Security Plan Guidance: Section 11(a)
Section 11(a) – Creating a Site-Specific Written Security Plan
Section 11(a) of the select agent regulations require entities to develop and implement a written site-specific security plan. A security plan is a documented systematic set of policies and procedures to achieve security goals that protect BSAT from theft, loss, or release. It establishes the performance goals for the system and performance metrics. Plans also include agreements or arrangements with extra-entity organizations such as local law enforcement.
Entities should establish specific policies which support their plan. Security policies should document strategies, principles, and rules which the entity follows to manage its security risks. Effective policies provide a clear means of establishing behavioral expectations. They cover the spectrum from directives to standard operating procedures. As part of security program management, the entity should consider formally documenting security policies covering all operational controls.
Background checks and other personnel security measures, if practical, should be vetted through the entity’s legal and human resources department. See the FSAP Guidance for Suitability Assessments for additional information.
An effective security plan should be based on the following principles:
- It should result from collaboration between entity management, scientific, facilities, safety and security personnel.
- It is built upon tested, well documented operational processes.
- It should account for and secure all biological select agents or toxins from creation or acquisition to destruction.
- It complements other plans such as biosafety, disaster recovery, continuity of operations, and others.
- It does not violate any laws. Laws to consider when creating the security plan include the Americans with Disabilities Act, OSHA Safety Standards, and local building and fire codes.
- The entity should provide security plan training to ensure every person understands his or her responsibilities.
- It requires reporting of all suspected security incidents and suspicious activities.
- It is reviewed at least annually and updated whenever conditions change.
- It is based on a site-specific risk assessment.