The Security of Critical Infrastructure Act 2018 (SOCI Act) is an Australian Federal Government Act that outlines the legal obligations for entities that own, operate, or have interests in critical infrastructure assets.
The Act defines critical infrastructure as those physical facilities, supply chains, information technologies, and communication networks which, if destroyed, degraded, or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security.
The SOCI Act includes several positive security obligations, such as the requirement to notify data service providers and to implement a Critical Infrastructure Risk Management Program (CIRMP).
Enhanced Cyber Security Obligations (ECSO) are also part of the Act, aiming to ensure the security and resilience of critical infrastructure. The Act has undergone amendments in 2021 and 2022 to better capture assets critical to Australia’s defence, national security, economic, and social stability, and to respond to the deteriorating threat environment related to cyber-attacks.
The SOCI Act has significant implications for impacted businesses in Australia and mandates several obligations for such businesses. As an example, there is the requirement to notify data service providers if they are storing or processing business-critical data. This ensures that companies handling sensitive data for critical infrastructure assets are aware of their obligations under the Act and treat the security of the data appropriately.
Businesses must also register certain information related to critical infrastructure assets with the Cyber and Infrastructure Security Centre (CISC). This registration provides the government with a comprehensive understanding of the ownership and operational arrangements of critical infrastructure across the Australian economy, helping to better identify and respond to security risks.
Impacted businesses are also required to have and comply with a Risk Management Program for their critical infrastructure assets. This ensures that responsible entities have a comprehensive understanding of the threat environment and develop processes and procedures to effectively respond to any hazards impacting their assets.
Additional obligations include mandatory cyber incident reporting, which helps the government develop an aggregated threat picture to inform both proactive and reactive cyber response options.
A written risk management program, particularly one prepared for compliance with the SOCI Act, is a comprehensive document that outlines how an organisation identifies, assesses, and manages risks to its critical infrastructure assets. Its goal is to ensure that these assets remain secure, reliable, and resilient against potential threats. Set out below are the key elements to consider.
The first step in developing a risk management program is to identify material risks. This involves taking an all-hazards approach to pinpoint risks that could impact the availability, integrity, reliability, and confidentiality of critical infrastructure assets. It’s crucial to consider both internal and external threats, ranging from cyber-attacks to natural disasters.
Once the risks are identified, the next step is to outline strategies to minimise or eliminate these risks. This includes proactive measures to prevent hazards from occurring and establishing processes to detect and respond to threats as they arise. The program should detail specific actions, such as implementing advanced cybersecurity measures, conducting regular security assessments, and developing incident response plans.
The risk management program must comply with the requirements set out in the SOCI Act and associated rules. This includes providing operational and ownership information to the Register of Critical Infrastructure Assets and reporting cyber incidents to the Australian Cyber Security Centre. Ensuring compliance with these obligations is critical for maintaining the security and resilience of critical infrastructure.
Implementing personnel security programs is another vital component of the risk management program. This involves conducting background checks, providing security training, and establishing protocols for monitoring and responding to potential insider threats. By addressing personnel security, organisations can mitigate risks associated with human factors.
The SOCI Act requires that the entity’s board, council, or other governing body submit an annual report to the relevant Commonwealth regulator. This report should contain information about the risk management program and how it has been maintained and updated over the year. Regular reporting ensures that the program remains effective and up to date.
The risk management program should provide an overview of the critical infrastructure risk management program obligation and why developing a CIRMP is important. It should also detail the requirements for a CIRMP, including identifying and managing material risks of hazards that could have a relevant impact on the asset. Continuous improvement is key, so the program should include guidance on maintaining the CIRMP and staying informed about the latest threats and best practices.
Maintaining open lines of communication with suppliers and other stakeholders is essential. The program should outline how the organisation will share information about potential risks, collaborate on security measures, and ensure that all parties are aligned in their efforts to secure critical infrastructure. This collaborative approach helps to enhance the overall security and resilience of critical infrastructure assets.
Developing a comprehensive risk management program is a critical step for businesses operating within key sectors identified by the SOCI Act. By including these key elements and deliverables, organisations can ensure compliance with the SOCI Act and enhance the security and resilience of their critical infrastructure assets. Remember, the goal is to create a living document that evolves with the changing threat landscape and continues to protect vital.