What are SLACIP and SoNS?
The Australian Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) which amends the Security of Critical Infrastructure Act 2018 (SOCI Act), and Systems of National Significance (SoNS) regulations are aimed at improving the resilience and risk management practices of Australia’s Critical Infrastructure sector and making it easier for organisations and governments to securely share information. The regulations impact a range of industries deemed critical infrastructure including Energy, Telcom, Financial Services, Utilities, Healthcare and Education.
The Australian Federal Government’s Critical Infrastructure legislation requires Critical Infrastructure providers, and those managing Systems of National Significance, to meet specific requirements as regards data management, security and protection.
The general obligations for all Critical Infrastructure providers are that they must:
- Establish, maintain, implement and regularly review a risk management program;
- Identify, (and as far as is reasonably practicable) prevent and mitigate risks and hazards that, could impact the availability, integrity, reliability and confidentiality of critical infrastructure assets; and
- Provide an annual report to the Government regarding their risk management program.
The additional obligations for Systems of National Significance are to:
- Develop cyber security incident response plans to prepare for a cyber security incident;
- Undertake cyber security exercises to build cyber preparedness;
- Undertake vulnerability assessments to identify vulnerabilities for remediation; and/or
- Provide system information to develop and maintain a near real-time threat picture.
Who does SLACIP Apply to?
The following categories of organisations are subject to the requirements laid out in the SLACIP Act:
- Critical Data Storage or Processing
- Financial Services and Markets
- Communications
- Defence
- Higher Education and Research
- Food and Grocery
- Healthcare and Medical
- Water and Sewage
- Space Technology
- Transport
- Energy
A small subset of critical infrastructure entities must also adhere to SoNS if they are an asset of national significance. There are two key factors used to determine whether an asset is of national significance:
- Does the asset have interdependencies with other critical infrastructure assets?
- Would its compromise significantly impact national security, defense, or social/economic stability of Australia?
What does this legislation mean for my organisation?
If your organisation falls under Critical Infrastructure in Australia you need to adopt and maintain a risk management program, including any cyber threats to the digital ecosystem of a critical infrastructure asset and insider threats within a Critical Infrastructure workforce. In addition to the obligations for critical infrastructure assets under the SLACIP Act, any organisation classified as SoNS must also comply with Enhanced Cyber Security Obligations (ECSO). Companies that work with and supply these organisations must also have a secure method to collaborate on sensitive information.
What are the Challenges to Becoming SLACIP and SoNS Compliant?
Risk management and governance are critical to SLACIP and SoNS, however, enforcing these mandates is another matter. The level of compartmentalised access and sharing controls required for the management of sensitive and classified information can be costly and difficult to achieve. Bespoke solutions can take months or longer to build and the expense is prohibitive for small to medium enterprises. A hosted platform that is built to meet the requirements of SLACIP, SoNS and other Australian government requirements including ISM, DISP and PSPF provides a viable option for rapid deployment and onboarding to help quickly assist with information security requirements.
SLACIP Compliance with Kojensi
Kojensi provides a turnkey solution with a government-accredited PROTECTED information sharing cloud service and is also available on-premises to support SLACIP compliance requirements. Kojensi’s industry-leading attribute-based access control (ABAC) model makes the platform unique. User and document attributes control the flow of information and facilitate secure sharing to validate access and sharing policies each and every time a file is accessed or shared internally or with industry partners. A full audit trail, version control, and tracking ensure transparency and help meet auditing requirements.
Critical Infrastructure organisations can consume the platform as needed, without the substantial costs of implementing new on-premises secured ICT infrastructure. Within minutes, users can set up a shared workspace and invite internal and external partners in to share and collaborate on the information required to carry out projects, knowing that users will only have access to information they are authorised to.
The Kojensi document management and file sharing platform:
- Allows for easy knowledge transfer in an accredited, safe and controlled hosted environment without having to grant access to your internal networks.
- Enables secure collaboration between internal users, with partners and government.
- Supports the sharing of files with multiple classifications within a single repository for ease of management.
- Enforces strict control over information access and sharing using ABAC-enabled policies set by the information owners.
- Grants access only if a user meets the policy requirements based on key attributes including a user’s organisation, nationality, clearance, and compartmentalisation of information.
- Includes a robust auditing platform that records a full user interaction history of all changes made to files, workspaces and other administrative tasks.
Kojensi ensures that Critical Infrastructure information can be securely shared and collaborated on with authorized internal users and third parties while preventing unauthorized access. Discover the advantages of the Kojensi platform for meeting SLACIP, SoNS, and other government information security requirements.
