AUCloud Response to Security Legislation Amendment (Critical Infrastructure) Bill 2020

AUCloud understands the intent of Government in reforming the Security of Critical Infrastructure (SOCI) Act. With deep, practical experience in cyber security, AUCloud appreciates the potential vulnerabilities of operating in a ubiquitously connected, always on, digital environment. We understand the changing nature of how critical infrastructure industries operate in this context and the increasing interconnectedness and interdependence of their operations. We equally understand the security risks posed by cyber vulnerabilities, the impact of cyber disruptions and the corresponding threat to the resilience of Australia’s critical Infrastructure and ultimately individuals, communities, business and Australia’s sovereign resilience.

We note a range of recent announcements and/or activities in development by Government also aimed to mitigate cyber related risk with a view to strengthening Australia’s resilience. For example:

• • Australia’s Cyber Security Strategy 2020;
  • The Draft Critical Technology Supply Chain Principles;
  • The Data Availability and Transparency Bill and Accreditation Framework;
  • ACSC’s Cloud Assessment and Authorisation Framework (“CAAF”)

In support of the common intent and underlying themes of these and the draft Security Legislation Amendment (Critical Infrastructure) Bill 2020, AUCloud supports the draft legislation with the following caveats, which will be explained in this response.

1. The current definition of Data for the purpose of defining the Data Storage and Processing Sector (Data includes information is any form) is vague and inconsistent with the definition applied elsewhere by Government.
2. The definition of storage and processing, as these relate to data, is not clear and requires definition.
3. Acknowledging the criticality of Australia’s Critical Infrastructure sectors and the potential impact of disruption or damage, AUCloud agrees that data storage and processing is a ‘sector’ in itself (as well as the potential underpinning infrastructure for other sectors) and should, in principle, be subject to the proposed legislation. However, we recommend that the scope of the proposed legislative changes for cloud services, apply to IaaS with SaaS and PaaS services excluded.
4. With recent changes introduced by the ACSC, IaaS is subject to best practice security assessment and compliance requirements in accordance with the CAAF. The CAAF is underpinned by the IRAP (Information Security Registered Assessors Program) against the controls of the Information Security Manual (ISM) and processes of the Protective Security Policy Framework (PSPF). Noting that these standards are the security benchmark endorsed by Government for its own purpose, we believe the requirements of the CAAF and IRAP largely align with the intent of the draft Legislation and consideration should be given to extending this best practice benchmark to other Critical Infrastructure sectors as it relates to data storage and processing. 
5. Noting the proposed CAAF benchmark, and to ensure consistent security risk mitigation, where a Critical Infrastructure sector organisation is operating an on-premise (or self-managed) environment, they should also be required to undertake and satisfy an IRAP assessment. Similarly, where a Critical Infrastructure organisation is migrating to the Cloud, those services should be assessed under the CAAF.