Jon Nakapalau, CHSO, CPO

Biopharmaceutical Access Levels

Biopharmaceutical companies differ from other physical security environments (PSEs) due to the nature of the threats specific to the industry.

Security personnel must be able to proactively identify these threats in order to protect both people and property. Due to the nature of the threats this can only be done by establishing clear SOP's that have been collaboratively established.

The first step in development of a security operation should be to conduct a thorough SVA using a

phased approach.

Security Vulnerability Assessment

(SVA)

Phase #1: divide the company into

common/restricted areas

Common Areas: Cafeteria Mail room Meeting rooms Lobby Break areas Supply closets Library/reading room Picnic area Restrooms

Restricted Areas: Labs Note book room S&R Legal HR Engineering department (tools/supplies) IT Hazardous waste collection points Offices

Access levels are based on

need…not convenience!

Access levels should always be “echeloned up” with each higher

level requiring more and more strident review.

Does the person who has access to the

area understand the potential dangers of

the area?

Examples:

Common Access Levels (CAL’s) are given to anyone who works at the company.

LEVEL 1 Common Access (L1CA)Common Access to a single building

LEVEL 2 Common Access (L2CA)Common access to several buildings

LEVEL 3 Common Access (L3CA)Common Access to all buildings

This is also known as “branch” access (the branch of a tree)

Examples:

Restricted Access Levels: (RAC’s)

RAC’s are areas that require additional levels of access due to the nature of what is being done there. It is very

important to make sure that each RAC has a point of contact (POC) that can sign in order to maintain control over

the area.

CHEMESTRY LAB: (CLRAC)

RAC’s are leaves on a branch; just because you have access to the branch

(hallway) does not mean you have access to all leaves (rooms).

CAL computer entry: Name of employee is followed

by CAL in parenthesis.

This allows security personnel the ability to cross-reference the CAL in real time.

Example: We can see that John Doe has

been given L1CA access.

If John Doe uses his access card on any other building security personnel will be able to “track” the situation.

Doe, John (L1CA)

RAC computer entry: RAC access level includes the

CAL access level (branch) that leads to the area (leaf).

RAC access should be given only after sign-off by lab administration.

Example: We can see that Jane Doe has

been given CHEMESTRY LAB (CLRAC) access.

This includes L1CA access due to the fact that the chemistry lab is in L1CA.

Doe, Jane (CLRAC)

Bye!