BSI publishes benchmark document on postal security
The last decade has witnessed several criminal attempts to infiltrate organisations’ mail systems with intent to cause disruption and damage. Examples include the letter bomb campaign of 2007 and the series of hoax anthrax letters sent to high profile individuals between 2003 and 2007. Ultimately, companies in both the commercial and public sectors have suffered as a result.
Even in this electronic age, most businesses rely on their ability to receive and send physical items of mail. As an essential part of normal operations, mail presents various potentially significant vulnerabilities.
Mail streams into and within an organisation provide a vector for malicious attacks and scope for other security incidents, all of which can adversely affect the day-to-day business of a business as well as its reputation.
Attacks may be intended to cause physical damage to property, harm to individuals, create fear or merely to cause disruption. It’s also quite possible for perfectly benign objects to appear suspicious, causing disruption through emergency responses that prove unnecessary.
In addition, incoming and outgoing mail streams may contain valuable items or sensitive information that warrant protecting from loss or theft.
It’s very much hoped that PAS 97: Specification for Mail Screening and Security will help to mitigate the risk and impact of attacks such as those mentioned.
Key topics concentrated upon
Developed by the Centre for the Protection of National Infrastructure (CPNI) in collaboration with BSI British Standards, PAS 97 is aimed squarely at those individuals responsible for planning, delivering or procuring mail handling and screening services.
It focuses on letters and small parcels entering the organisation from any external source, including public or commercial postal services, either by hand or by way of courier delivery services.
The specification – which can be used by organisations of any size, sector or complexity – sets out a comprehensive framework to help with protective security, focusing on (among other areas):
– assessment of risks associated with mail streams into and within an organisation
– identification of appropriate measures to take when screening mail
– requirements for formal recording, implementation and regular review
– establishment of conditions to be imposed upon suppliers
Investment in equipment and facilities
The specification will help end users when it comes to making decisions on investment in equipment and facilities. It also provides guidance for requirements relating to outsourcing and the occupation of shared premises.
Annexes in PAS 97 include guidance on possible indicators of suspicious items (for example, an additional inner envelope that may be difficult to remove, an unusual postmark or no postmark at all) and suggested action upon discovery of suspicious items.
While many of the principles detailed in this document can also be applied to improving the security of other, larger-scale deliveries, these are not explicitly covered.
Implementation of commensurate security
What PAS 97 doesn’t do is propose a single standard of postal security and screening. Instead, it sets out to assist organisations in assessing their particular level(s) of risk, and selecting and implementing commensurate security measures.
A series of screening levels (1 to 5) is defined in terms of progressively more complex screening measures. This is complemented by a series of physical protection classes (A to D) that describe incremental physical protective measures for mailrooms and personnel.
Another factor contributing to the overall level of protection an organisation derives from its postal security measures is the location of its mail facilities.
Appearance in the wake of CONTEST 2
This document sees the light of day just weeks after the Government launched its updated counter-terrorism strategy (CONTEST 2) which, among other things, includes new initiatives to counter threats from chemical, biological, radiological, nuclear and explosive devices.
Speaking about PAS 97, Mike Low – director of BSI British Standards – told SMT Online: “BSI has a strong track record of publishing standards and other guidance for the security sector. PAS 97 addresses a growing risk by offering organisations a robust framework within which they can develop their own protective security systems.”
Other organisations involved in the development of PAS 97 include Arup Security Consultancy, BP, G4S, the Home Office, Mail Source (UK), the MFD Group, the Palace of Westminster, Pfizer, Pitney Bowes, Royal Mail and the Sister Banks Group.
BSI publishes benchmark document on postal security
The last decade has witnessed several criminal attempts to infiltrate organisations’ mail systems with intent to cause disruption and damage. […]
IFSEC Insider
IFSEC Insider | Security and Fire News and Resources