The security requirements of Provision 10 have a direct impact on a Recycler’s ability to conform to several other provisions of the R2 Standard. Proper security measures prevent theft of material and data security breaches (R2:2013 Guidance, section 10.1).
Security is more than locks and cameras. It extends from the moment you take possession of the material to the moment you release it into another party's custody, and it includes physical security, monitoring of activities, transport security, chain-of-custody, and personnel qualifications (R2:2013 Guidance, section 10.2).
Implementing Provision 10
It is important to document the type of material you process (value, potential risk, data-bearing) and the type of customers you serve (government, medical, banking) (R2:2013 Guidance, section 10.3). Consider conducting a security risk assessment of your facility and operations, and assess the vulnerabilities (physical, administrative, technological). Review contractual language to determine what security requirements are mandated by your customers. Ensure you understand whether you are taking on data liability under legal requirements (e.g., HIPAA, Sarbanes-Oxley) and what security those legal requirements demand.
Based on the security risk assessment, determine appropriate security controls for the facility, materials and equipment, and data contained on equipment. Design and implement controls to mitigate vulnerabilities (authorization, termination, monitoring, etc.). All security controls should be documented in a written Security Program.
A Security Program should contain the following:
- Communication requirements for notifying clients, regulatory officials, and the public about any security breaches.
- Disclosure laws relevant to the facility.
- Processes to maintain security upon pickup or delivery (Is material that requires extra security tagged? Is material immediately moved to a secure area?)
- Controls while material is at the facility (physical, transport, chain-of-custody, personnel qualifications, monitoring)
- Responsibilities and authorities for security requirements (Who has access to the secure area?)
Train employees on the Security Program and ensure that monitoring of the controls is built into the management system.
Example Controls for a Security Program