This Publicly Available Specification (PAS) has been written to help prevent attacks on mail systems. PAS 97 is a specification for mail screening and security to help organizations reduce the risk of harm to operations and staff. Publication comes just weeks after the Government updated its anti-terror strategy to take account of the increased likelihood of a chemical or biological terrorist attack in Britain.
Even in this electronic age, most businesses and other organizations rely on the ability to receive and send physical items of mail. As an essential part of normal operations, mail presents various potentially significant vulnerabilities. Mail streams into and within an organization provide a vector for malicious attacks and scope for other security incidents, all of which can adversely affect the day-to-day business of the organization, as well as its reputation.
This Publicly Available Specification (PAS) gives the requirements and recommendations for mail screening, set in the broader context of postal security. It will be useful to anyone responsible for planning, delivering or procuring mail handling and screening services within organizations, as well as commercial providers of such services.
The specification is for use by organizations of any size, sector or complexity. It sets out a comprehensive framework for protective security including:
- Assessment of risks associated with postal incidents
- Identification of appropriate measures to take in screening mail
- Help with decisions on the investment in equipment and facilities
- Implementation of these measures with regular review
- Establishment of conditions to be imposed upon suppliers
Annexes in PAS 97 include guidance on possible indicators of suspicious items (e.g. an additional inner envelope that may be difficult to remove; an unusual postmark or no postmark) and suggested action upon discovery of suspicious items.
PAS 97 specifies measures to assist businesses and other organizations in identifying and minimizing the impact of items of mail that represent a threat, or could otherwise cause concern or disruption. It also addresses broader postal security measures aimed at ensuring all incoming, outgoing and internal mail streams are managed to minimize the risk of loss or theft of valuable or sensitive items or information.
This publication concentrates on letters and small parcels entering the organization from any external source, including public/commercial postal services, by hand or by courier delivery.
Attacks may be intended to cause physical damage to property, harm to individuals, create fear or merely to cause disruption. It is also quite possible for perfectly benign objects to appear suspicious, causing disruption through emergency responses that prove unnecessary.
In addition, incoming and outgoing mail streams may contain valuable items or sensitive information that warrant protecting from loss or theft.
Mail screening and security measures can be used to reduce the risk and impact of such incidents. This PAS aims to assist organizations in identifying and implementing appropriate postal security measures that meet their particular needs.
Too few or inappropriate measures increase the risk of significant security incidents that harm the organization and its business. Excessive measures are likely to be an unnecessary expense and may otherwise reduce the efficiency of the organization, for example by causing delays or using scarce staff and space resources.
In working to identify and implement the appropriate measures for an organization, it is important to consider factors both within and external to the organization as well as potential future changes to these. For example, the nature of the organization’s business could change in a way that affects mail throughput requirements, as could the public profile of the organization in a way that makes it more likely to be targeted by single-issue groups, terrorists or disaffected individuals.
Contents of PAS 97 A specification for mail screening and security contain:
- Terms and definitions
- Outline of process
- Assessing the risk
- Understanding the threat
- Understanding the organization’s mail streams
- Screening levels
- Selecting appropriate screening levels for different mail streams
- Physical protective measures
- Summarizing the organization’s requirements
- General postal security measures
- Management and responsibility
- Operating procedures (including emergency procedures)
- Mail room / screening facility
- Screening methods and equipment
- Human factors
- Health and safety considerations
- Sources of advice and information
- Possible indicators that a delivered item may be of concern
- Action upon discovery of any suspicious delivered item
- Mail facility layout and construction to minimize the effects of an explosive device
- Additional information on X-ray machines for mail screening
Whilst many of the principles detailed in this document can also be applied to improving the security of other, larger-scale deliveries, these are not explicitly covered.
PAS 97 does not propose a single standard of postal security and screening. Instead, it sets out to assist organizations in assessing their particular level(s) of risk, and selecting and implementing commensurate security measures. A series of screening levels (1 to 5) is defined in terms of progressively more complex screening measures; this is complemented by a series of physical protection classes (A to D) that describe incremental physical protective measures for mailrooms and personnel. Another factor contributing to the overall level of protection an organization derives from its postal security measures is the location of its mail facilities.
The security of electronic mail and associated IT systems is outside the scope of this PAS.