Information security, also known as cybersecurity or data security, is the next component of a laboratory biosecurity plan. The objective of an information security program is to protect information from unauthorized release and ensure that the appropriate level of confidentiality is preserved. It is critical to the security of laboratory equipment and materials. Loss of data and computer systems from sabotage, viruses, or other means can be devastating for a laboratory.
Information, like physical property, is considered to be critical infrastructure and must be properly protected and secured because of its value to the Nation. The National Infrastructure Protection Plan considers a full range of physical, cyber, and human risk elements across sectors. Insider threats and a range of other pervasive cyber threats to critical infrastructure highlight the need for public, private, academic, and international entities to collaborate and enhance cybersecurity awareness and preparedness efforts. The National Critical Infrastructure Protection Research and Development (NCIP R&D) Plan also addresses physical, cyber, and human elements of the critical infrastructure sectors.
Biosafety in Microbiological and Biomedical Laboratories (BMBL) provides standard voluntary guidance on what a laboratory or other facility possessing biological agents and toxins should include in its information security plan. For the purposes of the BMBL, “sensitive information” is information related to the security of pathogens and toxins, or other critical infrastructure information. Sensitive information may also include personnel names, identifying information, and any Personally Identifiable Information on patients or on the origin of samples held by the laboratory. Examples of sensitive information include facility security plans, access control codes, agent inventories, and storage locations. Information security in this context does not include US Government classified information, which is governed by US law, or unrestricted research-related information. The BMBL states:
“Facilities should develop policies that govern the identification, marking and handling of sensitive information. The information security program should be tailored to meet the needs of the business environment, support the mission of the organization, and mitigate the identified threats. It is critical that access to sensitive information be controlled.”
Over the years, several incidents of cyber security breaches have led to loss of sensitive information. A detailed description of a laboratory procedure may find its way into the public domain, creating a new resource for those with illicit intentions, or simply depriving the researchers of recognition for their work. Most institutions and firms have information security policies and procedures and information technology support staff who can help implement security systems. Laboratory managers and personnel should be familiar with and follow all appropriate protocols.
People at all levels within an organization have a role in managing information security risks to the organization’s missions and business functions and the information systems that support those missions/business functions. Managing risk is a comprehensive and complex process that involves many activities and functions of an organization – its programs, investments, budgets, legal and safety issues, inventory and supply chain matters, and security. An integrated approach to managing risk brings together the best collective judgments of individuals and groups within the organization who are responsible for strategic planning, oversight, management, and day-to-day operations.
The policies developed for oversight of dual use research of concern (DURC) also provide a mechanism for protecting research information. If research is determined to be DURC under the US Government definition, the oversight framework requires the development of a risk mitigation plan. Within this risk mitigation plan, there is a responsibility to communicate the research and research findings in a responsible manner throughout the research process, not only at the point of publication. These policies help to support the conduct of responsible life sciences research in a manner that protects information that could be used for harmful purposes.
The National Institute of Standards and Technology (NIST) has developed several documents in support of information security and to assist organizations in fulfilling the requirements of two key cyber security mandates, Executive Order 13636, Improving Critical Infrastructure Cybersecurity, and the Federal Information Security Management Act (FISMA) of 2002. FISMA directs Federal government organizations to develop and implement programs to protect their information and information systems.
EO 13636 focuses on the importance of improving cyber security for critical infrastructure to protect the Nation against both insider and external threats. NIST Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View is the flagship document in the series of information security standards and guidelines developed by NIST in response to FISMA. The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risks to organizational operations, assets, individuals, and the Nation resulting from the operation and use of federal information systems. Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.
In support of this, NIST was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The NIST Cybersecurity Framework consists of standards, guidelines, and best practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the framework will help owners and operators of critical infrastructure manage cybersecurity-related risks while protecting business confidentiality, individual privacy, and civil liberties. The selection and specification of security controls for an information system is accomplished as part of an organization-wide information security program that involves the management of organizational risk. The management of organizational risk is a key element in the organization's information security program and provides an effective framework for selecting the appropriate security controls for an information system. NIST has developed a Risk Management Framework Overview which describes this approach in detail.
Risk assessments are an integral part of the risk management process. NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments was developed by the Joint Task Force Transformation Initiative Interagency Working Group to provide guidance for federal agencies in conducting risk assessments of information systems and organizations for each of the steps in the risk assessment process. The Working Group is collaborating on the development of a unified information security framework for the federal government to address the challenges of protecting federal information and information systems as well as the Nation’s critical information infrastructure. A common foundation for information security will also provide a strong basis for reciprocal acceptance of security assessments and will facilitate information sharing.
Many of these guidelines are not specific to protecting information within biological laboratories, but many of the same tenets are true regardless of the type of information protected. Facilities registered with the Federal Select Agent Program have specific requirements they must follow as well. The Federal Select Agent Program has prepared an Information Systems Security Control Guidance Document to assist in complying with the requirements of the select agent regulations.