Site Specific Threat Assessment

Site Specific Threat Assessment

Site Specific Threat Assessment

The Site Specific Threat Assessment contains a Threat Assessment Matrix (TAM), a document that is used to assess and identify potential risks for a specific area or practice. The assessment is a two-part process, a TAM as well as a Vulnerability Assessment (VA). A TAM is mostly subjective but allows an individual to identify risks using a simple ranking system (Low, Moderate, High) which determines a total risk value for each individual risk.

Description of agents:

†Name of Agent or Toxin, described as †Biosafety Level agents †airborne/(non-airborne).

†Name of PI is listed as the “Principal Investigator.” †Name of PI maintains specimen accountability and inventory control.

Agent-Specific Risk Assessment:

Based on the agents in the University’s inventory and their intended use, the risk category associated with these agents is (Check one):

Low risk includes agents that are handled in a diagnostic, nonpropagative manner (e.g., single specimen, no culture).

Moderate risk includes agents that are handled in a diagnostic, propagative manner. This level includes only the amounts necessary for experiments at hand (e.g., specimen cultured for diagnostic purposes or produced only in amounts required for the research or experiments being conducted).

High risk includes agents that are handled in large or highly pure quantities such as liters or grams. It would also include those agents and toxins used in restricted experiments or experiments that may increase virulence, and also includes high-risk use (e.g., centrifugation).

Highest risk is a placeholder for smallpox only.

Note: The agent-specific risk categories are based on the concept that all agents and toxins do not pose the same risk or require the same level of protection.

Threat Assessment:

The following table lists the threats, probability of occurrence and consequences if a threat occurs. Probability and consequences are rated as low, moderate, or high.

It should be noted that probability and consequences may vary due to the type of threat.

Threat / Probability / Consequences
Man/Woman
Insider with authorized access / Moderate / High
Outsider with limited access and system knowledge / Low / Moderate
Anyone desiring to do harm (i.e., violent acts, anger, hatred, terrorist activity, civil disturbances, special interest groups, attack at gun point, etc.) / Low / High
Nature
Hurricanes / Low / High
Severe thunderstorms / Low / Moderate
Tornadoes / Low / High
Floods / Low / Moderate
Earthquakes / Moderate / High
Incident
Bomb threats / Low / Low
Communications failure / Low / Low
Electrical power failure / Low / Moderate
Fire / Low / Moderate
HAZMAT incident / Moderate / High
Biological and chemical agents Information technology hacking / Low / Moderate

Figure 1

As shown in the TAM in Figure 1.1, the above subjective factors (Figure1) have been reflected with their assigned values to yield “Risk Factors” which can be used to assign tasks and functions to the process. Any risks or threats with a value greater or equal to 25 will trigger the need to complete a Vulnerability Assessment(Figure 2) which will identify specific actions needed to reduce vulnerability level. Similarly, any value of 50 or greater will trigger the need for a Security Access Plan and Incident Response Plan. Both of these plans will require additional training and must be implemented properly.

Note: A template for Figures 1.1 and 2.1 are available from the link below. Please note that the referenced Microsoft Excel Spreadsheet contains two sheets respective to the figures 1.1 and 2.1. Please be mindful of the included formulas which are programmed to handle any required calculations automatically.

Vulnerability Assessment:

The probability and consequences of each identified threat that were rated as low, moderate or high, in the previous section, were reviewed. Any threat with a moderate probability and consequence or higher was consider significant and chosen for Vulnerability Assessment in this section. The significant/chosen threats had the following ratings:

  • Moderate Probability and Moderate Consequence
  • High Probability and Moderate Consequence
  • Moderate Probability and High Consequence
  • High Probability and High Consequence

These significant threats are listed in the following table as security weaknesses and/or deficiencies. The vulnerability and corrective measures for each of these security weaknesses and/or deficiencies were evaluated and documented in the table.

The vulnerability level is rated as follows:

  • Low level means the threats identified at the entity have little or no probability for harm
  • Moderate level means the threats identified at the entity have some probability for harm
  • High level means the threats identified at the entity are likely to cause harm

Security Weakness/ Deficiencies (AKA Significant Threats) / Vulnerability Level / Corrective Measures Considered
Man/Woman
Insider with authorized access / High /
  • Develop and Implement a written Security Plan.
  • Train personnel on the Security Plan.
  • Require Security Risk Assessments of individuals before granting unescorted access.
  • Maintain three lockable barriers for storage of select agents and/or toxins.
  • Develop and implement an entry log for location.
  • Require unauthorized personnel (Personnel without an approved security risk assessment) to be escorted by authorized personnel when entering rooms where select agents or toxins are present.
  • Develop and implement inventory tracking and verification system.

Nature
Earthquakes / Moderate /
  • Require secondary containment for storage of select agents and/or toxins
  • Bracket storage cabinets to walls to prevent storage cabinets form falling over during an earthquake.
  • Develop and implement a written Incident Response Plan.
  • Train personnel on the Incident Response Plan.

Incident
HAZMAT Incident / Moderate /
  • Develop and implement a written Incident Response Plan.
  • Train personnel on the Incident Response Plan.

Figure 2

Based on the above table of threats (Figure 2), vulnerability ratings and corrective measures, the overall vulnerability is low.

Graded Protection Assessment:

An assessment of the area should be performed by a qualified individual such as a Police Officer and preferably someone who would be responding to the area during an actual emergency.

Considerations:

Based on the site-specific risk assessment, all the above corrective measures have and/or will be implemented. These measures will be documented in the Security Plan, Incident Response Plan and other plans, as necessary.

Entity Security Conference:

On†“Select a Date”, a security conference and survey of the Regulated Material and/or toxin storage and use area were conducted by:

  • †PI Name,Title;
  • †RO Name, California State Polytechnic University, Pomona, Environmental Health and Safety Department;
  • †Inspector Name, California State Polytechnic University, Pomona, Police Department

†Add any additional information or comments here:

General Observations:

†Building #, Room # is located inside †Building # on the Cal Poly Pomona campus. Physical access to †Building #, Room # is possible only through the exterior lab, †Building #, Room #, which is normally kept secured through †means of access to this area (e.g. keycard, master). Access keys for †Building #, Room # are “off master,” and these keys are possessed by†PI Name and †RO Name. Authorized persons wishing to access †Building #, Room # are admitted †PI Name.

The security for this lab consists of the following layers:

1 - Main access doors for †Building #, Room #, keyed to a general building master key;

2 - Internal lab door for †Building #, Room #, where agents are stored / used, keyed “off master;”

3 - Locked storage containers (refrigerators / freezers) inside †Building #, Room #;

4 – Locked internal storage containers inside each refrigerator. All agents are kept secured in these containers at all times, unless immediately being used.

Access to †Building #, Room #is logged on a written sign-in sheet for all those entering the lab. This log sheet appears to be kept up to date, and contains emergency contact numbers for incidents or other occurrences relating to this room. There is also up-to-date emergency contact information posted on the entry door.

Other area observations:

†List any additional observations from the Inspector here.

Recommendations for future security enhancements:

†List all recommendations from the Inspector here.


/ A / B / C
Threat / Probability / Consequence / Risk Factor
Describe any all threats. Insert additional rows as necessary. / (Low [0], Moderate [5], High [10]) / (A)(B)
Man/Woman / e.g. Low [0] / e.g. High [10]
Insider with Authorized Access / 5 / 10 / 50
Outsider with Limited Access or System Knowledge / 0 / 5 / 0
Desire to do harm: violent acts, terrorist activity, civil disturbances, special interest groups, attack at gun point etc. / 0 / 10 / 0
Nature / e.g. Low [0] / e.g. High [10]
Hurricanes / 0 / 10 / 0
Severe Thunderstorms / 0 / 5 / 0
Tornadoes / 0 / 10 / 0
Floods / 0 / 5 / 0
Earthquakes / 5 / 10 / 50
Incident / e.g. Low [0] / e.g. High [10]
Bomb Threats / 0 / 0 / 0
Communications Failure / 0 / 0 / 0
Electrical Power Failure / 0 / 5 / 0
Fire / 0 / 5 / 0
HAZMAT Incident / 5 / 10 / 50
Biological and Chemical Agents Information Technology Hacking / 0 / 5 / 0
Criteria:
Any items with a Risk Factor ≥25 must undergo a Vulnerability Assessment.
Any items with a Risk Factor ≥50 require a Security Access Plan and an Incident Response Plan specific to that location.

Figure 1.1

Security Weakness
/ Vulnerability Level / Corrective Measures Considered
Man/Woman
Threat from Assessment
(Add additional rows as necessary)
Insider with Authorized Access / Significant / Develop and implement a written Security Plan
Train personnel on security plan
Maintain lockable barriers
Develop entry log for restricted areas
Nature
Earthquakes / Significant / Require secondary containment for storage
Bracket storage cabinets to the wall to prevent falls
Develop an incident response plan
Incident
HAZMAT Situations / Significant / Develop an incident response plan
Train personnel on incident response plan
Be familiar with emergency procedures
Risk Factors / Vulnerability Level
25 / Moderate
50 / Significant / Security Access Plan & Incident Response Plan Required
100 / Severe / Security Access Plan & Incident Response Plan Required

Figure 2.1

Authorized Personnel

Authorized personnel with access to Regulated Materials must carry a lab specific Identification card to identify themselves as Authorized Personnel. Due to the cumbersome procedures associated with this process, a viable alternative is available. All lab personnel shall be identified on a poster located in the lab and in the Security Access Plan. This identification must have their photo.

†PI Name (Photo Below)
/ † RO Name (Photo Below)
/ †ARO Name (Photo Below)

†Staff 1 (Photo Below)
/ †Staff 2 (Photo Below)
/ †Staff 3 (Photo Below)

Additional Information

†Provide any additional information regarding Authorized Personnel here:

Certification of Annual Review of Security Plan

Signature of Reviewer / Date of Review

1 | Page

Top View