The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 255
10 Laboratory Security 10.A INTRODUCTION 256 10.B SECURITY BASICS 256 10.B.1 Physical and Electronic Security 256 10.B.1.1 Door Locks 257 10.B.1.2 Video Surveillance 258 10.B.1.3 Other Systems 258 10.B.2 Operational Security 258 10.B.3 Information Security 258 10.B.3.1 Backup Systems 259 10.B.3.2 Confidential or Sensitive Information 259 10.C SYSTEMS INTEGRATION 259 10.D DUAL-USE HAZARD OF LABORATORY MATERIALS 259 10.E LABORATORY SECURITY REQUIREMENTS 260 10.E.1 Biological Materials and Infectious Agents 260 10.E.2 Research Animals 260 10.E.3 Radioactive Materials and Radiation-Producing Equipment 261 10.E.4 Chemicals 261 10.E.4.1 Drug Enforcement Agency Chemicals 261 10.E.4.2 DHS Chemicals of Interest (COI) 261 10.F SECURITY VULNERABILITY ASSESSMENT 261 10.G DUAL-USE SECURITY 262 10.H SECURITY PLANS 262 10.H.1 Levels of Security 263 10.H.1.1 Normal (Security Level 1) 263 10.H.1.2 Elevated (Security Level 2) 263 10.H.1.3 High (Security Level 3) 264 10.H.2 Managing Security 264 10.H.3 Training 264 255

OCR for page 255
256 PRUDENT PRACTICES IN THE LABORATORY 10.A INTRODUCTION personnel and the public, improve emergency pre- paredness by assisting with preplanning, and lower The world has become more security conscious, and the organization’s liability. that awareness extends to laboratories. New guidelines and approaches, driven by legislation and regulation— to say nothing of common sense—are promulgated 10.B SECURITY BASICS every year. A laboratory security system is put in place There are four integrated domains to consider when to mitigate a number of risks and is complementary improving security of a facility: to existing laboratory security policies. In very broad terms, laboratory safety keeps people safe from chemi- • physical or architectural security—doors, walls, cals, and laboratory security keeps chemicals safe from fences, locks, barriers, controlled roof access, and people. This chapter is intended to provide the reader cables and locks on equipment; with an overview of laboratory security concerns and • electronic security—access control systems, alarm to raise awareness of the issue. Risks to laboratory systems, password protection procedures, and security include video surveillance systems; • operational security—sign-in sheets or logs, con- • theft or diversion of chemicals, biologicals, and trol of keys and access cards, authorization pro- radioactive or proprietary materials (such materi- cedures, background checks, and security guards; als could be stolen from the laboratory, diverted and or intercepted in transit between supplier and • information security—passwords, backup sys- laboratory, at a loading dock, or at a stockroom, tems, shredding of sensitive information. and then sold or used, directly or as precursors, in weapons or manufacture of illicit substances); These domains are complementary, and each should • theft or diversion of mission-critical or high-value be considered when devising security protocols. Any equipment; security system should incorporate redundancy to • threats from activist groups; prevent failure in the event of power loss or other en- • intentional release of, or exposure to, hazardous vironmental changes. materials; Security systems should help • sabotage or vandalism of chemicals or high-value equipment; • detect a security breach, or a potential security • loss or release of sensitive information; and breach, including intrusion or theft; • rogue work or unauthorized laboratory experi- • delay criminal activity by imposing multiple lay- mentation. ered barriers of increasing stringency or “harden- ing” in the form of personnel and access controls; The type and extent of the security system needed and depend on several factors, including • respond to a security breach or an attempt to breach security. • known and recognized threats gleaned from the experience of other laboratories, institutions, or firms; 10.B.1 Physical and Electronic Security • history of theft, sabotage, vandalism, or violence There are many systems available for physical and directed at or near the laboratory, institution, or electronic laboratory security. The choice and imple- firm; mentation depends on the level of security needed and • presence of valuable or desirable materials, equip- resources available. The following sections provide ment, technology, or information; some examples, although new technologies are always • intelligence regarding groups or individuals who under development. pose a general threat to the discipline or a specific The concept of concentric circles of protection, as threat to the institution; shown in Figure 10.1, is useful when considering a • regulatory requirements or guidance; laboratory’s physical security. Physical and electronic • concerns regarding information security; and security begins at the perimeter of the building and • the culture and mission of the institution. becomes increasingly more stringent as one moves toward the interior area (e.g., at the intervention zone), A good laboratory security system should, among where sensitive material, equipment, or technology other things, increase overall safety for laboratory reside. Note that although physical measures are

OCR for page 255
257 LABORATORY SECURITY Concentric circles of physical protection. FIGURE 10.1 implemented in the intervention zones, electronic and to security records to identify which cards were operational security measures are implemented only used to gain access. under certain conditions, depending on need. • Card access (swipe cards).These provide a trans- action record and can be programmed for differ- ent levels and times of access. 10.B.1.1 Door Locks • Key fobs or card access (proximity card readers) Within a laboratory, perhaps the most obvious form have the same benefits as swipe cards, but there of security is the door lock. There are many choices is no requirement to place the card physically in available, including the reader. • Biometric readers offer a high level of security • Traditional locks with regular keys (which are but are expensive and require more intensive subject to duplication, loss, theft, and failure to maintenance. return after access) should no longer be utilized in areas where dual-use materials are located. Each of these systems requires training, manage- • Traditional locks with keys marked “Do Not Du- ment, and maintenance, whether it is a key inventory plicate” have the same drawbacks as above, but system or controls for card access. Of course, the may be less likely to be duplicated. system is only as effective as the users allow it to be. • Cipher locks with an alpha or numeric keypad Users should be trained to not hold doors open for may be vulnerable to thieves who are able to de- others, and that everyone needs to use their key to duce the access code from the appearance of the pass through an access point. Unauthorized personnel keys. Access codes should be changed from the should not be allowed to enter the laboratory, and if factory default when the lock is installed. there is any question, laboratory personnel should be • High-security cores are difficult to break into and instructed to call security for guidance. The organiza- to duplicate. tion should ensure that there is a program in place to • Card access (dip locks) traditionally have data- collect keys or revoke card access to the laboratory logging capabilities that allow those with access before a person leaves the workplace.

OCR for page 255
258 PRUDENT PRACTICES IN THE LABORATORY • locks on roof access doors, 10.B.1.2 Video Surveillance • walls that extend from the floor to the structural Video surveillance systems are often used to supple- ceiling, ment locks for documenting access and may be con- • tamper-resistant door jambs, tinuously monitored by security personnel. Recordings • blinds on windows, of relevant video may be reviewed after an incident. • locks and cables on equipment to prevent easy When implementing a video surveillance system, removal, document the purpose and ensure that personnel • badges or other forms of identification, and understand the objectives. Video surveillance may be • sign-in logs. used to • prevent crime by recognizing unusual activity in 10.B.2 Operational Security real time, which requires staff dedicated to watch- Operational security is responsible for the people ing the camera output and is most effective when within the laboratory. A security system is only as the presence of individuals alone is suspicious; strong as the individuals who support it, and thus, • validate entry authorization by verifying the iden- among the goals of an operational security system are tity of the worker; and to increase awareness of security risks and protocols, to • verify identity of unauthorized personnel after provide authorization for people who need access to a unauthorized access. given area or material, and to provide security training. Though far from comprehensive, elements of opera- Video surveillance cameras should be located to tional security include provide a clear image of people in the area, particularly those entering or exiting. They are not as useful in the • s creening full- and part-time personnel be - work area itself unless suspicious behavior is obvious. fore providing access to sensitive materials or If video is recorded, a system of storage and docu- information; mentation is needed. Establish the duration of re- • providing ID badges; cording retention, the media used, and the need for • working to increase the situational awareness of permanent archiving. Create a procedure to quickly laboratory personnel (e.g., knowing who is in the find, maintain, and duplicate critical recordings if an laboratory, identifying suspicious activity); incident occurs. • encouraging the reporting of suspicious behavior, No matter the objective of the video surveillance sys- theft, or vandalism; tem, it is crucial to establish a policy and procedure for • restricting off-hour access to laboratories; using it and for reviewing recordings. Involve human • providing entry logs at building and laboratory resources and legal personnel in the policy-making access points; and process. For example, if the video surveillance system • inspecting and inventorying materials removed is designed to record unauthorized entry, it may not from the laboratory. be allowable by the institution to use it to track worker productivity. Clarify under what circumstances the information may be viewed, and by whom. 10.B.3 Information Security Information and data security can be as critical as security of equipment and materials. Loss of data and 10.B.1.3 Other Systems computer systems from sabotage, viruses, or other There are many other methods of implementing means can be devastating for a laboratory. physical and electronic security, ranging from simple The issue of dual use applies to information as to sophisticated, which can be employed for crime de- well as laboratory materials. Over the years, several terrence, recognition, or investigation. A few examples examples of cybersecurity breaches have led to loss include of sensitive information. A detailed description of a laboratory procedure may find its way into the public • glass-break alarms for windows and doors, domain, creating a new resource for those with illicit • intrusion alarms, intentions, or simply depriving the researchers of rec- • hardware to prevent tampering with window ognition for their work. and/or door locks, Most institutions and firms have information secu- • lighting of areas where people may enter a secure rity policies and procedures and information technol- area, ogy support staff who can help implement security • bushes and other barriers to reduce visibility of systems. Laboratory managers and personnel should sensitive areas from outside the building, be familiar with and follow their protocols.

OCR for page 255
259 LABORATORY SECURITY • Report any known or suspected breaches in secu- 10.B.3.1 Backup Systems rity immediately. Develop and institute a plan for backing up data on • Establish policies and procedures for the stor- a regular basis with backup media off-site, in fire-safe age of proprietary information on hard drives or storage, or at a central facility (e.g., the institution’s portable storage media and for the removal of information technology facility). proprietary information from the laboratory or secure area. 10.B.3.2 Confidential or Sensitive Information Many services and programs are available to protect Assess the type of data produced by the labora- data from viruses and similar threats as well as high tory, department, or group. Laboratories that possess levels of security. Refer to the institution’s information chemicals of interest (COI) and are covered by the technology group or an outside consultant. Chemical Facilities Anti-Terrorism Standards (CFATS) are subject to U.S. Department of Homeland Security (DHS) requirements for Chemical-terrorism Vulner- 10.C SYSTEMS INTEGRATION ability Information (CVI). CVI may not be openly Since events such as the attacks on the World Trade shared. It includes data and results from an inventory Center, institutions and firms have steadily improved assessment called a Top-Screen (see section 10.E.4.2), their security systems for personal as well as institu- the facility’s DHS Security Vulnerability Assessment tional protection. They have incorporated more rigor- and Site Security Plan (e.g., procedures and physical ous planning, staffing, training, and command systems safeguards), as well as training and incident records, and have implemented emergency communications and drill information. protocols, drills, background checks, card access sys- Other data may fit into the following categories: tems, video surveillance, and other measures. What’s more, many colleges and universities, to say nothing • public, shared freely with anyone; of commercial institutions, have engaged their own • internal, shared freely within the institution; sworn and armed on-site police force. • department, shared only within the department; Security is not new, at least for some laboratories. For • laboratory, shared only in the laboratory; or years, secure management of controlled substances and confidential,1 shared only with those directly in- • denatured alcohol has been required by law; however, volved with the data or on a need-to-know basis. global events have raised the stakes for these labo- ratories as well as for those that were not previously If the laboratory produces private, sensitive, or pro- concerned about security. It is not enough to implement prietary data, a laboratory security system; it is imperative that such a system protect the laboratory and also be compat- • Provide training to those with access to this in- ible, consistent, and integrated smoothly with the formation, stressing the importance of confiden- overarching systems in the institution. The institution tiality. Review any procedures for releasing such is responsible for the general security atmosphere, and information outside the laboratory or group. laboratory systems focus on residual and specialized • C onsider a written and signed confidential - security risks. ity agreement for those with access to such Moreover, the security plan should identify pro- information. tocols, policies, and responsible parties, clearly de- • Keep passwords confidential. Do not store or lineating response to security issues. This includes write them in an obvious place. coordination of institution and laboratory personnel • Change passwords routinely. and coordination of internal and external responders, • Safeguard keys, access cards, or other physical including local police and fire departments. security tools. • Before discarding materials that contain sensitive information, render them unusable by shredding 10.D DUAL-USE HAZARD OF them, or by erasing magnetic tape. LABORATORY MATERIALS In addition to inadvertent misuse of chemicals, it is apparent that chemicals can also be misused intention- ally, for example, as precursors of illicit narcotics. Much 1The term “confidential” may have special meaning for some op- erations and funding resources. Use care in choosing terminology for of the recent focus on security in research and teaching sensitive information. In the event of an inspection by a government laboratories pertains to “dual use” materials. Dual-use agency or association providing information or funding, there may or multiple-use materials are materials that have both a be expectations related to the use of these terms. Classified informa- bona fide use in scientific research and education, but tion is often defined further as confidential, secret, or top secret.

OCR for page 255
260 PRUDENT PRACTICES IN THE LABORATORY also can be used for criminal or terrorist activities. For same logical path or practical considerations as an in- example, common chemical substances that are easily dividual who is trained in laboratory sciences. removed from the laboratory without notice or readily purchased, such as acetone and hydrogen peroxide, 10.E LABORATORY SECURITY can be converted to highly explosive or otherwise haz- REQUIREMENTS ardous products. Although certain dual-use materials can be obtained from hair salons, hardware stores, and For most laboratories, there are a few general secu- the like, laboratories are also a source, and security rity requirements; however, most security measures are should be considered. based on an assessment of the vulnerabilities and needs Dual-use biological agents include live pathogens of an individual laboratory or institution. For some and biological toxins that have a realistic potential to materials or operations, regulations or strict guidance be used for terrorism (e.g., anthrax). There are national documents specify the type or level of security. as well as international regulations to address the risk of dual use, such as import and export controls. Firms 10.E.1 Biological Materials and Infectious and institutions may wish to integrate their facility Agents dual-use controls with both levels of regulation. Terrorist Web sites have suggested that their opera- Certain biological agents, including viruses, bacteria, tives can pose as students to gain access to university fungi, and their genetic elements, are considered dual- laboratories and remove hazardous chemical, biologi- use materials because of their potential for use by ter- cal, or radiological agents. However, meaningful quan- rorists to harm human health. Biological materials pose tities of some dual-use chemicals can also be found a unique problem because these materials can replicate; outside the laboratory in situations that are less secure thus, theft of even small amounts is significant. than laboratories. As a result, the acquisition and dual In the United States, these dual-use biological ma- use of laboratory chemicals is a real possibility, espe- terials are called Select Agents and Toxins, and their cially utilizing chemicals that can pose a high risk in laboratory use is regulated by the Centers for Disease relatively small laboratory quantities. Control and Prevention (CDC) and the U.S. Depart- Although there is no comprehensive list of dual-use ment of Agriculture’s Animal and Plant Health In- chemicals, DHS has developed a list of COI because of spection Service (APHIS). Individuals planning to use concern about dual use. (See section 10.E.4.2 for more Select Agents and Toxins are required to perform a information.) In addition to known warfare agents, security risk assessment (i.e., a detailed background such as nitrogen mustard and sarin (which are difficult check) to determine whether they are permitted to to acquire or synthesize in makeshift laboratories), work with the materials. There are additional require- more common laboratory reagents, such as ammonia, ments for laboratory security, and the CDC or APHIS chlorine, phosgene, cyanogen chloride, sodium cya- will conduct periodic inspections to assess compliance. nide, and sodium azide are considered dual-use com- In addition, federal guidance from the National In- pounds. These substances can cause human injury— stitutes of Health (NIH) addresses the management of either directly or after acidification—that is relatively dual-use risks from gene synthesis, synthetic biology, resistant to medical treatment (Shea and Gottron, 2004), and certain experiments. The publication Biosafety in and therefore could be sought by terrorists gaining Microbiology and Biomedical Laboratories (BMBL; HHS/ access to laboratory facilities. Alternatively, a research CDC/NIH, 2007a) includes guidance for security laboratory could be used for the illicit synthesis of ter- of biological materials, based on a risk assessment ror substances. method described in the document. For institutions Objective evaluation of the utility of a given chemical that receive NIH funding, compliance with the BMBL to terrorists might underestimate the true risk posed is a grant requirement for recombinant DNA research. by malicious intent. For example, osmium tetroxide, which is highly toxic in pure solid form and in solution, 10.E.2 Research Animals has been judged to be a poor choice for terrorists to use, because of its high cost, its rapid evaporation, and Animal research is the focus of numerous ani- the fact that an explosion would convert it to harmless mal rights organizations, including some that have products. Nonetheless, osmium tetroxide poisoning engaged in malicious behavior. Vivarium security was suspected to be the intended means of a thwarted is critical for the safety of animals and researchers. terror attack in the vicinity of London, England (Kosal, The Association for Assessment and Accreditation of 2006). One cannot assume terrorists will follow the Laboratory Animal Care International provides guid-

OCR for page 255
261 LABORATORY SECURITY ance for security of laboratory animals and research materials must be disposed of in accordance with ap- facilities. plicable laws (see Chapter 9 for disposal details). 10.E.3 Radioactive Materials and 10.E.4.2 DHS Chemicals of Interest (COI) Radiation-Producing Equipment DHS has promulgated regulations that apply to In most laboratories, the quantity, isotope, and char- chemical facilities, including laboratories, with the acteristics of radioactive materials used for research or purpose of keeping dual-use chemicals out of the pos- teaching do not pose a serious dual-use risk. However, session and control of terrorists. The Chemical Facility any radioactive materials can be perceived as a risk by Anti-Terrorism Standards are concerned with the fol- the community. lowing types of chemicals: In the United States, use of radioactive materials is regulated by the U.S. Nuclear Regulatory Commis- • EPA Risk Management Plan chemicals, sion (USNRC) or USNRC-authorized state agencies. • highly toxic gases, Compulsory guidelines for security are included in the • chemical weapons convention chemicals, requirements for licensing and use of these materials. • explosives, and Specific USNRC security requirements typically vary • precursors of the above chemicals. depending on the risk of the material. In the DHS process for determination of risk, all laboratory facilities are expected to survey their entire 10.E.4 Chemicals facility (including nonlaboratory areas) for the pres- Chemical security is garnering increasing atten- ence of COI and compare their inventory to the thresh- tion from regulators. Most regulations that require old screening quantities established in the standard. specific security measures are aimed at facilities with If the facility meets or exceeds the threshold quantity large stores of materials—such as production facili- for any chemical of interest, the facility must report ties—rather than laboratory-scale quantities. However, the inventory by completing an assessment document federal, state, and local regulatory agencies are increas- called “Top-Screen.” ingly applying standards to chemical laboratories. Upon receiving a completed Top-Screen, the facility is required to conduct a security vulnerability assess- ment. There are four risk tiers, with tier 1 for facilities 10.E.4.1 Drug Enforcement Agency Chemicals posing the greatest risk and tier 4 posing the least risk. Illicit drugs and their precursors pose a theft risk Based on the results of the assessment and the risk because of their resale (street) value. The U.S. Drug tier, the facility is expected to develop and implement Enforcement Agency (DEA) has strict rules about an approved site security plan. There are also require- procurement, inventory, use, disposal, and security of ments for information security and training provisions these chemicals. A person using materials regulated under this rule. by DEA must obtain a user license or work under the As of the time of publication, DHS was continuing direction of a person with such a license. The materi- to develop rules and guidance for chemical facilities, als must be secured, with the level of security needed including laboratories. dependent on the classification of the material. Laboratories in which DEA-regulated materials 10.F SECURITY VULNERABILITY are used must keep an inventory log that documents ASSESSMENT the quantity and date that any amount of material is removed, as well as a signature or other record to iden- Whether or not the security of a laboratory material tify who removed the material. Once a DEA-regulated is regulated by a government agency, it is prudent to material has expired or is ready for disposal, it must assess risk. A security vulnerability assessment (SVA) be either destroyed or returned to the manufacturer or is used to catalog potential security risks to the labora- distributor. Destruction must render the material unus- tory and the magnitude of possible threats. It begins able and unidentifiable as the original agent and must with a walk-through of the laboratory, building, and be done by a person designated by the licensed user building perimeter, and includes discussion with and witnessed by at least two people, one of whom, laboratory staff pertaining to the chemicals, equipment, preferably, is a law enforcement officer. The destroyed procedures, and data that they use or produce. The SVA process will also assess the adequacy of the systems

OCR for page 255
262 PRUDENT PRACTICES IN THE LABORATORY already in place and help determine the security plan- • Maintain inventory records of dual-use materials. ning needs for the laboratory, building, or department. • Limit the number of laboratory personnel who There are a number of ways to conduct an SVA. have access to dual-use agents. DHS has developed an SVA protocol for higher risk • Provide easy access to a means of emergency facilities, which may include laboratories if threshold communication, in case of a security breach or amounts of COI are present. Completion of this SVA is a threat from within or outside. Consider add- mandatory for facilities that DHS has classified into a ing repeaters, or bidirectional signal amplifiers, risk tier (see section 10.E.4.2). The DHS SVA is available so that someone with a cell phone can make an on its Web site for use by any facility, even those not emergency phone call from within the secure area. regulated by DHS. • Periodically and carefully review laboratory ac- Many states have adopted SVAs for their critical cess controls to areas where dual-use agents are infrastructure, which often includes colleges, uni- used or stored. versities, and other facilities with research or pilot • Maintain a log of who has gained access to areas laboratories. Several professional organizations have where dual-use materials are used or stored. also developed SVA checklists, such as the one by the • Develop a formal policy prohibiting use of labo- American Chemical Society Committee on Chemical ratory facilities or materials without the con- Safety, which is available on the CD that accompanies sent of the principal investigator or laboratory this book. supervisor. The following is a partial list of issues to review as • M onitor and authorize specific use of these part of an SVA: materials. • Remain alert and aware of the possibility of re- • existing threats, based on the history of the institu- moval of any chemicals for illicit purposes. Report tion (e.g., theft of laboratory materials, sabotage, such activity to the head of security. data security breaches, protests); • Train all laboratory personnel who have access • the attractiveness of the institution as a target, and to these substances, including a discussion of the the potential impact of an incident; security risks of dual-use materials. • chemicals, biological agents, radioactive materi- als, or other laboratory equipment or materials As appropriate, address these steps in the SVA and with dual-use potential (see section 10.D); ensure that the security plans adequately provide for • sensitive data or computerized systems; the issues these steps address. • animal care facilities; • i nfrastructure vulnerabilities (e.g., accessible 10.H SECURITY PLANS power lines, poor lighting); • security systems in place (e.g., access control, The SVA findings provide a list of risks, needs, and cameras, intrusion detection); options for improvement (i.e., materials and laborato- • access controls for laboratory personnel (e.g., ries in need of security measures beyond a lock and background checks, authorization procedures, key). There is no template that can apply to every labo- badges, key controls, escorted access); ratory security plan, because several factors make each • institutional procedures and culture (e.g., tailgat- organization unique, including building architecture, ing, open laboratories, no questioning of visitors); building use (e.g., mixed use with classrooms, offices, • security plans in place; and or meeting rooms), organizational culture, and so on. • training and awareness of laboratory personnel. DHS provides guidance on the planning process in its Risk-Based Performance Standard for chemical Where the perceived risk is high, institutions should security. These guidelines were prepared for dual-use consider contracting a laboratory security consultant to materials that pose high or unusual risks. Recognizing conduct the SVA with input and feedback from secu- that facilities need “the flexibility to choose the most rity, safety, and laboratory staff. cost-effective method for achieving a satisfactory level of security based on their risk profile” (DHS, 2008), this guidance provides an outline of elements that should 10.G DUAL-USE SECURITY be considered for any laboratory security plan: When assessing security needs, determine whether laboratories possess materials, equipment, or technolo- • I dentify the leadership structure for security gies that have the potential for dual use, such as Select issues. Agents or COI. Whether or not security regulations • Secure the assets identified in the vulnerability apply, take prudent steps to reduce the risk of theft or assessment in a manner that prevents access by use for terrorist activity. unauthorized individuals.

OCR for page 255
263 LABORATORY SECURITY • Deter cyber sabotage, including unauthorized on- it can be challenging to make them complete and accu- site or remote access to critical process controls. rate. Criminal background checks sometimes include • Prevent diversion using secure shipping, receiv- only local crimes, rather than those committed in other ing, and storage of target materials. areas, or vice versa. However, potential problems can • D etect theft or diversion of target materials be identified by noting gaps in job history and verifying through inventory controls. employment and education background information • Establish a process for personnel surety, such as provided by the applicant. It is often very difficult to background checks, of laboratory personnel, visi- get good background information for people who have tors, and others with access to the laboratory. lived, worked, or been educated in a foreign country. • Screen and control access to the facility using identification badges, electronic access controls, 10.H.1 Levels of Security and security personnel. Check individuals to en- sure individuals do not bring harmful materials When developing a security plan, it is important into the laboratory. to establish levels of security that correspond to the • Train laboratory personnel on the security mea- security needs of a particular laboratory or portion of sures, response, and importance of compliance a laboratory. These needs will also be influenced by the with security procedures. mission of the organization. For example, in many uni- • Deter and delay a security breach through the use versities, research laboratories are housed in the same of multiple security layers and the physical secu- building as instructional classrooms. In those cases, rity measures discussed below. Deterrents add strong access controls to the building are not practi- time between the detection of a breach and the cal, and would likely cause consternation on campus. successful act (i.e., theft or release), which allows Establishing security levels facilitates the review of more time for responders to prevent the act. security needs for a laboratory, ensures consistency in • Monitor (detect) the security of those assets, such the application of security principles, and integrates that a security breach would be noticed, and (for the specific measures described above. high-risk materials) would prompt an immediate The following is one example of a management sys- response by laboratory or security personnel. tem for laboratory security, which illustrates how an • Maintain monitoring, communication, and warn- institution or firm might set three security levels based ing systems. on operations and materials. • Develop and implement response plans for secu- rity breaches, and exercise those plans. 10.H.1.1 Normal (Security Level 1) • Investigate and track reports of security-related incidents. Document the incident reports, includ- In this example, a laboratory characterized as Secu- ing findings and mitigation. rity Level 1 (see Table 10.1) poses low risk for extraor- • Report significant incidents involving chemical dinary chemical, biological, or radioactive hazards. security to local law enforcement. Loss to theft, malicious pranks, or sabotage would have • Maintain records of compliance with the security minimal impact to operations, health, or safety. plan. • Establish information-sharing and communica- 10.H.1.2 Elevated (Security Level 2) tion networks with associations and government agencies that regularly evaluate and categorize A laboratory characterized as Security Level 2 (see threats relevant to the laboratory or laboratory Table 10.2) poses moderate risk for potential chemical, personnel. Develop a multilevel security plan that biological, or radioactive hazards. The laboratory may identifies appropriate security processes, proce- contain equipment or material that could be misused dures, and systems for normal security operations or threaten the public. Loss to theft, malicious pranks, and increasing levels of security for periods of or sabotage would have moderately serious health higher risk. DHS also recommends that security plans address Security Features for Security Level 1 TABLE 10.1 the security of the site perimeter and institute vehicle Physical • Lockable doors and windows checks. These elements may be appropriate where laboratories are located within an industrial facility, Operational • Lock doors when not occupied but may be impractical at a medical, research, or edu- • Ensure all laboratory personnel receive cational facility. security awareness training • Control access to keys, use judgment in Background checks are important for individuals providing keys to visitors working with dual-use or high-security materials, but

OCR for page 255
264 PRUDENT PRACTICES IN THE LABORATORY Security Features for Security Level 2 Security Features for Security Level 3 TABLE 10.2 TABLE 10.3 Physical • Lockable doors, windows, and other passageways Physical • Lockable doors, windows, and other passageways • Door locks with high-security cores • Door locks with high-security cores • Separate from public areas • Separate from public areas • Hardened doors, frames, and locks • Hardened doors, frames, and locks • Perimeter walls extending from the floor to the • Perimeter walls extending from the floor to the ceiling (prevent access from one area to the other ceiling (prevent access from one area to the other over a drop ceiling) over a drop ceiling) • Double-door vestibule entry Operational • Secure doors, windows, and passageways when not occupied Operational • Secure doors, windows, and passageways when • Ensure all laboratory personnel receive security not occupied awareness training • Ensure all laboratory personnel receive security • Escort visitors and contractors, consider an entry awareness training log • Escort and log in visitors and contractors • Lock doors, windows, and passageways at all Electronic • Access control system recommended times • Intrusion alarm recommended where sabotage, • Inspect items carried into or removed from the theft, or diversion is a concern laboratory • Have an inventory system is in place for materials of concern. • Perform background checks on individuals with direct access to the materials of concern or within the control zone. Electronic • Access control system that records the transaction and safety impact, and be detrimental to the research history of all authorized individuals programs and the reputation of the institution. • Biometric personal verification technology recommended • Intrusion alarm system 10.H.1.3 High (Security Level 3) • Closed-circuit television cameras for entrance and exit points, materials storage, and special A laboratory characterized as Security Level 3 (see equipment Table 10.3) in this example can pose serious or poten- tially lethal biological, chemical, or radioactive risks to many overlaps between measures used to increase students, employees, or the environment. Equipment security and those used to increase safety, including or material loss to theft, malicious pranks, or sabotage would have serious health and safety impacts and • minimizing the use of hazardous and precursor consequences to the research programs, the facilities, chemicals, which reduces health, safety, and po- and the reputation of the institution. tential security risks; • minimizing the supply of hazardous materials 10.H.2 Managing Security on-site; • restricting access to only those who need to use As noted above, any security plan, no matter what the material and understand the hazards from level of security is needed, should identify a person or both a chemical standpoint and a security stand- group responsible for the overall plan. The person or point; and group managing the program should have at least basic • knowing what to do in an emergency or security security knowledge, understand the risks and vulner- breach, and how to recognize threats. abilities, and should be provided sufficient resources, responsibility, and authority. Ensure that all personnel understand the security measures in place and how to use them. No matter 10.H.3 Training how complex a system may be, the weakest link tends to be personnel. For example, even the best access Security should be an integral part of the laboratory control system may not prevent laboratory personnel safety program. Ensure all personnel are trained in from granting an unauthorized individual access to a security issues, in addition to safety issues. Although sensitive area. safety and security are two different things, there are