Site Specific Threat Assessment The Site Specific Threat Assessment contains a Threat Assessment Matrix (TAM), a document that is used to assess and identify potential risks for a specific area or practice. The assessment is a twopart process, a TAM as well as a Vulnerability Assessment (VA). A TAM is mostly subjective but allows an individual to identify risks using a simple ranking system (Low, Moderate, High) which determines a total risk value for each individual risk. Description of agents: † Name of Agent or Toxin, described as † Biosafety Level agents † airborne/ (non-airborne). † Name of PI is listed as the “Principal Investigator.” and inventory control. † Name of PI maintains specimen accountability Agent-Specific Risk Assessment: Based on the agents in the University’s inventory and their intended use, the risk category associated with these agents is (Check one): Low risk includes agents that are handled in a diagnostic, nonpropagative manner (e.g., single specimen, no culture). Moderate risk includes agents that are handled in a diagnostic, propagative manner. This level includes only the amounts necessary for experiments at hand (e.g., specimen cultured for diagnostic purposes or produced only in amounts required for the research or experiments being conducted). High risk includes agents that are handled in large or highly pure quantities such as liters or grams. It would also include those agents and toxins used in restricted experiments or experiments that may increase virulence, and also includes high-risk use (e.g., centrifugation). Highest risk is a placeholder for smallpox only. Note: The agent-specific risk categories are based on the concept that all agents and toxins do not pose the same risk or require the same level of protection. 1|Page Threat Assessment: The following table lists the threats, probability of occurrence and consequences if a threat occurs. Probability and consequences are rated as low, moderate, or high. It should be noted that probability and consequences may vary due to the type of threat. Threat Man/Woman Insider with authorized access Outsider with limited access and system knowledge Anyone desiring to do harm (i.e., violent acts, anger, hatred, terrorist activity, civil disturbances, special interest groups, attack at gun point, etc.) Nature Hurricanes Severe thunderstorms Tornadoes Floods Earthquakes Incident Bomb threats Communications failure Electrical power failure Fire HAZMAT incident Biological and chemical agents Information technology hacking Probability Consequences Moderate Low Low High Moderate High Low Low Low Low Moderate High Moderate High Moderate High Low Low Low Low Moderate Low Low Low Moderate Moderate High Moderate Figure 1 As shown in the TAM in Figure 1.1, the above subjective factors (Figure1) have been reflected with their assigned values to yield “Risk Factors” which can be used to assign tasks and functions to the process. Any risks or threats with a value greater or equal to 25 will trigger the need to complete a Vulnerability Assessment (Figure 2) which will identify specific actions needed to reduce vulnerability level. Similarly, any value of 50 or greater will trigger the need for a Security Access Plan and Incident Response Plan. Both of these plans will require additional training and must be implemented properly. Note: A template for Figures 1.1 and 2.1 are available from the link below. Please note that the referenced Microsoft Excel Spreadsheet contains two sheets respective to the figures 1.1 and 2.1. Please be mindful of the included formulas which are programmed to handle any required calculations automatically. http://www.cpp.edu/~ehs/biosafety/TAM.xlsx 2|Page Vulnerability Assessment: The probability and consequences of each identified threat that were rated as low, moderate or high, in the previous section, were reviewed. Any threat with a moderate probability and consequence or higher was consider significant and chosen for Vulnerability Assessment in this section. The significant/chosen threats had the following ratings: Moderate Probability and Moderate Consequence High Probability and Moderate Consequence Moderate Probability and High Consequence High Probability and High Consequence These significant threats are listed in the following table as security weaknesses and/or deficiencies. The vulnerability and corrective measures for each of these security weaknesses and/or deficiencies were evaluated and documented in the table. The vulnerability level is rated as follows: Low level means the threats identified at the entity have little or no probability for harm Moderate level means the threats identified at the entity have some probability for harm High level means the threats identified at the entity are likely to cause harm Security Weakness/ Deficiencies (AKA Significant Threats) Vulnerabil ity Level Corrective Measures Considered High Man/Woman Insider with authorized access Develop and Implement a written Security Plan. Train personnel on the Security Plan. Require Security Risk Assessments of individuals before granting unescorted access. Maintain three lockable barriers for storage of select agents and/or toxins. Develop and implement an entry log for location. Require unauthorized personnel (Personnel without an approved security risk assessment) to be escorted by authorized personnel when entering rooms where select agents or toxins are present. Develop and implement inventory tracking and verification system. Nature Earthquakes Moderate Require secondary containment for storage of select agents and/or toxins Bracket storage cabinets to walls to prevent storage cabinets form falling over during an earthquake. Develop and implement a written Incident Response Plan. Train personnel on the Incident Response Plan. Develop and implement a written Incident Response Plan. Train personnel on the Incident Response Plan. Incident HAZMAT Incident Moderate Figure 2 Based on the above table of threats (Figure 2), vulnerability ratings and corrective measures, the overall vulnerability is low. 3|Page Graded Protection Assessment: An assessment of the area should be performed by a qualified individual such as a Police Officer and preferably someone who would be responding to the area during an actual emergency. Considerations: Based on the site-specific risk assessment, all the above corrective measures have and/or will be implemented. These measures will be documented in the Security Plan, Incident Response Plan and other plans, as necessary. Entity Security Conference: On † “Select a Date”, a security conference and survey of the Regulated Material and/or toxin storage and use area were conducted by: † PI Name, Title; † RO Name, California State Polytechnic University, Pomona, Environmental Health and Safety Department; † Inspector Name, California State Polytechnic University, Pomona, Police Department † Add any additional information or comments here: 4|Page General Observations: † Building #, Room # is located inside † Building # on the Cal Poly Pomona campus. Physical access to † Building #, Room # is possible only through the exterior lab, † Building #, Room #, which is normally kept secured through † means of access to this area (e.g. keycard, master). Access keys for † Building #, Room # are “off master,” and these keys are possessed by † PI Name and † RO Name. Authorized persons wishing to access † Building #, Room # are admitted † PI Name. The security for this lab consists of the following layers: 1 - Main access doors for † Building #, Room #, keyed to a general building master key; 2 - Internal lab door for † Building #, Room #, where agents are stored / used, keyed “off master;” 3 - Locked storage containers (refrigerators / freezers) inside † Building #, Room #; 4 – Locked internal storage containers inside each refrigerator. All agents are kept secured in these containers at all times, unless immediately being used. Access to † Building #, Room # is logged on a written sign-in sheet for all those entering the lab. This log sheet appears to be kept up to date, and contains emergency contact numbers for incidents or other occurrences relating to this room. There is also up-to-date emergency contact information posted on the entry door. Other area observations: † List any additional observations from the Inspector here. Recommendations for future security enhancements: † List all recommendations from the Inspector here. 5|Page A Threat B C Probability Consequence (Low [0], Moderate [5], High [10]) Describe any all threats. Insert additional rows as necessary. Man/Woman e.g. Low [0] Risk Factor (A)(B) e.g. High [10] Insider with Authorized Access Outsider with Limited Access or System Knowledge 5 0 10 5 50 0 Desire to do harm: violent acts, terrorist activity, civil disturbances, special interest groups, attack at gun point etc. 0 10 0 Nature e.g. Low [0] Hurricanes Severe Thunderstorms Tornadoes Floods Earthquakes e.g. High [10] 0 0 0 0 5 Incident Bomb Threats Communications Failure Electrical Power Failure Fire HAZMAT Incident Biological and Chemical Agents Information Technology Hacking e.g. Low [0] 10 5 10 5 10 0 0 0 0 50 e.g. High [10] 0 0 0 0 5 0 0 0 5 5 10 5 Criteria: Any items with a Risk Factor ≥25 must undergo a Vulnerability Assessment. Any items with a Risk Factor ≥50 require a Security Access Plan and an Incident Response Plan specific to that location. Figure 1.1 6|Page 0 0 0 0 50 0 Security Weakness Vulnerability Level Corrective Measures Considered Man/Woman Threat from Assessment (Add additional rows as necessary) Insider with Authorized Access Significant Develop and implement a written Security Plan Train personnel on security plan Maintain lockable barriers Develop entry log for restricted areas Nature Earthquakes Significant Require secondary containment for storage Bracket storage cabinets to the wall to prevent falls Develop an incident response plan Incident HAZMAT Situations Risk Factors Significant Vulnerability Level 25 Moderate 50 Significant 100 Severe Develop an incident response plan Train personnel on incident response plan Be familiar with emergency procedures Security Access Plan & Incident Response Plan Required Security Access Plan & Incident Response Plan Required Figure 2.1 7|Page Authorized Personnel Authorized personnel with access to Regulated Materials must carry a lab specific Identification card to identify themselves as Authorized Personnel. Due to the cumbersome procedures associated with this process, a viable alternative is available. All lab personnel shall be identified on a poster located in the lab and in the Security Access Plan. This identification must have their photo. † PI Name (Photo Below) † RO Name (Photo Below) † ARO Name (Photo Below) † Staff 1 (Photo Below) † Staff 2 (Photo Below) † Staff 3 (Photo Below) 8|Page Additional Information † Provide any additional information regarding Authorized Personnel here: 9|Page Certification of Annual Review of Security Plan Signature of Reviewer Date of Review 10 | P a g e