SSBA Fact Sheet 11 Upgrading a Facility from Tier 2 to Tier 1 SSBAs - September 2013

The purpose of the SSBA Fact Sheets is to support the education and awareness of the SSBA Regulatory Scheme and provide information to stakeholders on topics of particular interest.

Page last updated: January 2014

PDF printable version of Fact Sheet 11 Upgrading a Facility from Tier 2 to Tier 1 SSBAs - September 2013 (PDF 357 KB)

Release Date: September 2013

Tier 1 security sensitive biological agents (SSBAs) are of the highest security concern and Tier 2 SSBAs are of high security concern. This fact sheet outlines the additional requirements for handling Tier 1 SSBAs if you are already registered for handling Tier 2 SSBAs. Refer to the National Health Security Act 2007, the National Health Security Regulations 2008 and the SSBA Standards for requirements that relate to both Tier 1 and Tier 2 SSBAs.

SSBA standards requirements

The clauses outlined below are requirements specific to handling Tier 1 SSBAs under the SSBA Standards.

Part 2 – Risk and incident management

Subclause 2.2.3 – Risk assessment process

A risk assessment and risk management plan must be undertaken and implemented for the Tier 1 SSBAs to be handled. As part of this assessment, a vulnerability analysis must be undertaken for all Tier 1 SSBAs. Vulnerability is defined as any weakness that can be exploited to make an asset susceptible to change. A vulnerability analysis is defined in the SSBA Standards as the determination of how each credible threat can be realised against a critical asset. Further information on the vulnerability analysis can be found under Clause 2.2.3 in the SSBA Standards.

Clause 2.5 – Review

Risk assessment and risk management plans must be reviewed every 12 months for risks involving Tier 1 SSBAs.

Part 3 – Personnel

Clause 3.4 – Approved Persons

Approved persons who will handle or who will have access to a facility that handles or has access to sensitive information about Tier 1 SSBAs, must be escorted by an authorised person at all times when in the facility or when handling or having access to Tier 1 SSBAs or sensitive information about Tier 1 SSBAs. Escorted is defined under the SSBA Standards as remaining in the line of sight of the authorised person at all times in the secure area or while having access to sensitive information.

Clause 3.6 – National Health Security (NHS) checks

The entity must apply to AusCheck for a National Health Security check for all persons who will be authorised persons handling Tier 1 SSBAs, accessing the facility where Tier 1 SSBAs are handled or accessing sensitive information relating to Tier 1 SSBAs. National Health Security checks are not required if the person currently holds a national security clearance of Negative Vetting Level 1, Negative Vetting Level 2 or Positive Vetting.

Clause 3.9.1 – Training and competency

Training for personnel handling Tier 1 SSBAs must include personal security awareness. Personal security is concerned with personnel during their off-duty hours. During this time personnel may be vulnerable due to their function or position. Personal security awareness should cover potential risks associated with their role and provide advice on how to handle and report situations of concern.

Competencies must be reviewed at least annually for all persons who handle a Tier 1 SSBA, have access to facility containing a Tier 1 SSBA or have access to sensitive information about Tier 1 SSBAs.

Part 4 – Physical Security

Clause 4.3 Physical access controls

Facilities handling Tier 1 SSBAs must:

  • have two forms of access control before reaching a Tier 1 SSBA. One form of access control must be at the perimeter of the secure area and an additional access control must be in place to prevent physical access to the Tier 1 SSBA. This second control may be within the secure area, for example at the last physical barrier to the SSBA (e.g. at the freezer door)
  • have effective measures to prevent tailgating
  • The access control must record the identification of the person, the time and date of entry to the secure perimeter and to the secondary access control and the identification of the person, time and date of exit from the secure perimeter
  • Access records must be maintained for six months
  • access control systems must be tested every six months.

Part 4A – Storage

Clause 4.4 Storage of Tier 1 SSBAs

The entity must only store Tier 1 SSBAs within the secure perimeter (as defined under clause 4.2) of the registered facility.

top of page

Part 5 – Information management

Clause 5.2 – Record keeping

Records of all activities relating to the SSBA Standards must be maintained for a minimum of five years for Tier 1 SSBAs (unless otherwise specified in the Standards).

Clause 5.3 – Information security

Permissions regarding who is able to access sensitive information relating to Tier 1 SSBAs must be reviewed every six months. Sensitive information relating to Tier 1 SSBAs must be stored on a secure system and backed-up regularly.

Part 8 – SSBA management system requirements

Subclause 8.4.3 – Internal inspection

Entities handling Tier 1 SSBAs must conduct internal inspections at planned intervals of no more than six months.

How to register to handle Tier 1 SSBAs

Before receiving a Tier 1 SSBA, the entity should ensure that the facility meets the Tier 1 requirements in the SSBA Standards. If the facility has received a Tier 1 SSBA and is not compliant with the SSBA Standards, the facility must dispose of the SSBA and report the transfer or destruction to the Department of Health (Health).

Once the facility is compliant with the SSBA Standards, Tier 1 SSBAs may be transferred into the facility. The facility has two business days after the transfer of the new SSBA, in which to report to Health using a Start to Handle New SSBA form.

CHECKLIST Yes No
Have you updated or created a risk assessment and risk management plan for the Tier 1 SSBAs?
Does your risk assessment and risk management plan include a vulnerability analysis?
Is your risk assessment and risk management plan reviewed annually (or will be)?
Do you have two forms of access control to the Tier 1 SSBA?

- Is at least one form of access control at the secure perimeter?

Are there effective measures to prevent tailgating?
Is the sensitive information regarding Tier 1 SSBAs held on (or will be held on) a secure system?
Are Tier 1 SSBAs only stored within the secure perimeter?
Have internal practices been put in place to ensure that:

- Approved persons will be escorted at all times when handling or accessing a facility that handles SSBAs or accessing sensitive information?

- National Health Security checks have commenced?

- Training requirements include personal security awareness for people handling Tier 1 SSBAs?

- Competencies are reviewed at least annually for people handling or with access to sensitive information regarding Tier 1 SSBAs?

- Permissions regarding who is able to have access to sensitive information are (or will be) reviewed every six months?

- Records relating to the SSBA Standards maintained for a minimum of five years (unless otherwise specified in the Standards)?

- Internal inspections are to be carried out at planned intervals of no more than six months?

top of page