One Year In: Evaluating the Success of Your Critical Infrastructure Risk Management Program

As 18 August 2024 approaches, many Australian critical infrastructure companies are gearing up to celebrate a significant milestone: the anniversary of the establishment of a Critical Infrastructure Risk Management Program (CIRMP).  This date marks not only a commemoration of past efforts but also prompts reflection on the future of safeguarding essential services that underpin our daily lives as individuals and as a society.

In conjunction with this anniversary, another crucial deadline looms on the horizon.  Responsible entities for critical infrastructure assets must provide an annual CIRMP Report to the Department of Home Affairs or another relevant regulator.  This report, an in-house assessment of the effectiveness and maturity of the entity’s risk mitigation measures as set out in the CIRMP, is a vital component of ongoing risk management.  The annual report must be approved by the entity’s Board or governing body, with the first Board-approved annual CIRMP report due between 30 June and 28 September 2024.

So, how are critical infrastructure companies planning to celebrate this pivotal moment?  More importantly, what assurance mechanisms, performance evaluation tools, and continual improvement strategies has your entity put in place to uphold its obligations and commitment to security and resilience of its critical infrastructure assets?

BACKGROUND

As the CIRMP anniversary approaches, it is worth reflecting on the legislative framework that underpins the safeguarding of Australia’s critical infrastructure.  Enacted under the Security of Critical Infrastructure Act 2018 (SOCI Act), this framework mandates that responsible entities for critical infrastructure assets develop robust risk management protocols.  These protocols are designed not only to minimise, mitigate, or eliminate the impact of foreseeable hazards but also to ensure the resilience of critical asset operations in the face of evolving threats.

Central to the SOCI Act’s requirements is the mandate for responsible entities to implement a comprehensive Critical Infrastructure Risk Management Program (CIRMP).  The Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules 2023 set out the mandatory baseline security standards for a CIRMP.  The CIRMP must address risk across the nominated hazard vectors: personnel, cyber and information, physical and natural, and supply chain.

The CIRMP process is pivotal in enabling responsible entities to systematically identify critical assets, assess relevant threats, and effectively manage risks.  By adhering to this detailed guidance, Australian critical infrastructure entities not only enhance their ability to pre-empt and mitigate potential disruptions but also support the continuous delivery of essential services to the nation.

HOW TO EVALUATE CIRMP PERFORMANCE?

It is important for critical infrastructure entities to confirm that the CIRMP has been implemented successfully, to assess how well risks are being controlled, and to check whether security objectives are being achieved.  As part of this process, entities should investigate breaches of, or gaps in, security controls, ensure corrective action is taken, and act on what is learned from these events.

To congratulate Australian critical infrastructure companies on celebrating the first CIRMP anniversary, Pentagram Advisory has put together a Six-Step Guide: How to Monitor and Evaluate the CIRMP Performance.

Six-Step Guide: How to Monitor and Evaluate the CIRMP Performance

Step 1: Performance Monitoring

Selection of Metrics: Identify and define metrics that reflect the security objectives and policies of the entity.  Decide first what needs to be monitored and measured, then choose metrics such as time taken to resolve security issues, frequency of security incidents (ideally broken down by hazard vector), and compliance with security protocols.

Data Collection and Analysis: Collect data systematically using defined methods.  Ensure that the data collected is accurate, relevant, and timely.  Use tools such as dashboards for visual representation and ease of analysis.

Responsibility Assignment: Clearly define roles for who is responsible for collecting, analysing, and reporting metrics.  This includes security teams, human resources team, IT departments, and relevant stakeholders outside of the security team.  Ensure that senior management has direct accountability for the CIRMP operation to help assure security and enable security objectives to be met.
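As an added illustration of Step 1 (not code from the original article or from Pentagram Advisory), the following Python computes the three metrics named above from a small incident register: mean time to resolve per hazard vector, incidents opened per month, and the share of incidents resolved within a target.  The record format, the per-severity resolution targets and the sample incidents are all assumptions made for this example; the four hazard vectors are those named in the CIRMP Rules.

```python
"""Added example: computing CIRMP Step 1 metrics from an incident register.

Not from the original article. The record format, the per-severity resolution
targets and the sample incidents are all assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime

# The four hazard vectors the CIRMP Rules require a program to address.
HAZARD_VECTORS = ("personnel", "cyber_information", "physical_natural", "supply_chain")

# Assumed resolution targets in hours, per severity (illustrative, not from the Rules).
RESOLUTION_TARGET_HOURS = {"high": 24, "medium": 72, "low": 240}

# Constructed sample register: ISO timestamps; "resolved" is None while an incident is open.
SAMPLE_INCIDENTS = [
    {"id": "INC-001", "vector": "cyber_information", "severity": "high",
     "opened": "2024-01-03T09:00", "resolved": "2024-01-03T20:30"},
    {"id": "INC-002", "vector": "supply_chain", "severity": "medium",
     "opened": "2024-01-10T14:00", "resolved": "2024-01-15T14:00"},
    {"id": "INC-003", "vector": "personnel", "severity": "low",
     "opened": "2024-02-02T08:00", "resolved": "2024-02-05T08:00"},
    {"id": "INC-004", "vector": "cyber_information", "severity": "high",
     "opened": "2024-02-20T23:00", "resolved": "2024-02-22T11:00"},
    {"id": "INC-005", "vector": "physical_natural", "severity": "medium",
     "opened": "2024-03-01T06:00", "resolved": None},
    {"id": "INC-006", "vector": "cyber_information", "severity": "medium",
     "opened": "2024-03-05T10:00", "resolved": "2024-03-06T10:00"},
]


def _hours_between(start_iso, end_iso):
    """Elapsed hours between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end_iso) - datetime.fromisoformat(start_iso)
    return delta.total_seconds() / 3600


def _validate(inc):
    """Reject records that would silently fall outside the reported categories."""
    if inc["vector"] not in HAZARD_VECTORS:
        raise ValueError(f"{inc['id']}: unknown hazard vector {inc['vector']!r}")
    if inc["severity"] not in RESOLUTION_TARGET_HOURS:
        raise ValueError(f"{inc['id']}: unknown severity {inc['severity']!r}")


def mttr_by_vector(incidents):
    """Mean time to resolve, in hours, per hazard vector (resolved incidents only).
    Vectors with no resolved incident are omitted rather than reported as zero."""
    totals, counts = defaultdict(float), defaultdict(int)
    for inc in incidents:
        _validate(inc)
        if inc["resolved"] is None:
            continue
        totals[inc["vector"]] += _hours_between(inc["opened"], inc["resolved"])
        counts[inc["vector"]] += 1
    return {vector: totals[vector] / counts[vector] for vector in counts}


def monthly_frequency(incidents):
    """Number of incidents opened per calendar month, keyed YYYY-MM."""
    freq = defaultdict(int)
    for inc in incidents:
        freq[inc["opened"][:7]] += 1
    return dict(sorted(freq.items()))


def target_compliance(incidents):
    """Fraction of resolved incidents closed within their severity's target, or None if nothing resolved."""
    resolved = [inc for inc in incidents if inc["resolved"] is not None]
    if not resolved:
        return None
    met = sum(1 for inc in resolved
              if _hours_between(inc["opened"], inc["resolved"]) <= RESOLUTION_TARGET_HOURS[inc["severity"]])
    return met / len(resolved)


def open_past_target(incidents, now_iso):
    """IDs of incidents still open at now_iso that have already exceeded their target."""
    return [inc["id"] for inc in incidents
            if inc["resolved"] is None
            and _hours_between(inc["opened"], now_iso) > RESOLUTION_TARGET_HOURS[inc["severity"]]]


def summarise(incidents, now_iso):
    """One dictionary suitable for a dashboard or the annual report narrative."""
    return {
        "mttr_hours_by_vector": {v: round(h, 1) for v, h in mttr_by_vector(incidents).items()},
        "incidents_per_month": monthly_frequency(incidents),
        "target_compliance": target_compliance(incidents),
        "open_past_target": open_past_target(incidents, now_iso),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_INCIDENTS, "2024-03-10T00:00").items():
        print(f"{key}: {value}")
```

Two choices matter for the annual report: open incidents are excluded from the mean rather than counted as zero, so an unresolved incident cannot improve the figure, and they are surfaced separately when they have already breached their target.  Records with an unrecognised hazard vector or severity raise an error instead of being silently dropped, so the metric cannot quietly omit a category the Rules require.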

Step 2: Incident Reporting Program

Incident Reporting: Design and implement a robust incident reporting program that allows for confidential or anonymous reporting.  Capture details of all security incidents, non-conformances, and audit findings.

Action Implementation: Analyse incidents to identify root causes, implement corrective actions promptly, and record them.  Develop measures to mitigate future risks and document these actions for future reference, so that if a similar event occurs there is a defensible record demonstrating that action was taken.

Step 3: Audit

Audit Program: Plan, establish, implement and maintain an audit program.  Conduct audits at planned intervals to provide information on whether the CIRMP is effectively implemented and maintained.

Audit Results: Provide audit results to inform senior management’s review of the security management system.  Ensure that follow-up audit actions include verification of the actions taken and reporting of the verification results.  Audit results should inform future planning and resource allocation.

Step 4: Management Review

Review Process: Schedule regular reviews of security performance metrics by senior management.  These reviews should include risk assessments, audit reports, lessons learned, and overall security system performance.

Documentation: Maintain comprehensive records of management reviews.  This ensures transparency and provides a historical record for future audits and reviews.

Step 5: Improvement

Lessons Learned: Incorporate lessons learned from incident analyses and management reviews into the security policy and procedures.  This helps in continuously improving the CIRMP.

Policy Updates: Update CIRMP, security policies and objectives based on the insights gained from performance reviews and incident analyses.  Ensure that changes are communicated effectively to all relevant stakeholders.

Step 6: Integration and Communication

Stakeholder Engagement: Communicate the value of security metrics and the importance of the CIRMP to all stakeholders.  Check that key stakeholders are aware of and understand the metrics and their implications.

Continuous Feedback: Establish mechanisms for continuous feedback from stakeholders on the effectiveness of security measures.  Use this feedback to refine and improve CIRMP, security metrics and policies.

By following these steps, critical infrastructure entities can develop a robust framework for monitoring and improving the CIRMP and their internal security management systems.  Improving CIRMP performance is the key enabler of better protection for assets and operations, which of course is good for business.

As we celebrate this milestone, it becomes clear that in an era where threats to critical infrastructure, ranging from cyberattacks to supply chain disruptions, loom large and are ever-present, the importance of effective security risk management cannot be overstated.  The commitment to excellence in risk management is not merely a regulatory obligation but a cornerstone of national security and resilience.

The ongoing refinement and enhancement of the CIRMP underscores a proactive approach to safeguarding the infrastructure that sustains our daily lives.  It serves as the backbone of defence against disruptions that could ripple through sectors vital to our nation’s social stability and shared prosperity.
