What is the Security of Critical Infrastructure Act?
On 25 November 2024, the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (SOCI Act), which was included in the Cyber Security Legislative Package was passed into law. The SOCI Act gives the Government broader powers to deliver on Shield 4 of the Cyber Security Strategy 2023-2030 (protecting critical infrastructure) and to address gaps and issues of the evolving cyber threat landscape.
- Data storage systems that hold business critical data would be regulated as critical infrastructure assets under the amendments.
- New government consequence management powers under which the government may direct an entity to take action to respond to incidents more broadly than just cyber incidents.
- New definition of ‘protected information’ that includes a harms-based assessment and a non-exhaustive list of relevant information plus clarifications as to when protected information can be shared or used for other purposes.
- New power for the regulator to issue directions to a responsible entity to address any serious deficiencies that are identified in a critical infrastructure risk management program.
Data storage systems that hold business critical data
- #16: “…strengthen the protection of data storage systems and business critical data.”
- #19: “Schedule is not to capture all non-operational systems that hold business critical data, only those where vulnerabilities could have a relevant impact on critical infrastructure. Examples of the types of systems this could capture include: data storage systems that hold business critical data where there is inadequate network segregation between information and operational technology systems, or data storage systems that hold operational data such as network blueprints, encryption keys, algorithms, operational system code, and tactics, techniques and procedures.”
- #20: “…Where the responsible entity outsources to a third party, then the third party becomes responsible for the data storage system.”
- #31: The various criteria being proposed make clear the intent that not all non-operational systems that hold business critical data should be captured, only those where vulnerabilities could have a relevant impact on critical infrastructure. They also clarify that the responsible entity for the main critical infrastructure asset is responsible for data storage systems that they own or operate.
COMPLIANCE BRIEF
Ensuring Compliance with Australia’s SOCI Act
Learn how Thales helps organizations comply with Australia’s SOCI Act by securing critical infrastructure, protecting data, and managing encryption keys.
How Thales Helps with SOCI Act (Amendments) Compliance
Thales’ solutions can help organizations comply with the SOCI Act by simplifying compliance and automating security reducing the burden on security and compliance teams.
We provide comprehensive cyber security solutions in three key areas of cybersecurity: Application Security, Data Security, and Identity & Access Management.
SOCI Compliance Solutions
Application Security
Protect applications and APIs at scale in the cloud, on-premises, or in a hybrid model. Our market leading product suite includes Web Application Firewall (WAF), protection against Distributed Denial of Service (DDoS) and malicious BOT attacks, security for APIs, a secure Content Delivery Network (CDN), and Runtime Application Self-Protection (RASP).
Data Security
Discover and classify sensitive data across hybrid IT and automatically protect it anywhere, whether at rest, in motion, or in use, using encryption tokenization and key management. Thales solutions also identify, evaluate, and prioritize potential risks for accurate risk assessment as well as identify anomalous behavior, and monitor activity to verify compliance, allowing organizations to prioritize where to spend their efforts.
Identity & Access Management
Provide seamless, secure and trusted access to applications and digital services for customers, employees and partners. Our solutions limit the access of internal and external users based on their roles and context with granular access policies and Multi-Factor Authentication that help ensure that the right user is granted access to the right resource at the right time.
Address the requirements in SOCI Act (Amendments) – SCHEDULE 1
How Thales helps:
- Discover and classify potential risks for all public, private, and shadow APIs.
- Identify structured and unstructured sensitive data at risk on-premises and in the cloud.
- Identify the current state of compliance, documenting gaps, and providing a path to full compliance.
How Thales helps:
- Data activity monitoring for structured and unstructured data across cloud and on-prem systems.
- Produce audit trail and reports of all access events to all systems, and stream logs to external SIEM systems.
Solutions:
Data Security
Identity & Access Management
How Thales helps:
- Encrypt data at rest on-premises, across clouds, and in big data or container environments.
- Protect data in motion with high-speed encryption.
- Gain full visibility of sensitive data activity, track who has access, audit what they are doing, and document.
How Thales helps:
- Limit the access of internal and external users to systems and data based on roles and context with policies.
- Apply contextual security measures based on risk scoring.
- Leverage smart cards for implementing physical access to sensitive facilities of critical infrastructure.
Solutions:
Data Security
Identity & Access Management
How Thales helps:
- Build and deploy adaptive authentication policies based on the sensitivity of the data/application.
- Protect against phishing and man-in-the-middle attacks.
Solutions:
Identity & Access Management
How Thales helps:
- Protect cryptographic keys in a FIPS 140-2 Level 3 environment.
- Streamline key management in cloud and on-premises environments.
- Manage and protect all secrets and sensitive credentials.
Related resources
Other key data protection and security regulations
PCI HSM
MANDATE | ACTIVE NOW
The PCI HSM specification defines a set of logical and physical security compliance standards for HSMs specifically for the payments industry. PCI HSM Compliance certification depends on meeting those standards.
DORA
REGULATION | ACTIVE NOW
DORA aims to strengthen the IT security of financial entities to make sure the financial sector in Europe is resilient in the face of the growing volume and severity of cyber-attacks.
Data Breach Notification Laws
REGULATION | ACTIVE NOW
Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.
GLBA
REGULATION | ACTIVE NOW
The Gramm-Leach-Bliley Act (GLBA)--also known as the Financial Services Modernization Act of 1999--requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.