Security measures required to meet security outcomes

For each security-enhanced source the responsible person must ensure the source is protected by security measures that meet the physical use, storage and transport outcomes specified in the Code relevant to the source category.

Security measures must be developed using a risk-based process that:

• describes the source, its environment and existing security measures
• identifies credible threats to the source
• assesses the effectiveness of existing security measures
• identifies further or amended security measures necessary to achieve the security outcome.

To assist organisations in the risk assessment process, a template has been developed and is available on request from the Environment Protection Authority (EPA).

Security plans

If a source (or aggregation) is categorised as security-enhanced, the person responsible for the source must prepare a security plan that demonstrates how the security outcomes relevant to the category of the source are being achieved.

Section 2.1.3 and Schedule A of the Code provide details of what must be included in a security plan.

Source security plans must be approved by an independent security assessor. A national scheme for accrediting assessors is being developed.

The EPA, together with ARPANSA, has been working with stakeholders to develop security plans, including site inspections, provision of stakeholder training and feedback and guidance on draft security plans.

Responsible persons should prepare, maintain and have an independent audit of a draft source security plan.

Practice-specific security guides

The Australian Radiation Protection and Nuclear Safety Agency (ARPANSA) has developed a series of best practice guidelines for specific industries to assist organisations which are responsible for security-enhanced sources to meet the requirements of the Code. These guidelines provide strategies to manage risk and recommend options to secure security-enhanced sources.

The following practice-specific security guides are available to those responsible for preparing security plans on request from the EPA.

Transport security

Transportation of security-enhanced sources presents particular challenges, and the Code sets out the security outcomes to be achieved for the shipment of Category 1, 2 and 3 sources.

A separate transport security plan must be prepared for the transportation of Category 1, 2 or 3 security-enhanced sources. This plan must demonstrate how physical security measures will meet the security outcomes relevant to the categorisation of the source. Schedule A2 of the Code contains the information that must be included in transport plans.

Where a Category 1 source is being transported, a source transport security plan must be provided to the EPA at least seven calendar days in advance of the proposed date of transport. The EPA will liaise with NSW Police in relation to any additional measures required.

Where a Category 2 or 3 source is being transported, a plan must be provided to the EPA at least seven calendar days in advance of the proposed date of transport. If materials are likely to be moved frequently, the plan may be provided to EPA the first time that sources are moved.

The source transport security plan must be approved by an independent security assessor.

Access controls

To ensure that only appropriate persons with legitimate reason have access to security-enhanced radioactive sources, the Code sets out requirements for identity or security background checks, depending on the type of source and the circumstances of access.

National and state regulatory authorities are working to establish a nationally consistent approach to implementing identity and security background check requirements.

Duties of employees and contractors

Employees and contractors who deal with security enhanced radioactive sources are responsible for familiarising themselves with the applicable security plan’s requirements and complying with their organisation’s security plan.

Security incidents

Chapter 7 of the Code outlines what to do in the case of a security incident involving a radioactive source.

In the case of a security breach involving detectable theft, unexplained loss, unauthorised damage, unauthorised access or unauthorised transfer of a source, the person responsible for dealing with a radioactive source must notify NSW Police immediately and then Environment Line (131 555), advising:

• the circumstances of the breach
• the steps taken to rectify the breach
• any information that may assist in the recovery of the source if it has been lost or stolen.

The responsible person must make an initial written report as soon as possible and within three days.

A full report of the incident must be submitted to the EPA within seven days of the date of the notification. The report must contain the full incident details as described in chapter 7 of the Code and the Radiation Control Regulation 2003.

Threat level

The Code requires security plans to be scalable, based on the current national threat level. This means that if the threat level increases, the actions to limit access to a security-enhanced source can be scaled up.

The EPA maintains a record of contacts at organisations that are responsible for security-enhanced sources. In the event that national counter-terrorism authorities advise the NSW Government of a change to the threat level, responsible persons will be notified by NSW Police or the EPA.

Further information

For more information about the source security implementation program, contact the EPA's Hazardous Materials, Chemicals and Radiation Section by phone on 131 555 or by email.

• Code of Practice for the Security of Radioactive Sources
• Form to notify change of source (PDF, 181KB)
• NSW counter-terrorism planning
• Frequently asked questions.