Biosecurity Risk Assessment: Protecting Your Assets

All licensed facilities in Canada must develop a comprehensive biosecurity plan based on a biosecurity risk assessment. This helps protect and secure assets, including:

•        human pathogens and toxins
•        related sensitive information
•        documentation about controlled activities

It’s important to implement security measures to protect and secure assets that could be used for unlawful, illicit and non-peaceful purposes. Examples of tangible, intangible and people assets can be found in Appendix B of the Biosafety Guideline on Conducting a biosecurity risk assessment.

The licence holder is responsible for protecting the health and well-being of personnel and visitors. This includes ensuring that personnel and visitors don’t participate in activities that threaten biosafety and biosecurity measures in place. For example, some espionage activities in the Canadian Security Intelligence Service 2021 public report pose a threat to biosecurity and national security.

You can help prevent security violations by conducting comprehensive screening and background checks for all people accessing the facility, both onsite and virtually, including:

•        visitors
•        students
•        personnel
•        contractors

Screening and background checks can help detect, deter and prevent security incidents that could pose a risk to public health safety, such as:

•        theft of assets
•        misuse of assets
•        diversion of assets
•        intentional release of assets
•        sabotage of assets or biocontainment
•        espionage compromising controlled activities
•        terrorism involving assets or compromising biocontainment

Comprehensive screening and background checks defend against insider threats. They help to assess the risk that someone in the facility may be targeted or compromised by individuals or groups intending to threaten the facility’s biosafety and biosecurity. Comprehensive screening isn't limited to criminal records checks. It also includes non-criminal record checks covering:

•        credit reports
•        published works
•        reference checks
•        social media searches
•        employment verification
•        professional licence verification
•        affiliations (such as a potential conflict of interest)

In addition to comprehensive screening and background checks, you should implement strong policies and procedures related to personnel security in your biosecurity plans. These could include:

•        restricting off-hour access to laboratories
•        keeping entry logs at building and laboratory access points
•        adopting a 'see something, say something' approach among staff
•        inspecting and taking inventory of materials removed from the laboratory
•        providing all staff and visitors with ID badges for easy identification
•        encouraging reporting of suspicious behaviour, theft or sabotage
•        screening personnel before providing access to sensitive materials or information
•        increasing the situational awareness of laboratory personnel (for example, paying attention to who’s in the lab and identifying suspicious activity)
•        getting authorization from senior management or designated individuals before allowing visitors into the containment zone
•        ensuring individuals with supervised restricted access abide by the instructions of senior management or designated individuals
•        escorting visitors, guests and other non-staff members while on site

Robust personnel security strategies support all other security measures in the biosecurity plan. biological safety officers should review their biosecurity plan annually (and according to the changing threat landscape) with security experts to determine if other measures may also be necessary. These could include:

•         detailed policies and procedures for screening employees
•         policies and procedures on who can handle sensitive human resource information
•         strict procedures for internal moves within the organization and departures (such as employee exit plans)
•         biosecurity training to people outside the containment zone, such as security guards
•         policies regarding the sharing of information related to controlled activities (such as social media policies for all staff)
•         training to address organization-specific threats and security controls
•         policies and procedures for monitoring and logging actions (for example, tracking who accesses sensitive information and when)
•         security agreements with partners and third parties on how to handle and store sensitive information related to:
•    controlled activities
•    emergency contingency plans
•    new constructions or changes to infrastructure (such as floorplans and security measures)

For more information on conducting a biosecurity risk assessment and identifying and safeguarding assets:

•         consult the Canadian Biosafety Guideline: Conducting a Biosecurity Risk Assessment
•         contact us at biosafety.biosecurite@phac-aspc.gc.ca