Australia's Secured Configuration Regulations
Australia’s cybersecurity regulatory landscape is multifaceted, with a blend of federal laws, sector-specific regulations, and strategic initiatives aimed at enhancing national cybersecurity resilience.
By placing its secured configuration requirements within comprehensive legislative frameworks, sector-specific regulations, and strategic initiatives, Australia is working towards a robust cybersecurity posture that protects its digital infrastructure and critical national assets.
Key Regulatory Bodies and Frameworks:
- Australian Cyber Security Centre (ACSC): Part of the Australian Signals Directorate (ASD) and the primary government agency responsible for coordinating cyber security efforts.
- Office of the Australian Information Commissioner (OAIC): The privacy regulator; oversees privacy and data protection, including the Privacy Act 1988.
- Critical Infrastructure Centre (CIC): Part of the Department of Home Affairs (now operating as the Cyber and Infrastructure Security Centre); focuses on protecting critical infrastructure from cyber and other threats.
Key Regulations and Standards:
- Privacy Act 1988
- Security of Critical Infrastructure Act 2018 (SOCI Act)
- Australian Cyber Security Strategy 2023-2030
- ASD's Critical Infrastructure Uplift Program (CI-UP)
- Australian Cyber Security Centre (ACSC) Essential Eight
What is the new Privacy Act in Australia?
The Privacy Act 1988 was initially introduced to promote and safeguard individual privacy and to regulate the handling of personal information by Australian Government agencies, organizations with an annual turnover exceeding $3 million, and certain other entities.
In September 2023 the Australian Government published its response to the review of the Privacy Act 1988, outlining reforms to the Act that the Office of the Australian Information Commissioner (OAIC) administers. These reforms aim to bring Australian privacy law up to date with the digital age and give individuals more control over their personal information, and they may affect your business from 2024 onwards as they are legislated.
Current exemptions from the Privacy Act 1988 that the review has put under scrutiny:
- Small business
- Employee records
- Political entities
- Journalism
The key changes target:
- Stronger consent and control: Australians would have a clearer right to opt out of direct marketing and more control over how their data is used for targeted advertising.
- Expanded data security obligations: Organisations would need to demonstrate stronger data security measures to protect personal information.
- Removing the small business exemption: Businesses with an annual turnover under $3 million, currently exempt, would become subject to the Privacy Act (the Government agreed to this in principle, subject to consultation).
- Increased enforcement powers: The Office of the Australian Information Commissioner (OAIC) would have greater ability to take action against privacy breaches.
Security of Critical Infrastructure Act 2018 (SOCI Act)
The Security of Critical Infrastructure Act 2018 defines each category of critical infrastructure assets. A single critical infrastructure asset comprises multiple components that work together as a system or network, including premises, computers, and data.
The Security Legislation Amendment (Critical Infrastructure) Act 2021, introduced to Parliament as a Bill in 2020, amended the Security of Critical Infrastructure Act 2018 and expanded its coverage from four sectors (electricity, gas, water and ports) to the following eleven critical infrastructure sectors:
- communications
- financial services and markets
- data storage or processing
- defence industry
- higher education and research
- energy
- food and grocery
- health care and medical
- space technology
- transport
- water and sewerage
Australian Cyber Security Strategy
Reforming Australia's privacy framework will complement other reforms being progressed by the Government, including the 2023-2030 Australian Cyber Security Strategy, Digital ID, the National Strategy for Identity Resilience, and Supporting Responsible AI in Australia.
It has been proposed that entities should be required to comply with a set of baseline privacy outcomes, aligned with relevant outcomes of the Government's 2023-2030 Australian Cyber Security Strategy.
The Australian Government agreed to Proposal 28.1 to 'Undertake further work to better facilitate the reporting processes for notifiable data breaches to assist both the OAIC and entities with multiple reporting obligations.'
ASD's Critical Infrastructure Uplift Program
The Critical Infrastructure Uplift Program (CI-UP) focuses on hardening critical infrastructure (CI) assets and operational technology (OT) environments against known attack pathways. It is a collaboration between the Australian Signals Directorate and critical infrastructure providers to bolster cybersecurity measures and resilience.
What is the Essential 8 in Australia?
The Essential Eight is a baseline set of mitigation strategies that makes it significantly harder for adversaries to compromise systems. It has been designed to protect organisations' internet-connected information technology networks.
The Essential Eight mitigation strategies are:
- patch applications
- patch operating systems
- multi-factor authentication
- restrict administrative privileges
- application control
- restrict Microsoft Office macros
- user application hardening
- regular backups
Australia Secured Configuration Best Practice
The ACSC publishes standards and best practices, notably the Australian Government Information Security Manual (ISM) and its accompanying Cyber Security Guidelines. Each guideline discusses the security risks relevant to the topics it covers and, alongside that discussion, lists the controls that ASD considers efficient and effective mitigations, tailored to the security objectives of a system.
The ACSC's Guidelines for System Hardening include over a hundred controls tailored to different operating systems, environments, and users. Given the number of controls, their complexity, and the rate at which systems change, automation becomes essential. Automated hardening applies these controls consistently across systems, which greatly reduces the risk of human error, and it speeds up implementation, allowing for quicker deployment and updates.
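To make the automation point concrete, and to show how the Essential Eight list above turns into something a machine can check, here is an added example in Python. It is not code from the original page, ACSC or ASD: it evaluates a constructed host configuration snapshot against five of the eight strategies (patching, MFA, administrative privileges, Office macros, backups) and returns pass/fail findings. The patch windows, backup age and the `.adm` admin-account naming convention are assumptions chosen for illustration; take real timeframes from the current Essential Eight Maturity Model and the ISM.

```python
from dataclasses import dataclass
from datetime import date

# Constructed host configuration snapshot used as sample input (not real data).
HOST = {
    "hostname": "web-01",
    "as_of": "2024-06-14",
    "patches": [
        {"id": "APP-001", "released": "2024-05-01", "applied": False, "exploit_public": True},
        {"id": "OS-002", "released": "2024-06-10", "applied": False, "exploit_public": False},
        {"id": "OS-003", "released": "2024-05-20", "applied": True, "exploit_public": False},
    ],
    "mfa": {"remote_access": True, "privileged_users": False},
    "admin_accounts": ["alice.adm", "bob", "svc_backup"],
    "office_macros": "enabled_all",  # assumed values: blocked | trusted_only | enabled_all
    "last_backup": "2024-06-01",
}

# Thresholds are illustrative assumptions for this example, not ASD's figures.
PATCH_DAYS_IF_EXPLOIT = 2    # assumed: patch within 48 hours when an exploit is public
PATCH_DAYS_OTHERWISE = 14    # assumed: otherwise within two weeks
BACKUP_MAX_AGE_DAYS = 7      # assumed local backup frequency target
ADMIN_SUFFIX = ".adm"        # assumed naming convention for dedicated admin accounts


@dataclass
class Finding:
    control: str
    passed: bool
    detail: str


def _days(earlier: str, later: str) -> int:
    return (date.fromisoformat(later) - date.fromisoformat(earlier)).days


def check_patching(host: dict) -> list[Finding]:
    """Patch applications / patch operating systems: every unapplied patch must
    still be inside its allowed window, which shrinks when an exploit is public."""
    findings = []
    for p in host["patches"]:
        if p["applied"]:
            continue
        allowed = PATCH_DAYS_IF_EXPLOIT if p["exploit_public"] else PATCH_DAYS_OTHERWISE
        age = _days(p["released"], host["as_of"])
        findings.append(Finding("patch applications/operating systems", age <= allowed,
                                f"{p['id']} unapplied for {age} days (limit {allowed})"))
    return findings


def check_mfa(host: dict) -> list[Finding]:
    """Multi-factor authentication: each scope must have MFA enforced."""
    return [Finding("multi-factor authentication", enabled,
                    f"{scope}: {'enforced' if enabled else 'not enforced'}")
            for scope, enabled in host["mfa"].items()]


def check_admin_privileges(host: dict) -> list[Finding]:
    """Restrict administrative privileges: admin rights only on dedicated admin
    accounts, identified here by the assumed naming convention."""
    offenders = [a for a in host["admin_accounts"] if not a.endswith(ADMIN_SUFFIX)]
    return [Finding("restrict administrative privileges", not offenders,
                    "non-dedicated admin accounts: " + (", ".join(offenders) or "none"))]


def check_macros(host: dict) -> list[Finding]:
    """Restrict Microsoft Office macros: blocked, or limited to trusted sources."""
    policy = host["office_macros"]
    return [Finding("restrict Microsoft Office macros", policy in ("blocked", "trusted_only"),
                    f"macro policy: {policy}")]


def check_backups(host: dict) -> list[Finding]:
    """Regular backups: the most recent backup must be within the target age."""
    age = _days(host["last_backup"], host["as_of"])
    return [Finding("regular backups", age <= BACKUP_MAX_AGE_DAYS,
                    f"last backup {age} days ago (limit {BACKUP_MAX_AGE_DAYS})")]


CHECKS = (check_patching, check_mfa, check_admin_privileges, check_macros, check_backups)


def run_baseline(host: dict) -> list[Finding]:
    """Run every check and return the flat list of findings."""
    return [f for check in CHECKS for f in check(host)]


def summarize(findings: list[Finding]) -> dict:
    passed = sum(f.passed for f in findings)
    return {"passed": passed, "failed": len(findings) - passed}


if __name__ == "__main__":
    results = run_baseline(HOST)
    for f in results:
        print(f"[{'PASS' if f.passed else 'FAIL'}] {f.control}: {f.detail}")
    print(summarize(results))
```

Against the constructed snapshot the run reports 2 passes and 5 failures: the exploited, unpatched APP-001 and the stale backup fail on age, MFA is missing for privileged users, two admin accounts are not dedicated, and macros are enabled for everyone. In practice the snapshot would be gathered by an agent or configuration-management tool, and the same check functions would run unchanged across every host, which is the consistency argument for automation made above.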