How to Effectively Review AND Test your Cannabis Facility’s Security Program
As part of the Cannabis Safety & Quality (CSQ) Certification Program’s general requirements, sites are required to conduct an “annual review and testing” of the site’s Security Program. Although, the requirement itself might seem simple, it is one of the most missed audit requirements.
So, let’s start with the basics… What is a Security Program? When in reference to cannabis operations, a Security Program consists of the policies and procedures that promote the efforts to protect cannabis products from acts of intentional adulteration and theft.
In the cannabis industry, the biggest threat to your operation is not outside influences (i.e., terrorist), but is often disgruntled employees or someone who has a relationship with the business. Intentional acts of adulteration are rare, but they do happen. For example, in Alaska an employee was accused of intentionally spraying cannabis plants with the illegal pesticide, Eagle 20, which contains myclobutanil, which is stable at room temperature, but releases hydrogen cyanide when combusted.
Cannabis Security Annual Review vs. Annual Test
Although facilities may conduct both of these verification activities together, they require a different process for each. The annual review of the cannabis Security Program involves verifying that all the information in the Security Program is still current, such as contact information, security plans or maps, process flows, etc. For example, if you added an additional building or a new product, then it is likely that your Security Program was updated to reflect these types of new processes and process flows. However, it is also very likely that you might have tweaked the new process over the course of the year and probably did not update the cannabis Security Program to reflect those changes. By having a scheduled annual review of the Security Program, you ensure that your program is updated to reflect any changes at a minimum, once per year, typically before your annual audit.
When you “test” or “challenge” your Security Program, you are physically testing your program to see if it works as intended.
Testing your Cannabis Security Program
One of the most common ways to test your cannabis Security Program is by creating a scenario where a designated person tries to penetrate through the site’s cannabis security systems to see if there are any gaps. The reason this is so effective is because the site will be able to see any holes in the facility’s physical security measures (e.g., surveillance cameras, fences, controlled access points, etc.). However, this testing method also gives sites insight into how a site’s employees react to a security breach. For example, are employees questioning the “intruder” upon discovery and are employees following reporting plant security procedures for suspicious activities.
Other methods to test your site’s Security Program include, but are not limited to, the following:
- Stop a delivery truck upon entrance into the facility and remove the tamper proof seal and see if receiving employees take notice.
- Remove an employee’s key card access to the facility or specific area of the facility and then try to see if the employee can enter the facility or restricted area.
- Unplug or tamper with a security camera and see how long it takes for the security team to notice and report the issue.
- Leave a restricted part of the facility (e.g., vault, chemical storage, etc.) open and see how long it takes for an employee to report the incident.
Continuous Cannabis Security Improvement
I’ve reviewed and tested my cannabis Security Program, now what? It is likely that during the review process or the mock threat scenario that you have found gaps or unsatisfactory results in your Security Program. This is ok! Once you have identified these potential gaps or threats to the Security Program, you should document those as non-conformances and follow your facility’s Corrective and Preventative Action (CAPA) procedures, which should include determining the root cause of the issue and implementing corrective or preventative measures to ensure the issue does not occur again or, at minimum, reduces the risk of the threat to an acceptable level.
By reviewing and testing your Security Program on an annual basis you are continuously improving your site’s cannabis security systems and providing your employees with the tools they need to successfully mitigate the risk of intentional adulteration or theft of your company’s products.