Critical Infrastructure Clearance

The relentless compromising of the private sector, which remains a soft but strategic target, has diluted the conventional boundaries of conflict, forcing the government to enhance its posture. Australia is not immune and there is clear recognition that we need to do more to protect our nation against attacks on our critical infrastructure. The Parliamentary Joint Committee on Intelligence and Security (PJCIS) notes that industry has a role to play to implement personnel security baseline uplift which will impose obligations on businesses. Personnel security is an important part of the overall response to the serious challenges we face as a nation.

Enhanced or positive security obligations will impact these sectors:

Banking and finance
Communications
Data and the Cloud
Defence industry
Education, research and innovation
Energy
Food and grocery
Health
Space
Transport
Water

The security uplift is being managed by the Critical Infrastructure Centre within Home Affairs and background checks fall under the critical infrastructure risk management program.

Critical infrastructure entities will implement policies and procedures which seek to mitigate the risk of employees (insider threats) exploiting their legitimate access to an organisation’s assets for unauthorised purposes. This may include ensuring only suitable employees and contractors access the entity’s resources and Assessing and managing the ongoing suitability of its personnel.

Some have argued that background checks done by the AusCheck scheme and the AGSVA for that matter offer level of assurances and clearances that are excessive for most Critical Infrastructure businesses. Although organisations acknowledge that the Protective Security Policy Framework (PSPF) is good for guidance and that ‘PSPF Personnel Security Clearances’ are appropriate at times, many feel it would incur additional expenses and interrupt hiring timelines. However, a Suitability interview and risk assessment for each candidate is now a ‘shall‘ requirement for the Australian Standard AS4811 2022 Workforce Screening.

Senior Executives at Auscheck agree. The AusCheck scheme provides an assessment from ASIO about someone’s possible threats to security. It also includes criminal conviction histories that aren’t otherwise released because of complex spent convictions schemes across Australian jurisdictions. These things aren’t necessary to treat every trusted-insider risk. The PSPF makes it clear that decisions about risk are really shared when it comes to businesses & the government. There is no single solution to treat the risk. If you want an ASIO assessment & a “full” criminal history assessment then these things do have a cost to it.

Northrop Grumman Critical Infrastructure submission is worth highlighting here:

Government represents a large element of Australia’s critical infrastructure and must be an exemplar. The Protective Security Policy Framework (PSPF) and the related Information Security Manual (ISM) sets out the requirements for protective security to ensure the secure continuous delivery of government business. The PSPF and ISM also apply to industry providing goods and services for government departments and agencies. If the PSPF and ISM represent Government’s best practice then it should be used to provide guidance for Critical Infrastructure.

Enter Australia’s first Critical Infrastructure Clearance Personnel Hazard Risk Management Program, powered by a national security vetting agency leader.

Prevetting (though our cleard life CL0-CL3 products) is an effective control measure solution with a standardised process and provides broad application. It offers strict interpretation and adherence to the PSPF12 vetting guidelines and standards and AS4811-2022. It bridges the gap between a police check and ID check on one side of the spectrum with Auscheck and AGSVA clearances (full ASIO Assessments) on the other. Even ASIO are recommending thorough pre-employment screening.

In short the CI Clearance allows for

(a) national security implications and insider threats to be investigated and considered appropriately,

(b) informational sharing can occur laterally and vertically

(d) costs are competitive

(e) the clearance maybe be recognised and transferred

(f) duplication is reduced

(g) processing times are very competitive

(h) third party auditing ensures that the standards and process are met and

(i) innovation is encouraged – eg. Blockchain, AI etc.

Here is a comparison chart of a sample selection of SECURITY CLEARANCES to assist you to understand the differences:

Note: Prominent “ID” and “Police checking” companies such as First Advantage, CV Check, Sterling Risq, Equifax, SAP, PharmacyID etc can include our “CI Clearance” into their bundles of offerings. If they can’t or won’t, then let us know.

Section 9 (6) (b) a responsible entity must have regard to whether the CIRMP describes the personnel risks, the occurrence of which could have a relevant impact on the asset. If your organisational risks differ from what the Auscheck CI check covers (eg. drug use, workplace violations, data breaches, suspicious overseas travel and connections, mental health, financial issues) then talk to us.

The average annual cost of an incident by malicious insiders was $4.8 million, up from $4.1 million in 2022. Only 10% of insider risk management budget was spent on preincident activity cost centres. Malicious insider incidents were by far the most expensive, costing on average $701,500 per incident.

Bonus: we can tailor supplementary questions to your specific sector and/or employer situation (an Organisational Suitability Assessment). We consult with you to discover your “go/no-go” risk thresholds. We then implement those questions and responses and assessment into our Green/Amber/Red light Result & the CI Clearance Certification. You get this:

ONGOING GRC – Governance, Risk & Compliance.

It is futile to think that a one-time Police check will save you from a malicious insider that can cause damage to the functioning of your critical infrastructure asset. We therefore help you with the responsibility of the ongoing suitability (PSPF13) of your workforce – including contractors and subcontractors. This is done through leveraging our insider threat management program, custom designed for CI Sectors (eg. here is our Defence Industry Insider Threat Program). It is sometimes called a Managed Personnel Security Services Provider. Broadly speaking, it includes Induction, Training, Awareness, Briefings and Reporting.

SEPARATING GRC

As the first and only civilian vetting agency to offer the full range of personnel risk management services, we naturally include the implementation a risk management program to manage personnel risks arising from the off-boarding process for outgoing or separating personnel (PSPF14) – including security exit briefings and risk assessments.

Summary

The CI Clearance and the Personnel Hazards Risk Management Program is a flexible risk treatment with Responsible Entities (and it’s Supply Chain) in mind – meeting the CI’s personnel security uplift mandate in “Rule 2 – Personnel hazards” which includes initial assessing (PSPF12) and managing the ongoing (PSPF13) suitability of critical personnel and persons holding critical positions, through personnel and human resource arrangements – ie. vetting and considering your risk environment with a vetting check for critical personnel. When personnel leave or separate from the Entity, we make sure the process is done correctly and a personnel risk assessment done (PSPF14).