2nd Annual Select Agent and Toxin Conference
- 13 pages
- For Official Use Only
- August 2009
Vulnerability Assessment Authorities
- Homeland Security Presidential Directive-7 (HSPD-7) and the National Infrastructure Protection Plan (NIPP) require DHS to identify, prioritize, and coordinate the protection of critical infrastructure and key resources (CIKR).
- DHS is responsible for ensuring that comprehensive vulnerability assessments are performed for nationally critical CIKR, and conducting or supporting vulnerability assessments that address the specific needs of the NIPP’s comprehensive approach to CIKR protection.
- The Senate Appropriations Committee Report to the Consolidated Security, Disaster Assistance, and Continuing Appropriations Act, 2009 (P.L. 110-329) directs DHS to report to the Committee by March 20, 2009, on the progress made to expand vulnerability assessment capacity.
…
Common Vulnerabilities
- No security director as an executive staff member (sole function).
- No established security protocols in response to unusual incidents.
- No screening of packages or vehicles entering facility.
- Inadequate relationship between first responders in consideration to exigent circumstances requiring emergency response to facility.
- Insider threat to facility operations.
- Potential for stealing or diverting agents during shipping and transfers.
- Inconsistent background checks on employees that do not have “entry” access to BSL laboratory.
- No annual or semi-annual updates of background checks for laboratory personnel.
- Co-location of laboratory with other facilities: full access to facility can be gained.
- Inconsistent security procedures across facilities.
- Perimeter security inadequate or in need of repair/replacement.
- No procedure for “non-existing” badge challenges.
Recommended Protective Measures
- Designate security director to develop, implement, and coordinate security related activities.
- Develop a comprehensive security and emergency response plan.
- Establish liaison and regular communication with local law enforcement and emergency response officials.
- Conduct background checks on all employees and establish procedures for reporting change of life information (bankruptcies, divorce, marriage, etc.).
- Incorporate security awareness and response procedures into new employee training.
- Install intrusion detection systems in sensitive areas.
- Provide adequate locks, gates, doors, and other barriers for designated secure areas.
- Install barriers at HVAC systems, hatches, and power substations.
- Implement adequate policies and procedures for cyber and control systems security.
- Immediately cancel all access to terminated staff (employees and contractors).
- Develop and maintain emergency response plans, notifications process, and calling procedures.