
Critical Infrastructure Clearance

The relentless compromising of the private sector, which remains a soft but strategic target, has diluted the conventional boundaries of conflict, forcing the government to enhance its posture. Australia is not immune and there is clear recognition that we need to do more to protect our nation against attacks on our critical infrastructure. The Parliamentary Joint Committee on Intelligence and Security (PJCIS) notes that industry has a role to play in implementing a personnel security baseline uplift, which will impose obligations on businesses. Personnel security is an important part of the overall response to the serious challenges we face as a nation.

Enhanced or positive security obligations will impact these sectors:

Banking and finance
Communications
Data and the Cloud
Defence industry
Education, research and innovation
Energy
Food and grocery
Health
Space
Transport
Water

The security uplift is being managed by the Critical Infrastructure Centre within Home Affairs and background checks fall under the critical infrastructure risk management program.

Critical infrastructure entities will implement policies and procedures which seek to mitigate the risk of employees (insider threats) exploiting their legitimate access to an organisation’s assets for unauthorised purposes. This may include ensuring only suitable employees and contractors access the entity’s resources, and assessing and managing the ongoing suitability of its personnel.

Some have argued that background checks done by the AusCheck scheme, and the AGSVA for that matter, offer levels of assurance and clearance that are excessive for most Critical Infrastructure businesses. Although organisations acknowledge that the Protective Security Policy Framework (PSPF) is good for guidance and that ‘PSPF Personnel Security Clearances’ are appropriate at times, many feel it would incur additional expenses and interrupt hiring timelines.

Senior Executives at AusCheck agree. The AusCheck scheme provides an assessment from ASIO about someone’s possible threats to security. It also includes criminal conviction histories that aren’t otherwise released because of complex spent convictions schemes across Australian jurisdictions. These things aren’t necessary to treat every trusted-insider risk. The PSPF makes it clear that decisions about risk are really shared when it comes to businesses & the government. There is no single solution to treat the risk. If you want an ASIO assessment & a “full” criminal history assessment then these things do have a cost.

Northrop Grumman’s Critical Infrastructure submission is worth highlighting here:

Government represents a large element of Australia’s critical infrastructure and must be an exemplar. The Protective Security Policy Framework (PSPF) and the related Information Security Manual (ISM) set out the requirements for protective security to ensure the secure continuous delivery of government business. The PSPF and ISM also apply to industry providing goods and services for government departments and agencies. If the PSPF and ISM represent Government’s best practice then it should be used to provide guidance for Critical Infrastructure.

Enter Australia’s first Critical Infrastructure Clearance, powered by a security vetting agency leader.

It is an effective control measure solution with a standardised process and provides broad application. It offers strict interpretation and adherence to the PSPF vetting guidelines and standards. It bridges the gap between a police check and ID check on one side of the spectrum and AusCheck and AGSVA clearances on the other. The CI Clearance is deep, fair and fast. In many ways it is a more flexible treatment for CI businesses while meeting the CIC’s personnel security uplift mandate.

How so? In short, the CI Clearance allows for the following: (a) national security implications and insider threats can be investigated and considered appropriately, (b) information sharing can occur laterally and vertically, (c) companies can choose (or keep) their own ID & Police checking external providers if they wish to do so, (d) costs are competitive, (e) the clearance may be recognised and transferred, (f) duplication is reduced, (g) processing times are competitive, (h) third party auditing ensures that the standards and process are met, (i) innovation is encouraged – e.g. Blockchain, AI etc.

Here is a comparison chart of a sample selection of SECURITY CLEARANCES to assist you to understand the differences:

Note: Prominent “ID” and “Police checking” companies such as CV Check, Sterling Risq, Equifax, SAP, First Advantage, PharmacyID etc can include our “CI Clearance” into their bundles of offerings. If they can’t or won’t, then let us know.

Bonus: We can tailor supplementary questions to your specific sector and/or employer situation. We consult with you to discover your “go/no-go” risk thresholds. We then incorporate those questions, responses and assessments into our Green/Amber/Red light Result & the CI Clearance Certification.

Get in touch with us today to discuss your requirements or call 02-6171 4171.

 

Read more

https://www.cleard.life/critical-infrastructure-entities-must-now-hunt-for-spies

https://www.cleard.life/critical-infrastructure-public-submissions-react-to-trusted-insider-risk-mitigation-options/