11 Security Plan
Comprehensive Security Plan v1.5

Introduction
Roles and Responsibilities
Chief Compliance Officer
Security Manager
Computing Security Manager
Facilities Manager
Employee Involvement
Security Emergency Action Plan (EAP)
Engineering Controls for Emergency Response
Armed Robbery
Burglary
Physical Security
Facilities Security
Perimeter Security
Ingresses and Egresses
General Security Protocols
Cash Management
Cash Storage
Cash Handling
Building Diagram - Locations Alarm Systems, Security Cameras, and Lighting
Lighting Description: Interior/Exterior
Signage
Backup Power System
Alarm System
Digital Video Surveillance Plan
Equipment Standards
Recording Protocol
Recorded Surveillance Storage Protocol
Security Equipment Maintenance
Closing Procedure
Access Control/Anti-Diversion
Employee Background Checks
Employee Access Levels
Employee Identification
Facility Access Procedures
Key Issuance Procedure
Access Codes
Changes in Access Due to Promotion or Position Modification
Key Return and Access Termination Procedure
Locks/Cabinets/Safes/Vaults
Non-Employee Access
Security Training
Security Involvement in Product Transfers in/out of Building
Management of Waste including Expired Products
Waste Disposal Security
Business Property Records
Computing Security
Operational and Technical Controls
Physical Computer Controls
Electronic File Storage and Archiving
APPENDIX 1 - Security Access Log
APPENDIX 2 - Key/Key Card User Agreement
APPENDIX 3 - Non-employee Access Log
APPENDIX 4 - Network and Computing Resources User Agreement
APPENDIX 5 - Shipping Manifest

Introduction

This Security Plan describes the policies, procedures, engineering and physical controls, and other
measures that will be implemented to ensure a safe and secure environment for employees, customers, and the community, as well as to comply with local and state security requirements. A primary goal of Prime Arrow through this plan is to prevent unauthorized entry to the premises, deter theft, burglary and diversion of cannabis products or other valuables, and prevent access to cannabis products by individuals under 21 years of age. State and Federal Law supersedes any item in the Plan that does not meet local regulatory requirements. Within this plan THC- or CBD-containing material is referred to as “the product.” The policies in this plan apply to all individuals involved with Prime Arrow, including owners, officers, employees, agents and others representing the company.

Roles and Responsibilities

Chief Compliance Officer

The Chief Executive Officer (CEO) will designate a Chief Compliance Officer (CCO), who will be responsible for implementing the Plan by hiring a qualified Security Manager (SM) who will be responsible for all security-specific tasks. The SM will ensure that all security procedures are followed related to facility access, emergency response, transportation, training, hiring and supervising security staff members, background checks, prohibiting the access of minors to the premises, and other procedures specified in this document. The SM is responsible for clearly designating who will serve as a senior security staff member in an emergency if the CEO, CCO and SM are not present. The CCO will regularly report to the CEO on the status and efficacy of the Security Plan. The CCO, in collaboration with the SM and the Quality Assurance Officer, will review the Plan annually and recommend changes or amendments to the CEO to improve security features or processes. The CCO or the Security Manager will be the primary contact for all security equipment vendors.
Security Manager

The Security Manager will be responsible for ensuring that this Security Plan is properly implemented.

Responsibilities:
● Implement and enforce security regulations and policies.
● Ensure the protection of people, property, and assets.
● Reduce risks, respond to incidents, and limit liability in all areas of financial, physical, and personal risk.
● Act as liaison to the local Police Department (PD).
● Schedule all security services and officers.
● Manage a budget covering security resources and employees.
● Ensure all security equipment and systems are operated and maintained according to manuals, standard security practices, and the Security Plan.
● Administer the access control program, including the enrollment of personnel in the company’s access control system.
● Compile reports as required by the CCO.
● Utilize all security systems to discover security breaches and identify compliance issues.
● Train personnel according to established procedures and conduct regular security meetings to discuss problems and future plans.
● Ensure the maintenance of training records and security logs.
● Manage all visitor access to the facility.
● Act as liaison to all departments on security measures, procedures, and needs.
● Coordinate the security of transportation activities, including the planning of delivery routes to ensure the safety and security of the delivered goods and employees.
● Conduct security evaluations to ensure constant improvement and compliance.
● Ensure the reporting and documentation of all incidents and provide initial information for investigations to the CCO.
● Ensure that all records are forwarded properly according to the Record Keeping Plan.
● Foster a spirit of cooperation, respect and professionalism among employees and other managers.
● Stay up to date on security-related issues and trends by means of periodically reviewing the literature, becoming a member of one or more related organizations, participating in conferences, and/or other means of networking with and learning from other security experts.
● Add and remove access for other employees and contractors as they are hired and/or terminated.
● Manage problems related to fired employees that pose any kind of threat.
● Oversee product transfer into and out of the premises.
● Ensure no on-site or on-premises consumption of illegal substances through signage, meetings and premises patrolling.

Computing Security Manager

Under the direction of the CCO, the Computing Security Manager (CSM), with appropriate experience and training, will manage the security related to data and technology and will be responsible for ensuring compliance with the Computing Security portion of this Plan. Additional responsibilities are listed in the Staffing and Training Plan.

Facilities Manager

The Facilities Manager is responsible for planning and managing the portions of this plan related to evacuations.

Employee Involvement

Staff will be asked to review security procedures related to their specific tasks at least once per year and give recommendations for improvements.

Security Emergency Action Plan (EAP)

During a security-related emergency, if the SM is on the premises, he/she will serve as the senior security staff member and manage activities until the CCO or CEO is present. If the SM is not present, a designated senior Security Staff Member will call 911 and interact with Emergency Response personnel. Any staff member may call 911 if there is a risk to someone’s safety, but will bring the senior Security Staff member onto the call as soon as possible to take over.
If there is no safety risk to staying on the premises and emergency responders do not direct otherwise, other employees will immediately monitor entrances and exits to prevent unauthorized access, and monitor products that are accessible to customers, contractors, or visitors. In the case of any emergency, all documents resulting from the event and receipts and other records related to associated expenses will be collected by the Security or Facility Manager as appropriate. A summary of the incident and an expense report will be provided to senior management within 60 days of the event. If cash is on the premises, all cash drawers and/or office doors will be locked upon leaving the area to deal with an emergency. See the Health and Safety Plan for information on completing an Incident Report Form after an emergency is resolved.

Engineering Controls for Emergency Response

● A silent alarm for use during an armed robbery.
● An audible panic alarm to indicate the need for evacuation and a call to 911.
● A notification system generating a sound, text, or visual signal when the alarm/surveillance system malfunctions.
● These engineering controls will remain operational during a power outage.

Armed Robbery

Should an armed robbery incident occur, staff will be advised to follow recommendations that are commonly suggested by law enforcement entities (1) (2), including the following:

During a robbery:
● Remain Calm.
● Obey the robber’s commands immediately. Others in the area should freeze in place and do nothing.
● Don’t argue with the robber.
● Consider all firearms to be loaded.
● Look at the robbers – notice details to aid you in describing them and their mannerisms. Note age, weight, height, clothing, tattoos or scars and write down the details at the first opportunity.
● Take note of the weapon.
● Watch the direction the robbers take – if they use a vehicle, try to note the license plate number.
● Only press the silent alarm if you can do so without being seen.
● Don’t call the police yet if there is a chance the robber can see or hear you.
● Don’t chase or follow the robber. You could be mistaken for the robber in a pursuit by police.

After a robbery:
● Call 911
● Give the address of the business and state that the location is a cannabis facility, give your name and telephone number, and stay on the phone until the dispatcher ends the call.
● Give a description of the suspect(s), direction of travel, and a license number if a vehicle was used.
● Advise whether or not weapons were used.
● Protect the crime scene. Keep customers or other employees away from the area of the store where the robbery occurred.
● Ask witnesses to wait until the police arrive.
● Do not touch anything.
● Save a note if one was used – do not handle it or let others handle it.
● Upon arrival of the police, the senior Security Staff Member should introduce him/herself, check the responder’s ID if there is any reason to be suspicious, and inform them that a higher-level manager is on the way (if applicable).

Burglary

If evidence of a burglary is discovered, staff will:
● Avoid entering areas that have not yet been searched.
● Notify law enforcement using a non-emergency number.
● Notify a senior staff member immediately.
● Prevent others from entering the area or touching anything.
● Upon arrival of the police, the senior Security Staff Member should introduce him/herself, check the responder’s ID if there is any reason to be suspicious, and inform them that a higher-level manager is on the way (if applicable).

Physical Security

Physical security is focused on limiting premises and product access to only those individuals permitted.
Preventing the diversion of products involves the physical security of the premises, a system of strict control over access to materials, and the tracking of cannabis products. Security related to tracking of the products themselves is covered primarily in the separate Inventory Plan. These plans will meet or exceed state and local regulations related to product diversion prevention.

Facilities Security

This section covers securing the buildings and perimeter against intruders, including surveillance activities, alarms, lighting, warning signs, and other controls. All doors, gates, safes, vaults, cabinets and other secured locations will be labeled with an individual number or other designation (location code), which will correspond to maintenance and security records and the location on a premises map. A qualified security department employee will be designated at all times to monitor the inside and outside of the premises for suspicious activity during regular work hours. This will happen through a combination of video camera monitoring and walking patrols.

Perimeter Security

● A security alarm, including a motion detection system within the perimeter, will notify management of an attempt to breach the perimeter in an unauthorized manner.
● Lighting will illuminate areas around the exterior of the building.
● A back-up alarm system will be provided by a second security system company, if required.
● A security company will be contracted to regularly patrol the location when employees are not present.

Ingresses and Egresses

● Only management level and other authorized staff will have keys or access codes to open the building and turn off security alarms.
● The front door to the premises will serve as the only entrance for all staff and visitors.
● The front door will be staffed at times when visitors are expected.
● The front door will lead to a monitored mantrap where visitors and contractors must show ID, be recorded by surveillance video, and not be able to open the inner or outer doors without support from the receptionist or relevant security department employee.
● The entrance areas leading to and from the mantrap will be monitored by security cameras from multiple angles to ensure complete recording of incidents.
● Back and side doors will be locked such that occupants can exit the building for emergencies or special circumstances, but cannot re-enter.
● When a back door is used to bring in supplies, remove waste, or provide access to a service contractor, a security staff member will be present while the door is open.
● All doors will be alarmed, covered by security cameras, and well lit.
● All camera views will be unobstructed at all times.
● At the request of law enforcement or other emergency personnel, doors that are normally kept locked will be unlocked and de-armed for the minimum amount of time required, and a company security staff member will monitor the door.
● Rooms with windows will be armed with a system that sets off an alarm when the sound of breaking glass is detected.
● Windows and roof hatches will be secured so as to prevent unauthorized entry and also equipped with latches that may be released quickly from the inside to allow exit in the event of an emergency.

General Security Protocols

All inventory stored on the licensed premises will be secured in limited-access areas. Prime Arrow will store all cannabis products in regulation safes affixed to the property’s structure. Accordingly, cannabis-infused products that require refrigeration or to be frozen will be kept locked in a refrigerated unit that is incorporated into the building structure. Processed cannabis will never be stored outdoors.
Employee break rooms, changing facilities, and bathrooms will be separate from all storage areas containing cash or cannabis materials. In the event of a disaster, a licensee or designated employee will be assigned to move cash and cannabis products to another location for a short time period to prevent loss, theft, or degradation of the cannabis products from the disaster. Prime Arrow maintains a secondary location for emergency storage of cash and cannabis and will disclose that location to the regulatory agency upon request.

The Security Manager is responsible for protecting company products both during the production process and once they are stored. The SM will ensure good working order of mechanical systems associated with monitoring products, such as lights and cameras, and will track employee and Manager access to sensitive materials and stored company valuables. Steps for doing this include:
● Ensure that no valuable or sensitive post-production products are visible to employees during their regular work activities.
● Implement policies to ensure that workers cannot easily remove cash, cannabis material or other valuables in their clothing or personal containers, and implement clear rules around pockets, containers and bags to avert employee diversion and theft.
● Monitor access of appropriate personnel and visitors to limited access areas.
● Maintain a video monitor of cameras showing both the outside and inside of the sensitive material storage areas and safes.
● Maintain logs of removal of sensitive and valuable products from their production or storage areas.
● Ensure that all materials have been logged out or transferred properly in the software tracking system as they are moved around or out of the facility.

Cash Management

Prime Arrow will ensure that tight controls are in place for all cash-related activities.

Cash Storage

● A secure safe will be used for cash storage.
This safe will meet national GSA standards for quality and weigh >150 lbs. It will be located inside a locked office and attached to the framing of the office wall.
● Access to the safe will be limited to the CEO and CFO. In addition to the individual opening the safe, a second member of the Senior Staff or a Manager will observe the activity.
● A log will be kept as a paper ledger in which all deposits to and withdrawals from the safe are recorded. The log will include the specific reason for the transaction and the signatures of the two individuals involved.
● The safe will only be opened when a full contingent of security personnel are on the premises.

Cash Handling

● At least two employees will be present whenever cash is accessed or moved from one location to another, including transfers of cash to the bank.
● All expenses will be documented with a receipt or cash transaction report.
● An amount of no more than $1,000 will be kept in a secondary secured location within a locked office as a petty cash account.
  ○ The petty cash location will be secured with a heavy-duty combination lock, and the code will be divided between the Manager and Assistant Manager such that both individuals must be present to open the lock and observe the transaction.
  ○ The location will be in full view of a surveillance camera.
  ○ A receipt or cash transaction report is required for all removals of cash from the account. Two Managers will approve each petty cash transaction and initial the receipt or transaction report.
  ○ All receipts and transaction reports will be kept with the funds, and the account will always be in balance.

Building Diagram - Locations Alarm Systems, Security Cameras, and Lighting

TO BE DETERMINED ON THE FINAL FLOOR PLAN

Lighting Description: Interior/Exterior

Interior:
● Indoor lighting will be provided by both fluorescent and LED overhead bulbs.
● Lighting inside the building will be sufficient in all areas such that security cameras will be able to record the complete facial features of those in the facility.
● Burned out bulbs will be replaced within 24 hours and recorded in a facility maintenance log.

Exterior:
● Outside lights will come on before sunset, and the light will be directed downward by a shade.
● Lights on the exterior of the building will use a minimum of a 250 Watts/125 Volt LED bulb.
● Exterior lighting on the building is to be checked every evening, and any burned out bulbs that can be reached with a ladder will be replaced before closing. Lights that require additional equipment to reach the apparatus will be changed as soon as the necessary equipment can be acquired.
● Any lights that have shifted position and no longer adequately illuminate the expected area will be adjusted within 24 hours if easily accessible or as soon as necessary equipment can be acquired.

Signage

The following signs will be prominently and clearly displayed inside at the entrance as designated by state and local regulations:
● Persons under 21 Years of Age not Permitted on these Premises.
● No Trespassing - This Property is Protected by Video Surveillance.
● Warning: This product has intoxicating effects and may be habit forming. Smoking is hazardous to your health.
● Cannabis can impair concentration, coordination, and judgment. Do not operate a vehicle or machinery under the influence of this drug.
● Do Not Enter - Limited Access Area – Access Limited to Licensed Personnel and Escorted Visitors.

Backup Power System

A generator will provide enough power to the facility to support critical operations for at least 72 hours. Critical components include security features, lighting, and environmental controls sufficient to maintain the quality of the product on the premises.
Alarm System

● The alarm system will meet or exceed the state’s requirements.
● The system will cover the perimeter, the exterior, and the interior of the building.
● All doors that provide access to the building will be alarmed, as well as rooms with exterior windows, skylights or access points on the roof, the main office, and other rooms that contain vaults, safes, or stored product.
● The alarm system will be installed and monitored during non-business hours by a vetted, licensed alarm company that is capable of meeting all state and local regulations.

Digital Video Surveillance Plan

Prime Arrow will install a digital video surveillance and recording system that will monitor the following areas:
● The front and rear of the premises.
● Parking areas.
● The exterior within 20 feet of all doors and windows to the outside not adequately covered on the front or rear sides.
● The entrance area, such that all people who enter the building are clearly recorded.
● All locations where sales occur.
● All locations where products are on display or are stored.
● All locations where individuals interact with the product, including shipping and receiving areas.
● Areas such that individuals who are opening safes or vaults can be clearly viewed.
● Areas used for the destruction of products.
● All other rooms that require a higher level of access to enter.

Equipment Standards

● The equipment will be capable of recording at a resolution of at least 720
● The cameras will be capable of recording in both high and low light conditions.
● Cameras in parking areas will be capable of recording license plate numbers.
● The system will be a type in which live-feed video can be accessed through a secure web site.
● The equipment will be capable of stamping the video with the accurate date and time.
● Cameras and other recording equipment will be capable of signaling a failure to an operator within one hour.
Recording Protocol

● Video of exterior locations will be recorded 24 hours a day.
● Live feeds of the video being recorded will be on screen at the security desk.
● Interior locations will be recorded during business hours.
● The management may record additional interior locations for 24 hours at their discretion.
● Industry standards will be followed to ensure the integrity and authenticity of video recordings to the level that they could be accepted as evidence in a court of law.
● Computer access to the recording system will be password protected.
● Recordings will be backed up before earlier recorded material is overwritten by the system.
● Backed-up recordings will be stored for 3 days.
● Each monitored location will have a clearly-visible sign with a statement advising those present they are being recorded.

Recorded Surveillance Storage Protocol

● Video and storage equipment will be operated and stored in a secured room with limited access.
● A regularly-updated record will be kept of individuals who have access to the room.
● Storage files will be password protected.
● Backup copies of at least the most recent week of surveillance footage will be stored on a secondary secured server on the property or, if on removable media, off-site in a vault or safe where it is easy to access and easily reproducible.
● Video will be made available immediately upon request to company employees, state and local law enforcement and regulatory authorities, and to other entities as required by law.

Security Equipment Maintenance

● The SM or his/her designee will be responsible for creating a security equipment maintenance checklist and activity log and periodically checking that they are being filled out appropriately.
● Recording equipment will be permanently attached to the property and be checked on a regular basis to check for loose or deteriorating connections, evidence of tampering, etc.
● Batteries in any equipment will either be replaced, recharged, or checked on a regular basis.
● Security system software will be updated on a regular basis.
● Other maintenance operations recommended by the equipment manufacturer will be included in the checklist and conducted on a regular basis.
● At least one extra camera will be stored in a limited-access location to replace a malfunctioning camera as soon as possible.

Closing Procedure

The SM will produce a Closing Procedure Checklist that will include the following tasks at a minimum. Ensure that:
● No one remains in the building
● Computers are shut down or have a lock screen on
● All doors, gates, safes, vaults and other lockable areas are secure
● Surveillance cameras and recording devices are on and operational
● Exterior lighting is on
● No suspicious vehicles or individuals are in the vicinity

Access Control/Anti-Diversion

Prime Arrow will implement the following policies to prevent access of products to minors, the unregulated market, or others intending to acquire the product through illegal means. Actions include careful vetting of new employees, badge use, carefully controlled access methods, secured storage and processing areas, and following secured waste management procedures.

Employee Background Checks

All background checks will be conducted through an FCRA-compliant company and follow EEOC and FTC guidance.

Employee Access Levels

Each employee will be assigned a level of access. The level of access will determine which sections of the facility the employee has permission to enter, access to safes or vaults, and which folders or files can be accessed within the computer system.

Level 1: Senior staff.
Those with this level of access may enter any part of the facility and open all safes or vaults and computer files.

Level 2: Managers, Security Staff Members, Facilities Staff. Individuals in this group have access to areas and computer files they are responsible for and may be able to open one or more safes or vaults, depending on position requirements.

Level 3: Regular staff. General employees have access to a limited number of rooms that contain the materials they work with and only computer files required to accomplish specific tasks.

Employee Identification

All employees or others operating on behalf of the company will display a laminated badge issued by the company at all times on the business premises or while representing the company at off-site locations. The badge will include:
● The company’s “doing business as” name and license number.
● The employee’s first name.
● The company-assigned employee identification number.
● A color photo of the employee that is at least 1.5” in height x 1” in width and clearly shows a front view of the employee’s face.
● The employee’s access level or a color code that indicates the access level.
● Optional: a bar code representing the employee’s company-assigned identification number for use with the inventory system.

Facility Access Procedures

All doors, safes, vaults, cabinets and other secured locations will be labeled with an individual number or other designation (location code), which will correspond to maintenance and security records and the item’s location on a premises map.

Key Issuance Procedure

● An authorized senior staff member will record the issuance of keys or access cards to a new employee into a security access log (Appendix 1).
● The security access log will include the name of the person being issued the item, the employee’s company-assigned identification number, the employee’s position/title, the level of access being assigned, date, signature of employee, and the initials of the issuer. If the access permissions are not based on an access level described above, the log will note each location the employee will be able to enter.
● Extra keys and access cards are to be stored in a vault or safe in the Main Office.
● All employees issued a key or access card will sign a Key/Key Card User Agreement (Appendix 2) attesting to their understanding of related procedures.
● The paper version of the security access log will be stored in a locked location when not in use.

Access Codes

● For locations controlled by means of entering an access code into a keypad, each individual will have a separate access code, both to track who is accessing the controlled area, and to allow a single code to be terminated rather than rekeying the entire system after the employee’s last day.
● The issuance of an access code will be recorded in the security access log, including a list or designation which indicates the locations the employee is able to access.

Changes in Access Due to Promotion or Position Modification

Upon the promotion or change to the position of an employee that involves a change to the locations an employee may access:
● The CCO or SM will modify the access system to allow the employee to enter the appropriate locations.
● If there is a change in level of access, a new employee identification number will be assigned and a new badge will be provided.
● The CSM will modify the employee’s access to appropriate computer files.
● The exact modifications will be noted in the security access log.
Key Return and Access Termination Procedure

● Upon learning of an employee’s final employment date, an authorized senior staff member will notify all staff involved in maintaining the security system, including the Computing Security Manager.
● A checklist will be generated by the CCO with a list of access system items related to the employee that need to be returned or cancelled. As each item is returned or cancelled, the authorized person will check the item off and initial the form.
● An authorized senior staff member will schedule an exit meeting with the employee, if possible, at the end of the day on the last day of employment.
● The employee shall return keys or access cards at the exit meeting.
● The form will be further circulated to those who are responsible for completing the remaining tasks.
● If an access code has been issued to the employee, it will be removed from the system within 24 hours.
● If an exit meeting cannot be scheduled with the employee within 2 of the employee’s last day, the facility’s access system will be rekeyed.
● The security access log and any other related logs will be updated.

Locks/Cabinets/Safes/Vaults

● All locks on the premises will comply with ANSI/BHMA standards for Grade 1 products or the equivalent.
● Locks that show evidence of wear or tampering will be replaced within 48 hours, or if an outside vendor needs to replace the locks, a call will be made to the vendor within 24 hours or the next business day.
● Extra replacement locks kept on the premises will be stored in a locked cabinet to prevent tampering.
● Storage cabinets holding product or security-related items will be a minimum of 12-gauge steel and be secured to a permanent part of the building or to an adjacent cabinet.
● Any safe on the premises will be of commercial grade, made of metal, and large enough to store all items or products anticipated on the premises in each secured location.
The safe will be securely anchored to a permanent part of the building or weigh more than 750 pounds.
● A vault refers to an enclosed area or room that is constructed of steel-reinforced or block concrete and has a door that contains a multiple-position combination lock or the equivalent, a relocking device or equivalent, and a steel plate with a thickness of at least one-half inch.

Non-Employee Access

● Any non-employee who will have access to limited-access areas will be required to show ID and be escorted by an authorized employee.
● A Non-employee Access Log (Appendix 3) will include the person’s name, company, date, times the individual entered and exited, and reason for visit.
● When not in use, the Non-employee Access Log will be kept in a locked location.
● Non-employees will not have access to products or product storage areas unless the person’s work must take place in that area.
● Prime Arrow will not receive consideration or compensation for permitting an individual to enter the limited-access areas.
● Entrances to all limited-access areas shall have a solid door and a lock that meets regulatory requirements. The door will remain closed when not in use during regular business hours.

Security Training

● All security personnel hired or contracted for by the licensee will comply with state and local regulations with regard to registration, permitting, licensing, etc.
● Additional training will occur prior to working with any products and be repeated according to state and local regulations.
● The SM is responsible for keeping a record of training for each training module for every employee, including the date training occurred, type of training, the signature of the employee upon completion of training, the signature of an authorized person who can verify completion of training, and the date retraining is due.
● At a minimum, training will occur at a frequency specified by state and local regulations.
● The calendar or other training reminder system will be updated to track due dates for training updates.
● Any documentation related to an individual employee’s training will be kept in the employee’s file.

Topics included in security training for all employees will include, but not be limited to:
● Caution in sharing information
● Diversion issues and detection
● Observing and reporting
● Risk management
● Robbery response, including practice drills
● Conflict resolution
● Cybersecurity
● Evacuation procedures, including practice drills
● State and local legal requirements
● Patient privacy (if applicable)

Personnel hired specifically to manage security on the premises will be trained in the use of the Incident Command System (ICS) and the National Incident Management System (NIMS) to increase effectiveness in interactions with emergency response personnel. Coursework will include at a minimum IS-700 NIMS, an Introduction; ICS-100 Introduction to the Incident Command System; and ICS-200 ICS for Single Resources and Initial Action Incidents. Security employees may take the courses at work or at home and will be compensated for the number of hours indicated as the course length on the FEMA training website upon providing documentation that each course has been completed.

Security Involvement in Product Transfers in/out of Building

● One access point (doorway or delivery dock) will be used for all delivery activities.
● A primary Security Staff Member will monitor the door and the outside environment during the transfer of any controlled product and observe the transaction.
● A second Security Staff Member or other trained employee designated by the CCO will assist the primary Security Staff Member.
● The primary Security Staff Member will check the ID of the person(s) delivering or picking up products.
● The Security Staff Member will record the transfer in a log (Appendix 4).
● The log will include the date and time of the transaction, whether the product is incoming or outgoing, the name of the outside company involved in the transaction, the outside employee’s name and ID number from his/her badge, the name of the Prime Arrow employee involved in the transaction, the initials of the primary Security Staff Member, and the initials of an authorized supervisor.
● The log will be stored in a secured location near the delivery access point when not in use.
● For the delivery of uncontrolled products, a security staff member will be present to monitor the delivery access point, but the delivery will not be logged.

Management of Waste including Expired Products

● All waste will be collected and disposed of according to state and local regulations.
● Hazardous waste will be collected and disposed of according to procedures in the Chemical Safety Plan.
● Waste containing the product will be removed from its packaging and rendered unrecognizable and unusable prior to disposal.
● Any waste that contains the product will be placed in a secured waste container or locked in a secured location.
● Each item being disposed of will be tracked through the inventory control system.

Waste Disposal Security

If an authorized, outside waste hauler is used to dispose of the product, the following processes will occur:
● The waste hauler will provide documentation showing the date and time of each waste pickup.
● Waste will be delivered to a permitted solid waste, composting or other allowed disposal facility with 24-hour monitoring.
● The waste hauler or receiving facility will forward documentation related to each pickup certifying the weight of the waste delivery.
● If Prime Arrow self-hauls waste to an authorized disposal facility, documentation certifying the weight of the waste delivery will be provided to the hauling employee and turned over to an authorized supervisor upon completion of the delivery.
● Only employees of the company will be allowed to self-haul waste.

Business Property Records

● All items purchased for business use costing $2,000 or more will be labeled with a Property Number.
● The CCO will designate an employee each year to carry out an annual property inventory to confirm the locations of all labeled property.
● If any inventory item is found to be missing, the CCO will notify the CEO immediately.
● The CEO or a designee will carry out a brief investigation and report the loss to the authorities and the insurance provider in a timely manner if the item is not recovered.

Computing Security

Prime Arrow is committed to ensuring that its computing resources are secured and compliant with legal requirements. Adequate funding will be applied to hiring staff such that the Computing Security Manager (CSM) has the necessary support to implement the Computing Security portion of this plan. The CSM will manage a budget related to computing resources and be responsible for vetting and managing relationships with outside vendors.

The CSM shall stay up to date on computing security and digital archiving issues and trends by means of periodically reviewing the literature, becoming a member of one or more related organizations, participating in conferences, and/or other means of networking with and learning from other computing security experts.

Operational and Technical Controls

● All employees who will have access to the computer system will be required to read and sign a Network and Computing Resources User Agreement (Appendix 5).
● Upon providing an employee with computer access, the event will be recorded in the Security Access Log or a computing-specific access log, including a list or designation which indicates the folders, files, or software systems the employee is able to access.
● Network and computer passwords must be composed of a combination of upper- and lower-case letters, numbers, and at least one additional character.
● Employees will be required to create new passwords every 2 months.
● An exiting employee’s computer access will be deleted from the system within 24 hours.
● User credentials will be encrypted or otherwise secured to protect against password compromises.
● Permissions for computer folders, files, and online accounts will be limited based on the access needs of the individual.
● Sensitive business files will be encrypted and otherwise protected whenever there is a need to transfer them electronically outside the internal computer network.
● Sensitive data stored on removable media, including, but not limited to, laptops, smart phones, flash drives, and CD/DVDs, must be encrypted before the item is taken beyond the physical controls of the premises.
● Firewalls and intrusion detection systems will be implemented to control access to the network. These configurations will be subject to periodic testing and audits.
● Access logs will be monitored on a daily basis or a notification system will be used to identify unauthorized attempts to access the computing system and alert the Computing Security Manager and other relevant personnel.
● A detailed Security Incident Response Program will be developed and maintained in the event of outside access to internal files. The program will be tested throughout the company, and senior managers will be trained on their responsibilities in case of such an incident.
● The CSM will establish retention periods for logs and review audit logs periodically to ensure that appropriate events are consistently logged and abnormal events are identified and investigated.
● Only personal information on employees that is required by law will be collected and stored.
● Information related to credit and debit cards will only be held during the period of time needed to complete the financial transaction and will not be otherwise collected or stored.
● Sensitive business files will be maintained in a separately secured server location from files used on a daily basis by regular employees.
● If remote access to the video surveillance system or other files is allowed, the network will have appropriate endpoint security, and the accessible files will be maintained in a separately secured server location from other files.
● Antivirus and other software will be updated on a regular basis to ensure the integrity of the computing security system.
● If Prime Arrow implements a web application, the CSM will adopt policies recommended by the Open Web Application Security Project (OWASP).
● The CSM will ensure that recommended guidelines by industry experts are implemented and maintained.

Physical Computer Controls

● All computers will be screen locked whenever an employee leaves the unit for a period of time that could allow unauthorized access.
● Primary network and computing hardware will be stored in a secured room with limited access.
● Any paper logs related to computing resource access will be stored in locked drawers or cabinets.

Electronic File Storage and Archiving

● Based on state and local requirements, and in consultation with the CEO and the CO, the CSM will identify which datasets will require backup, storage, and archiving and determine a retention schedule.
● For each type of dataset, the CSM will write a procedure for managing the dataset through its lifecycle.
● The CSM will develop a protocol to ensure the integrity and authenticity of the stored data to the level that they could be accepted as evidence in a court of law.
● Backup copies of archived material will be encrypted or password protected and stored in a secured cloud environment, or, if on removable media, off-site in a vault or safe where it is easy to access and easily reproducible.
● The CSM will be responsible for ensuring that the procedures are followed according to the retention schedule.

In consultation with the CCO and the QAO, the CSM will recommend changes and amendments to the Computing Security portion of this plan on an annual basis.

APPENDIX 1 - Security Access Log

Use as many lines as needed to record information.

Date | Employee Name & ID # | Position/Title | Initials of Issuing Manager | Type of Access & Item ID # if applicable* | Allowed Access** | Initials

* Indicate whether the issued item is a Key, Key Card, or Access Code. If the item has an ID number or related code, indicate here.
** Indicate which doors, safes, vaults, etc. can be opened with the access item. Locations can be grouped and referenced using a code or designation. For example, for an employee who can open all doors and safes, a code of “Level 1” may be recorded here.

APPENDIX 2 - Key/Key Card User Agreement

Prime Arrow Policies Regarding Use of Borrowed Security Items

I, _______________________________________ (Print Name) acknowledge my understanding that the key/key card being issued to me is the property of Prime Arrow. On my last day of work, I agree to meet with an authorized representative to return the security access item(s) that has/have been temporarily placed in my custody to access business locations in order to complete the tasks I have been assigned.
I further acknowledge my understanding that I may not let anyone outside the company borrow or otherwise use my access items, nor will I allow unauthorized personnel into an area they have not been given permission to enter. If I lose my access items or if they are stolen, I will notify a supervisor or manager as soon as possible.

Signature: ______________________________ Date: _________________________

Items issued:
Type: _________________________________ ID Code: _______________________
Type: _________________________________ ID Code: _______________________

APPENDIX 3 - Non-employee Access Log

Record of non-employees allowed to enter limited-access areas. This log is to be stored in a secured location near the main entrance when not in use.

Date | Name | Company Name (if applicable) | Reason for Visit | Initial here to verify ID check | Time of Entrance | Time of Exit | Approving Manager’s Initials

APPENDIX 4 - Network and Computing Resources User Agreement

Prime Arrow Policies Regarding Use of Network and Computing Resources

Use of Network and Computing Resources

Prime Arrow network and computing resources (hardware and software) are privately owned and are provided to support the work-related activities of Prime Arrow. Users are responsible for all activities initiated from their accounts. Never share your password, user ID or other personal “log-on” information with anyone. Prime Arrow staff will never ask you for your password. Passwords must conform to Prime Arrow guidelines and be changed regularly.

Read this statement carefully and initial below to indicate that you understand its implications.

Prime Arrow will never send you an email or text asking you to log in through a link to a website or provide your username and password.
Clicking on links or otherwise responding to emails asking for this type of information exposes the company to potential security breaches, including the possibility that your email contact list could be used to spread malware. If you receive an email that seems suspicious, forward it to a manager without clicking on any links or responding to it.

Initial here: __________

Users are responsible for staying informed

Prime Arrow will keep users informed of system and policy changes through a variety of means including email. It is the users' responsibility to read email messages addressed to them and be aware of the policy information contained therein.

Tampering with installed hardware or software is prohibited

Users shall not tamper with or dismantle installed hardware or software without prior approval from an authorized staff member; this includes operating system software, software used to access the Prime Arrow network, software related to data and network security or computer management software.

Unlawful use of software is prohibited

Most software used on Prime Arrow computers is covered by copyright, license and/or nondisclosure agreements. Installation of illegal, pirated or unlicensed software on Prime Arrow owned machines is prohibited.

User Privacy

Authorized staff are prohibited from arbitrarily accessing a user’s computer files or emails. However, in the course of performing their assigned duties, the content of an individual’s files or emails may become known to them. If the Prime Arrow Manager, or designee, has reasonable suspicion of violations of Prime Arrow policies or guidelines, that user's privacy is superseded by the company’s requirement to see that policies are properly enforced, and that the data integrity and security of the computer network is maintained for all network users. The examination of files will be limited to the matter under consideration.
If, for this reason, authorized staff are instructed to access the contents of a computer assigned to a user, Prime Arrow must notify the user 48 hours prior to, or within 48 hours after accessing the user’s computer. In the event of criminal or legal investigations, Prime Arrow may also be required to provide copies of email messages to the appropriate authorities.

Unauthorized Use of Computing Resources

Prime Arrow employees, agents, or representatives must not use any computing resource in a prohibited manner. Prohibited activities include but are not limited to: obtaining or attempting to obtain unauthorized access to information or system resources; putting viruses, worms or any other type of disruptive software into a computer system or network; maliciously causing computer system slowdowns or rendering systems inoperable; surfing or downloading sexually explicit materials from “adult” websites; sending or printing patently offensive email, documents, or images; using computers or networks in a fashion that causes harassment, abuse, or intimidation of another person.

Enforcement

Repeated minor infractions or serious misconduct may result in the loss of computer access privileges or the modification of those privileges to prevent the party or parties from further violations. Depending upon the severity of the infraction and its actual or potential effects upon Prime Arrow, additional disciplinary actions may be taken including termination. Any offense which violates local, state, or federal laws may result in the immediate loss of all computing privileges and may be referred to appropriate law enforcement authorities.

By signing below, I certify that on this date I have read and understand the above information regarding my responsibilities for the use of Prime Arrow network and computing resources.

Printed Name: ______________________
Signature: _________________________
Date: _____________________________

A copy of this signed form is to be filed with the employee’s permanent records.

APPENDIX 5 - Shipping Manifest

(click on the link above for the published formal pdf document. A screenshot appears below for reference).

1. The name and contact information of the licensee’s transportation representative, the premises address and license number of the entity transporting the cannabis items;
2. The name, contact information of the representative, licensed premises address, and license number of the entity receiving the delivery;
3. Product name and quantities (by weight or unit) of each cannabis item contained in each trip, along with the unique ID for every batch or item;
4. The date of transport and approximate time of departure;
5. Arrival date and estimated time of arrival;
6. Delivery vehicle make, model and license plate number;
7. Name and signature of both the delivery and recipient representatives overseeing the trip.

Sender Section:
Sending Entity:
Signature of Rep:
Name of Driver:
Contact #:
Departure Time/Date:
Arrival Time/Date:
Delivery vehicle make, model:
License Plate # & Driver’s DL #:
Product Name & Batch ID
Weight/Quantity:

Recipient Section
Recipient Entity:
Recipient Address:
Name of Recipient Rep:
Contact #
Confirm Accuracy of Sender’s info: (initial)
Signature: