At Traction Guest, we take compliance really seriously.
Section Article: Guide for the Care and Use of Laboratory Animals, p23 and p151
Preventive measures should be considered, including pre-employment screening and physical and information technology security (Miller 2007).
When possible, the animal facility should be located within another structure with its own independent set of security features. Vehicular access should be limited and, when provided, controlled, and monitored.
Security and access control are generally provided in zones, starting at the perimeter with areas of highest security located within other zones. Control measures may consist of security personnel, physical barriers, and control devices.
- External watch list screening for FDA barred persons
- Internal watch lists screening for known animal rights activists
- Log of all escorted visitors for investigations
Chemical Facility Anti-Terrorism Standards (CFATS)
Section Article: 6 CFR, Part 27
Too much to list, but simply you need a visitor management system – see links above
- Requires the existence of a visitor management system even at the lowest tiered facilities
- Ensuring that all visitors are escorted and/or screened against terror watch lists
- Keep legible records for x amount of years
- Process for terminated employees and keeping them out of the facility
- Verify and keep a record of TWIC credential
Customs Trade Partnership Against Terrorism (C-TPAT)
- Access controls prevent unauthorized entry to facilities, maintain control of employees and visitors, and protect company assets. Access controls must include the positive identification of all employees, visitors, and vendors at all points of entry.
- Visitors must present photo identification for documentation purposes upon arrival. All visitors should be escorted and visibly display temporary identification.
- Procedures must be in place to identify, challenge and address unauthorized/unidentified persons.
- Processes must be in place to screen prospective employees and to periodically check current employees.
- Access controls, visitors require photo identification
- All visitors should be escorted (escorted sign in)
Visibly display temp ID badge
- Arriving packages should be screenings
- Procedures must be in place to id and challenge unauthorized persons
- Must screen prospective employees ( pre-employment, background, etc)
- Documentation Processing. Procedures must be in place to ensure that all documentation used in the movement of cargo is legible, complete, accurate and protected against exchange, loss or introduction of erroneous information. It must include safeguarding computer access and information.
DEA Regulations for Non-Practitioners
Section Article: 21 CFR Part 1301.72
Accessibility to storage areas. The controlled substances storage areas shall be accessible only to an absolute minimum number of specifically authorized employees. When it is necessary for employee maintenance personnel, nonemployee maintenance personnel, business guests, or visitors to be present in or pass through controlled substances storage areas, the registrant shall provide for adequate observation of the area by an employee specifically authorized in writing.
- Log for all visitors
- Escorted sign in
- Reason for being in the vault
- DEA sanctioned watch list
FDA Food Safety Modernization Act (FSMA)
- Preventive Controls.–The owner, operator, or agent in charge of a facility shall identify and implement preventive controls, including at critical control points, if any, to provide assurances that–
- “(1) hazards identified in the hazard analysis conducted under subsection (b)(1) will be significantly minimized or prevented;
- “(2) any hazards identified in the hazard analysis conducted under subsection (b)(2) will be significantly minimized or prevented and addressed, consistent with section 420, as applicable; and
- “(3) the food manufactured, processed, packed, or held by such facility will not be adulterated under section 402 or misbranded under section 403(w).
- The owner, operator, or agent in charge of a facility shall maintain, for not less than 2 years, records documenting the monitoring of the preventive controls implemented under subsection (c), instances of nonconformance material to food safety, the results of testing, and other appropriate means of verification under subsection (f)(4), instances when corrective actions were implemented, and the efficacy of preventive controls and corrective actions.
- Maintain a record of everyone who has entered a food space, when they left, how long they were there
- Maintain record in legible format for at least 2 years
- Scan third party watch lists for all FDA and other barred lists
- Leverage internal watch list to keep out “disgruntled” employees
Federal Information Security Modernization Act (FISMA)
Section Article: FIPS PUB 200
Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.
- Keeping a log of who enters a space
- Ensuring visitors are escorted and labeled appropriately
- Leveraging internal watchlists to keep terminated personnel out of the facility
General Data Protection Regulation (GDPR)
- The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.
- Right to be provided person data collected and not collected from the data subject
- Right of access by the data subject
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right of data portability
- SOC2 Type 2
- Auto deletion; retention periods
- Profile-based reports
- Data minimization (not holding/sending data without specific purpose)
- Skip on photo
- Data residency – visibility and selection by country
Good Laboratory Practice (GLP)
(a) Each individual engaged in the conduct of or responsible for the supervision of a nonclinical laboratory study shall have education, training, and experience, or combination thereof, to enable that individual to perform the assigned functions.
(b) Each testing facility shall maintain a current summary of training and experience and job description for each individual engaged in or supervising the conduct of a nonclinical laboratory study.
(f) Any individual found at any time to have an illness that may adversely affect the quality and integrity of the nonclinical laboratory study shall be excluded from direct contact with test systems, test and control articles and any other operation or function that may adversely affect the study until the condition is corrected. All personnel shall be instructed to report to their immediate supervisors any health or medical conditions that may reasonably be considered to have an adverse effect on a nonclinical laboratory study.
- a) Physical security measures should be in place to restrict access to computer hardware, communications equipment, peripheral components and electronic storage media to authorised personnel only. For equipment not held within specific ’computer rooms’ (e.g., personal computers and terminals), standard test facility access controls are necessary as a minimum. However, where such equipment is located remotely (e.g., portable components and modem links), additional measures need to be taken
SOPs required: Procedures for security measures used to detect and prevent unauthorised access and programme changes.
- Record of who enters a lab space
- Record of training for non-employees in a space
- COVID-19 health tracking
Good Manufacturing Practice (GMP)
Section Article: 21 CFR Chapter I, Subchapter B, Part 117
Same as GLP – recordkeeping, SOP for Security, etc…
- Record of who enters a lab space
- Record of training for non-employees in a space
- COVID-19 health tracking
Gramm Leach Bliley Act (GLBA)
§314.3 – Standards for safeguarding customer information
(a) Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. Such safeguards shall include the elements set forth in §314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section.
(b) Objectives. The objectives of section 501(b) of the Act, and of this part, are to:
(1) Ensure the security and confidentiality of customer information;
(2) Protect against any anticipated threats or hazards to the security or integrity of such information; and
(3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
- Log of who enters where
- Internal watch list for insider threat issues
- NDAs and other waivers for third party providers
- SOC2 Type 2 compliant
Healthcare Information Portability Agency Act (HIPAA)
Section Article: 68 CFR 8376, 164.310 Physical Safeguards
- Physical safeguards involve access both to the physical structures of a covered entity and its electronic equipment (45 CFR §164.310). ePHI and the computer systems in which it resides must be protected from unauthorized access, in accordance with defined policies and procedures. Some of these requirements can be accomplished by using electronic security systems, but physicians should not rely on use of certified electronic health records technology (CEHRT) to satisfy their Security Rule compliance obligations.
- (A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
- (B) Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
- (ii) Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
- A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information. (must be documented)
- (a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
- (iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
- “Visitor controls” required by the security rule
- Third party watch list screening for HHS barred lists
International Standards Organization (ISO) 27000
Section Article: ISO 27001, A.11.1.2 Physical Entry Controls
- Visitors routinely escorted
- Visitors logged in (room visitors book)
- Copies of visitor check in/outs maintained for audit
- Maintain log of all entry/exits
- Escort required
International Traffic in Arms Regulation (ITAR)
Section Article: 22 CFR, M Part 122
- Ability to screen business partners with denied parties list
- Ability to confirm nationality
- Ability to clearly mark non-US people, from US with escort, and US with no escort
- NDAs for visitors
- Third party watch list screening
- Nationality questions plus passport metadata extraction
- Badges displaying relevant information
- Can sign NDAs
Joint Commission on Accreditation of Healthcare Organizations (JCAHO)
Section Article: EC.2.10
According to the Joint Commission, the intent of this requirement is that the written plan provide mechanisms for the following:
- Designating personnel responsible for developing, implementing, and monitoring the security management plan
- Addressing security issues concerning patients, visitors, personnel, and property
- Having procedures in place in the event of an infant or pediatric patient kidnapping
- Reporting and investigating all security incidents
- Providing identification, as appropriate, for all patients, visitors, and staff
- Controlling access to and egress from sensitive areas (as determined by the organization)
- Providing for vehicular access to urgent-care areas
Orientation and education. HR.2.20 requires that a staff orientation and education program be established in the security management plan. Orientation and education should address the following:
- Processes for minimizing security risks for personnel in security-sensitive areas
- Emergency procedures to be followed during security incidents
- Security incident reporting procedures for patients, visitors, personnel, and property
Reporting procedures for security incidents involving patients, visitors, personnel, and property (for help developing a response plan for infant abductions, see Assaulted and/or Battered Employee Policy).
- Requirements call for addressing visitors
- Watch list capabilities for “kidnapping”
- Vehicular access parking assignments
- ID requirements
- Incident reporting concerning visitors
Maritime Transportation Security Act (MTSA)
(1) Deter the unauthorized introduction of dangerous substances and devices, including any device intended to damage or destroy persons, vessels, facilities, or ports;
(3) Control access to the facility; and
(4) Prevent an unescorted individual from entering an area of the facility that is designated as a secure area unless the individual holds a duly issued TWIC and is authorized to be in the area. Individuals seeking unescorted access to a secure area in a facility in Risk Group A must pass electronic TWIC inspection and those seeking unescorted access to a secure area in a facility not in Risk Group A must pass either electronic TWIC inspection or visual TWIC inspection.
(1) The locations where restrictions or prohibitions that prevent unauthorized access are applied for each MARSEC Level, including those points where TWIC access control provisions will be applied. Each location allowing means of access to the facility must be addressed;
(2) The types of restrictions or prohibitions to be applied and the means of enforcing them;
(4) Procedures for identifying authorized and unauthorized persons at any MARSEC level; and
(5) The locations where persons, personal effects and vehicle screenings are to be conducted. The designated screening areas should be covered to provide for continuous operations regardless of the weather conditions.
126.96.36.199. Provide methods of identification for all employees and visitors. (See para 2.3.4. & 2.3.5.)
188.8.131.52. Implement procedures for escorting visitors, contractors, vendors, and other non facility employees to their destinations when necessary. See Note 2
2.3.6 CDC Facilities should register privately owned vehicles and contractor vehicles that are allowed routine access to the facility at the security office. Records should be maintained that include matching personnel with permit number and motor vehicle identification. Temporary permits should be issued to vendors and visitors for parking in designated areas. Security personnel should conduct random checks of parking permits.
- Escorted visitors
- Logging and identifying visitors
- Validating TWIC card
- Internal watch list capability
- Parking assignment and vehicle info capture
National Institute of Standards and Technology (NIST)
Nuclear Emissions Regulatory Commission (NERC)
Section Article: CIP-006-6 Physical Security of BES Cyber Systems
- Each facility must have a visitor control program
- Require continuous escorted access of visitors within the perimeter
- Require manual or automated logging of visitor entry into and exit from the perimeter including data/time, visitors name, and the host
- Retain visitor logs for at least ninety calendar days
- Use of NDAs for sensitive areas required
- Presence of a VMS
- Entry logging and reporting
- Maintaining records for at least 90 days
- NDA signing
- Escorted Sign-in
Payment Card Industry Data Security Standard (PCI DSS)
Section Article: PCI Card Production Physical Security Requirements V2, Section 2.3 VisitorsLinks: https://www.pcisecuritystandards.org/documents/PCI_Card_Production_Physical_Security_Requirements_v2_Nov2016.pdf
- a) Procedures for how visitors are managed at the vendor facility must be documented and followed.
- b) All visitors to the facility must be registered ahead of their arrival.
- c) The registration must include name and company they represent.
- d) If the visitor requires access to the HSA or cloud-based provisioning environment, this must be approved by both the Security Manager and the Production Manager.
- e) Any unsolicited visitors must be turned away.
- f) An authorized employee must accompany all visitors at all times while they are in the facility.
- g) Visitors must enter through the reception area.
2.3.1 Registration procedures
- a) The vendor must apply the same registration procedures to all visitors entering their facility. These procedures must include the following:
o Confirmation of previously agreed appointment
o Verification of identification against an official, government issued picture ID
- b) The vendor must maintain records, manually or electronically, of all visitors who enter the facility. If a manual logbook is used, it must contain consecutive, pre-numbered, bound pages.
- c) All logs must be protected from modification.
- d) The following information must be recorded in the logbook:
o Name of the visitor, printed and signed
o Number of the official ID document(s) presented and the date and place of issue
o Company the visitor represents (if any)
o Name of the person being visited or in charge of the visitor o Purpose of the visit
o Visitor badge number
o Date and time of arrival and departure
o Signature of the employee initially assigned to escort the visitor
- e) The vendor must retain visitors’ registration records for at least 90 days.
2.3.2 Visitor Security Notification
At a minimum, the vendor must make visitors aware of vendor security and confidentiality requirements, and the vendor-provided escort must ensure the visitor’s adherence to those requirements.
2.3.3 Visitor identification
- a) Each visitor entering the facility must be issued with and must wear visibly on their person a security pass or ID badge that identifies them as a non-employee.
- b) If the security pass or ID badge is disposable, the visitor’s name and date of entry to the facility and, if multi-day, the validity period must be clearly indicated on the front of the badge.
- c) If the security pass or ID badge is the access-control type that enables a record to be kept of the visitor’s movement throughout the facility:
o The visitor must be instructed on its proper use.
o The vendor must program the visitor access badge or card to enable the tracking of movement of all visitors. It should be activated only for areas that the visitor is authorized to enter.
o Visitors must use their access card in the card readers to the room into which they enter.
o Badging to track access must be used wherever feasible.
- d) Unissued visitor access badges must be securely stored.
- e) Any un-badged access must be recorded in a log. Logs may be electronic and/or manual.
- f) Employees responsible for escorting visitors while they are inside the facility must ensure that the visitor surrenders their ID badge to the receptionist or guard before leaving the building
- Deployment of VMS alone
- Pre-registration , denial of unsolicited visitors
- Escort required
- Agreements & NDAs signed
- ID checking
- Logbook protection from modification & 90 day retention
- Surrender badge check?
- Issued visitor badge
Sarbanes Oxley Act (SOX)
Section Article: Public Law 107-204
SOX requires internal controls to protect computers which house financial records. Auditors often pull access control and visitor logs to see who has access, who has accessed, and for what reasons, these areas which store financial data whether on computers (data center) or hard files.
- Visitor management system
- Reports of who entered what
- Reports of reason for visit
Service Organization Controls Type 2 (SOC2)
Section Article: CC6.4
The entity restricts physical access to facilities and protected information assets (for XYZ, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.
- Presence of VMS
- Our own SOC2, Type 2 certification
- Ability to report out all entries/exits to a space
Transported Asset Protection Association (TAPA)
Section Article: TAPA Facility Requirements (FSR) 2017
Access at visitor entry point(s) controlled by an employee/guard/receptionist that has been trained on badge issuance, controls, logging, visitors, escort requirement, etc. (process in place for visits outside operational hours).
3.1.4 All visitors identified using government-issued photo-ID (e.g. driver’s license; passport or national ID card, etc.).
3.1.5 All visitors registered and log maintained for minimum of 30 days.
3.1.6 All visitor badges must be reconciled as the visitor leaves the premises and the full log checked daily.
3.1.7 All visitors visibly display badges or passes and are escorted by company personnel
3.1.8 Visitor policy documented.
- Presence of VMS
- ID checking
- PRocess for after hours visits (kiosk mode)
- Visitor badge reconciliation
- Visitor pass printing
- Driver and manifest information
United States Department of Agriculture (USDA) & Food Safety & Inspection Service (FSIS)
Section Article: FSIS Security Guidelines for Food Processors
- Visitor vehicles placarded and registered
- Visitors restricted to non product areas unless escorted
- Visitors identified in some manner at all times while on premises
- Visitors restricted to what they can bring with them inside
- Vehicle registrations
- Visitor badges issuance with ESCORT required
- Escort required
- Waivers shown to visitors on entry
- Pre-registration (for deliveries)