Biosecurity – Flashcards

Prevent exposure to or accidental release of potentially hazardous and/or regulated biochemical materials

Prevent the theft, misuse, or intentional release of these materials

Combination of biosafety and biosecurity, working safely and keeping the work secure

Spores must be milled for weaponization. Anthrax would kill 1/3, weaponized anthrax 3/4

Should be used together as an integrated approach to define the laboratory operating environment

Most agents can be isolated from nature or exist elsewhere in culture collection. Few agents can be easily grown, processed, weaponized and successfully deployed while maintaining virulence/toxicity. These are "dual use" agents

Useful for many legitimate defensive, commercial, medical and research applications

Living and self replicating organisms cannot be reliably quantified. Agents are used in small quantities in a variety of operations. Contained biological samples are virtually undetectable. Biological research communities are not accustomed to operation in a security conscious environment

1) Protect against "unacceptable" risks 2) Be prepared to respond to "acceptable" risks 3) Cost and measures to protect should be proportional to risk of release or malicious use

Need methodology to make informed decisions about how to design an effective and efficient biosecurity system. Protection levels should be proportional to risk of loss (theft or destruction)

What requires protection. Dangerous materials, hard to replace materials, rare materials, materials critical to operations

IT systems, hardware, research data, lab equipment, chemicals, research material (agents, animals, etc), personnel, buildings

Contagiousness. Medical effects (Morbidity, Mortality). Potential to become endemic. Economic impact.

Low, moderate, high, extreme

Acquisition. Production Challenges (Ease of growth, processing, storage). Modes of dissemination. Environmental hardiness

Contagiousness : Low (none or limited). Medical effects : High (moderate to severe morbidity, moderate mortality). Endemic vs. Epidemic : Moderate- High (Endemic/ Exotic). Economic : Moderate-High (Limited -> Moderate) Overall : Moderate to high consequences

Ease of acquisition: Moderate (Limited) Production Challenges : High (Limited) Mode of dissemination : Moderate (Easily released) Environmental Stability : Extreme (High) Overall risk : High -> Extreme risk for weaponization

Consequences : Moderate to high. Weaponization risk : Relatively high. Overall malicious use risk : High

Who or what are we protecting from?

No authorized access

Authorized access to facility, materials and restricted information

Asset attractiveness- How well does acquisition or sabotage achieve or help achieve adversary's objective

Capability : Does the adversary have skills, knowledge and tools necessary to conduct attack / meet objective?

Environment : Is adversary active in area? How recently have they acted in ways that may be threatening? Has there been any indication of targeting?

Motive, Means, Opportunity

Animal right's activists, disgruntled employees, terrorists, criminals

More "outsiders," less "insiders." Force adversary to get material/assets elsewhere. Make yourself a less desirable target. Don't comprise legitimate operations without cause, impact operations only to level required

Cannot protect every asset against any threat. Resources are finite. Security systems should be based on the asset or material requiring protection. Should be designed to address unique situations

Physical Security. Personnel Security. Information Security. Material control and accountability. Transport security.

Graded, increases towards highest risk asset

Includes grounds, public access areas. Fences, building boundaries.

Labs, certain offices, corridors around exclusion area. Require unique credentials for access (key card, controlled key)

High containment labs, computer network hubs. Require unique credential AND unique knowledge (password, biometric scan, second person to verify identity). Intrusion detection and response

Detection : Guards, sensors. Validation : Real alarm? Respond Internally : Security personnel. Notify external responders : Reinforces / investigates.

Policies : Escorts, entry logs, etc. Consequences for security violations. Training : What to do - unrecognized persons, unusual activity, missing badges, keys. Performance testing and maintenance: Physical and personnel (drills)

Employees (Hiring, during employment, transfer/termination). Visitors

Ideal personnel

Should be screened related to access and risk levels. Assure that forms, training and health screening is completed

ID badges should be worn, clearly indicate access privileges. Security policy violations should be enforced. Employee assistance program to deal with personal employee issues

Assure paperwork completion for transfer or termination. Transfer accountability for sensitive materials. Retrieve property (badges, keys, equipment). Deactivate computers and access accounts

Objective of Material Control and Accountability

Description and quantity

Can be physical or procedural. Containment can provide control. Functional under normal and abnormal conditions.

Must belong to someone. Establish procedure for assignment and expectations

Location changes (Labs, storage, repositories). Different samples (Master stocks, working stocks, experiments in progress). Different accountable persons (Shipping, receiving, destruction, testing).

Vulnerable. Materials removed from limited access areas, increased pool of people who have access.

Chain of custody: What (Description of materials), Who (Authorized, approved individuals), When (Time & Date signatures for each individual with control), Where (Receipt of material at designated location under appropriate physical security).

Must be pre-approved by responsible party

Must be constantly updated

Information protected from unauthorized or accidental disclosure

Information is as intended without inappropriate modification of corruption

Confidentiality, integrity, availability, transparency

Authorized users can access applications and systems when required

"Public" has a right to certain information or to know what is being withheld

Community Liaison Committee. Determine which information should be released

Define "sensitive" information. Assess all documents for sensitive information. Determine information chain of custody. Determine how to contain information (Physical systems, personnel reliability)

Hard copies should be secured in limited or exclusion areas, any reproductions should be controlled. Networks and servers should be protected, can be layered.

Access privileges include information. Communication restricted. User should know sensitivity levels of information. The person viewing information is accountable

Electronic access control. Personnel screening should include more comprehensive background investigation. Accountability records should be maintained. Material transfers should be pre-approved, require a continuous chain of custody. Information about agent security should be protected

Should be pre-approved, require a continuous chain of custody