Section DHS 157.9708 - General security program requirements(1) SECURITY PLAN. (a) Any licensee identified in s. DHS 157.9707 (1) shall develop a written security plan specific to its facilities and operations specifying the overall security strategy that ensures the integrated and effective functioning of the security program required by this subchapter. At a minimum, the security plan shall: 1. Describe the measures and strategies used to implement the requirements of this subchapter.2. Identify the security resources, equipment, and technology used to satisfy the requirements of this subchapter.(b) The security plan shall be reviewed and approved by the individual with overall responsibility for the security program.(c) A licensee shall revise its security plan as necessary to ensure the department's requirements are effectively implemented. A licensee shall ensure all of the following: 1. The revision to the security plan has been reviewed and approved by the individual with overall responsibility for the security program.2. Individuals affected by the revised security plan are notified and given instruction about changes to the plan before they are implemented.(d) A licensee shall retain a copy of the current security plan as a record for 3 years after the security plan is no longer required. A licensee shall retain a record of any superseded portion of the security plan for 3 years after it is superseded.(2) IMPLEMENTING PROCEDURES. (a) A licensee shall develop and maintain written procedures that document how the requirements of this subchapter and the security plan will be implemented.(b) The implementing procedures and revisions to these procedures shall be approved in writing by the individual with overall responsibility for the security program.(c) A licensee shall retain a copy of the current implementing procedures as a record for 3 years after they are no longer required. A licensee shall retain a record of any superseded portion of the implementing procedures for 3 years after they are superseded.(3) TRAINING. (a) A licensee shall conduct training to ensure that individuals implementing the security program possess and maintain the knowledge, skills, and abilities required to carry out their assigned duties and responsibilities effectively. The training shall include instruction in all of the following: 1. The licensee's security program, implementing procedures, and the purposes and functions of the security measures employed to secure category 1 or category 2 quantities of radioactive material.2. The responsibility to report promptly to the licensee any condition that causes or may cause a violation of the department's requirements.3. The responsibility of the licensee to report promptly to the LLEA and licensee any actual or attempted theft, sabotage, or diversion of category 1 or category 2 quantities of radioactive material.4. The appropriate response to security alarms.(b) In determining those individuals who will be trained on the security program, a licensee shall consider each individual's assigned activities during authorized use and response to potential situations involving actual or attempted theft, diversion, or sabotage of category 1 or category 2 quantities of radioactive material. The extent of the training provided to an individual shall be commensurate with the individual's potential involvement in the security of category 1 or category 2 quantities of radioactive material.(c) Refresher training shall be provided at a frequency not to exceed 12 months and when significant changes have been made to the security program. Refresher training shall include all of the following: 1. Review of the training requirements under sub. (3) and any changes made to the security program since the last training.2. Reports on any relevant security issues, problems, and lessons learned.3. Relevant results of the department's inspections.4. Relevant results of the licensee's program review and testing and maintenance.(d) A licensee shall maintain records of the initial and refresher training for 3 years from the date of the training. The training records shall include dates of the training, topics covered, a list of licensee personnel in attendance, and related information.(4) PROTECTION OF INFORMATION. (a) A licensee authorized to possess category 1 or category 2 quantities of radioactive material shall limit access to and unauthorized disclosure of their security plan, implementing procedures, and the list of individuals that have been approved for unescorted access.(b) Efforts to limit access shall include the development, implementation, and maintenance of written policies and procedures for controlling access to, and for proper handling and protection against unauthorized disclosure of, the security plan, implementing procedures, and the list of individuals that have been approved for unescorted access.(c) Before granting an individual access to the security plan, implementing procedures, or the list of individuals that have been approved for unescorted access, a licensee shall do all of the following:1. Evaluate an individual's need to know the security plan, implementing procedures, or the list of individuals that have been approved for unescorted access.2. If the individual has not been authorized for unescorted access to category 1 or category 2 quantities of radioactive material, safeguards information, or safeguards information-modified handling, the licensee shall complete a background investigation to determine the individual's trustworthiness and reliability. A trustworthiness and reliability determination shall be conducted by the reviewing official and shall include the background investigation elements contained in s. DHS 157.9702 (1) (a) 2. to 6. and (b).(d) A licensee need not subject any of the following individuals to the background investigation elements for protection of information: 1. The categories of individuals listed in s. DHS 157.9704 (1) (a) to (m).2. Employees of security service providers for whom written verification has been provided to the licensee by the security service provider that indicates the employee has been determined to be trustworthy and reliable based upon the background investigation elements contained in s. DHS 157.9702 (1) (a) 2. to 6. and (2).(e) A licensee shall document the basis for concluding that an individual is trustworthy and reliable and should be granted access to the security plan, implementing procedures, or the list of individuals that have been approved for unescorted access.(f) A licensee shall maintain a list of persons currently approved for access to the security plan, implementing procedures, or the list of individuals that have been approved for unescorted access. When a licensee determines that a person no longer needs access to the security plan, implementing procedures, or the list of individuals that have been approved for unescorted access, or no longer meets the access authorization requirements for access to the information, the licensee shall remove the person from the approved list as soon as possible, but no later than 7 working days, and take prompt measures to ensure that the individual cannot obtain the security plan, implementing procedures, or the list of individuals that have been approved for unescorted access.(g) When not in use, a licensee shall store its security plan, implementing procedures, and the list of individuals that have been approved for unescorted access in a manner to prevent unauthorized access. Information stored in non-removable electronic form shall be password protected.(h) A licensee shall retain all of the following as a record for 3 years after the document is no longer needed:1. A copy of the information protection procedures.2. The list of individuals approved for access to the security plan, implementing procedures, or the list of individuals that have been approved for unescorted access.Wis. Admin. Code Department of Health Services DHS 157.9708
Adopted by, CR 16-078: cr. Register January 2018 No. 745, eff. 2-1-18; renumbered from DHS 157.108 under s. 13.92(4) (b) 1, Stats., correction in (1) (a), (4) (c) 2., (d) 1., 2. made under s. 13.92(4) (b) 7, Stats., and correction in (4) (d) 2. made under s. 35.17, Stats., Register January 2018 No. 745, eff. 2/1/2018Amended by, CR 22-015: am. (4) (b), (c) (intro.), 1., (e) to (g), (h) 2. Register June 2023 No. 810, eff. 7/1/2023