• Employers should prioritize facility security to keep employees, contractors, visitors, and assets safe.

Companies are accountable for the safety of those on their sites. That means they are accountable for all employees, contractors, and visitors on the property as well as the property itself.

Customers and employees want to know an organization’s commitment to safe and secure facilities. To start, a company should be aware of security risks faced at its facilities. Then employers can take several steps to keep a facility secure such as:

• Control, limit, and restrict access points and perimeters;
• Secure points of entry such as doors and windows;
• Install security cameras;
• Limit and regulate keys;
• Limit access to critical records and files;
• Create clear security policies; and
• Train employees on company policies.

Most companies have certain areas to which access must be controlled, limited, or restricted to protect employees and the contents of those areas.

• The complexity of a company’s security plan hinges on the nature of the operations conducted by that business.

Whether the business is a small operation with limited resources or a large, multi-state company, it needs to examine the security of its buildings, facilities, and vehicles. Companies should develop a written security plan to control access points and secure the perimeter of the facility.

The complexity of the plan depends on the nature of the company’s operations. It may require hiring more personnel, installing new locks and surveillance equipment, implementing new security procedures for visitors, or even making changes to the facility’s physical layout.

Evaluate the facility

A security plan starts with an evaluation of the physical facility, its operations, its level of risk, and its current state of security. Ask some basic questions about the operation to determine the level of security necessary. Don’t consider the cost until deciding what is needed. Questions to ask include:

• Are there areas that need to be secured? These might include where product, supplies, equipment, or confidential information is stored. Are these high-traffic or highly visible areas? Are controls in place to limit access?
• Are there materials at the facility or in the possession of employees that could be useful to terrorists? Vehicles as well as biological, chemical, nuclear, or other hazardous materials all could be used in or as weapons, as could many common household items such as fertilizer. Consult with law enforcement to quantify the risk.
• Does the company know who and what is coming and going from various areas of the facility? Is a printed record or log kept?
• Are visitors logged in and out, and escorted throughout the visit?
• Is there adequate staff to sufficiently monitor access points leading to secure or sensitive areas?
• Is a key control system in place to prevent unauthorized use of keys or access to restricted areas?
• Is a system in place to periodically inspect, maintain, and replace physical barriers (doors, windows, fences, concrete barriers, etc.)?

Security systems

The security system that’s right for a given business will be unique to that specific operation. Consider hiring a professional to conduct the evaluation-and-needs assessment, then get proposals from several sources.

Security systems come in all shapes and sizes. If proposals are obtained from outside sources, the proposals may differ significantly in options and costs. For example, a security system for access points might:

• Be primarily automated, based on electronically encoded ID cards that automatically unlock doors;
• Use a more labor-intensive system with security guards posted at access points to match photo IDs with faces;
• Involve the issuance of keys to authorized personnel (this is the least-secure method); or
• Combine elements from these methods.

Ideally, if the budget allows, a security presence should be in place 24 hours a day, seven days a week. Guards should monitor facility operations, control exits and entrances (including ID checks), check shipment documentation, and conduct periodic inspections of outbound and inbound vehicles.

Roaming, irregular, staggered security patrols should monitor the entire facility, especially when closed (nights, weekends, and holidays). Make sure local law enforcement personnel are familiar with the facility and include it in patrolling. Develop a close relationship with local law enforcement as these officers likely will be the first to respond in an emergency.

Every security system has vulnerabilities, but steps can be taken and procedures can be developed to prevent those vulnerabilities from leading to losses or disasters.

Access to critical records and files

From drug and alcohol policy documents to financial records, every company has valuable or confidential files that need to be kept secure. Companies should:

• Begin with an evaluation of all files and current security measures. Where are the files stored now? Are the files in one secure location or spread out around the company? Are those areas accessible to people who shouldn’t see the files? Who has access? How is the area monitored?
• Keep all critical files in a secure location that is inaccessible to unauthorized people, including employees and visitors. A locked file cabinet, by itself, is generally not enough.
• Make sure that all doors leading to the file storage area are locked after hours. Janitorial staff should be closely supervised in these areas.
• If using a locked filing cabinet or a safe, evaluate its level of security. Would it survive a crowbar? A fire or flood?
• Consider storing important but seldom-used documents off-site, such as in a safe deposit box.
• Establish a policy for disposal of unwanted, sensitive documents. These may be extra copies that otherwise might be thrown in the trash next to the copier, or old files that have been discarded. The trash bin has proven to be a dangerous method for disposing of ultra-sensitive files. At a minimum, sensitive documents should be shredded.

• Companies should restrict visiting and have procedures for visitors to follow to help keep facilities safe.

Any visitor, vendor, supplier, contractor, or other person who temporarily enters a facility could be a security risk. Though controlling exactly who can enter the facility may be a daunting task, steps can be taken to help reduce risk. The employer is also accountable for these visitors in an emergency. Employers should know who is in their buildings and where to find them should an emergency arise.

Restrict visiting

First, no matter the size of the operation, businesses should develop and enforce a restricted visiting policy. Visitors and other non-employees should only be allowed to enter the facility when necessary, and all visitors should be required to register at a designated visitor entrance before being allowed to move about the facility.

Though employees may think such a policy is an undue restriction, the management of the organization should instruct all employees on its importance to them and the company’s overall safety and security.

Procedures for visitors

Consider taking the following steps, depending on the level of security required, before allowing a visitor to proceed into a facility:

• Screen visitors on arrival to the property. This is the first and usually only line of defense before a visitor gets inside a building. Have employees use vehicle stickers for easy identification and require visitors to sign in at a checkpoint and proceed to a visitor parking space. If theft is a problem or concern, conduct random, periodic inspections of vehicles as they leave.
• Make sure all visitors register with a designated receptionist and/or security guard. These employees who first have contact with visitors are the next line of defense. Depending on the level of security needed, employees should question all visitors, be trained in security and emergency procedures, know how to identify fake IDs, and report any suspicious activity.
• Require all visitors to present a photo ID. Make sure the photo matches the face, and that the ID doesn’t appear to be falsified. Require employees to wear photo ID badges that are easily distinguished from visitor badges.
• Keep a written log that includes:
  • The name of each visitor and who the visitor represents,
  • The visitor’s arrival and departure times,
  • Who approved the visitor’s entry, and
  • Who the visitor came to see or the purpose of the visit.

• Provide all visitors with temporary ID badges and require them to be worn in a visible location throughout the visit.
• Do not allow visitors to wander off alone. Visitors should be met at the entrance location by the employee the visitor has come to visit, or they should be escorted to the planned destination.
• If the company is at high risk for security problems (a hazardous materials hauler, for example), consider searching all bags and packages that enter the facility.
• If outside maintenance or construction personnel will be working at the facility, the company should screen and register these workers each day and require them to wear ID badges at all times while on company property.

Despite the best efforts at keeping unauthorized people out, a company can never afford to let its guard down on the inside. Train all employees to take notice of and report suspicious activities and people. For example, employees should be wary of people who are:

• Trying to access restricted, sensitive areas or materials, such as classified documents, computers, locked areas, hazardous materials, etc.;
• Carrying a weapon without authorization;
• Carrying a piece of company equipment, whether concealed or not;
• Behaving in a strange manner; and/or
• Making unusual requests or demands.

Pay particular attention to custodial/janitorial personnel and repair workers. People in these positions may be the least-well-screened personnel at the facility, but may have the most access and tend to generate little suspicion. If possible, develop a rigid screening process for such persons. If custodial/janitorial personnel and repair workers are not permanent employees of the company, they should be treated like other visitors and be escorted and observed.

Once visitors and other outside personnel leave, make sure ID badges are returned and indicate on the record that the individuals have left the facility.

• A company should ensure an integrated system of defenses is in place to protect its facility from unauthorized persons.

When it comes to protecting a physical facility from intruders, don’t develop a false sense of security just because there is a fence, security camera, or good lighting. One or two security measures are not going to totally protect any company. It takes an integrated system of defenses to prevent unauthorized persons from entering the facility and causing damage and/or leaving with valuable materials.

Facility layout and condition

The best defense starts with the physical layout and condition of the facility. An organization may need to make physical modifications to its facility to truly protect it. Questions to ask include:

• Can receptionists see people approaching?
• Are all entrances and parking lots well-lit and controlled?
• Are storage areas for sensitive or valuable materials located deep within the facility instead of in remote, dark areas?
• Could a criminal break into the facility without being seen, whether sneaking over the fence or driving a car straight through it?

The criminal mind can devise sinister, unconsidered methods to accomplish a task. Make sure employees are trained to report suspicious activity or security lapses, and encourage them to offer suggestions for security improvements.

After basic perimeter security, a doorway may be the next best defense against an intruder. In the case of a smaller company, a securely locked door may be the only defense. It’s critical that all entrances and exit gates and doors are secured when not in use.

• Are employees leaving perimeter doors unlocked or propped open?

Maintenance

Make sure all gates and doors are structurally sound, locks are substantial enough to prevent unauthorized entry, and latches close securely. If an entrance needs maintenance, have it done as soon as possible.

A company should examine all doors and replace parts or entire doors if the items provide inadequate protection. A door is only as strong as its composition and points of attachment (i.e., what it’s made of and the strength of locks and hinges).

Generally, an intruder hoping to break through a door will start with the locks, but then may move to the hinges, glass panels, or other areas of the door. Doors with significant amounts of glass should be equipped with additional security measures such as an alarm system, steel bars, or wire mesh, or should be under constant guard. Hollow-core or paneled doors should be reinforced, perhaps with a steel plate inside.

Clean and lubricate doors and adjust them as necessary (remember that wooden doors may change shape with the seasons).

Restricting entry

Never allow just anyone into a building. It is good company policy to require each employee to use that worker’s own ID to enter the building. If possible, IDs should have the employee’s picture, name, and department or function, but remember that it’s relatively easy to fake an ID.

Businesses should have a written policy that includes immediate reporting of lost or stolen security badges or IDs, because most automated systems are unable to tell if the person entering the building is the same one originally issued the ID.

Instruct employees not to hold the doors open for others unless the employee knows the person and the person is a current employee. All visitors should be instructed to use a designated visitor entrance.

• Are employees letting people without badges in?

Employees, too, should be restricted to designated employee entrances and exits. Emergency exits should only be used in an emergency.

To control who enters the facility, install a security checkpoint, either with personnel or automated. At a minimum, companies should consider a security guard or receptionist at the door screening those who enter the building, or a device that automatically scans employee ID cards or badges and only unlocks the door for authorized personnel.

• Do people tailgate each other into the facility?

Establish set hours during which employees may enter the building(s). If access is necessary after hours, employees should be instructed to contact a security guard who can screen the employee and provide access if authorized. If an automated access card system is in place, program the cards to limit access during non-business hours.

• A company should keep windows secure to help ensure facility safety.

Check all windows for security risks. After doors, windows are the easiest way into a building. A window that is easily reached with a ladder, is large enough for a person to crawl through, or could allow someone to reach and open a lock should be considered vulnerable.

Does the facility have windows that can be opened? If so, there is always the chance that one will be left unlocked, or that an intruder could force open the window lock. Evaluate and reinforce the locks if necessary, and make sure employees are closing and locking windows.

Consider installing alarms on windows located on the first and second floors of each building.

If there are window air-conditioners, make sure the units can’t be removed from the outside.

Perimeter walk-around procedures

A periodic walk-around or audit of the external areas of the facility and surrounding grounds will provide a lot of useful information, keeping the company in tune with facility security and highlighting any security gaps.

How often a company conducts security self-audits — whether weekly, monthly, or quarterly — depends on the size of the operation and its relative level of risk. The assessment should be done under varying light conditions (a burned-out light bulb would be invisible during daylight hours, just as a hole in a fence may not be visible at night). These are some questions to ask during the audit:

• Is lighting adequate? Are there many shadowed areas? Are all lights functional? Does the lighting allow security personnel to see all sensitive areas, including the perimeter? Are there significant dark areas where an intruder could pass unnoticed?
• Are there any unsecured access points, either on the perimeter of the property or on any buildings? For example, are there open windows, unlocked gates, roof vents or skylights, culverts that pass under the fence line, utility tunnels, etc.?
• Is there any vegetation that obscures lights, walkways, entrances, or the fence line, or otherwise compromises security? Is there vegetation that could hide an intruder? Trees, vines, shrubs, etc. should be trimmed regularly.
• Are all fences and walls in good shape? Pay special attention to any trees, buildings, or materials near the fence line or next to a building. The company may need to increase the height of the fence in those areas to prevent someone from climbing over, or remove tree(s) or material(s).
• Does the company have a secure employee parking lot away from the main building(s)?
• Are all locks secured, and do the locks offer adequate protection?
• Are all gates and doors secured? Are doors leading to sensitive areas locked? Could an intruder easily get through a door by breaking a glass panel, removing hinge pins, or breaking through the middle of the door? Are gates at least as secure as the surrounding fencing or barriers?
• Are all security cameras aimed and operating properly?
• Are all company security measures in place? Are they being enforced?
• Are there any sensitive or valuable goods being stored in unsecured outdoor areas?
• Are alarm systems working properly?
• Are ladders and other long, climbable objects secured or stored out of sight?
• If the company handles hazardous materials on-site, are the materials adequately secured and protected? Hazmat storage areas should be secured with fences, walls, or buildings.

Remember to obtain employee input, too, since employees are closest to the issues and might be able to alert management to security concerns that go unnoticed during a walk-around audit.

• A company should invest in a facility-wide key control system for all keys and codes.

The best locks in the world don’t provide much protection against someone who has a key. First and foremost, entrance security depends on key control. All companies should have a facility-wide key control system that ensures the security of keys, access cards, combinations, key-making equipment, key codes, etc.

The security office or another secure location should be used to store all spare keys, access cards, and other lock-related equipment or information. Personnel who work in those areas should have limited access to equipment and information. Do not store combinations or other lock information on a computer. Conduct periodic inventories and inspections to make sure nothing has been stolen or misplaced.

Other security measures include:

• Only provide lock combinations or keys when necessary to those who must have them. Keep the number of copies to a minimum.
• When not in use or under personal control, extra keys should be stored in a locked container. Keys to sensitive areas should be signed out to supervisors on an as-needed basis and turned in at the end of each day. Keep accurate records of who signed out which keys, when, for how long, and who authorized signing out the keys. Account for all keys at the end of each day.
• If employees can retain certain facility keys, access rights should be restricted. In other words, don’t allow employees to retain keys to areas containing valuable equipment or hazardous materials unless necessary.
• If keys are given to contractors temporarily, make sure the keys are returned once work is complete, or render the keys useless by changing the locks.
• Do not use a master key system where a single key can open multiple locks. If a master key system is necessary, limit its use to non-sensitive areas and limit the ability to copy keys.
• Use pick-resistant locks whenever possible.
• Consult with a locksmith or security professional to get options for key and lock systems that best suit the company’s needs.
• Pay particular attention to hazardous materials storage areas. Consider using some form of electronic key or badge that will allow the company to control and monitor access to these areas.
• If combination locks are used, change the combinations periodically or whenever a combination code is lost or misplaced (even temporarily), or an employee who knows the combination(s) leaves the company or is transferred.
• Designate one person to oversee the key control system. The person should maintain records, know who has which keys, investigate the loss of keys, conduct lock and key inventories and inspections, oversee company policies related to keys and access rights, and purchase keys and locks as needed.
• Make sure personnel responding to an emergency will have access to the necessary keys.
• Re-key all door locks periodically, at least once every other year.

• A company should keep up with technology changes in security and consider tech options for its facility.

Technology is always changing, and that can mean more security and information-gathering ability for a (sometimes) cheaper price. Lock and security-device manufacturers are adding more and more computer circuitry into products, allowing unprecedented control over who can enter a locked area, when, and how often. These high-tech access control systems are becoming increasingly common in both home and business applications.

It’s a good idea to stay abreast of changes in security technology. Consider the following:

• Electronic locks can serve an auditing function, letting a company print a record of who entered which areas and when. Similarly, key cards that contain encoded data can track employee movement by letting the company know which areas the employee entered and when.
• Electronic components are being added to products that look like regular keys. Employees can keep the electronic keys with the rest of their keys, and the electronic ones take much longer to wear out than key cards.
• Keyless locks are becoming more popular. These devices are opened using a numeric code rather than a key or card, so keys can’t be lost or stolen, and the codes can be changed at any time. Combination locks can combine a keyless lock with a card key lock, requiring entry of a numeric code along with insertion of a key card, for added security.
• Motion detectors can now reach hundreds of feet. These high-powered devices may be an effective choice for monitoring a large area.
• Monitoring devices are available to distinguish a human intruder from other stimuli that might trigger an alarm, such as animals, weather, or changes in lighting conditions.
• Access control systems are available that can prevent tailgating, where an unauthorized person is allowed to follow an authorized employee through a secured door.

In the future, more and more locks will employ cutting-edge technology including fingerprint, eye, and voice recognition.

• Employers should prepare for any potential terrorist incidents, including devising a proper evacuation plan for employees.

Terrorism, according to the Federal Bureau of Investigation (FBI), is the calculated use of unlawful force or violence, or the threat of unlawful force or violence, against person(s) or property for purposes of intimidation, coercion, or ransom in the pursuit of goals that are generally political, religious, or ideological.

Terrorist incidents are not emergencies that the Occupational Safety and Health Administration (OSHA) expects an employer to reasonably anticipate. However, if a terrorist incident does occur in or near one’s workplace, an effective evacuation plan increases the likelihood that the employees will reach shelter safely.

• Employers have no specific requirements to follow but may want to evaluate the potential for their facility to be targeted. Employers covered by 1910.119, Process safety management of highly hazardous chemicals, may consider potential attacks in their emergency response plans. Employers may also have considerations for responding to releases under 1910.120, Hazardous waste operations and emergency response.

Terrorists typically plan attacks to obtain the greatest publicity, choosing targets that symbolize what they oppose. The effectiveness of the terrorist act lies not in the act itself, but in the public or government reaction to the act.

A terrorist attack can take several forms, depending upon technology available to the terrorist, the nature of the issue motivating the attack, and the target’s points of weakness. While bombings are the most common method, other possibilities include attacking transportation facilities, utilities, banking and financial targets, landmarks, and national treasures, as well as attacks on public services.

Terrorist weapons can include use of explosives, kidnappings, hijackings, arson, killings and assassinations, and cyberattacks designed to slow down or destroy computer networks. Terrorist weapons could also include “weapons of mass destruction� (WMD), defined as biological or chemical agents; and atomic or radioactive “dirty� bombs designed to cause massive casualties in civilian populations.

Since terrorism can impact employers and workers, OSHA works with other federal agencies including the Federal Emergency Management Agency (FEMA), the U.S. Environmental Protection Agency (EPA), the U.S. Soldier Biological and Chemical Command (SBCCOM), the Centers for Disease Control and Prevention (CDC), and within CDC, the National Institute for Occupational Safety and Health (NIOSH).

Chemical facilities, even with very low volumes, are under particular scrutiny, as their operations are considered especially vulnerable to threats.

Because of the increased threat, chemical facilities need to focus on preventing terrorist, criminal, and cyberattacks. Such attacks could have significant national impact (e.g., through the loss of chemicals vital to the national defense or economy). They also could cause releases of hazardous chemicals that might compromise the facility’s integrity, cause serious injuries or fatalities among employees, contaminate adjoining areas, or cause injuries or fatalities among adjoining populations.

For many facilities, compliance with existing regulations led to changes in operations that reduced risk and increased security. Facilities have been able to identify and reduce the chemicals of greatest concern at their facilities. For companies not previously affected by security-related regulations, existing regulations and guidance provide a solid starting point for evaluating processes and implementing changes to improve security.

Chemical facilities that have more than 300 chemicals of interest listed in in Appendix A of the Chemical Facility Anti-Terrorism Standards (CFATS) regulation (6 CFR Part 27) are required to report to the Cybersecurity and Infrastructure Security Agency (CISA) as part of the Chemical Facility Anti-Terrorism Standards (CFATS).

Facilities that have certain amounts of chemicals of interest must meet additional requirements and complete surveys to rank their risk level. Companies that meet the high-risk thresholds are required to have a site security plan.