions
these chemicals. A person using materials regulated under this rule.
by DEA must obtain a user license or work under the As of the time of publication, DHS was continuing
direction of a person with such a license. The materi- to develop rules and guidance for chemical facilities,
als must be secured, with the level of security needed including laboratories.
dependent on the classification of the material.
Laboratories in which DEA-regulated materials
10.F SECURITY VULNERABILITY
are used must keep an inventory log that documents
ASSESSMENT
the quantity and date that any amount of material is
removed, as well as a signature or other record to iden- Whether or not the security of a laboratory material
tify who removed the material. Once a DEA-regulated is regulated by a government agency, it is prudent to
material has expired or is ready for disposal, it must assess risk. A security vulnerability assessment (SVA)
be either destroyed or returned to the manufacturer or is used to catalog potential security risks to the labora-
distributor. Destruction must render the material unus- tory and the magnitude of possible threats. It begins
able and unidentifiable as the original agent and must with a walk-through of the laboratory, building, and
be done by a person designated by the licensed user building perimeter, and includes discussion with
and witnessed by at least two people, one of whom, laboratory staff pertaining to the chemicals, equipment,
preferably, is a law enforcement officer. The destroyed procedures, and data that they use or produce. The SVA
process will also assess the adequacy of the systems
OCR for page 262
262 PRUDENT PRACTICES IN THE LABORATORY
already in place and help determine the security plan- • Maintain inventory records of dual-use materials.
ning needs for the laboratory, building, or department. • Limit the number of laboratory personnel who
There are a number of ways to conduct an SVA. have access to dual-use agents.
DHS has developed an SVA protocol for higher risk • Provide easy access to a means of emergency
facilities, which may include laboratories if threshold communication, in case of a security breach or
amounts of COI are present. Completion of this SVA is a threat from within or outside. Consider add-
mandatory for facilities that DHS has classified into a ing repeaters, or bidirectional signal amplifiers,
risk tier (see section 10.E.4.2). The DHS SVA is available so that someone with a cell phone can make an
on its Web site for use by any facility, even those not emergency phone call from within the secure area.
regulated by DHS. • Periodically and carefully review laboratory ac-
Many states have adopted SVAs for their critical cess controls to areas where dual-use agents are
infrastructure, which often includes colleges, uni- used or stored.
versities, and other facilities with research or pilot • Maintain a log of who has gained access to areas
laboratories. Several professional organizations have where dual-use materials are used or stored.
also developed SVA checklists, such as the one by the • Develop a formal policy prohibiting use of labo-
American Chemical Society Committee on Chemical ratory facilities or materials without the con-
Safety, which is available on the CD that accompanies sent of the principal investigator or laboratory
this book. supervisor.
The following is a partial list of issues to review as • M onitor and authorize specific use of these
part of an SVA: materials.
• Remain alert and aware of the possibility of re-
• existing threats, based on the history of the institu- moval of any chemicals for illicit purposes. Report
tion (e.g., theft of laboratory materials, sabotage, such activity to the head of security.
data security breaches, protests); • Train all laboratory personnel who have access
• the attractiveness of the institution as a target, and to these substances, including a discussion of the
the potential impact of an incident; security risks of dual-use materials.
• chemicals, biological agents, radioactive materi-
als, or other laboratory equipment or materials As appropriate, address these steps in the SVA and
with dual-use potential (see section 10.D); ensure that the security plans adequately provide for
• sensitive data or computerized systems; the issues these steps address.
• animal care facilities;
• i nfrastructure vulnerabilities (e.g., accessible
10.H SECURITY PLANS
power lines, poor lighting);
• security systems in place (e.g., access control, The SVA findings provide a list of risks, needs, and
cameras, intrusion detection); options for improvement (i.e., materials and laborato-
• access controls for laboratory personnel (e.g., ries in need of security measures beyond a lock and
background checks, authorization procedures, key). There is no template that can apply to every labo-
badges, key controls, escorted access); ratory security plan, because several factors make each
• institutional procedures and culture (e.g., tailgat- organization unique, including building architecture,
ing, open laboratories, no questioning of visitors); building use (e.g., mixed use with classrooms, offices,
• security plans in place; and or meeting rooms), organizational culture, and so on.
• training and awareness of laboratory personnel. DHS provides guidance on the planning process
in its Risk-Based Performance Standard for chemical
Where the perceived risk is high, institutions should security. These guidelines were prepared for dual-use
consider contracting a laboratory security consultant to materials that pose high or unusual risks. Recognizing
conduct the SVA with input and feedback from secu- that facilities need “the flexibility to choose the most
rity, safety, and laboratory staff. cost-effective method for achieving a satisfactory level
of security based on their risk profile” (DHS, 2008), this
guidance provides an outline of elements that should
10.G DUAL-USE SECURITY
be considered for any laboratory security plan:
When assessing security needs, determine whether
laboratories possess materials, equipment, or technolo- • I dentify the leadership structure for security
gies that have the potential for dual use, such as Select issues.
Agents or COI. Whether or not security regulations • Secure the assets identified in the vulnerability
apply, take prudent steps to reduce the risk of theft or assessment in a manner that prevents access by
use for terrorist activity. unauthorized individuals.
OCR for page 263
263
LABORATORY SECURITY
• Deter cyber sabotage, including unauthorized on- it can be challenging to make them complete and accu-
site or remote access to critical process controls. rate. Criminal background checks sometimes include
• Prevent diversion using secure shipping, receiv- only local crimes, rather than those committed in other
ing, and storage of target materials. areas, or vice versa. However, potential problems can
• D etect theft or diversion of target materials be identified by noting gaps in job history and verifying
through inventory controls. employment and education background information
• Establish a process for personnel surety, such as provided by the applicant. It is often very difficult to
background checks, of laboratory personnel, visi- get good background information for people who have
tors, and others with access to the laboratory. lived, worked, or been educated in a foreign country.
• Screen and control access to the facility using
identification badges, electronic access controls,
10.H.1 Levels of Security
and security personnel. Check individuals to en-
sure individuals do not bring harmful materials When developing a security plan, it is important
into the laboratory. to establish levels of security that correspond to the
• Train laboratory personnel on the security mea- security needs of a particular laboratory or portion of
sures, response, and importance of compliance a laboratory. These needs will also be influenced by the
with security procedures. mission of the organization. For example, in many uni-
• Deter and delay a security breach through the use versities, research laboratories are housed in the same
of multiple security layers and the physical secu- building as instructional classrooms. In those cases,
rity measures discussed below. Deterrents add strong access controls to the building are not practi-
time between the detection of a breach and the cal, and would likely cause consternation on campus.
successful act (i.e., theft or release), which allows Establishing security levels facilitates the review of
more time for responders to prevent the act. security needs for a laboratory, ensures consistency in
• Monitor (detect) the security of those assets, such the application of security principles, and integrates
that a security breach would be noticed, and (for the specific measures described above.
high-risk materials) would prompt an immediate The following is one example of a management sys-
response by laboratory or security personnel. tem for laboratory security, which illustrates how an
• Maintain monitoring, communication, and warn- institution or firm might set three security levels based
ing systems. on operations and materials.
• Develop and implement response plans for secu-
rity breaches, and exercise those plans.
10.H.1.1 Normal (Security Level 1)
• Investigate and track reports of security-related
incidents. Document the incident reports, includ- In this example, a laboratory characterized as Secu-
ing findings and mitigation. rity Level 1 (see Table 10.1) poses low risk for extraor-
• Report significant incidents involving chemical dinary chemical, biological, or radioactive hazards.
security to local law enforcement. Loss to theft, malicious pranks, or sabotage would have
• Maintain records of compliance with the security minimal impact to operations, health, or safety.
plan.
• Establish information-sharing and communica-
10.H.1.2 Elevated (Security Level 2)
tion networks with associations and government
agencies that regularly evaluate and categorize A laboratory characterized as Security Level 2 (see
threats relevant to the laboratory or laboratory Table 10.2) poses moderate risk for potential chemical,
personnel. Develop a multilevel security plan that biological, or radioactive hazards. The laboratory may
identifies appropriate security processes, proce- contain equipment or material that could be misused
dures, and systems for normal security operations or threaten the public. Loss to theft, malicious pranks,
and increasing levels of security for periods of or sabotage would have moderately serious health
higher risk.
DHS also recommends that security plans address Security Features for Security Level 1
TABLE 10.1
the security of the site perimeter and institute vehicle Physical • Lockable doors and windows
checks. These elements may be appropriate where
laboratories are located within an industrial facility, Operational • Lock doors when not occupied
but may be impractical at a medical, research, or edu- • Ensure all laboratory personnel receive
cational facility. security awareness training
• Control access to keys, use judgment in
Background checks are important for individuals
providing keys to visitors
working with dual-use or high-security materials, but
OCR for page 264
264 PRUDENT PRACTICES IN THE LABORATORY
Security Features for Security Level 2 Security Features for Security Level 3
TABLE 10.2 TABLE 10.3
Physical • Lockable doors, windows, and other passageways Physical • Lockable doors, windows, and other passageways
• Door locks with high-security cores • Door locks with high-security cores
• Separate from public areas • Separate from public areas
• Hardened doors, frames, and locks • Hardened doors, frames, and locks
• Perimeter walls extending from the floor to the • Perimeter walls extending from the floor to the
ceiling (prevent access from one area to the other ceiling (prevent access from one area to the other
over a drop ceiling) over a drop ceiling)
• Double-door vestibule entry
Operational • Secure doors, windows, and passageways when
not occupied Operational • Secure doors, windows, and passageways when
• Ensure all laboratory personnel receive security not occupied
awareness training • Ensure all laboratory personnel receive security
• Escort visitors and contractors, consider an entry awareness training
log • Escort and log in visitors and contractors
• Lock doors, windows, and passageways at all
Electronic • Access control system recommended
times
• Intrusion alarm recommended where sabotage,
• Inspect items carried into or removed from the
theft, or diversion is a concern
laboratory
• Have an inventory system is in place for materials
of concern.
• Perform background checks on individuals with
direct access to the materials of concern or within
the control zone.
Electronic • Access control system that records the transaction
and safety impact, and be detrimental to the research history of all authorized individuals
programs and the reputation of the institution. • Biometric personal verification technology
recommended
• Intrusion alarm system
10.H.1.3 High (Security Level 3) • Closed-circuit television cameras for entrance
and exit points, materials storage, and special
A laboratory characterized as Security Level 3 (see equipment
Table 10.3) in this example can pose serious or poten-
tially lethal biological, chemical, or radioactive risks to
many overlaps between measures used to increase
students, employees, or the environment. Equipment
security and those used to increase safety, including
or material loss to theft, malicious pranks, or sabotage
would have serious health and safety impacts and
• minimizing the use of hazardous and precursor
consequences to the research programs, the facilities,
chemicals, which reduces health, safety, and po-
and the reputation of the institution.
tential security risks;
• minimizing the supply of hazardous materials
10.H.2 Managing Security
on-site;
• restricting access to only those who need to use
As noted above, any security plan, no matter what
the material and understand the hazards from
level of security is needed, should identify a person or
both a chemical standpoint and a security stand-
group responsible for the overall plan. The person or
point; and
group managing the program should have at least basic
• knowing what to do in an emergency or security
security knowledge, understand the risks and vulner-
breach, and how to recognize threats.
abilities, and should be provided sufficient resources,
responsibility, and authority.
Ensure that all personnel understand the security
measures in place and how to use them. No matter
10.H.3 Training
how complex a system may be, the weakest link tends
to be personnel. For example, even the best access
Security should be an integral part of the laboratory
control system may not prevent laboratory personnel
safety program. Ensure all personnel are trained in
from granting an unauthorized individual access to a
security issues, in addition to safety issues. Although
sensitive area.
safety and security are two different things, there are
