National Academies Press: OpenBook
« Previous: 9 Laboratory Facilities
Suggested Citation:"10 Laboratory Security." National Research Council. 2011. Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version. Washington, DC: The National Academies Press. doi: 10.17226/12654.
×

10.A INTRODUCTION

The world has become more security conscious, and that awareness extends to laboratories. New guidelines and approaches, driven by legislation and regulation—to say nothing of common sense—are promulgated every year. A laboratory security system is put in place to mitigate a number of risks and is complementary to existing laboratory security policies. In very broad terms, laboratory safety keeps people safe from chemicals, and laboratory security keeps chemicals safe from people. This chapter is intended to provide the reader with an overview of laboratory security concerns and to raise awareness of the issue. Risks to laboratory security include

   theft or diversion of chemicals, biologicals, and radioactive or proprietary materials (such materials could be stolen from the laboratory, diverted or intercepted in transit between supplier and laboratory, at a loading dock, or at a stockroom, and then sold or used, directly or as precursors, in weapons or manufacture of illicit substances);

   theft or diversion of mission-critical or high-value equipment;

   threats from activist groups;

   intentional release of, or exposure to, hazardous materials;

   sabotage or vandalism of chemicals or high-value equipment;

   loss or release of sensitive information; and

   rogue work or unauthorized laboratory experimentation.

The type and extent of the security system needed depend on several factors, including

   known and recognized threats gleaned from the experience of other laboratories, institutions, or firms;

   history of theft, sabotage, vandalism, or violence directed at or near the laboratory, institution, or firm;

   presence of valuable or desirable materials, equipment, technology, or information;

   intelligence regarding groups or individuals who pose a general threat to the discipline or a specific threat to the institution;

   regulatory requirements or guidance;

   concerns regarding information security; and

   the culture and mission of the institution.

A good laboratory security system should, among other things, increase overall safety for laboratory personnel and the public, improve emergency preparedness by assisting with preplanning, and lower the organization’s liability.

10.B SECURITY BASICS

There are four integrated domains to consider when improving security of a facility:

   physical or architectural security—doors, walls, fences, locks, barriers, controlled roof access, and cables and locks on equipment;

   electronic security—access control systems, alarm systems, password protection procedures, and video surveillance systems;

   operational security—sign-in sheets or logs, control of keys and access cards, authorization procedures, background checks, and security guards; and

   information security—passwords, backup systems, shredding of sensitive information.

These domains are complementary, and each should be considered when devising security protocols. Any security system should incorporate redundancy to prevent failure in the event of power loss or other environmental changes.

Security systems should help

   detect a security breach, or a potential security breach, including intrusion or theft;

   delay criminal activity by imposing multiple layered barriers of increasing stringency or “hardening” in the form of personnel and access controls; and

   respond to a security breach or an attempt to breach security.

10.B.1 Physical and Electronic Security

There are many systems available for physical and electronic laboratory security. The choice and implementation depends on the level of security needed and resources available. The following sections provide some examples, although new technologies are always under development.

The concept of concentric circles of protection, as shown in Figure 10.1, is useful when considering a laboratory’s physical security. Physical and electronic security begins at the perimeter of the building and becomes increasingly more stringent as one moves toward the interior area (e.g., at the intervention zone), where sensitive material, equipment, or technology reside. Note that although physical measures are

Suggested Citation:"10 Laboratory Security." National Research Council. 2011. Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version. Washington, DC: The National Academies Press. doi: 10.17226/12654.
×

img

FIGURE 10.1 Concentric circles of physical protection.

implemented in the intervention zones, electronic and operational security measures are implemented only under certain conditions, depending on need.

10.B.1.1 Door Locks

Within a laboratory, perhaps the most obvious form of security is the door lock. There are many choices available, including

   Traditional locks with regular keys (which are subject to duplication, loss, theft, and failure to return after access) should no longer be utilized in areas where dual-use materials are located.

   Traditional locks with keys marked “Do Not Duplicate” have the same drawbacks as above, but may be less likely to be duplicated.

   Cipher locks with an alpha or numeric keypad may be vulnerable to thieves who are able to deduce the access code from the appearance of the keys. Access codes should be changed from the factory default when the lock is installed.

   High-security cores are difficult to break into and to duplicate.

   Card access (dip locks) traditionally have datalogging capabilities that allow those with access to security records to identify which cards were used to gain access.

   Card access (swipe cards).These provide a transaction record and can be programmed for different levels and times of access.

   Key fobs or card access (proximity card readers) have the same benefits as swipe cards, but there is no requirement to place the card physically in the reader.

   Biometric readers offer a high level of security but are expensive and require more intensive maintenance.

Each of these systems requires training, management, and maintenance, whether it is a key inventory system or controls for card access. Of course, the system is only as effective as the users allow it to be. Users should be trained to not hold doors open for others, and that everyone needs to use their key to pass through an access point. Unauthorized personnel should not be allowed to enter the laboratory, and if there is any question, laboratory personnel should be instructed to call security for guidance. The organization should ensure that there is a program in place to collect keys or revoke card access to the laboratory before a person leaves the workplace.

Suggested Citation:"10 Laboratory Security." National Research Council. 2011. Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version. Washington, DC: The National Academies Press. doi: 10.17226/12654.
×

10.B.1.2 Video Surveillance

Video surveillance systems are often used to supplement locks for documenting access and may be continuously monitored by security personnel. Recordings of relevant video may be reviewed after an incident.

When implementing a video surveillance system, document the purpose and ensure that personnel understand the objectives. Video surveillance may be used to

   prevent crime by recognizing unusual activity in real time, which requires staff dedicated to watching the camera output and is most effective when the presence of individuals alone is suspicious;

   validate entry authorization by verifying the identity of the worker; and

   verify identity of unauthorized personnel after unauthorized access.

Video surveillance cameras should be located to provide a clear image of people in the area, particularly those entering or exiting. They are not as useful in the work area itself unless suspicious behavior is obvious.

If video is recorded, a system of storage and documentation is needed. Establish the duration of recording retention, the media used, and the need for permanent archiving. Create a procedure to quickly find, maintain, and duplicate critical recordings if an incident occurs.

No matter the objective of the video surveillance system, it is crucial to establish a policy and procedure for using it and for reviewing recordings. Involve human resources and legal personnel in the policy-making process. For example, if the video surveillance system is designed to record unauthorized entry, it may not be allowable by the institution to use it to track worker productivity. Clarify under what circumstances the information may be viewed, and by whom.

10.B.1.3 Other Systems

There are many other methods of implementing physical and electronic security, ranging from simple to sophisticated, which can be employed for crime deterrence, recognition, or investigation. A few examples include

   glass-break alarms for windows and doors,

   intrusion alarms,

   hardware to prevent tampering with window and/or door locks,

   lighting of areas where people may enter a secure area,

   bushes and other barriers to reduce visibility of sensitive areas from outside the building,

   locks on roof access doors,

   walls that extend from the floor to the structural ceiling,

   tamper-resistant door jambs,

   blinds on windows,

   locks and cables on equipment to prevent easy removal,

   badges or other forms of identification, and

   sign-in logs.

10.B.2 Operational Security

Operational security is responsible for the people within the laboratory. A security system is only as strong as the individuals who support it, and thus, among the goals of an operational security system are to increase awareness of security risks and protocols, to provide authorization for people who need access to a given area or material, and to provide security training.

Though far from comprehensive, elements of operational security include

   screening full- and part-time personnel before providing access to sensitive materials or information;

   providing ID badges;

   working to increase the situational awareness of laboratory personnel (e.g., knowing who is in the laboratory, identifying suspicious activity);

   encouraging the reporting of suspicious behavior, theft, or vandalism;

   restricting off-hour access to laboratories;

   providing entry logs at building and laboratory access points; and

   inspecting and inventorying materials removed from the laboratory.

10.B.3 Information Security

Information and data security can be as critical as security of equipment and materials. Loss of data and computer systems from sabotage, viruses, or other means can be devastating for a laboratory.

The issue of dual use applies to information as well as laboratory materials. Over the years, several examples of cybersecurity breaches have led to loss of sensitive information. A detailed description of a laboratory procedure may find its way into the public domain, creating a new resource for those with illicit intentions, or simply depriving the researchers of recognition for their work.

Most institutions and firms have information security policies and procedures and information technology support staff who can help implement security systems. Laboratory managers and personnel should be familiar with and follow their protocols.

Suggested Citation:"10 Laboratory Security." National Research Council. 2011. Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version. Washington, DC: The National Academies Press. doi: 10.17226/12654.
×

10.B.3.1 Backup Systems

Develop and institute a plan for backing up data on a regular basis with backup media off-site, in fire-safe storage, or at a central facility (e.g., the institution’s information technology facility).

10.B.3.2 Confidential or Sensitive Information

Assess the type of data produced by the laboratory, department, or group. Laboratories that possess chemicals of interest (COI) and are covered by the Chemical Facilities Anti-Terrorism Standards (CFATS) are subject to U.S. Department of Homeland Security (DHS) requirements for Chemical-terrorism Vulnerability Information (CVI). CVI may not be openly shared. It includes data and results from an inventory assessment called a Top-Screen (see section 10.E.4.2), the facility’s DHS Security Vulnerability Assessment and Site Security Plan (e.g., procedures and physical safeguards), as well as training and incident records, and drill information.

Other data may fit into the following categories:

   public, shared freely with anyone;

   internal, shared freely within the institution;

   department, shared only within the department;

   laboratory, shared only in the laboratory; or

   confidential,1 shared only with those directly involved with the data or on a need-to-know basis.

If the laboratory produces private, sensitive, or proprietary data,

   Provide training to those with access to this information, stressing the importance of confidentiality. Review any procedures for releasing such information outside the laboratory or group.

   Consider a written and signed confidentiality agreement for those with access to such information.

   Keep passwords confidential. Do not store or write them in an obvious place.

   Change passwords routinely.

   Safeguard keys, access cards, or other physical security tools.

   Before discarding materials that contain sensitive information, render them unusable by shredding them, or by erasing magnetic tape.

   Report any known or suspected breaches in security immediately.

   Establish policies and procedures for the storage of proprietary information on hard drives or portable storage media and for the removal of proprietary information from the laboratory or secure area.

Many services and programs are available to protect data from viruses and similar threats as well as high levels of security. Refer to the institution’s information technology group or an outside consultant.

10.C SYSTEMS INTEGRATION

Since events such as the attacks on the World Trade Center, institutions and firms have steadily improved their security systems for personal as well as institutional protection. They have incorporated more rigorous planning, staffing, training, and command systems and have implemented emergency communications protocols, drills, background checks, card access systems, video surveillance, and other measures. What’s more, many colleges and universities, to say nothing of commercial institutions, have engaged their own sworn and armed on-site police force.

Security is not new, at least for some laboratories. For years, secure management of controlled substances and denatured alcohol has been required by law; however, global events have raised the stakes for these laboratories as well as for those that were not previously concerned about security. It is not enough to implement a laboratory security system; it is imperative that such a system protect the laboratory and also be compatible, consistent, and integrated smoothly with the overarching systems in the institution. The institution is responsible for the general security atmosphere, and laboratory systems focus on residual and specialized security risks.

Moreover, the security plan should identify protocols, policies, and responsible parties, clearly delineating response to security issues. This includes coordination of institution and laboratory personnel and coordination of internal and external responders, including local police and fire departments.

10.D DUAL-USE HAZARD OF LABORATORY MATERIALS

In addition to inadvertent misuse of chemicals, it is apparent that chemicals can also be misused intentionally, for example, as precursors of illicit narcotics. Much of the recent focus on security in research and teaching laboratories pertains to “dual use” materials. Dual-use or multiple-use materials are materials that have both a bona fide use in scientific research and education, but

_______________

1The term “confidential” may have special meaning for some operations and funding resources. Use care in choosing terminology for sensitive information. In the event of an inspection by a government agency or association providing information or funding, there may be expectations related to the use of these terms. Classified information is often defined further as confidential, secret, or top secret.

Suggested Citation:"10 Laboratory Security." National Research Council. 2011. Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version. Washington, DC: The National Academies Press. doi: 10.17226/12654.
×

also can be used for criminal or terrorist activities. For example, common chemical substances that are easily removed from the laboratory without notice or readily purchased, such as acetone and hydrogen peroxide, can be converted to highly explosive or otherwise hazardous products. Although certain dual-use materials can be obtained from hair salons, hardware stores, and the like, laboratories are also a source, and security should be considered.

Dual-use biological agents include live pathogens and biological toxins that have a realistic potential to be used for terrorism (e.g., anthrax). There are national as well as international regulations to address the risk of dual use, such as import and export controls. Firms and institutions may wish to integrate their facility dual-use controls with both levels of regulation.

Terrorist Web sites have suggested that their operatives can pose as students to gain access to university laboratories and remove hazardous chemical, biological, or radiological agents. However, meaningful quantities of some dual-use chemicals can also be found outside the laboratory in situations that are less secure than laboratories. As a result, the acquisition and dual use of laboratory chemicals is a real possibility, especially utilizing chemicals that can pose a high risk in relatively small laboratory quantities.

Although there is no comprehensive list of dual-use chemicals, DHS has developed a list of COI because of concern about dual use. (See section 10.E.4.2 for more information.) In addition to known warfare agents, such as nitrogen mustard and sarin (which are difficult to acquire or synthesize in makeshift laboratories), more common laboratory reagents, such as ammonia, chlorine, phosgene, cyanogen chloride, sodium cyanide, and sodium azide are considered dual-use compounds. These substances can cause human injury—either directly or after acidification—that is relatively resistant to medical treatment (Shea and Gottron, 2004), and therefore could be sought by terrorists gaining access to laboratory facilities. Alternatively, a research laboratory could be used for the illicit synthesis of terror substances.

Objective evaluation of the utility of a given chemical to terrorists might underestimate the true risk posed by malicious intent. For example, osmium tetroxide, which is highly toxic in pure solid form and in solution, has been judged to be a poor choice for terrorists to use, because of its high cost, its rapid evaporation, and the fact that an explosion would convert it to harmless products. Nonetheless, osmium tetroxide poisoning was suspected to be the intended means of a thwarted terror attack in the vicinity of London, England (Kosal, 2006). One cannot assume terrorists will follow the same logical path or practical considerations as an individual who is trained in laboratory sciences.

10.E LABORATORY SECURITY REQUIREMENTS

For most laboratories, there are a few general security requirements; however, most security measures are based on an assessment of the vulnerabilities and needs of an individual laboratory or institution. For some materials or operations, regulations or strict guidance documents specify the type or level of security.

10.E.1 Biological Materials and Infectious Agents

Certain biological agents, including viruses, bacteria, fungi, and their genetic elements, are considered dual-use materials because of their potential for use by terrorists to harm human health. Biological materials pose a unique problem because these materials can replicate; thus, theft of even small amounts is significant.

In the United States, these dual-use biological materials are called Select Agents and Toxins, and their laboratory use is regulated by the Centers for Disease Control and Prevention (CDC) and the U.S. Department of Agriculture’s Animal and Plant Health Inspection Service (APHIS). Individuals planning to use Select Agents and Toxins are required to perform a security risk assessment (i.e., a detailed background check) to determine whether they are permitted to work with the materials. There are additional requirements for laboratory security, and the CDC or APHIS will conduct periodic inspections to assess compliance.

In addition, federal guidance from the National Institutes of Health (NIH) addresses the management of dual-use risks from gene synthesis, synthetic biology, and certain experiments. The publication Biosafety in Microbiology and Biomedical Laboratories (BMBL; HHS/CDC/NIH, 2007a) includes guidance for security of biological materials, based on a risk assessment method described in the document. For institutions that receive NIH funding, compliance with the BMBL is a grant requirement for recombinant DNA research.

10.E.2 Research Animals

Animal research is the focus of numerous animal rights organizations, including some that have engaged in malicious behavior. Vivarium security is critical for the safety of animals and researchers. The Association for Assessment and Accreditation of Laboratory Animal Care International provides guid-

Suggested Citation:"10 Laboratory Security." National Research Council. 2011. Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version. Washington, DC: The National Academies Press. doi: 10.17226/12654.
×

ance for security of laboratory animals and research facilities.

10.E.3 Radioactive Materials and Radiation-Producing Equipment

In most laboratories, the quantity, isotope, and characteristics of radioactive materials used for research or teaching do not pose a serious dual-use risk. However, any radioactive materials can be perceived as a risk by the community.

In the United States, use of radioactive materials is regulated by the U.S. Nuclear Regulatory Commission (USNRC) or USNRC-authorized state agencies. Compulsory guidelines for security are included in the requirements for licensing and use of these materials. Specific USNRC security requirements typically vary depending on the risk of the material.

10.E.4 Chemicals

Chemical security is garnering increasing attention from regulators. Most regulations that require specific security measures are aimed at facilities with large stores of materials—such as production facilities—rather than laboratory-scale quantities. However, federal, state, and local regulatory agencies are increasingly applying standards to chemical laboratories.

10.E.4.1 Drug Enforcement Agency Chemicals

Illicit drugs and their precursors pose a theft risk because of their resale (street) value. The U.S. Drug Enforcement Agency (DEA) has strict rules about procurement, inventory, use, disposal, and security of these chemicals. A person using materials regulated by DEA must obtain a user license or work under the direction of a person with such a license. The materials must be secured, with the level of security needed dependent on the classification of the material.

Laboratories in which DEA-regulated materials are used must keep an inventory log that documents the quantity and date that any amount of material is removed, as well as a signature or other record to identify who removed the material. Once a DEA-regulated material has expired or is ready for disposal, it must be either destroyed or returned to the manufacturer or distributor. Destruction must render the material unusable and unidentifiable as the original agent and must be done by a person designated by the licensed user and witnessed by at least two people, one of whom, preferably, is a law enforcement officer. The destroyed materials must be disposed of in accordance with applicable laws (see Chapter 9 for disposal details).

10.E.4.2 DHS Chemicals of Interest (COI)

DHS has promulgated regulations that apply to chemical facilities, including laboratories, with the purpose of keeping dual-use chemicals out of the possession and control of terrorists. The Chemical Facility Anti-Terrorism Standards are concerned with the following types of chemicals:

   EPA Risk Management Plan chemicals,

   highly toxic gases,

   chemical weapons convention chemicals,

   explosives, and

   precursors of the above chemicals.

In the DHS process for determination of risk, all laboratory facilities are expected to survey their entire facility (including nonlaboratory areas) for the presence of COI and compare their inventory to the threshold screening quantities established in the standard. If the facility meets or exceeds the threshold quantity for any chemical of interest, the facility must report the inventory by completing an assessment document called “Top-Screen.”

Upon receiving a completed Top-Screen, the facility is required to conduct a security vulnerability assessment. There are four risk tiers, with tier 1 for facilities posing the greatest risk and tier 4 posing the least risk. Based on the results of the assessment and the risk tier, the facility is expected to develop and implement an approved site security plan. There are also requirements for information security and training provisions under this rule.

As of the time of publication, DHS was continuing to develop rules and guidance for chemical facilities, including laboratories.

10.F SECURITY VULNERABILITY ASSESSMENT

Whether or not the security of a laboratory material is regulated by a government agency, it is prudent to assess risk. A security vulnerability assessment (SVA) is used to catalog potential security risks to the laboratory and the magnitude of possible threats. It begins with a walk-through of the laboratory, building, and building perimeter, and includes discussion with laboratory staff pertaining to the chemicals, equipment, procedures, and data that they use or produce. The SVA process will also assess the adequacy of the systems

Suggested Citation:"10 Laboratory Security." National Research Council. 2011. Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version. Washington, DC: The National Academies Press. doi: 10.17226/12654.
×

already in place and help determine the security planning needs for the laboratory, building, or department.

There are a number of ways to conduct an SVA. DHS has developed an SVA protocol for higher risk facilities, which may include laboratories if threshold amounts of COI are present. Completion of this SVA is mandatory for facilities that DHS has classified into a risk tier (see section 10.E.4.2). The DHS SVA is available on its Web site for use by any facility, even those not regulated by DHS.

Many states have adopted SVAs for their critical infrastructure, which often includes colleges, universities, and other facilities with research or pilot laboratories. Several professional organizations have also developed SVA checklists, such as the one by the American Chemical Society Committee on Chemical Safety, which is available on the CD that accompanies this book.

The following is a partial list of issues to review as part of an SVA:

   existing threats, based on the history of the institution (e.g., theft of laboratory materials, sabotage, data security breaches, protests);

   the attractiveness of the institution as a target, and the potential impact of an incident;

   chemicals, biological agents, radioactive materials, or other laboratory equipment or materials with dual-use potential (see section 10.D);

   sensitive data or computerized systems;

   animal care facilities;

   infrastructure vulnerabilities (e.g., accessible power lines, poor lighting);

   security systems in place (e.g., access control, cameras, intrusion detection);

   access controls for laboratory personnel (e.g., background checks, authorization procedures, badges, key controls, escorted access);

   institutional procedures and culture (e.g., tailgating, open laboratories, no questioning of visitors);

   security plans in place; and

   training and awareness of laboratory personnel.

Where the perceived risk is high, institutions should consider contracting a laboratory security consultant to conduct the SVA with input and feedback from security, safety, and laboratory staff.

10.G DUAL-USE SECURITY

When assessing security needs, determine whether laboratories possess materials, equipment, or technologies that have the potential for dual use, such as Select Agents or COI. Whether or not security regulations apply, take prudent steps to reduce the risk of theft or use for terrorist activity.

   Maintain inventory records of dual-use materials.

   Limit the number of laboratory personnel who have access to dual-use agents.

   Provide easy access to a means of emergency communication, in case of a security breach or a threat from within or outside. Consider adding repeaters, or bidirectional signal amplifiers, so that someone with a cell phone can make an emergency phone call from within the secure area.

   Periodically and carefully review laboratory access controls to areas where dual-use agents are used or stored.

   Maintain a log of who has gained access to areas where dual-use materials are used or stored.

   Develop a formal policy prohibiting use of laboratory facilities or materials without the consent of the principal investigator or laboratory supervisor.

   Monitor and authorize specific use of these materials.

   Remain alert and aware of the possibility of removal of any chemicals for illicit purposes. Report such activity to the head of security.

   Train all laboratory personnel who have access to these substances, including a discussion of the security risks of dual-use materials.

As appropriate, address these steps in the SVA and ensure that the security plans adequately provide for the issues these steps address.

10.H SECURITY PLANS

The SVA findings provide a list of risks, needs, and options for improvement (i.e., materials and laboratories in need of security measures beyond a lock and key). There is no template that can apply to every laboratory security plan, because several factors make each organization unique, including building architecture, building use (e.g., mixed use with classrooms, offices, or meeting rooms), organizational culture, and so on.

DHS provides guidance on the planning process in its Risk-Based Performance Standard for chemical security. These guidelines were prepared for dual-use materials that pose high or unusual risks. Recognizing that facilities need “the flexibility to choose the most cost-effective method for achieving a satisfactory level of security based on their risk profile” (DHS, 2008), this guidance provides an outline of elements that should be considered for any laboratory security plan:

   Identify the leadership structure for security issues.

   Secure the assets identified in the vulnerability assessment in a manner that prevents access by unauthorized individuals.

Suggested Citation:"10 Laboratory Security." National Research Council. 2011. Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version. Washington, DC: The National Academies Press. doi: 10.17226/12654.
×

   Deter cyber sabotage, including unauthorized on-site or remote access to critical process controls.

   Prevent diversion using secure shipping, receiving, and storage of target materials.

   Detect theft or diversion of target materials through inventory controls.

   Establish a process for personnel surety, such as background checks, of laboratory personnel, visitors, and others with access to the laboratory.

   Screen and control access to the facility using identification badges, electronic access controls, and security personnel. Check individuals to ensure individuals do not bring harmful materials into the laboratory.

   Train laboratory personnel on the security measures, response, and importance of compliance with security procedures.

   Deter and delay a security breach through the use of multiple security layers and the physical security measures discussed below. Deterrents add time between the detection of a breach and the successful act (i.e., theft or release), which allows more time for responders to prevent the act.

   Monitor (detect) the security of those assets, such that a security breach would be noticed, and (for high-risk materials) would prompt an immediate response by laboratory or security personnel.

   Maintain monitoring, communication, and warning systems.

   Develop and implement response plans for security breaches, and exercise those plans.

   Investigate and track reports of security-related incidents. Document the incident reports, including findings and mitigation.

   Report significant incidents involving chemical security to local law enforcement.

   Maintain records of compliance with the security plan.

   Establish information-sharing and communication networks with associations and government agencies that regularly evaluate and categorize threats relevant to the laboratory or laboratory personnel. Develop a multilevel security plan that identifies appropriate security processes, procedures, and systems for normal security operations and increasing levels of security for periods of higher risk.

DHS also recommends that security plans address the security of the site perimeter and institute vehicle checks. These elements may be appropriate where laboratories are located within an industrial facility, but may be impractical at a medical, research, or educational facility.

Background checks are important for individuals working with dual-use or high-security materials, but it can be challenging to make them complete and accurate. Criminal background checks sometimes include only local crimes, rather than those committed in other areas, or vice versa. However, potential problems can be identified by noting gaps in job history and verifying employment and education background information provided by the applicant. It is often very difficult to get good background information for people who have lived, worked, or been educated in a foreign country.

10.H.1 Levels of Security

When developing a security plan, it is important to establish levels of security that correspond to the security needs of a particular laboratory or portion of a laboratory. These needs will also be influenced by the mission of the organization. For example, in many universities, research laboratories are housed in the same building as instructional classrooms. In those cases, strong access controls to the building are not practical, and would likely cause consternation on campus. Establishing security levels facilitates the review of security needs for a laboratory, ensures consistency in the application of security principles, and integrates the specific measures described above.

The following is one example of a management system for laboratory security, which illustrates how an institution or firm might set three security levels based on operations and materials.

10.H.1.1 Normal (Security Level 1)

In this example, a laboratory characterized as Security Level 1 (see Table 10.1) poses low risk for extraordinary chemical, biological, or radioactive hazards. Loss to theft, malicious pranks, or sabotage would have minimal impact to operations, health, or safety.

10.H.1.2 Elevated (Security Level 2)

A laboratory characterized as Security Level 2 (see Table 10.2) poses moderate risk for potential chemical, biological, or radioactive hazards. The laboratory may contain equipment or material that could be misused or threaten the public. Loss to theft, malicious pranks, or sabotage would have moderately serious health

TABLE 10.1 Security Features for Security Level 1


Physical

•   Lockable doors and windows

Operational

•   Lock doors when not occupied

•   Ensure all laboratory personnel receive security awareness training

•   Control access to keys, use judgment in providing keys to visitors


Suggested Citation:"10 Laboratory Security." National Research Council. 2011. Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version. Washington, DC: The National Academies Press. doi: 10.17226/12654.
×

TABLE 10.2 Security Features for Security Level 2


Physical

•   Lockable doors, windows, and other passageways

•   Door locks with high-security cores

•   Separate from public areas

•   Hardened doors, frames, and locks

•   Perimeter walls extending from the floor to the ceiling (prevent access from one area to the other over a drop ceiling)

Operational

•   Secure doors, windows, and passageways when not occupied

•   Ensure all laboratory personnel receive security awareness training

•   Escort visitors and contractors, consider an entry log

Electronic

•   Access control system recommended

•   Intrusion alarm recommended where sabotage, theft, or diversion is a concern


and safety impact, and be detrimental to the research programs and the reputation of the institution.

10.H.1.3 High (Security Level 3)

A laboratory characterized as Security Level 3 (see Table 10.3) in this example can pose serious or potentially lethal biological, chemical, or radioactive risks to students, employees, or the environment. Equipment or material loss to theft, malicious pranks, or sabotage would have serious health and safety impacts and consequences to the research programs, the facilities, and the reputation of the institution.

10.H.2 Managing Security

As noted above, any security plan, no matter what level of security is needed, should identify a person or group responsible for the overall plan. The person or group managing the program should have at least basic security knowledge, understand the risks and vulnerabilities, and should be provided sufficient resources, responsibility, and authority.

10.H.3 Training

Security should be an integral part of the laboratory safety program. Ensure all personnel are trained in security issues, in addition to safety issues. Although safety and security are two different things, there are many overlaps between measures used to increase security and those used to increase safety, including

TABLE 10.3 Security Features for Security Level 3


Physical

•   Lockable doors, windows, and other passageways

•   Door locks with high-security cores

•   Separate from public areas

•   Hardened doors, frames, and locks

•   Perimeter walls extending from the floor to the ceiling (prevent access from one area to the other over a drop ceiling)

•   Double-door vestibule entry

Operational

•   Secure doors, windows, and passageways when not occupied

•   Ensure all laboratory personnel receive security awareness training

•   Escort and log in visitors and contractors

•   Lock doors, windows, and passageways at all times

•   Inspect items carried into or removed from the laboratory

•   Have an inventory system is in place for materials of concern.

•   Perform background checks on individuals with direct access to the materials of concern or within the control zone.

Electronic

•   Access control system that records the transaction history of all authorized individuals

•   Biometric personal verification technology recommended

•   Intrusion alarm system

•   Closed-circuit television cameras for entrance and exit points, materials storage, and special equipment


   minimizing the use of hazardous and precursor chemicals, which reduces health, safety, and potential security risks;

   minimizing the supply of hazardous materials on-site;

   restricting access to only those who need to use the material and understand the hazards from both a chemical standpoint and a security standpoint; and

   knowing what to do in an emergency or security breach, and how to recognize threats.

Ensure that all personnel understand the security measures in place and how to use them. No matter how complex a system may be, the weakest link tends to be personnel. For example, even the best access control system may not prevent laboratory personnel from granting an unauthorized individual access to a sensitive area.

Suggested Citation:"10 Laboratory Security." National Research Council. 2011. Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version. Washington, DC: The National Academies Press. doi: 10.17226/12654.
×
Page 255
Suggested Citation:"10 Laboratory Security." National Research Council. 2011. Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version. Washington, DC: The National Academies Press. doi: 10.17226/12654.
×
Page 256
Suggested Citation:"10 Laboratory Security." National Research Council. 2011. Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version. Washington, DC: The National Academies Press. doi: 10.17226/12654.
×
Page 257
Suggested Citation:"10 Laboratory Security." National Research Council. 2011. Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version. Washington, DC: The National Academies Press. doi: 10.17226/12654.
×
Page 258
Suggested Citation:"10 Laboratory Security." National Research Council. 2011. Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version. Washington, DC: The National Academies Press. doi: 10.17226/12654.
×
Page 259
Suggested Citation:"10 Laboratory Security." National Research Council. 2011. Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version. Washington, DC: The National Academies Press. doi: 10.17226/12654.
×
Page 260
Suggested Citation:"10 Laboratory Security." National Research Council. 2011. Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version. Washington, DC: The National Academies Press. doi: 10.17226/12654.
×
Page 261
Suggested Citation:"10 Laboratory Security." National Research Council. 2011. Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version. Washington, DC: The National Academies Press. doi: 10.17226/12654.
×
Page 262
Suggested Citation:"10 Laboratory Security." National Research Council. 2011. Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version. Washington, DC: The National Academies Press. doi: 10.17226/12654.
×
Page 263
Suggested Citation:"10 Laboratory Security." National Research Council. 2011. Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version. Washington, DC: The National Academies Press. doi: 10.17226/12654.
×
Page 264
Next: 11 Safety Laws and Standards Pertinent to Laboratories »
Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards, Updated Version Get This Book
×
Buy Hardback | $99.95 Buy Ebook | $79.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

Prudent Practices in the Laboratory—the book that has served for decades as the standard for chemical laboratory safety practice—now features updates and new topics. This revised edition has an expanded chapter on chemical management and delves into new areas, such as nanotechnology, laboratory security, and emergency planning.

Developed by experts from academia and industry, with specialties in such areas as chemical sciences, pollution prevention, and laboratory safety, Prudent Practices in the Laboratory provides guidance on planning procedures for the handling, storage, and disposal of chemicals. The book offers prudent practices designed to promote safety and includes practical information on assessing hazards, managing chemicals, disposing of wastes, and more.

Prudent Practices in the Laboratory will continue to serve as the leading source of chemical safety guidelines for people working with laboratory chemicals: research chemists, technicians, safety officers, educators, and students.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    Switch between the Original Pages, where you can read the report as it appeared in print, and Text Pages for the web version, where you can highlight and search the text.

    « Back Next »
  6. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  7. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  8. ×

    View our suggested citation for this chapter.

    « Back Next »
  9. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!