Security of Critical Infrastructure (SOCI) Act 2018

Overview

The Australian government has taken steps to strengthen its cyber-security resilience through legislative amendments to the Security of Critical Infrastructure (SOCI) Act 2018, which introduces a new cyber-security framework to protect the country’s critical infrastructure assets.


Cyber-security Risk

Cyber-threats are a key risk to organisations around the world, particularly as attacks become increasingly frequent and sophisticated, with AI (artificial intelligence) adoption being a significant driver. Whether the threat comes from an internal party or an external source, a successful cyber-attack has the potential to compromise data, disrupt operations, and damage an organisation’s reputation. Organisations throughout the world consistently rank the threat presented by malicious employees within their top three risks of greatest concern. Though below the global average, in 2023 Australia experienced the highest number of ransomware attacks across key countries in the APAC region.

Per data published by the Office of the Australian Information Commissioner (OAIC), 23 large-scale cyber-incidents were reported to the OAIC during just the first half of 2023. The Latitude breach in 2023 was one of the largest in Australia’s history, following the Optus and Medibank breaches of 2022, which resulted in the personal information of multiple customers being exposed to cyber attackers. The challenge for security and business leaders is to implement the best solutions to mitigate threats, whilst maintaining alignment with ever-evolving compliance and regulatory requirements.


About the SOCI Act

The SOCI Act was passed in 2018 and has since been amended to provide a framework for managing and protecting Australia’s critical infrastructure assets. It outlines the potential risks and the steps to be taken to mitigate the risk of cyber-threats. The SOCI Act applies to the following 11 sectors in Australia:

  1. Communications
  2. Financial services and markets
  3. Data storage and processing
  4. Defence
  5. Higher education and research
  6. Energy
  7. Food and grocery
  8. Healthcare and medical
  9. Space technology
  10. Transport
  11. Water and sewerage

The SOCI Act requires responsible entities to establish and document a Critical Infrastructure Risk Management Program (CIRMP) or risk a penalty of 200 penalty units. One penalty unit is currently $330.

Critical Infrastructure Risk Management Program (CIRMP)

A CIRMP is one of the positive security obligations set out under the SOCI Act. The requirement for a CIRMP is to identify each potential hazard that poses significant risk to a critical infrastructure asset. One type of hazard that poses a threat to critical infrastructure assets is “Personnel Hazard”, which should be addressed and documented in a CIRMP.


Personnel Hazard

The SOCI Act requires impacted organisations to take the following steps towards establishing and maintaining a process in their CIRMP that directly addresses risks associated with personnel:

  • Identify personnel required to access critical infrastructure (critical workers).

  • Define which components of critical infrastructure they are required to access.

  • Define method of assessing suitability prior to granting access.

  • As far as it is reasonably practicable to do so, minimise or eliminate material risks arising from:

    — Malicious or negligent employees or contractors

    — Off-boarding outgoing employees and contractors

A “Critical Worker” as defined in the SOCI Act is an employee, intern, contractor, or subcontractor of the responsible entity for a critical infrastructure asset to which a CIRMP applies and:

  1. Where the absence or compromise of the individual would prevent the proper function of the asset or could cause significant damage to the asset; and
  2. The individual has access to, or control and management of, a critical component of the asset.

Background Checks for Personnel Risk

The SOCI Act requires responsible entities to proactively assess and manage the risk presented by personnel. A background check is one of the recognised and recommended methods to effectively manage personnel risk. Background checks can help to evaluate an individual’s character, competency, and trustworthiness to determine suitability and reliability to perform a particular role.

Example Screening Packages

First Advantage provides a wide range of robust screening services to help our customers hire smarter and onboard faster. The following example packages may be considered by employers in Australia who are required to comply with the SOCI Act when onboarding or rescreening a permanent, temporary, or contracted candidate. The specific services selected for a screening package will depend on the responsibilities of each role.

Three example packages are offered: Lower-risk Position, Medium-risk Position, and High-risk Position. They are built from the following services:

  • Identity Check
  • Right to Work Verification
  • Criminal Records Check
  • Employment Verification
  • Education Verification
  • Professional Qualification (if applicable)
  • Global Sanctions, Politically Exposed Persons (PEP), & Adverse Media
  • Financial Regulatory
  • Credit Report (Bankruptcy or Civil Litigation)
  • Professional Reference Check
  • Directorship

Example Annual Rescreening Package

Background screening should not be a one-off event. Implementing a policy of periodic rescreening, especially for those in senior positions, can help to ensure that organisations have screening programs that address compliance requirements. Specific services selected for a rescreening package will depend on the responsibilities of each role, but may include:

Annual Re-screen Package:

  • Criminal Records Check
  • Right to Work Verification (if subject to visa renewal)
  • Global Sanctions, Politically Exposed Persons (PEP), & Adverse Media
  • Financial Regulatory
  • Directorship

About Our Services

The 100-point ID check is a verification of the candidate’s identity using the 100-point model, which lays out the minimum required documentation to establish a candidate’s identity under the Financial Transaction Reports Act 1988 (FTR Act).

A right to work check is conducted to ensure that each candidate you hire is legally eligible to work under Australian laws. First Advantage’s Right to Work check confirms a candidate’s visa and passport status with the relevant immigration authorities. By assessing this status, we will confirm whether or not the candidate is entitled to work in the country, and/or provide details of any limitations attached to their visa.

▪ For Non-Citizens: A check with the Department of Immigration and Border Protection will confirm the visa’s authenticity and the candidate’s right to work in Australia, as well as a description of any conditions or limitations.

▪ For Citizens: First Advantage conducts a proof of citizenship document collection based on documents required to prove citizenship by the Department of Immigration and Border Protection. If the candidate has provided an Australian address, the electoral roll will also be checked to further support the applicant’s claim to citizenship. If an Australian passport has been provided, the Passport Validation search based on the machine-readable zone (MRZ) will also be conducted.

First Advantage’s Nationwide Criminal History Check with Certificate check searches the National Names Index for disclosable court outcomes across police records in all Australian states and territories. The search does not include spent convictions unless a statutory obligation exists to disclose information. This search is undertaken through the Australian Federal Police (AFP).

We conduct our background checks for employment by going directly to the source to verify your candidate’s employment history. In instances where a candidate has worked for an employment agency while employed as a financial regulated person at a financial institution, First Advantage will reach out directly to the financial institution to complete the verification.

In instances where we are unable to complete the verification after all attempts have been exhausted, documents may be collected from the candidate to share with the customer regarding the employment history.

Our Education Verification will verify the candidate's academic history and education directly with registrars and administration offices, many of whom know us well, owing to our long-established relationship with them. We verify information provided by candidates with information on the official files, flagging any inconsistencies or discrepancies from the information provided by the candidate.

In instances where we’re unable to complete the verification after all attempts have been exhausted, then documents will be collected from the candidate which may be shared with the customer noting that authentication of the documents is not a part of the service offering.

A professional qualification verification verifies the candidate’s industry accreditation, qualification and/or professional membership information directly with registrars and administration offices, many of whom know us well owing to our long association.

Global Sanctions Search:

The Global Sanctions search draws on an expansive database of government-published watch lists and sanctions lists detailing financial and medical fraud, criminal and terrorism activity, sanctions, and debarments. A Global Sanctions search compares the candidate’s name against lists of individuals, companies, and governments that appear on law enforcement, regulatory enforcement, and sanctions lists, or that are associated with or involved in any sort of terrorist organisation. This search also includes individuals who have a history of violations of export laws or have been denied export privileges, for example for exporting chemical/biological weapons without proper licensing.

Politically Exposed Person Search:

Information on Politically Exposed Persons (PEP), their family members, and close associates comes from our partner sources.

Adverse Media:

This search uses the candidate’s current and previous names against a database collated from more than 12,000 sources taken from the world’s major trade, business, and scholastic journals, local newspapers, regional business publications, national and international business newspapers, industry newsletters, corporate news releases, and newswires from all regions of the globe, for any information pertaining to the candidate.

The search is conducted using thousands of adverse keywords relating to crime, terror, fraud, and other illicit activities. All articles found are reviewed directly with the source to ensure only relevant and recent information is being considered.

The financial regulatory search checks for information from the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA) as sources.

Certain roles require a more holistic view of a candidate, and credit checks can be an invaluable way to validate a person's suitability for a role. In Australia, Part IIIA of the Privacy Act 1988 provides limitations on the disclosure of personal information by credit reporting agencies. An individual’s consumer credit file is therefore generally not available for background checking purposes. However, an individual is able to access their own credit file. First Advantage offers a Basic Credit check which is comprised of an individual’s commercial credit file.

The directorship search is a search of office-holdings in privately owned Australian companies, including directorships and shareholdings. It determines the office-holdings of an individual and exposes any conflicts of interest.

Based on the candidate’s address history in the last 3 years or more, First Advantage can launch a directorship check, or a best practice equivalent, in almost every country of the world.

Why Choose First Advantage?

With advanced technology and AI-powered platforms, First Advantage transforms the background screening process into a seamless, efficient experience for customers and candidates. Operating in over 200 countries and territories, our global software, data, and regional expertise enable us to be a one-stop shop. First Advantage brings innovation, automation, scalability, and customer success to the forefront, modernising the way businesses hire smarter and onboard faster.
