Complying with the SLACIP and SoNS Critical Infrastructure Laws

In an effort to increase its security posture, Australia has introduced the Australian Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act). It amends the Security of Critical Infrastructure Act 2018 (SOCI Act), and Systems of National Significance (SoNS) regulations. The regulations look to improve resilience and risk management practices of the Critical Infrastructure sector and facilitate the secure sharing of information between these organisations and the government. This article outlines what is required for compliance as well as solutions to help you quickly implement the security mechanism required.

Understanding the new critical infrastructure obligations

The SLACIP Act and SoNS legislation require Critical Infrastructure providers and those managing Systems of National Significance to meet specific requirements for data management, security and protection. SLACIP also expands the scope of organisations that are deemed critical infrastructure.

Under SLACIP, the general obligations for all Critical Infrastructure providers include the ability to:

• Establish, maintain, implement and regularly review a risk management program;
• Identify, prevent and mitigate risks and hazards that could impact the availability, integrity, reliability and confidentiality of critical infrastructure assets; and
• Provide an annual report to the Government regarding its risk management program.

Additional obligations for SoNS entities include the need to:

• Develop cyber security incident response plans to prepare for a cyber security incident;
• Undertake cyber security exercises to build cyber preparedness;
• Undertake vulnerability assessments to identify vulnerabilities for remediation; and/or
• Provide system information to develop and maintain a near real-time threat picture.

What organisations do SLACIP and SoNS apply to?

If you’re wondering whether or not these regulations apply to your organisation, the list below outlines the industries that are subject to the requirements laid out in the SLACIP Act:

• Critical Data Storage or Processing
• Financial Services and Markets
• Communications
• Defence
• Higher Education and Research
• Food and Grocery
• Healthcare and Medical
• Water and Sewage
• Space Technology
• Transport
• Energy

Additionally, some critical infrastructure entities must also adhere to SoNS if they are considered an asset of national significance. The two key factors used to determine this include the following assessment criteria:

• Does the asset have interdependencies with other critical infrastructure assets?
• Would its compromise significantly impact Australia’s national security, defense, or social/economic stability?

If your organisation falls under the Critical Infrastructure definitions above, you must adopt and maintain a risk management program. This includes any cyber threats to the digital ecosystem of a critical infrastructure asset and insider threats within a Critical Infrastructure workforce. In addition to the obligations for critical infrastructure assets under the SLACIP Act, any organisation classified as SoNS must also comply with Enhanced Cyber Security Obligations (ECSO).

Any company that works with and supplies these Critical Infrastructure entities must also employ secure systems to exchange and collaborate on sensitive information.

While risk management and governance are critical to SLACIP and SoNS compliance, implementing the level of security required by the legislation can be challenging. It can be costly, time-consuming and difficult to achieve the compartmentalised access and strict sharing controls required for the management of sensitive and classified information, especially for SMEs.

Fast Track Compliance with Kojensi

Kojensi SaaS provides a turnkey solution. It offers a ready-to-deploy government-accredited PROTECTED document management and information sharing cloud service to support SLACIP and SoNS compliance requirements, as well as those for ISM, DISP and PSPF.

Kojensi’s industry-leading attribute-based access control (ABAC) model offers the level of granular access and sharing control needed for compliance. User and document attributes control the flow of information and facilitate secure sharing to validate access and sharing policies each and every time a file is accessed or shared internally or with industry partners. A full audit trail, version control, and tracking capabilities assist with meeting auditing requirements.

Critical Infrastructure organisations can consume the SaaS-based platform as needed, without the substantial costs of implementing new on-premises secured ICT infrastructure. Within minutes of deploying, users can set up a shared workspace and invite internal and external partners to share and collaborate on the information required to carry out projects, knowing that users will only have access to information they are authorised to.

Kojensi allows the Critical Infrastructure Responsible Entity to:

• Provide knowledge transfer using an accredited, safe and controlled hosted environment without having to grant partners access to internal networks.
• Enable secure collaboration between internal users, partners and government.
• Support the sharing of files with multiple classifications within a single repository for ease of management.
• Enforce strict control over information access and sharing using ABAC-enabled policies set by the information owners.
• Grant access only if a user meets the policy requirements based on key attributes such as a user’s organisation, nationality, clearance, and compartmentalisation of information.
• Record a full history of user interaction, and changes made to files, workspaces and other administrative tasks for auditing purposes.

Kojensi ensures that Critical Infrastructure information can be securely shared and collaborated on with authorized internal users and third parties while preventing unauthorized access. Discover the advantages of the accredited Kojensi SaaS platform to quickly meet SLACIP, SoNS, and other government information security requirements.