Who are SOCI Act Critical Workers?

A recap on Australia’s SOCI Act

In 2022, Australia’s 2018 Security of Critical Infrastructure Act (SOCI Act or SOCI) was amended to strengthen the security and resilience of critical infrastructure. The number of industry sectors and asset classes deemed critical was expanded to eleven, and new legislative obligations were introduced for all Responsible Entities under SOCI.

Responsible Entities for a critical infrastructure asset are the bodies with ultimate operational responsibility for an asset.

A CIRMP is a Critical Infrastructure Risk Management Plan, as set out in the CIRMP Rules.

SOCI is a large, complex piece of legislation comprising the Act plus 5 Legislative Instruments (Rules). The CIRMP Rules, which became law on 17 February 2023, also require compliance with one of 5 accepted information security frameworks (although further time has been granted for organisations to complete these cybersecurity uplifts). To comply, Responsible Entities have 6 months to develop a CIRMP (i.e., by 18 August 2023).

In my opinion the focus of SOCI on uplifting national resilience is much needed in Australia and should be applauded, although it is noted that interpreting SOCI requires careful reading and research. Implementation is complicated by changes to legislation during the parliamentary processes which affects relevance of the guidance material.


How is a ‘critical worker’ defined?

Part 1, Division 2, Section 5 of the SOCI Act

The term ‘Critical Worker’ means an individual, where the following conditions are satisfied:

(a) the individual is an employee, intern, contractor or subcontractor of the responsible entity for a critical infrastructure asset to which Part 2A applies (i.e., the asset is subject to a CIRMP);

(b) the absence or compromise of the individual:

(i) would prevent the proper function of the asset; or

(ii) could cause significant damage to the asset; as assessed by the responsible entity for the asset;

(c) the individual has access to, or control and management of, a critical component of the asset.

Meeting all elements of the above test is required to be deemed a ‘Critical Worker’. Note that Element (b) applies both an insider threat and business continuity lens to identify those who could prevent the asset’s operation or cause significant damage.

Although the legislation does not tie this to personnel, the assessment of how potential risk events could cause significant damage would ideally be done through a risk assessment, using residual risk ratings determined by the Responsible Entity.

What steps do I need to take to manage ‘Personnel Hazards’ under the Rules?

Identifying Critical Workers is only the start of the Personnel risk management process. Appropriate security measures and access controls must be implemented to ensure only Critical Workers who have passed the AusCheck (or comparable) processes gain access. Responsible Entities must also take reasonable steps to minimise or eliminate trusted insider risks (insider threats), including during the offboarding process.

Section 9 Personnel hazards

(1) For paragraph 30AH(1)(c) of the Act, for personnel hazards, a responsible entity must establish and maintain a process or system in the entity’s CIRMP:

(a) to identify the entity’s critical workers; and

(b) to permit a critical worker access to critical components of the CI asset only where the critical worker has been assessed to be suitable to have such access; and

(c) as far as it is reasonably practicable to do so—to minimise or eliminate the following material risks:

(i) arising from malicious or negligent employees or contractors; and

(ii) arising from the off-boarding process for outgoing employees and contractors.

Conceptually, getting your head around the idea that some positions in an organisation pose higher risks than others can take time. Some months ago, I wrote this primer on understanding high risk roles which may assist.

The High Risk Role concept is only one element of what SOCI calls Personnel Hazards. Whilst not mentioned in SOCI, a Personnel Security Risk Assessment is a broader activity used by the UK’s National Protective Security Agency which provides the level of traceability and scrutiny needed to identify, assess and mitigate Personnel Hazards.

What are the implications for employers?

Employers of Critical Workers need to confront the fact that some employees or contractors (or those of their suppliers) may not pass the AusCheck process. Three options are likely for each individual:

  • Employees (or employees of a critical supplier) who meet the ‘critical worker’ test voluntarily submit to the AusCheck process, with no impacts to employee engagement or employment contracts
  • Employees (or employees of a critical supplier) with existing employment contracts object to participating in AusCheck along the grounds of ‘conscientious objections’ or the suspicion they may fail
  • Employees (or employees of a critical supplier) fail the AusCheck process

Conceivably, managing the legal, financial and workplace relations implications of people who object to, or fail, the AusCheck process could be onerous, especially for industries which have not historically employed rigorous workforce screening.

Real dilemmas are likely to be encountered by smaller Responsible Entities whose operations are not large enough to separate critical from non-critical operations. Such employers may be unable to move employees who fail or object to AusCheck into non-critical worker roles, as there may not be any available. One thing is clear: employers need to be proactive and focus on what this could mean for their workforce as early as possible. Every new employment contract issued before August that does not adequately address this issue may need future remediation.

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Designing your workforce screening program

Author: Paul Curwell

Executive Summary

Workforce Screening is an important function for any business today; however, it cannot be developed on the fly and needs to properly balance the organisation’s risk and regulatory obligations against an employee’s right to privacy and the cost and operational burden created by the screening program itself. Workforce Screening should form part of a well-governed, risk-based program managed by HR and Security / Integrity comprising a range of policies, a personnel security risk assessment, and associated guidance to enable effective implementation. This article provides an overview of the key considerations when designing any workforce screening program in Australia.

What is Workforce Screening?

The practice of Workforce Screening goes by many names – vetting, background checks – all of which are the same thing. In Australia, the term Employment Screening has been used since at least 2006 with the introduction of Australian Standard AS4811:2006. However, this standard was recently updated and republished as AS4811:2022 Workforce Screening.

A Workforce Screening Program comprises the specific checks performed on each employee or contractor to determine initial and ongoing suitability for employment and the associated processes and records to manage those checks. In many organisations there are a few key artefacts which comprise any Workforce Screening Program:

  • Employment Policies
  • Corporate Security and Integrity frameworks and associated programs
  • Workforce Screening Guideline

The Workforce Screening Guideline (or Standard) details what identity verification, security and character checks are required for employees, contractors, or consultants as a condition of employment and under what circumstances these checks will be performed, such as the risk posed by an employee’s role. The relationship between these documents, and how they are created, is outlined below:

Graphic illustrating the various inputs to the Workforce Screening Program and the supporting Guideline and SOPs.

In our book Terrorist Diversion, Oliver May and I provide a detailed process map and overview of all forms of vetting, including insiders and suppliers.

When should workforce screening be performed?

Typically, workforce screening is performed periodically with four triggers:

  1. During recruitment – ideally prior to the letter of offer being issued; and,
  2. Periodically throughout employment; and,
  3. In response to an incident; and,
  4. Upon resignation – particularly important for employees involved in creating Intellectual Property or where potential Conflicts of Interest may arise post-separation.

Workforce Screening is different to Insider Threat Detection. Whilst there is a relationship between the two functions, screening is holistically focused on who the individual is (taking into account the ‘whole person’) whilst insider threat detection is focused on what the individual does once they enter the organisation. One is not a substitute for the other: they are different controls.

Screening is a legal requirement for some industries

Workforce Screening is a mandatory obligation in Australia for many regulated industries under a variety of legislation, including:

  • Financial Services – Anti-Money Laundering and Counter Terrorist Financing Act 2006 and Rules
  • Aviation – Aviation Transport Security Act 2004 and Regulations
  • Ports, Maritime and Offshore Oil and Gas Platforms – Maritime Transport and Offshore Facilities Act 2003 and Regulations
  • Commonwealth Public Service – Public Service Act 1999, Subsection 22(6) Security and Character Checks
  • Australia’s 11 declared Critical Infrastructure sectors – Security of Critical Infrastructure Act 2018 and Rules

What checks are typically performed in workforce screening?

There is a standard menu of checks which are performed across public and private sectors in Australia, including:

  • Identity verification
  • Citizenship and / or work rights
  • Credit rating and bankruptcy status
  • Education and occupational licences / trade certificates
  • Criminal history (National Police Check)
  • Sanctions and Adverse Media
  • Psychometric testing (in accordance with applicable employment policies)
  • Litigation history
  • Regulatory Actions pertaining to their profession
  • Internal employer database and record checks (for ongoing employees)
  • Candidate interview
  • Referee interviews

More intrusive checks permissible in Australia under certain circumstances include:

Not everyone will pass workforce screening, potentially including ongoing employees. There are a number of considerations associated with any workforce screening adjudication process which will be addressed in a future article.


What’s the relationship between the PSRA and High Risk Roles in Workforce Screening?

Selecting which specific background checks to perform in your employment process should not be determined by way of a ‘lucky dip’. Many organisations require a ‘background check’ as a condition of employment, but fail to articulate why each check is necessary – such as where credit scores are used as a proxy for character tests.

Rather than ad hoc approaches, organisations need traceability from a regulatory obligation, personnel security risk, policy or similar instrument which establishes the risk and outlines how performing the respective background check will mitigate it. To provide this traceability, the Register of High Risk Roles informs the Personnel Security Risk Assessment (PSRA), and the PSRA informs the design and implementation of the Workforce Screening Program as well as the Insider Risk Management Program.

The Register of High Risk Roles identifies:

  • Which positions pose a greater trusted insider risk due to a variety of factors, and therefore,
  • Which position numbers are most likely to require additional vetting and insider risk monitoring to mitigate inherent risks.

The PSRA identifies:

  • The specific trusted insider risks faced by an organisation and where these may arise by team, function, business line etc; and,
  • Suitable internal controls to manage the organisation’s inherent risk exposure (including that arising from High Risk Roles) to within risk appetite.

Cost and privacy are two important factors that also need to be considered: As with any security decision, there are tradeoffs. Workforce Screening is intrusive, expensive and has an operational impact, often delaying the commencement of new hires as well as reducing the total pool of candidates. The need for screening should be balanced against the PSRA to guide employers on what to check when, and why.



Mitigating risks from workplace sabotage

Workplace sabotage as an insider threat

My post ‘Product Tampering: A form of Workplace Sabotage’ defines sabotage as “to damage or destroy equipment, weapons, or buildings in order to prevent the success of an enemy or competitor” (Cambridge Dictionary).

When I think about how sabotage can occur in the workplace I find it easier to decompose it into three categories (which align to targets) for the purposes of prevention, detection and response:

  • Physical sabotage – intentional damage to a physical thing, such as critical infrastructure or a device
  • IT sabotage – intentional damage to IT equipment, networks, software, etc.
  • Data sabotage – intentional destruction or compromise of valuable information or data, such as Intellectual Property or research data

Sabotage is typically discussed in a wartime context where either enemy agents or special forces, or alternately sympathetic or compromised insiders, do something to benefit a foreign power (for further discussion on threat actors see my previous post). However, we are increasingly seeing acts of sabotage being performed in the workplace.

Malicious insiders are well placed to commit workplace sabotage

Acts of workplace sabotage can be perpetrated in person (on-site) or virtually (online). From an insider threat context, we are likely to see cases of workplace sabotage involving disaffected employees, such as:


Interestingly, in its 2006 study CERT refers to workplace IT sabotage as ‘trust betrayal’ and also places espionage in this category, however the paper is silent on including fraud. Fraud is probably the most common form of breach of trust in the workplace.

Don’t forget that workplace sabotage can also be perpetrated by staff members of your suppliers (see here)

To understand sabotage in more detail, we need to examine the elements of this offence.

Sabotage offences in Australia

Sabotage is a criminal offence in Australia at both the federal and state / territory levels. Under Section 82 of the Criminal Code 1995 (Cth), the main elements (abbreviated) of sabotage offences include:

  • Intentional damage, destruction or impairment of any thing, substance or material (‘article’) used in connection with Australia’s defence
  • Intentional or reckless conduct which results in damage to critical infrastructure with a nexus to a foreign government or its principal
  • Intentionally or recklessly introducing a vulnerability into an article, thing or piece of software that has a critical infrastructure or national security purpose which makes it (a) vulnerable to misuse or impairment or (b) capable of being accessed or modified by someone not entitled to do so
  • Preparing for, or planning, a sabotage offence
  • Any instances of the above with a foreign nexus, including financing, support, oversight or participation

Under Commonwealth legislation, damage to public infrastructure includes anything that: destroys, interferes, results in loss of function or becomes unsafe / unfit for purpose, becomes unserviceable, is lost, limits or prevents access, becomes defective or contaminated, results in a degradation in quality, or causes serious disruption of an electronic system. This definition is quite broad and all-encompassing.


Some offences involving specialist products, such as food, pharmaceuticals or medical devices, may be considered acts of sabotage to the layperson, however these are actually criminalised under various product tampering offences. You can read more about this in my previous post.

How to investigate alleged sabotage in the workplace?

Whilst there is an increasing amount of research into workplace sabotage, there is very little in the literature on how to actually investigate such offences. This is likely because the majority of similar cases have a nexus to national security and would not be publicly available. However, there is some publicly available US Government guidance which I have adapted below into the following investigative strategy:

  • Preserve all evidence as quickly as possible in accordance with local laws and regulations
  • Who – determine the person(s) of interest (POI), including those with means, motive and opportunity and any facilitators. Was the perpetrator an individual or part of a group? Background investigations should be performed as required
  • What – identify the actual target and qualify the extent of damage, noting the affected asset may not actually have been the intended target
  • When – confirm the exact time and date of the incident (or as close as possible) and begin building a time-event chart to document developments
  • Where – be clear on the precise location and understand any surrounding activities which may have influenced choice of target
  • Why – try to understand the reasons or rationale for the incident and the intended target, including consideration of motive and opportunity
  • How – understand the type of sabotage involved and methods used. This will likely involve a combination of investigation, analysis and technical examination
  • Was there any communication with the media, social media or internal office communications (a) indicating the POI(s) planned or was planning the act of sabotage, or (b) claiming responsibility?
  • Is there a foreign nexus such as direction, oversight, funding, communication or logistics?

The investigative steps above need to prove or disprove each element of the offence (previous section), meaning investigators need to prove the POI(s) did, tried, or intended to cause harm or damage, or were reckless in their actions.


Can insider threat detection systems identify workplace sabotage before or during an event?

Having an understanding of what workplace sabotage is and how it typically occurs, we can turn our minds to how to detect it. There are quite a number of insider threat detection vendors on the market who claim their systems can do this, and there have been a number of academic studies performed in this area, primarily by Carnegie Mellon University (SEI CERT). In a follow-up to this post, I will explore these concepts in more detail.


What is a Personnel Security Risk Assessment?

Why do a Personnel Security Risk Assessment?

Trusted Insiders – employees, contractors, suppliers and business partners – are the ideal threat vector given their legitimate access and inside knowledge, yet many businesses are immature in the way they manage these risks.

A 2007 CPNI survey found many organisations don’t employ a structured approach to Personnel Security, leading to the development of guidance material on Personnel Security Risk Assessments (PSRA) to change the status quo. My experience is this dial hasn’t really shifted in Australia since the survey was published. The PSRA forms the basis of a structured, risk-based approach to managing insider risk.

A team is only as strong as its weakest link: Personnel Security helps mitigate some risks.

What is a Personnel Security Risk Assessment?

The PSRA enables a business to focus its limited prevention, detection and response resources on those areas, and position numbers (roles), of highest risk. In high security organisations, this often translates to low risk staff not being exposed to intrusive background investigations and ongoing monitoring in comparison to staff in high risk roles.


The PSRA also informs the design of an organisation’s vetting standards (i.e. what background checks are performed given the risk). This ensures employees are not subjected to intrusive checks, and the business does not incur expenses, for no real purpose.

Under the CPNI methodology, there are three types of PSRA:

  • Organisational PSRA – identifies enterprise level threats and risks, including the main risk types. Organisational PSRAs lack sufficient detail to identify business unit specific risks and corresponding internal controls.
  • Group PSRA – focused at the Business Unit level (or lower) or alternately specific functional groups (e.g. finance, engineering, ICT, senior executives).
  • Individual PSRA – focuses on the risk a specific individual poses, typically managed through vetting (employment screening / background investigations) and Continuous Monitoring / Continuous Evaluation (CM/CE).

The remainder of this article focuses on Organisational and Group PSRAs.

Trusted insiders have access to valuable information and assets by virtue of their roles.

How do you complete a PSRA?

The PSRA follows the ISO31000 methodology, as follows:

Step 1 – Scoping

As with any risk assessment, scoping is probably the most important step, as poor scoping can inadvertently exclude material risks. When scoping, I ask questions such as:

  • What is the organisation’s strategy?
  • What are the critical assets (or core business activities) requiring protection?
  • What regulatory or ‘social licence to operate’ considerations are there?
  • What does the threat landscape look like (determined by the threat assessment)?
  • What are the organisation’s high risk roles?

Understanding these factors allows the PSRA to be properly scoped.

Setting the context for the PSRA - from context to treatment

Step 2 – Risk Identification

Risk Identification involves identifying sources of risk involving employees, contractors and other trusted insiders. Not every risk is applicable to every organisation, so there is an element of qualifying suggested risks whilst building the risk register.

Common categories of Personnel Security risk include:

Step 3 – Risk Analysis

Once risks are identified, analysis can begin. This involves determining the Consequence and Likelihood of a risk materialising (a ‘risk event’); combining the two produces a risk rating. It is customary to provide two risk ratings – inherent and residual – reflecting ratings without and with internal control coverage respectively.

Adequate control coverage has the effect of reducing either the consequence or likelihood of a risk event occurring, whilst inadequate or ineffective control coverage has the opposite effect.

The ISO31000 Risk Assessment. Illustrating the effect of applying controls on an inherent risk as part of the risk treatment process.

Step 4 – Risk Evaluation

Risk Evaluation involves determining whether the risk rating assigned to a given risk lies within the organisation’s risk tolerance (‘risk appetite’). This is a topic in itself which I will cover later, however for any risk treatment there are four options:

  • Accept the risk
  • Reject the risk (i.e. don’t do something)
  • Transfer the risk (e.g. to a supplier, insurer)
  • Treat the risk

Step 5 – Risk Treatment

Risk treatment involves evaluating the specific situation to determine what can be changed to reduce or modify the risk. Ways to treat personnel security risks include:

  • Implementing additional controls such as vetting, user activity monitoring or management oversight
  • Business process redesign to increase transparency or reduce the need for high level account privileges
  • Policy changes, including implementing and enforcing compliance via IT systems
  • Use of analytics for insider threat detection
  • Implementing and communicating internal reporting programs for staff who identify suspicious activity
  • Cultural change and security awareness training

Risk treatment plans should be incorporated into programs, frameworks, policies, systems or business processes to ensure they are implemented effectively.

Step 6 – Communication and Consultation

Communicating throughout any risk assessment process is critical, as is engaging with stakeholders including management and relevant business functions (e.g. HR, Legal, Security, Risk, etc.) when completing the risk assessment, evaluation and treatment process. Employee representatives are another critical stakeholder group, to ensure employees’ privacy is respected.

Step 7 – Monitoring and Review

The last step in the PSRA process is to ensure the assessment is periodically updated, ideally through an annual or biannual refresh depending on the extent of change in your organisation. The longer personnel security risks go unrecognised, the greater the vulnerability.
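The inherent-versus-residual calculation of Step 3, the appetite test of Step 4 and the resulting treat/accept decision, as an added Python illustration that is not from the article or from the CPNI or ISO 31000 material; the 1 to 5 scales, the rating bands, the controls and the sample risk register are constructed assumptions to be replaced with your organisation’s own.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed 1..5 ordinal scales and rating bands (assumptions; ISO 31000
# does not prescribe them). Rating = band of likelihood x consequence.
BANDS = ["Low", "Medium", "High", "Extreme"]
THRESHOLDS = [(15, "Extreme"), (10, "High"), (5, "Medium"), (1, "Low")]


def rating(likelihood: int, consequence: int) -> str:
    """Map a likelihood x consequence score to one of BANDS."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be on the 1..5 scale")
    score = likelihood * consequence
    return next(band for floor, band in THRESHOLDS if score >= floor)


@dataclass
class Control:
    """An internal control that lowers likelihood or consequence by `steps`."""
    name: str
    reduces: str            # "likelihood" or "consequence"
    steps: int
    effective: bool = True  # inadequate or ineffective coverage earns no credit


@dataclass
class PersonnelRisk:
    risk_id: str
    description: str
    role: str               # the role or position number the risk attaches to
    likelihood: int         # inherent levels, i.e. before control coverage
    consequence: int
    controls: list[Control] = field(default_factory=list)

    def residual_levels(self) -> tuple[int, int]:
        """Step 3: apply effective controls; a level never drops below 1."""
        lik, con = self.likelihood, self.consequence
        for ctl in self.controls:
            if not ctl.effective:
                continue
            if ctl.reduces == "likelihood":
                lik = max(1, lik - ctl.steps)
            elif ctl.reduces == "consequence":
                con = max(1, con - ctl.steps)
            else:
                raise ValueError(f"{ctl.name}: unknown target {ctl.reduces!r}")
        return lik, con

    def residual_rating(self) -> str:
        return rating(*self.residual_levels())


def evaluate(risk: PersonnelRisk, appetite: str) -> str:
    """Step 4: residual rating within appetite -> Accept, otherwise Treat."""
    within = BANDS.index(risk.residual_rating()) <= BANDS.index(appetite)
    return "Accept" if within else "Treat"


def assess_register(register: list[PersonnelRisk], appetite: str) -> dict[str, dict]:
    """Produce the inherent/residual ratings and Step 4 decision per risk."""
    return {r.risk_id: {"role": r.role,
                        "inherent": rating(r.likelihood, r.consequence),
                        "residual": r.residual_rating(),
                        "decision": evaluate(r, appetite)}
            for r in register}


# Constructed sample register for a Group PSRA of an ICT function.
SAMPLE_REGISTER = [
    PersonnelRisk("PSR-01", "Privileged administrator destroys systems or data",
                  "ICT administrator", likelihood=3, consequence=5, controls=[
                      Control("Pre-employment vetting", "likelihood", 1),
                      Control("Privileged access with dual approval", "likelihood", 1),
                      Control("Immutable off-site backups", "consequence", 2)]),
    PersonnelRisk("PSR-02", "Departing engineer removes intellectual property",
                  "R&D engineer", likelihood=4, consequence=4, controls=[
                      Control("Exit screening and access revocation", "likelihood", 1),
                      Control("Data loss prevention", "likelihood", 1, effective=False)]),
]
```

Note that the second risk stays High because its data loss prevention control is recorded as not yet effective, which is the Step 3 point that inadequate coverage earns no reduction and so the risk is flagged for treatment.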
