BIOSECURITY TOOLBOX A Personal Perspective

Transcription

1 BIOSECURITY TOOLBOX A Personal Perspective ANDREW CANNONS, Ph.D. SCIENTIFIC DIRECTOR USF CENTER FOR BIOLOGICAL DEFENSE

2 Toolbox for a Security Plan A defined set of tools that a user might need for a particular task Different users might use different tools to achieve the same result ANDY Biosecurity vs Biosafety Requirements of a Security Plan Meeting the Requirements of the Security Plan Using a defined set of tools (the Tampa perspective!)

3 Laboratory Biosafety and Biosecurity Biosafety: Development and implementation of administrative policies, work practices, facility design, and safety equipment to prevent transmission of biological agents to workers, other persons, and the environment Biosecurity: Protection of high-consequence microbial agents and toxins, or critical relevant information, against theft or diversion by those who intend to pursue intentional misuse

4 Laboratory Biosafety and Biosecurity, (cont.) Common Strategy Implement graded levels of protection based on a risk management methodology Laboratory biosecurity and biosafety should be integrated systems that avoid compromising necessary infectious disease research and diagnostics

5 Integrated Biosafety & Biosecurity BIOSAFETY SECURITY Review agent properties What is known? What are the infections, toxicity, oncogenecity, allergies? Review agent properties What is potential for malicious use? What are the potential consequences of malicious use? Place in Biosafety Risk Group Place in Malicious Use Risk Group Does planned lab activity change risk? Does planned lab activity change risk? Determine appropriate biosafety measures Determine appropriate security measures Defines Laboratory Operating Environment

6 Requirements of the Security Plan Site Specific Designed on Risk Assessment Provide Graded Protection Select Agents to be Used Risk of those agents Intended use of those agents Submitted upon request Should take into account Incident Response and Biosafety Plans Site Specific Training and Implementation

7 What the Security Plan Must Address Physical Security Inventory Control Information Technology Control Controlled Access Dealing with Routine Jobs cleaning, maintenance, repairs Procedures for removing unauthorized/suspicious persons Procedures for dealing with loss/compromise of keys, passwords, combinations Procedures for reporting theft/loss/release of agents, inventory alteration ALL SRA INDIVIDUALS MUST UNDERSTAND AND COMPLY

8 How to Meet the Requirements of the Security Plan? Physical Security What is needed to physically protect the agents? Some considerations: Physical security is driven by economics BT funding from CDC helped considerably to increase and improve security Labs, such as in academia, likely have a more difficult job What can be achieved with existing structures Utilizing different labs, retroactive fitting of security devices without complete overall Need to consider what is effective and what is just for show

9 Physical Security (cont.) Deter Unauthorized Access Card access (or alternate) for authorized personnel only 24/7 monitoring for forced entry/door ajar Locks on all storage containers Lock boxes (number combinations) to store keys with periodic number changes All key usage is logged Biometrics and number combinations also Guard (7 days/week)

10 Physical Security (cont.) Detect Unauthorized Access CCTV (external/internal) with 24 hr monitoring Motion sensors (real time) Audible sensors (real time) Restricted access Only authorized personnel have room access ID worn at all times in building Inventory checks of Select Agents Physical count at least monthly Alteration of inventory log

11 Physical Security (cont.) Delay Access Should have at least 2 locked doors to reach agents We have aimed to have at least four locked doors to reach agents All agents kept locked during storage (4 o C, ultra low temp) & incubation Located away from public access

12 How to Meet the Requirements of the Security Plan? Security of the Individual All personnel with access to agents must undergo Security Risk Assessment by DOJ Is this adequate? Reassessment is every 5 years is this often enough? Do Select Agent Labs do their own pre-employment screening? Pre-employment background checks of ALL staff Personnel in your receiving area must also be SRA How come FedEX & other shippers are not?

13 Security of the Individual (cont.) Role of the Responsible Official in Security Needs to understand and have a good working knowledge of all the security systems and procedures in place Need full understanding all security issues related to select agents What requirements, other than specified by SAP Active Role of the PIs and Supervisors in Security Need full understanding of the security systems and procedures in their locations as well as rest of building Need to be able to communicate security information to their staff Need to have a good understanding of their staff s attitudes to security Need to be able to determine changes in staff attitudes that might affect security Need full understanding all security issues related to select agents Role of SRA staff in Security Need full understanding of the security systems and procedures in their locations as well as rest of building Need full understanding all security issues related to select agents

14 Security of the Individual (cont.) Role of the Everyone in Security Need to review and understand the security plan Need to feel adequately trained in security issues All employees must wear IDs that are visible at all times No sharing of key cards, card numbers, lock box combinations Must report loss of key card, keys to RO Submit to background checks Report suspicious persons/actions to the RO and/or guard All employees must enter building at the front door All visitors must sign in and out, and be met by an employee to enter the building Constant supervision of unauthorized personnel

15 How to Meet the Requirements of the Security Plan? Inventory Control Basically means that at anytime you know exactly what select agents you have in house and how much of each In terms of security, it will always be after the fact: If a vial is stolen, it would not be recognized until inventory performed

16 Inventory Control (cont.) Example of Inventory Control Stock cultures must in inventoried at least monthly (physical count of vials, assessment of volumes) Two laboratory personnel must be present RO check of inventory process (annual) Removal of vial for use requires documentation on usage form and chain of custody (date, usage, date of discard) Use of inventory forms Packages: All packages containing Select Agents must be delivered to the Select Agent personnel for correct inventory & storage Intra facility transfer: Must use the Intra-facility form (updated) for lab to lab transfer. Receiving lab/p.i. must be approved

17 Inventory Sheet

18 How to Meet the Requirements of the Security Plan? Information Technology Requirement to keep all IT information safe and secure Minimum requirements are password and firewall protection Locked electronic media Digital certificates Are these adequate, are there additional and/or alternates?

19 How to Meet the Requirements of the Security Plan? Routine Jobs Housekeeping/cleaning Only authorized lab personnel clean the labs Maintenance Building maintenance personnel are SRA Do not have access to labs, still requiring escorts Repair (non-building personnel) Must be escorted at all times Lab must deconed prior Must sign a form indicating understanding of the type of lab they are entering

20 How to Meet the Requirements of the Security Plan? Suspicious Persons What are they? Unfamiliar person with no ID Person with anomalous appearance or who is present at an anomalous time (after hours) or place (restricted area) An insider seeking information about protected lab areas or lab projects with no apparent need to know An insider exhibiting uncharacteristic behavior or mood changes. Stressed individuals are more likely to pose a safety risk (e.g. losing focus), rather than security risk

21 How to Meet the Requirements of the Security Plan? Security Training Annual & after any incident Levels of training: For all staff members Discuss security plan Emphasis on building and staff security For members of select agent program Discuss security plan Discuss security in relation to select agents More emphasis on agent security

22 Incident Report Form all types How to report/document security issues? IR form for all security issues, large & small Key not logged back Suspicious person in building IR used to revise and upgrade security plan Requires review by all staff

23 How to Meet the Requirements of the Security Plan? Drills & Exercises Must be performed annually Must test personnel responses to: Inventory alterations Security breaches in building/lab Theft Release Incident Response

24 Drills & Exercises (cont.) Examples of drills/exercises to test security Scenario driven Staff given advance warning drill period Drill initiated by scenario placed on door of select agent lab (Tampa has 3 labs) First SRA person to find envelope is responsible for following the drill Can use help of other staff members Drill proceeds as far up as RO No calls to Law Enforcement or CDC

25 Drills & Exercises (cont.)

26 Summary Biosecurity is all about protecting highconsequence microbial agents and toxins, or critical relevant information A site specific Security Plan is required to implement this protection The Security Plan has a number of requirements from Physical Security to Personnel Security and Inventory Control Meeting these requirements relies on a set of tools These tools are not standard from lab to lab It would be useful to develop a Best Practices web site