Select Agent Program Workshop November 16, 2012. Agricultural Select Agent Program (USDA/APHIS) CDC Select Agent Program (HHS/CDC)

Similar documents
Security at San Onofre

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0

A Risk Assessment Methodology (RAM) for Physical Security

Section VI Principles of Laboratory Biosecurity

welcome to Telect s Minimum Security Criteria for Customs-Trade Partnership Against Terrorism (C-TPAT) Foreign Manufacturers Training Presentation

State of Vermont. Physical Security for Computer Protection Policy

Working Relationship with Local Law Enforcement Authorities. Department of Safety and Security Scope of Authority. How to Report On-Campus Crime

"DOT IN-DEPTH HAZMAT SECURITY TRAINING"

Security Criteria for C-TPAT Foreign Manufacturers in English

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Security-in-Depth 4/26/2013. Physical Security Webinar. DCO Meeting Room Navigation. Host: Danny Jennings

Security Alarm Monitoring Protocol

Security Service de Services sécurité. Security Alarm Monitoring Protocol

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Supply Chain Security Audit Tool - Warehousing/Distribution

Intermec Security Letter of Agreement

SECURITY IN TRUCKING

Science/Safeguards and Security. Funding Profile by Subprogram

Importers must have written and verifiable processes for the selection of business partners including manufacturers, product suppliers and vendors.

Global Supply Chain Security Recommendations

C-TPAT Importer Security Criteria

Connect C CURE 9000 with dozens of applications for a holistic business-empowering, all inclusive solution

BUSINESS CONTINUITY PLANNING

Upon completion of the module, you will be issued an electronic training certificate.

DOT HAZMAT SECURITY AWARENESS TRAINING

EVACUATION Fire / Explosion / Smell of Smoke / Gas Odor / Fire Alarm / Bomb Threat

WAREHOUSE SECURITY BEST PRACTICE GUIDELINES CUSTOMS-TRADE PARTNERSHIP AGAINST TERRORISM

Identification of Red Flags, Detecting Red Flags, and Preventing and Mitigating Identity Theft

SECURITY RISK ASSESSMENT SUMMARY

other legitimate calls for service and create a drain on available resources; and

Security Guidelines for. Agricultural distributors

FREQUENTLY ASKED QUESTIONS WASHOE COUNTY ALARM ORDINANCE

East Mississippi Community College. Scooba Campus * Mayhew Campus Department of Public Safety. Campus Emergency Action Plan.

Homeland Security for Schools: Threat Status Alert Worksheet

HIPAA Security Alert

IOWA LABORATORIES FACILITIES PHYSICAL SECURITY PLAN

Seventh Avenue Inc. 1

Security Management Plan

[FACILITY NAME] IDENTITY THEFT PREVENTION PROGRAM. Effective May 1, 2009

ISO IEC ( ) INFORMATION SECURITY AUDIT TOOL

Administrative Procedure

NPCollege Crisis Management Plan Page 1 of 11. Table of Contents

Oklahoma State University Policy and Procedures. Red Flags Rules and Identity Theft Prevention

PITTSBURGH CARE PARTNERSHIP, INC. COMMUNITY LIFE PROGRAM POLICIES AND PROCEDURES. Identity Theft Prevention Program Policy for Health Care Providers

SHARING BEST PRACTICES IN INFORMATION SECURITY PREVENTION TIPS & RESPONSE TECHNIQUES

APEC Private Sector. Supply Chain Security Guidelines

RUSK COUNTY ELECTION CONTINGENCY PLAN

C-TPAT Self-Assessment - Manufacturing & Warehousing

Todd & Cue Ltd Your Business Continuity Partner

NEVADA SYSTEM OF HIGHER EDUCATION PROCEDURES AND GUIDELINES MANUAL CHAPTER 13 IDENTITY THEFT PREVENTION PROGRAM (RED FLAG RULES)

MONTGOMERY COUNTY ALARMS RULES GOVERNING ALARMS RESPONDED TO BY LAW ENFORCEMENT SECTION 1. PURPOSE SECTION 2. DEFINITIONS

How To Protect A Water System

Western Kentucky University, The Center. The Michael Minger Act Report for 2015 Activity Reported for Calendar Year 2014

Access Control Regulations

Hazardous Materials Security Awareness

UNIVERSITY OF MASSACHUSETTS IDENTITY THEFT PREVENTION PROGRAM

Customs-Trade Partnership Against Terrorism (C-TPAT) Security Guidelines for Suppliers/Shippers

Physical Access Control System

E3211. DOT Hazmat Security Awareness. Leader s Guide

FREQUENTLY ASKED QUESTIONS about the ALARM ORDINANCE, ALARM REGISTRATION AND FALSE ALARM FEES

Retail Solutions. Why Tyco Security Products for Retail?

Return the attached PPG Supply Chain Security Acknowledgement by , fax, or mail within two weeks from receipt.

RANDOLPH COUNTY EMERGENCY SERVICES & TAX DEPARTMENT. Identity Theft Prevention Program. Adopted August 3, 2009 Effective beginning August 1, 2009

State of Illinois Department of Central Management Services ACTION PLAN FOR NOTIFICATION OF A SECURITY BREACH

Elements of Physical Security Systems II: Intrusion Detection, Alarm Communication and Assessment, Delay, and Response

SAMPLE BUSINESS ASSOCIATE AGREEMENT

Food Defense Self-Assessment Checklist for. Slaughter and Processing Plants

CRITICAL/NON CRITICAL INCIDENT MANAGEMENT AND REPORTING PROCEDURE

MINIMUM SECURITY GUIDELINES FOR SOURCE MANUFACTURER/WAREHOUSEMEN C-TPAT INFORMATION

FACILITY SECURITY PLAN (FSP) REVIEW CHECKLIST

SYRACUSE CITY SCHOOL DISTRICT

Middleton-Cross Plains Area Schools. Crisis Preparedness Parents and School Emergencies

Partners in Protection / C-TPAT Supply Chain Security Questionnaire

Rx-360 Supply Chain Security White Paper: Audits and Assessments of Third Party Warehousing and Distribution Facilities

CRISIS PREPAREDNESS:

Information Security Basic Concepts

1.4 The banking entities that provide customer service will keep controls of access to the premises.

FSIS Security Guidelines for Food Processors

Transcription:

Select Agent Program Workshop November 16, 2012 Agricultural Select Agent Program (USDA/APHIS) CDC Select Agent Program (HHS/CDC)

Revisions to Regulations 11 (a) through 11 (c)(7): (b) and (c)(2) changed 11 (c) (8), (9), (10): New, applies to all entities 11 (d) Unchanged 11 (e): New, applies to all entities 11 (f): New, the Tier 1 requirements 11 (g): New, applies to all entities

CFR: Section 11(b) The security plan must be designed according to a site-specific risk assessment and must provide graded protection in accordance with the risk of the select agent or toxin, given its intended use. A current security plan must be submitted for initial registration, renewal of registration, or when requested.

CFR: Section 11(c)(2) Contain provisions for the control of access to select agents and toxins, including the safeguarding of animals, including arthropods, or plants intentionally or accidentally exposed to or infected with a select agent, against unauthorized access, theft, loss or release.

CFR: Section 11(c)(8) (All) Describe procedures for how the Responsible Official will be informed of suspicious activity that may be criminal in nature and related to: the entity its personnel its select agents or toxins Describe procedures for how the entity will notify the appropriate federal, state, or local law enforcement agencies of activity that may be criminal in nature.

CFR: Section 11(c)(8) Why may be criminal in nature Covers the gap between suspicious and crime Broadens from suspicious persons The law can be confusing What s a threat? Inchoate offenses First amendment and animal rights terrorists

CFR: Section 11(c)(8) (All) Describe procedures for how the entity will notify the appropriate federal, state, or local law enforcement agencies of activity that may be criminal in nature. Coordination, notification Who, what, where

CFR: Section 11(c)(8) All Describe procedures for how the entity will notify the appropriate federal, state, or local law enforcement agencies of activity that may be criminal in nature. This can be anyone with the authority to legally investigate a crime Police, state police, sheriff, FBI, campus police, military police (all good answers) Security guards, DHS, PIs, Crime Stoppers (not good answers)

CFR Section 11(c) (10) Shipping and Receiving (All) Contain provisions and policies for shipping, receiving, and storage of select agents and toxins, including: Documented procedures for receiving, monitoring, and shipping of all select agents and toxins How the entity will secure containers on site A written contingency plan for unexpected shipments

CFR Section 11(c) (10) What is an unexpected shipment? Unexpected shipment- when an entity receives a shipment of a select agent that they had neither requested nor coordinated with the sender. Receives package with select agent or toxin without authorization from Federal Select Agent Program (i.e., No APHIS/CDC Form 2). The entity must have a contingency plan to have approved personnel gain control of the shipment without delay and secure it in a registered area. What does without delay mean? An approved person stops what they are doing and gets it.

CFR Section 11(e) (All) Entities must conduct complete inventory audits of all affected select agents and toxins in long-term storage when any of the following occur: Upon the physical relocation of a collection or inventory of select agents or toxins for those select agents or toxins in the collection or inventory; Upon the departure or arrival of a principal investigator for those select agents and toxins under the control of that principal investigator In the event of a theft or loss of a select agent or toxin, all select agents and toxins under the control of that principal investigator.

What s an inventory audit CFR Section 11(e) (All) An inventory audit is an examination of a portion of the inventory or collection sufficient to verify inventory controls are effective. Why? Insider threat What should they inventory? Depends on the circumstances Depends how the inventory is stored Requirement for current/accurate still exists

CFR Section 11(f) (2) (Tier 1) Describe procedures for how an entity s Responsible Official will coordinate their efforts with the entity s safety and security professionals to ensure security of Tier 1 select agents and toxins and share information.

CFR Section 11(f) (4) (i) (Tier 1) Procedures that will limit access to a Tier 1 select agent or toxin to only those individuals who have an current SRA, are approved for access and have had an entity-conducted preaccess suitability assessment, and are subject to the entity s procedures for ongoing suitability assessments Only people in the surety program can access the agent or toxin

CFR Section 11(f) (4)(iv) (Tier 1) Not the same as biocontainment barriers A minimum of three security barriers where each security barrier adds to the delay in reaching secured areas where select agents and toxins are used or stored. The final barrier must limit access to the select agent or toxin to only those individuals who are approved by the HHS Secretary or Administrator and enrolled in entity s Suitability Assessment Program. Access through the barrier only takes an approval by the HHS Secretary or Administrator (ie SRA Approval) Why? Shared space Person as a barrier

CFR Section 11(f) (4)(iv) (Tier 1) What s a security barrier? A security barrier is a physical structure that is designed to prevent entry by unauthorized person. Can a person be a barrier? Personnel who are trained to identify and respond to suspicious activities can be a security barrier. They must be present!

CFR Section 11(f) (4)(iv) (Tier 1) Are locked freezer doors still a barrier? Yes, the act of opening the door counts as entry Keep in mind the suitability requirements

CFR Section 11(f) (4)(iv) (Tier 1) The final barrier must limit access to the select agent or toxin to personnel who are SRA approved. The final barrier. Not ALL barriers. The outer two barriers do NOT have to limit access to SRA approved persons.

3 Barrier Examples (Tier 1) Barrier 1 Barrier 2 Barrier 3 (linked to access approval) Guard/Perimeter Fence Card-Key Access to floor Key locked freezer with strong key control measures Building Card Key Access Limited Room card-key access Different card-key required for room Building Card Key Access Limited Room card-key access Card-key PIN access room Building Card Key Access Limited Room card-key access Biometric lock system on freezer Building Card Key Access Card-key PIN access room PIN access to freezer Building Card Key Access Limited Room card-key access Restricted card key access to registered space Floor Card Key Access Limited Room card-key access Restricted card key access to registered space

Barriers concerns The final barrier must limit access to the select agent or toxin to individuals who are approved by the HHS Secretary or Administrator and enrolled in entity s Suitability Assessment Program Person as a barrier Must be there all the time the select agent or toxin is present Must be trained (suspicious persons) Guards present only during business hours After hours the access point must be secure Single guards Must be no disruption of coverage

Shared Space and Barriers If they have access to the Tier 1, they must be in the Surety Program If they have access to the room but not the agent, they must be approved by the HHS Secretary or Administrator (ie SRA Approved) See security guide for examples of Storage only Separated by time

CFR Section 11(f) (4)(ii) Procedures that limit access to laboratory and storage facilities outside of normal business hours to only those specifically approved by the Responsible Official or designee. If you have 24 hour access, it s a deliberate decision not a default by the access control system. Personnel can t work outside normal business hours without permission

CFR Section 11(f) (4)(iii) Procedures for allowing visitors, their property, and vehicles at the entry and exit points to the registered space, or at other designated points of entry to the building, facility, or compound based on the entity s site-specific risk assessment. Have a plan to allow visitor s entry Doesn t require you to deny access to visitors

CFR Section 11(f) (4)(v) All registered space or areas that reasonably afford access to the registered space must be protected by an intrusion detection system (IDS) unless physically occupied; An IDS is a system that uses a sensor(s) to detect an impending or actual security breach and initiate an alarm that notifies a response force. Please see the Security guide for examples of sensors.

CFR Section 11(f) (4)(vi) Personnel monitoring the IDS must be capable of evaluating and interpreting the alarm and alerting the designated security response force or law enforcement. They should know what to do when an alarm goes off. They know who to call

CFR Section 11(f) (4)(vi) For powered access control systems, describe procedures to ensure that security is maintained in the event of the failure of access control systems due to power disruption affecting registered space; Locks should fail secure Fail Safe = power off, it's unlocked Fail Secure = power off, it's locked Fire Rules

CFR Section 11(f) (4)(viii) The entity must: Determine that the response time for security forces or local police will not exceed 15 minutes or Provide security barriers that are sufficient to delay unauthorized access until the response force arrives in order to safeguard the select agents and toxins from theft, intentional release, or unauthorized access. The response time is measured from the time of an intrusion alarm, or report of a security incident, to the arrival of the responders at the first security barrier.

CFR Section 11(f) (4)(viii) Police departments are NOT reacting to home security alarms at all! Detroit Las Vegas Indianapolis Orange County CA Police do have priority alarms or potentially dangerous alarms Banks Pharmacies Gun shops

CFR Section 11(f) (4)(viii) Delay Time Barriers don t stop anyone, they just slow them down Response force stops (interrupts) a threat Barriers must slow an adversarial force down long enough for a response force to arrive

CFR Section 11(f) (4)(viii) The response force can be: Personnel trained to respond Observe/Report to neutralize Employees who observe

CFR Section 11(g) In developing a security plan, an individual or entity should consider the document entitled, Security guide for select agent or toxin facilities. The document is available on the Internet at http://www.selectagents.gov.

Prior to the cycle: Autoclaves An SRA approved individual should check the autoclave to ensure it is loaded properly and reaches to appropriate temperature and pressure. Once that is complete, the person does not have to remain with the autoclave. At the end of the cycle If the cycle was completed within normal parameters the person removing the material does not have to be SRA approved and meet the suitability requirements. If the run was not completed within normal parameters, the personnel security requirements remain. The RO should be notified and the material removed by an SRA approved individual subject to the surety requirements.

Final Thoughts Security should always re-enforce other processes. Don t add a new barrier, add a lock to a current one If you make it hard, no one will do it Anonymity is a key deterrence to crime Suspicious Person, Criminal in Nature, IT, IDS and Visitors policies 3 barriers Doubt is the best way to mitigate insider threat Audits Work hours Access controls Barriers won t stop a threat IDS Response force