For Official Use Only Sensitive

Template for a Maritime Security Identification Card Plan

Template to support the Maritime Security Identification Card Plan
Released August 2015

<<Name of Issuing Body>> ASIC Program, Version #, Month and Year

Disclaimer

The Department makes all reasonable efforts to ensure that the information provided in this document is accurate. However, the contents of this document are provided as a general guide only; the Department does not guarantee the accuracy, currency or completeness of any information contained in this document. The Department will not accept any responsibility or liability for any loss, however caused, arising from the use of, or reliance upon, the contents of this document. Therefore, before relying on any information contained in this document, you should always make your own enquiries, consider your individual circumstances, seek professional advice, and check that the information is accurate and current.

Template for a Maritime Security Identification Card Plan, August 2015

Introduction

The template may be used to outline the Maritime Security Identification Card (MSIC) Plan of an Issuing Body authorised to issue MSICs. The MSIC Plan is regulated under the Maritime Transport and Offshore Facilities Security Act 2003 and the Maritime Transport and Offshore Facilities Security Regulations 2003.

Using the Template

This template includes instructions and prompt boxes where you must insert your own measures and procedures to demonstrate compliance with the Maritime Transport and Offshore Facilities Security Regulations 2003 as an MSIC Issuing Body. Please ensure ALL instructions and prompt boxes have been deleted from your MSIC Plan prior to submission. Where <<Name of Issuing Body>> presents throughout the document, please insert your legal entity name.
Note: It is important to note that your MSIC Plan must detail your own specific and relevant measures and procedures.

Submitting the Template

Upon completion, submit your MSIC Plan electronically (minus these introductory pages) to: national.coordinator@infrastructure.gov.au

or by mail to:

National Coordinator
Office of Transport Security
GPO Box 1966
CANBERRA ACT 2601

Should you have any questions regarding your Plan or this template, please email the Issuing Body Coordinator at: issuingbody.coordinator@infrastructure.gov.au

Template for a Maritime Security Identification Card (MSIC) Plan
for
<Insert Issuing Body Legal Entity Name>

Trading Name: <Insert Trading Name>
ACN / ABN: <Insert Australian Company Number or Australian Business Number>
Physical Address: <Insert Issuing Body’s Physical Office Address>
Postal Address: <Insert Issuing Body’s Postal Address>
Date: DD/MM/YYYY

<<Name of Issuing Body>> MSIC Plan, Version #, Month and Year

Contents

This table of contents will automatically update when the document is printed. If you click on the table and press function key F9, it will update immediately. You will be able to confirm any changes you initiate at that time. This template has the classification of “For Official Use Only” in the header. This classification is applicable from the time you make your first entry into the template.
[Please remove this highlighted area before submitting your MSIC Plan]

Maritime Security Identification Card (MSIC) Plan Template
Contents
Glossary of Acronyms and Terms
1 Plan Administration
  1.1 Scope
  1.2 Applicant Types
  1.3 Document Management
    1.3.1 MSIC Plan Revision Record
  1.4 Document Protection
  1.5 Quality Assurance Measures
  1.6 Variations
  1.7 Contact Details
2 Introduction
  2.1 Purpose
3 Issue and Production of MSICs
  3.1 MSIC Administration
    3.1.1 Agents
    3.1.2 MSIC Production
    3.1.3 Issuing Body Staff Requirements
  3.2 MSIC Application Procedure
    3.2.1 Verification of Identification Documentation
    3.2.2 Verification of Operational Need
    3.2.3 Background Checks for MSIC Applications
    3.2.4 Issue of MSIC to ASIC Holders
    3.2.5 MSIC Application Form
  3.3 Collection and Secure Transport of MSICs
  3.4 Form of MSICs
4 Design, Distribution and Storage of Sample MSICs for Training Purposes
  4.1 Sample MSICs
5 Procedures for the Safekeeping, Secure Transport and Disposal of MSICs and Associated Equipment
  5.1 Safekeeping of MSICs and Associated Equipment
  5.2 Secure Transport of MSICs
  5.3 Disposal of MSICs and Associated Equipment
6 Procedures for the Recovery and Secure Destruction of Issued MSICs that are No Longer Required
  6.1 Recovery Procedures
  6.2 Secure Destruction Procedures
7 Security of Records in Relation to Applicants for MSICs
  7.1 Security of Records
8 Procedures for Lost, Stolen or Destroyed MSICs
  8.1 Lost MSICs
  8.2 Stolen MSICs
  8.3 Destroyed MSICs
9 Procedures to Ensure that MSICs are Returned when No Longer Required
  9.1 Return of MSICs
10 Revocation of Authority as an Issuing Body - Preservation of Records
  10.1 Procedures for the Preservation of Records
11 Obligations of MSIC Holders
  11.1 Obligations of Holders
Attachment <<XX>>
Attachment <<XX>>
Attachment <<XX>>

Glossary of Acronyms and Terms

A range of terms are defined in the Act and Regulations. The legislation is available from www.comlaw.gov.au.

Note: Insert any acronyms or definitions to the list above that are specific to the Issuing Body’s operations, for example the abbreviated name or acronym of the Issuing Body.
Term: Meaning

Act, the: Maritime Transport and Offshore Facilities Security Act 2003.

AFP: The Australian Federal Police established under the Australian Federal Police Act 1979.

AGD: Attorney-General’s Department.

ASIO: The Australian Security Intelligence Organisation established under the Australian Security Intelligence Organisation Act 1979.

AusCheck scheme: The scheme prescribed for the purposes of Section 8 of the AusCheck Act 2007.

Background Check: For an individual, means an assessment, under the AusCheck scheme, of information about any of the matters mentioned in Section 5 of the AusCheck Act 2007.

Department, the: Department of Infrastructure and Regional Development.

Disqualifying Offence: A maritime-security-relevant offence mentioned in Part 1 of Schedule 1 to the Regulations.

Holder: Holder of an MSIC, means the person to whom it is issued.

Maritime Industry Participant (MIP): Maritime Industry Participant means:
  a) a port operator; or
  b) a port facility operator; or
  c) the ship operator for a regulated Australian ship; or
  d) the ship operator for a regulated foreign ship; or
     a. an offshore industry participant; or
  e) a contractor who provides services to a person mentioned in paragraphs (a) to (d); or
  f) a person who:
     i. conducts a maritime-related enterprise; and
     ii. is prescribed in regulations.
  (regulation 1.05 of the Regulations).

MSIC: Maritime Security Identification Card.

MSIC Plan: A Plan of the kind described in regulation 6.07Q.

Maritime Security Zone: The term used to describe:
  - A port security zone.
  - A ship security zone.
  - An on-board security zone.
  - An offshore security zone.

Operational Need: A person has an operational need to hold an MSIC if his or her occupation or business interests require, or will require, him or her to have unmonitored access to a maritime security zone at least once each year.

OTS: The Office of Transport Security within the Department of Infrastructure and Regional Development.

Regulation(s), the: The Maritime Transport and Offshore Facilities Security Regulations 2003.

Secretary, the: The Secretary of the Department of Infrastructure and Regional Development.

Secretary AGD: The Secretary of the Attorney-General’s Department who is responsible for administering the AusCheck scheme.

1 Plan Administration

Reference: Part 6, Division 6.1A

1.1 Scope

This Plan sets out the procedures under which <<Name of Issuing Body>> issues MSICs. <<Name of Issuing Body>> will comply with both the Regulations and the procedures set out in this Plan.

<<Name of Issuing Body>> ensures that any agents (if applicable) engaged to undertake tasks specified within this Plan comply with both the Regulations and the procedures set out in this Plan.

This Plan does not authorise the issue of temporary MSICs. Temporary MSICs are only to be issued to a person by a maritime industry participant (MIP), where its maritime security plan, ship security plan, or offshore security plan provides for the MIP to issue temporary MSICs.

1.2 Applicant Types

<<Name of Issuing Body>> may issue MSICs for the following types of applicants:*

* Delete/Modify/Add below as appropriate

- Employees and contractors of <<Name of Issuing Body>>;
- Employees and contractors of <<Name of Port(s)/Port Facilities>>;
- Employees and contractors of tenancies at <<Name of Port(s)/Port Facilities>>;
- Employees and contractors of offshore facilities;
- Locally based contractors who provide services to Maritime Industry Participants at <<Name of Port(s)/Port Facilities>>;
- Any locally based persons who meet the legislative requirements to be issued an MSIC; and/or
- Any person who meets the legislative requirements to be issued an MSIC.
1.3 Document Management

<<Name of Issuing Body>>’s document management procedures are:

Note: The Issuing Body may include document management procedures in their MSIC Plan to enable the Issuing Body to have better version control of this document. Once this Plan is approved, any further variations must be submitted to the Secretary for consideration and approval which must be received prior to implementation.

In accordance with the Regulations, <<Name of Issuing Body>> submits their MSIC Plan and any future variations to the Secretary for approval. Once the MSIC Plan is approved by the Secretary, <<Name of Issuing Body>> will give effect to the measures and procedures contained within the approved MSIC Plan.

1.3.1 MSIC Plan Revision Record

Section Page Number(s) 1.0 1.1 Approved By Number(s) Date of Latest Revision All All 31 May 2013 G.Smith 1.2 6 6 December 2014 G.Smith Version

[Please remove the example text in the table above and insert your own revision record details before submitting your MSIC Plan. The document footer must also be updated to reflect the latest version number and date of this MSIC Plan as per the above table.]

1.4 Document Protection

<<The Port Facility Security Officer/ Port Security Officer/ insert relevant position title>> is responsible for the management and implementation of this MSIC Plan.

The MSIC Plan is classified “For Official Use Only” and is protected from unauthorised access or disclosure to third parties using the following measures:

Note: The Issuing Body may detail the measures in place to securely store and manage access to both electronic and hard copies of this document. Appropriate storage (electronic and hard copies) for this document may include lockable filing cabinets or drawers, password protection etc.
with access limited to those persons responsible for the administration and issuing of MSICs under this MSIC Plan.

Once completed, this document is "For Official Use Only". Revealing the information contained in this document to unauthorised people may cause damage to the Issuing Body, individual applicants and/or the Australian Government.

1.5 Quality Assurance Measures

<<Name of Issuing Body>> has implemented the following quality assurance measures to ensure compliance with this MSIC Plan and the Regulations:

Note: To enhance security outcomes and ensure continuous improvement, the Issuing Body may implement quality assurance measures including reviews and audits to monitor its own compliance with the Regulations and its MSIC Plan. A review will evaluate whether the procedures contained within the MSIC Plan are effective and adequate. An audit will examine the procedures to determine whether they have been implemented correctly.

If including quality assurance measures in the MSIC Plan, the Issuing Body should set out what matters will be evaluated (e.g. card production, process verification, card recovery and destruction, etc.).

In addition to formal scheduled audits and reviews, the Issuing Body should conduct ongoing quality assurance checks to ensure that MSICs are issued in accordance with its MSIC Plan and the Regulations. Such ongoing quality assurance measures should also ensure that MSICs produced meet the requirements prescribed in the Regulations.

Any quality assurance measures included in the MSIC Plan should specify the minimum frequency at which they occur. The frequency of these measures should be sufficient to ensure the security outcome is being achieved.

An audit of this MSIC Plan should be conducted by an independent person.
The person should:
- Have an understanding of MSIC Issuing Body obligations;
- Have an understanding of the relevant sections within the Regulations; and
- Be independent of the development and management of this MSIC Plan.

For the purposes of this section, OTS is NOT an independent auditor.

1.6 Variations

Reference: r. 6.07T

Where changes to service delivery are proposed which result in a change to procedures, a variation to this Plan will be submitted to the Secretary by <<Name of Issuing Body>> for approval before being implemented.

1.7 Contact Details

The contact details for <<The Port Facility Security Officer/ Port Security Officer/ insert relevant position title>> who is/are responsible for the management and implementation of this MSIC Plan are detailed in Attachment <<XX>>.

2 Introduction

2.1 Purpose

Reference: r. 6.07Q

This document is the MSIC Plan of <<Name of Issuing Body>>, as an Issuing Body authorised to issue MSICs.

Pursuant to the Regulations, the purpose of <<Name of Issuing Body>>’s MSIC Plan is to set out procedures to be followed for the following purposes:
- the issue and production of MSICs;
- the design, distribution and storage of sample MSICs (if applicable);
- the safekeeping, secure transport and disposal of MSICs and associated equipment;
- the recovery and secure destruction of issued MSICs that are no longer required;
- the security of records in relation to applicants for MSICs;
- lost, destroyed or stolen MSICs;
- ensuring MSICs are returned to issuing bodies when they are no longer required.
This MSIC Plan must also set out the procedures that will be followed if the authorisation as an Issuing Body is later revoked, including procedures to ensure that information about applications for MSICs, and holders of MSICs is appropriately preserved.

3 Issue and Production of MSICs

Reference: r. 6.07Q(1)(a)

The procedures set out in this Plan for the issue and production of MSICs include:
- verification of identity;
- verification of operational need;
- application process;
- applications for background checks to the Secretary AGD (AusCheck); and
- collection of MSICs by applicants.

3.1 MSIC Administration

3.1.1 Agents

<<Name of Issuing Body>> engages/does not engage* agents to undertake functions contained within this MSIC Plan.

* Delete as appropriate

Note: Where an Issuing Body engages a third party (agent) to undertake elements of the MSIC issuing process on its behalf, the agent must comply with this MSIC Plan to ensure that the Issuing Body meets its regulatory obligations.

The Issuing Body is responsible for the actions undertaken by its agent(s) in connection with the issue and production of MSICs. The Issuing Body must identify who those agents are and what functions they undertake in accordance with this MSIC Plan and the Regulations. Where an agent’s procedures differ from those of the Issuing Body itself, the agent’s procedures must also be contained within this MSIC Plan. Where no agent(s) are engaged, please delete the appropriate text.

If no agents are used, delete text below

<<Name of Issuing Body>> will ensure that any agents engaged will comply with this MSIC Plan and the Regulations.
Where agents are engaged to undertake MSIC issuing functions on its behalf, <<Name of Issuing Body>> will have the following control mechanisms in place to ensure that the agents conduct those functions accordingly:

A list of agents is at Attachment <<XX>>.

3.1.2 MSIC Production

<<Name of Issuing Body>> does/does not* produce / manufacture MSICs.

* Delete as appropriate

<<Name of Issuing Body>> does/does not* have a Kinegram® machine.

* Delete as appropriate

Note: Where the Issuing Body does not have a Kinegram® machine and does not produce / manufacture its own MSICs, please nominate the Issuing Body that produces / manufactures them on its behalf.

<<Name of Issuing Body>> MSICs are produced / manufactured by <<XX>>. (Delete if the Issuing Body produces / manufactures their own).

<<Name of Issuing Body>> produces MSICs for the Issuing Bodies listed in Attachment <<XX>>. (Delete if the Issuing Body does not produce / manufacture MSICs for other Issuing Bodies).

Note: If the Issuing Body does not produce / manufacture MSICs on behalf of other Issuing Bodies please delete above.

3.1.3 Issuing Body Staff Requirements

Reference: r. 6.07V, 6.08C(1)(b), (c), (d) and (e)

<<Name of Issuing Body>> does not allow a person to be directly involved in the issue of an MSIC unless he or she is able to satisfy the security-relevant criteria for the issue of an MSIC.

Note: In some cases, MSIC issuing staff may not have an operational need sufficient to satisfy the requirement to be issued an MSIC. Nevertheless, the Issuing Body must apply to AusCheck for a background check on a person employed by them, before they are directly involved in the issue of MSICs.

3.2 MSIC Application Procedure

Reference: r.
6.07Q

<<Name of Issuing Body>> receives MSIC applications via the following methods:

* Delete/Modify/Add below as appropriate

- Directly to <<Name of Issuing Body>> in person
- Online <<insert website address>>
- By post
- Directly to <<Name of Entity>> (an agent of the Issuing Body) in person

The procedure to apply for an MSIC through <<Name of Issuing Body>> is as follows:

Note: The Issuing Body must set out the procedures of how applicants apply for an MSIC (e.g. in person, online or through agents of the Issuing Body etc.)

3.2.1 Verification of Identification Documentation

Reference: r. 6.07F, 6.07G, 6.07H

<<Name of Issuing Body>> will not issue an MSIC to a person unless it is satisfied that the identification of the applicant has been verified.

Note: An Issuing Body must confirm an applicant’s identity for both initial and renewal applications. The Regulations do not make a distinction between new or renewal applications in regards to the requirements that must be met in order for an applicant to be issued an MSIC.

<<Name of Issuing Body>> undertakes the following procedures in order to verify the identity of the applicant:

Note: Procedures may include, but are not limited to:
- How documentation is authenticated as genuine;
- How documentation is provided to the Issuing Body (personally/by post);
- Who checks the documentation presented;
- How is it checked;
- If not presented personally, how is it confirmed or verified;
- If presented through an agent, how is the documentation confirmed or verified against the applicant;
- In the case of certified documentation, how is it certified;
- If the documentation is not recognised by the Issuing Body; and
- How the copies of documentation are retained by the Issuing Body.
<<Name of Issuing Body>> accepts the kinds of documents as prescribed in regulation 6.07G for the purposes of verifying the identity of an MSIC applicant.

Note: Documents that are deemed to be primary, secondary and tertiary identification documents are identified in Regulation 6.07G.

Where an applicant presents foreign documents as identification, <<Name of Issuing Body>> undertakes the following procedures to verify the documents:

Note: The Issuing Body may set out the procedures to be followed to confirm foreign documents. These procedures may require the person to have the document(s) authenticated and translated.

3.2.2 Verification of Operational Need

Before issuing an MSIC, <<Name of Issuing Body>> ensures that the applicant’s operational need has been established.

Note: An Issuing Body must confirm an applicant’s operational need for both initial and renewal applications. The Regulations do not make a distinction between new or renewal applications in regards to the requirements that must be met in order for an applicant to be issued an MSIC.

<<Name of Issuing Body>> ascertains an MSIC applicant’s operational need through the following measures:

Note: The Issuing Body must set out the procedures to ascertain an applicant’s operational need for an MSIC. In determining whether an applicant has operational need, the Issuing Body must consider the frequency and specific reasons provided by the applicant for unmonitored access to a maritime security zone. An applicant’s occupation/position title alone is not sufficient to establish operational need. Consideration must be given to checking the authenticity of any documentation presented by the applicant to establish operational need, for audit purposes.
Operational need should be confirmed through some form of independent corroboration, for example:
- A letter from the applicant’s current employer.
- A letter from the applicant’s current contracting party.
- A letter from an Industry Participant who has responsibility for a relevant maritime security zone.

3.2.3 Background Checks for MSIC Applications

Reference: r. 6.08CA, 6.08BA, 6.08LD, 6.08LB, 6.08LBA

<<Name of Issuing Body>> lodges all background check applications with AusCheck.

A background check application to AusCheck will not be made unless <<Name of Issuing Body>> has provided the applicant with a notice explaining how AusCheck will use and disclose personal information about the individual for the AusCheck scheme. <<Name of Issuing Body>> will obtain copies of these notices from AusCheck.

<<Name of Issuing Body>> will not issue an MSIC to a person unless it has received a notice from AusCheck stating that the person does not have an adverse criminal record, or that the person has a qualified criminal record but is not a threat to the security of maritime transport or an offshore facility.

Where an MSIC holder notifies <<Name of Issuing Body>> of a change of name and/or address, <<Name of Issuing Body>> will update the AusCheck facility with the changed name and/or address within 7 days.

<<Name of Issuing Body>> will apply to AusCheck for a subsequent background check where an MSIC holder has provided notification that he/she has been convicted of a maritime-security-relevant offence.

If a person has an adverse criminal record, <<Name of Issuing Body>> or the person may apply to the Secretary under regulation 6.08F, in writing, for approval to issue the MSIC.

3.2.4 Issue of MSIC to ASIC Holders

Reference: r.
6.08E

<<Name of Issuing Body>> may issue an MSIC to a person who currently holds a valid Aviation Security Identification Card (ASIC), as issued under the Aviation Transport Security Regulations 2005, and has demonstrated an operational need for an MSIC. The ASIC holder will not be required to undergo identity confirmation, as an ASIC holder has already undergone a background check.

3.2.5 MSIC Application Form

A copy of the MSIC application form is at Attachment <<XX>>.

3.3 Collection and Secure Transport of MSICs

Reference: r. 6.07Q

<<Name of Issuing Body>> undertakes the following procedures for the collection of an MSIC by the applicant:

Note: The Issuing Body must set out the procedure for issuing an MSIC and its collection by the applicant, once the application has been approved and the card has been produced. For example, are MSICs required to be personally collected from the Issuing Body? Is Australia Post or a courier utilised? If an agent is used for the distribution of MSICs, how does the agent establish the identity of the addressee?

Procedures may include, but are not limited to:
- Confirmation by an officer of the Issuing Body when the card has been collected in person by the applicant.
- Confirmation by an agent of the Issuing Body when the card is collected in person by the applicant.
- Secure postal or courier delivery where the applicant must sign to confirm that they have received the card.

3.4 Form of MSICs

Reference: r. 6.08J

<<Name of Issuing Body>> complies with the Regulations, as to the form of an MSIC.
The form of the front of an MSIC is detailed in Figure 1:

Figure 1: MSIC
Insert image of Issuing Body’s MSIC

The back of the MSIC has the following statement in at least 10 point Arial: “You must report a maritime-security-relevant offence to your Issuing Body or AusCheck”.

Note: The Issuing Body may insert a diagram or copy of the MSIC it will be issuing.

4 Design, Distribution and Storage of Sample MSICs for Training Purposes

4.1 Sample MSICs

Reference: r. 6.07Q(1)(b)

<<Name of Issuing Body>> produces/does not produce* sample MSICs.

* Delete as appropriate

<<Name of Issuing Body>> undertakes the following procedures for the design, distribution and storage of sample MSICs for training purposes as follows:

Note: The Issuing Body must set out the procedures of how it produces and stores sample MSICs for training purposes, including those for other ports if applicable.

* If sample MSICs are not produced, please delete the appropriate text and figures.

The form of the front of a sample MSIC is detailed in Figure 2:

Figure 2: Sample MSIC
Insert image of Issuing Body’s sample MSIC

Note: The Issuing Body may insert a diagram or copy of the sample MSIC it issues.

5 Procedures for the Safekeeping, Secure Transport and Disposal of MSICs and Associated Equipment

5.1 Safekeeping of MSICs and Associated Equipment

Reference: r. 6.07Q(1)(c)

<<Name of Issuing Body>> undertakes the following measures and procedures for the safekeeping of MSICs and associated equipment:

Note: The Issuing Body must set out the security measures to safeguard equipment and information technology systems used in the production of MSICs.
For example, specific security arrangements such as access control, alarms, patrols (including frequency), CCTV (monitored/unmonitored and duration of storing footage) for the MSIC production area, etc.

Security measures for the Kinegram® machine and card printing equipment may include, but are not limited to:
- Storage of the Kinegram® machine and card printer;
- Storage and location of the spare Kinegram® foils, keys, keypad, etc. when not in use;
- Who is responsible for the Kinegram® machine and card printer and is there any documentation of this responsibility;
- Who is responsible for the Kinegram® machine and card printer maintenance and is there approved authority;
- Security of stocks of MSICs (either blank or pre-printed);
- Auditing procedures conducted on the stock of cards and/or Kinegram® rolls and frequency thereof; and
- Processes for reconciling and destroying mis-struck Kinegrams® and mis-printed MSICs.

5.2 Secure Transport of MSICs

<<Name of Issuing Body>> undertakes the following procedures to ensure the secure transport of MSICs:

Note: The Issuing Body must set out the procedures for the secure transport of MSICs between:
- The Issuing Body; and
- Agent(s) (if any); and
- The applicant.

Where MSICs are produced / manufactured by an agent, the MSIC Plan must also include the procedures for the secure transport of MSICs between that agent and the Issuing Body and/or the applicant.

Ensure that this section aligns with the procedures documented in section 3.2 ‘Collection and Secure Transport of MSICs’ (where applicable).
5.3 Disposal of MSICs and Associated Equipment

<<Name of Issuing Body>> undertakes the following procedures to ensure the secure disposal of MSICs and associated equipment in relation to the production / manufacture of MSICs:

Note: MSICs and associated equipment (printers, Kinegram® machines, foils etc.) must be disposed of in a secure manner. The Issuing Body must set out the procedures in respect to the disposal of MSICs and associated equipment. This may include, but is not limited to, the use of specialist providers for the disposal of secure information/MSICs/equipment, or return of equipment to the manufacturer, i.e. Kurz Australia.

Where associated equipment is decommissioned, <<Name of Issuing Body>> maintains effective disposal records/registers.

6 Procedures for the Recovery and Secure Destruction of Issued MSICs that are No Longer Required

Reference: r. 6.07Q(1)(d), 6.08P, 6.08Q

6.1 Recovery Procedures

<<Name of Issuing Body>> undertakes the following procedures to recover MSICs that are no longer required:

Note: All reasonable measures must be undertaken by the Issuing Body to recover an MSIC that is no longer required, including cards that have expired or been cancelled.

The Issuing Body must detail procedures used to recover an MSIC. The timeframe and frequency of these recovery attempts must be sufficient to ensure that MSICs are recovered within a timely period. Regulation 6.08P(1) requires MSICs to be returned to the Issuing Body within one month of the card expiring or no longer being required.

Numerous contact methods (e.g. contact with the holder via a combination of emails, telephone calls, SMS messages, letters etc.)
should be used in order to have the greatest chance of making successful contact with the applicant and therefore the recovery of the MSIC. The Issuing Body may consider further initiatives, such as establishing a refundable bond.

The Issuing Body should measure the effectiveness of its recovery procedures against the number of outstanding MSICs not returned.

Ensure that this section aligns with the procedures documented in section 9.1 ‘Return of MSICs’ (as applicable).

6.2 Secure Destruction Procedures

<<Name of Issuing Body>> undertakes the following procedures to ensure the secure destruction of MSICs that are no longer required:

The destruction is noted in the MSIC register.

Note: The Issuing Body must set out the procedures and methods they use to securely destroy an MSIC that is no longer required, including cards that have expired or been cancelled. Procedures may include shredding or similar to render the MSIC unusable.

7 Security of Records in Relation to Applicants for MSICs

Reference: r. 6.07Q(1)(e)

7.1 Security of Records

Reference: r. 6.08T, 6.08U

<<Name of Issuing Body>> securely stores records (including the MSIC register) containing information relating to the issue of MSICs through the following measures and procedures:

Note: The Issuing Body must set out the measures relating to the secure storage of MSIC records and its MSIC register. For example, specific security arrangements such as access control, alarms, patrols (including frequency), CCTV (monitored/unmonitored and duration of storing footage), measures in place to secure cabinets, etc.

These measures and procedures may include, but are not limited to:
- How access is restricted to employees with a need-to-know;
- How cabinets are secured (e.g.
combination locks, keys, etc.);
- How the applicant’s personal information is securely forwarded to/from agent(s) (if applicable); and
- How the agent(s) securely stores records in relation to applicants on their premises (if applicable).

Measures for electronic records must include how the Issuing Body prevents unauthorised access to records from both internal and external parties. For example, password protection, removal of access for employees that no longer have a need-to-know, firewalls etc. See http://www.staysmartonline.gov.au/business for further information.

<<Name of Issuing Body>> maintains records that are sufficient to demonstrate that it has complied with its MSIC Plan. These records are held within <<Name of Issuing Body>>’s office.

<<Name of Issuing Body>> will retain the record of issue of an MSIC for at least seven years after the creation of the record, in accordance with regulation 6.08U(2).

<<Name of Issuing Body>> maintains a register of MSICs in accordance with regulation 6.08T.

8 Procedures for Lost, Stolen or Destroyed MSICs

Reference: r. 6.07Q(1)(f)

8.1 Lost MSICs

Reference: r. 6.08R

<<Name of Issuing Body>> undertakes the following procedures regarding lost MSICs:

Note: The Issuing Body must set out procedures regarding lost, stolen and destroyed MSICs. This may include, but is not limited to:
- The Issuing Body requires a statutory declaration of the loss, theft or destruction from the holder;
- Seeking the destroyed MSIC to be returned to the Issuing Body;
- The minimum statement of facts to be contained within the statutory declaration, e.g.
circumstances surrounding the loss, theft or destruction;
- If the Issuing Body is a port/port facility operator and the MSIC has access control enabled, ensure access control is disabled for lost, stolen or destroyed MSICs;
- Procedures or advisories for the card holder (if any), to minimise the loss, theft or destruction of MSICs.

8.2 Stolen MSICs

<<Name of Issuing Body>> undertakes the following procedures regarding stolen MSICs:

8.3 Destroyed MSICs

<<Name of Issuing Body>> undertakes the following procedures regarding destroyed MSICs:

9 Procedures to Ensure that MSICs are Returned when No Longer Required

Reference: r. 6.07Q(1)(g)

9.1 Return of MSICs

Reference: r. 6.08P

<<Name of Issuing Body>> undertakes the following procedures to ensure the return of MSICs that are no longer required:

Note: All reasonable measures must be undertaken by the Issuing Body to ensure that MSICs are returned when no longer required, including cards that have expired or been cancelled.

The Issuing Body must detail procedures used to recover an MSIC. The timeframe and frequency of these recovery attempts must be sufficient to ensure that MSICs are recovered within a timely period. Regulation 6.08P(1) requires MSICs to be returned to the Issuing Body within one month of the card expiring or no longer being required.

Numerous contact methods (e.g. contact with the holder via a combination of emails, telephone calls, SMS messages, letters etc.) should be used in order to have the greatest chance of making successful contact with the applicant and therefore the recovery of the MSIC. The Issuing Body may consider further initiatives, such as establishing a refundable bond.
The Issuing Body should measure the effectiveness of its recovery procedures against the number of outstanding MSICs not returned.

Ensure that this section aligns with the procedures documented in section 6.1 ‘Recovery Procedures’ (as applicable).

10 Revocation of Authority as an Issuing Body - Preservation of Records

Reference: r. 6.07Q(2)

10.1 Procedures for the Preservation of Records

Reference: r. 6.07W, 6.07X, 6.07Z

Where the authorisation as an Issuing Body is revoked by the Secretary, <<Name of Issuing Body>> will undertake the following procedures to ensure that information about applications for MSICs and holders of MSICs is appropriately preserved:

Note: The Issuing Body must set out procedures for how it preserves information about applications for MSICs and the holders of MSICs.

11 Obligations of MSIC Holders

11.1 Obligations of Holders

<<Name of Issuing Body>> undertakes the following procedures to promote MSIC holder awareness to ensure compliance with their obligations and responsibilities under the Regulations:

Note: While MSIC holders are responsible for complying with card holder obligations as set out in the Regulations, the Issuing Body may have ongoing measures to communicate these obligations to the MSIC holders. This may be through a combination of training, advisories on the Issuing Body’s web site / intranet, emails, signage, lanyard cards, etc.
An Issuing Body may have procedures for how it communicates to card holders, to ensure they are aware of their individual obligations under the Regulations, in respect to the following matters:
- Requirement to properly display the MSIC when in a maritime security zone (regulation 6.07J(1));
- Notification of conviction and sentence for a disqualifying offence or a conviction of any other maritime-security-relevant offence and a sentence of imprisonment, within 7 days after being sentenced (regulation 6.08LB(1)(a) and (b));
- Notification, in the prescribed manner, of a change of name and/or address (regulation 6.08L(2) and 6.08LD);
- Return of MSIC to Issuing Body on expiry, suspension, cancellation, if damaged/altered/defaced or the holder no longer has an operational need to hold the MSIC (regulation 6.08P, 6.08Q);
- Notification of a lost, stolen or destroyed MSIC in the form of a statutory declaration (regulation 6.08R);
- Notification of potential penalties which may be incurred by an MSIC holder for non-display of an MSIC.

Attachment <<XX>>

Issuing Body Contact Details

Trading Name: [Insert Trading Name]
ACN / ABN: [Insert Australian Company Number or Australian Business Number]
Physical Address: [Insert Issuing Body’s Physical Office Address]
Postal Address: [Insert Issuing Body’s Postal Address]

Primary Contact Person
Name:
Position:
Phone:
Mobile:
Email:

Secondary Contact Person
Name:
Position:
Phone:
Mobile:
Email:

Attachment <<XX>>

Issuing Bodies for Whom <<Name of Issuing Body>> Produces MSICs

Note: With reference to section 3.1 of the Plan, the Issuing Body must list the names of those Issuing Bodies for whom it produces MSICs.
Issuing Body    Written Agreement    Date of Agreement
XYZ Port Ltd    Yes                  01 Jan 2012

Attachment <<XX>>

Attach copy of MSIC Application Form here.