Commonwealth Consolidated Acts Commonwealth Consolidated Acts(1) A critical infrastructure risk management program is a written program:
(a) that applies to a particular entity that is the responsible entity for one or more critical infrastructure assets; and
(b) the purpose of which is to do the following for each of those assets:
(i) identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset;
(ii) so far as it is reasonably practicable to do so--minimise or eliminate any material risk of such a hazard occurring;
(iii) so far as it is reasonably practicable to do so--mitigate the relevant impact of such a hazard on the asset; and
(c) that complies with such requirements (if any) as are specified in the rules.
(2) Requirements specified under paragraph (1)(c):
(a) may be of general application; or
(b) may relate to one or more specified critical infrastructure assets.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003 .
(3) Subsection (2) of this section does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act 1901 .
(4) Rules made for the purposes of paragraph (1)(c) may require that a critical infrastructure risk management program include one or more provisions that:
(a) permit a background check of an individual to be conducted under the AusCheck scheme; and
(b) provide that such a background check must include assessment of information relating to one or more of the matters mentioned in paragraphs 5(a), (b), (c) and (d) of the AusCheck Act 2007 , as specified in the rules; and
(c) provide that, if such a background check includes an assessment of information relating to the matter mentioned in paragraph 5(a) of the AusCheck Act 2007 , the criteria against which that information must be assessed are the criteria specified in the rules; and
(d) provide that, if such a background check includes assessment of information relating to the matter mentioned in paragraph 5(d) of the AusCheck Act 2007 , the assessment must consist of whichever of the following is specified in the rules:
(i) an electronic identity verification check;
(ii) an in person identity verification check;
(iii) both an electronic identity verification check and an in person identity verification check.
(5) Subsection (4) does not limit paragraph (1)(c).
(6) In specifying requirements in rules made for the purposes of paragraph (1)(c), the Minister must have regard to the following matters:
(a) any existing regulatory system of the Commonwealth, a State or a Territory that imposes obligations on responsible entities;
(b) the costs that are likely to be incurred by responsible entities in complying with those rules;
(c) the reasonableness and proportionality of the requirements in relation to the purpose referred to in paragraph (1)(b);
(d) such other matters (if any) as the Minister considers relevant.
(7) For the purposes of this section, in determining whether a risk is a material risk, regard must be had to:
(a) the likelihood of the hazard occurring; and
(b) the relevant impact of the hazard on the asset if the hazard were to occur.
(8) The rules may provide that a specified risk is taken to be a material risk for the purposes of this section.
(9) The rules may provide that the taking of specified action in relation to a critical infrastructure asset is taken to be action that minimises or eliminates any material risk that the occurrence of a specified hazard could have a relevant impact on the asset.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003 .
(10) The rules may provide that the taking of specified action in relation to a specified critical infrastructure asset is taken to be action that minimises or eliminates any material risk that the occurrence of a specified hazard could have a relevant impact on the asset.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003 .
(11) The rules may provide that the taking of specified action in relation to a critical infrastructure asset is taken to be action that mitigates the relevant impact of a specified hazard on the asset.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003 .
(12) The rules may provide that the taking of specified action in relation to a specified critical infrastructure asset is taken to be action that mitigates the relevant impact of a specified hazard on the asset.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003 .