Physical security

For the scenarios, situations have been chosen that are realistic, but could also occur in another context within your organisation. The following questions are designed to give an impression of whether the described scenario is relevant in your organisation.

Questions for your organisation:

  • Is the situation recognisable?
  • Is the situation realistic (or realistic in another context)?
  • What are the vulnerabilities in this situation?
  • What are the possible consequences of this situation?
  • What control measures can be taken to prevent the scenario?
  1. Sharing access passes

    A colleague from another department must retrieve materials from a biosafety level 3 laboratory facility. This employee has no access to this facility. Another colleague who does have access to this facility temporarily shares her access pass with the employee.

    In this situation, authorisation, registration and physical access control have been bypassed. An employee consciously shares his/her access pass to give an unauthorised person access to a vital area. An access pass is personal and the user is accountable in case of misuse.

    Other relevant biosecurity pillar of good practice: awareness

    • Safety risk: an unauthorised employee may not be aware of applicable rules, which can have consequences for safety, health, and containment of high-risk materials.
    • Security risk: an unauthorised employee can steal high-risk materials or, intentionally or not, cause damage in the vital area.
    • Since registration and monitoring are not linked to the assigned person, this may entail risks in following up an incident.
    • Potential reputational damage, both for the person who has shared his/her access pass, and for the organisation.
    • The absence of alert, security-aware employees is a security risk, and failing to detect undesirable or dangerous situations can make your organisation vulnerable.

    Is this scenario applicable to your organisation?

  2. Active access pass, after employment has ended

    A week after an employee has left the organisation, he/she returns to his/her former workplace to collect some personal belongings. Because the access pass is still active, the employee still has access to the facilities on arrival.

    The authorisation system of an organisation must be up-to-date. In case of termination of employment, access to the organisation’s facilities must be terminated immediately as well, and the access pass should be returned. This scenario is also applicable when an employee changes jobs within the organisation and therefore needs a change in authorisation rights.

    Other relevant biosecurity pillar of good practice: management

    • A former employee can cause damage in vital areas, or steal high-risk materials.
    • The authorisation system must be up-to-date. If not, security of vital areas or the high-risk materials may be vulnerable.

    Is this scenario applicable to your organisation?

  3. External technician

    On a quiet day, with few employees present, a malfunction occurs in a storage room containing high-risk materials. An external maintenance technician arrives at the end of the afternoon to remedy the malfunction. Since the work takes more than an hour, the technician is left unsupervised in the storage room.

    If external, unauthorised personnel are allowed access and carry out their work unsupervised in a high-risk area, there is always a risk of a safety or security incident. Procedures for unsupervised work by authorised staff or external personnel can be described in a biosecurity management system.

    Other relevant biosecurity pillar of good practice: awareness, personnel reliability

    • Access of unauthorised persons to vital areas is a risk for your organisation. To ensure that at least one layer of protection remains (vital areas), high-risk materials must be secured, an authorised person must be present, or other, additional security measures have to be taken.
    • Safety risk: an external employee may not know the applicable rules, which can have consequences for safety, health and containment of the high-risk materials.
    • Security risk: an external employee can cause damage in vital area(s), steal materials, or, intentionally or not, break through physical barriers (e.g. leave a door open).
    • High-risk materials are vulnerable to damage or theft if there is no barrier between the external employee and the materials.

    Is this scenario applicable to your organisation?

  4. Power failure

    A power failure has occurred, which results in a shutdown of a part of the security measures of high-risk material. During the power failure, a student walks into a secure area to see if there is still someone present.

    In facilities dedicated to work with high-risk materials, emergency equipment such as an emergency power generator must be present to ensure security of high-risk materials in case of a power failure. Temporary security solutions, such as deploying security staff to control access to vital areas, can also be used. In addition to physical security, it is possible to indicate whether work is being carried out in an area with high-risk materials and that this area may not be accessed by unauthorised persons.

    Other relevant biosecurity pillar of good practice: emergency response

    • Safety incidents can occur if vital areas become accessible to unauthorised persons, who may not know the applicable rules. If containment of high-risk materials is lost due to a power failure, this can be detrimental to safety, health or the environment.
    • Security incidents can occur if physical security measures or barriers are removed due to a power outage. An unauthorised person can damage the vital area or steal materials.
    • Without back-up systems, vital areas are vulnerable.

    Is this scenario applicable to your organisation?

  5. Unauthorised employee in protected area

    An employee wants to enter a building to which he/she has no access. This employee has a credible story and manages to be given access to the facility by a colleague.

    Awareness is an important issue when it comes to biosecurity and biosafety. There are always risks when a colleague gains access to a section of a building without authorisation. By asking politely how to be of service to this colleague, and accompanying him/her to the intended destination, unauthorised staff may be prevented from gaining access to restricted locations.

    Other relevant biosecurity pillar of good practice: awareness

    • Safety risk: an unauthorised employee may not know the applicable rules in this building, which can have consequences for safety, health and containment of the high-risk materials.
    • Security risk: this unauthorised employee can cause damage in the vital area or steal high-risk materials.
    • There is a risk of reputational damage for the organisation and the employee who gives the unauthorised person access if the person causes damage or the access has other negative consequences.

    Is this scenario applicable to your organisation?

  6. Intruder

    An unknown person tries to gain access to the facility. This may also be a ‘mystery guest’, who at the request of the organisation (e.g. management or security) tries to penetrate the organisation (without prior notification) to test its security system. Using forged access passes and a credible story, this person gains access to the area with high-risk materials.

    The intruder bypasses physical barriers, alarm or detection systems, and manages to reach high-risk materials. In addition to physical security, this situation also calls on employees. Employee awareness of potential risks is an important aspect here. Using a ‘mystery guest’ can expose the vulnerabilities in your physical security and can contribute toward raising awareness.

    Other relevant biosecurity pillar of good practice: awareness

    • Your organisation is at risk if physical control measures, and additional control measures (access passes, intrusion systems, etc.), or employees are not alert.
    • Safety risk: an unauthorised employee may not know the applicable rules in this building, which can have consequences for safety, health and containment of the high-risk materials.
    • Security risk: an unauthorised employee may cause damage in the vital area or steal high-risk materials.
    • There is a risk of reputational damage for the organisation and the employee who provides access to the unauthorised person.
    • By deploying a ‘mystery guest’, it becomes clear where the vulnerabilities in the (bio)security of the organisation may be present. Results from a visit by a ‘mystery guest’ may be valuable in convincing the organisation of the benefit of (bio)security control measures. The results can also be used to raise awareness among staff.
    • The absence of alert, conscious employees is a security risk when it comes to detecting anomalous situations and can make your organisation vulnerable.

    Is this scenario applicable to your organisation?
