Policies should be established for handling sensitive information associated with the biosecurity program. For the purpose of these policies, “sensitive information” is that which is related to the security of pathogens and toxins, or other critical infrastructure information
Examples of sensitive information may include facility security plans, access control codes, agent inventories and storage locations.
The objective of an information security program is to protect information from unauthorized release and ensure that the appropriate level of confidentiality is preserved. Facilities should develop policies that govern the identification, marking and handling of sensitive information.
The information security program should be tailored to meet the needs of the research environment, support the mission of the organization, and mitigate the identified threats. It is critical that access to sensitive information be controlled. Policies for properly identifying and
securing sensitive information including electronic files and removable electronic media (e.g., CDs, computer drives) should be developed.