Understanding SOCI is inherently complex
I’ve said it before and I’ll say it again – Australia’s Security of Critical Infrastructure Act, or SOCI for short, is a big, complex piece of legislation comprising the Act itself, supported by (5) legislative instruments (Rules) which provide more guidance on implementation. Anyone who claims the legislation is simple really hasn’t read it!
Working with legislation like this is likely to be completely new for many Australian executives and security professionals unless they have prior experience in highly regulated industries or in regulatory compliance.
If you are new to compliance or would like to understand how to build an ISO 37301:2021 Compliance Obligation Register, have a read of this article I wrote in March 2023:
Each time I read the legislation I pick up something new – this often requires me to flick back and forth through the various documents and sections of the Act to cross-reference each obligation or definition and understand its intent.
With legislation like this, you only start to understand its nuances as you apply it to real-world examples, decomposing each element of a critical asset and applying the legislative tests to determine the appropriate treatment.
Developing a compliant CIRMP whilst minimising unnecessary costs and the impact on a critical infrastructure operator's business, workforce and supplier ecosystem is the challenge.
SOCI creates two key documents
Information or data (as opposed to information system security) is a domain of SOCI, just like Personnel referenced in my previous article on Critical Workers:
Under SOCI, there are effectively two key documents which relate to information and information protection:
- Register of Critical Infrastructure Assets – this Register is not public and is maintained by the Secretary of Home Affairs. It comprises information on specific critical assets and beneficial ownership and control information for every piece of Australian critical infrastructure.
- Critical Infrastructure Risk Management Plan (CIRMP) – all Reporting Entities are required to have a complete CIRMP by six months after the day of commencement of the Rules, or 18 August 2023.
The Register needs to include your Operational Information
Operational Information differs from Sensitive Operational Information under SOCI. Divn 2 (19) of the Act requires Responsible Entities to provide an initial version of their Operational Information to the Department for inclusion in the Register.
Under s26 of the Act, should a Notifiable Event arise then an updated version of the Responsible Entities’ Operational Information must be provided to Home Affairs. Presumably, this information will enable the Australian Government to rapidly perform a damage assessment and to support any crisis or national security response that may be required.
Under SOCI, Operational Information related to a Critical Infrastructure Asset means:
- The asset’s location and a description of the area the asset services;
- Information about each organisation that is the Responsible Entity for (or an operator of) the asset, comprising: the entity’s name, business registration number, head office or principal place of business address, and country of incorporation or formation;
- Information about the CEO (or equivalent), comprising their full name and citizenship(s);
- A description of the arrangements under which each operator operates the asset (or a part of the asset), including details of any control system of the asset if it is managed by a separate body;
- A description of the arrangements under which data prescribed by the Rules relating to the asset is maintained;
- Information prescribed by the Rules for the purposes of this paragraph (see below).
The ‘information prescribed by the Rules’ referenced above is currently only defined in Division 2.2 of the Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021, where Operational Information comprises six categories:
- Personal Information for at least 20,000 people (as defined in the Privacy Act 1998)
- Sensitive Information (as defined in the Privacy Act 1998)
- Critical Infrastructure Asset related Research and Development information
- Information on systems needed to operate the Asset
- Information about risk management (including security) and business continuity / crisis management / operational resilience about the Asset
- Other sector-specific information as defined in 2.2 (17) (1) (vi) of these Rules
For any of the above Operational Information, Responsible Entities must provide the Department, for its Register, a description of the arrangements that comprises:
- The name of the entity that maintains the data; and
- If that entity is not the Responsible Entity for the asset (e.g. Microsoft, Google etc.), that entity’s business registration number, head office or principal place of business address, and country of incorporation; and
- The address where the data is held (e.g. where the computers or servers holding the data are located) and whether those computers or servers are part of a cloud service; and, if a cloud service is used, the name of the cloud service (e.g. Microsoft) and the kind of data that the entity maintains in those computers, servers or cloud environment.
What is Sensitive Operational Information?
Sensitive Operational Information is only mentioned in the CIRMP Rules in relation to identifying Material Risks to a Critical Infrastructure Asset. These Rules list six examples of what would constitute sensitive information:
- Layout diagrams
- Geospatial information
- Configuration information
- Operational constraints or tolerances information
- Data that a reasonable person would consider to be confidential or sensitive about the asset
The above categories of information are primarily technical in nature – for example, engineering or ICT detail – and the focus is on minimising the disclosure of information about a critical infrastructure asset’s vulnerabilities, particularly where that information is stored, transmitted or processed outside of Australia.
- Australian Government (2018). Security of Critical Infrastructure Act 2018, https://www.legislation.gov.au/Details/C2022C00160
- Australian Government (2021). Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2022, https://www.legislation.gov.au/Details/F2023C00097
- Australian Government (2023). Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023, https://www.legislation.gov.au/Details/F2023L00112
- Curwell, P. (2021). In business, confidential information is a critical asset
- Curwell, P. (2021). How is confidential information compromised?
- Curwell, P. (2023). Developing a compliance obligation register for your business
- Curwell, P. (2023). Who are SOCI Act Critical Workers?