Â鶹Éçmadou
MyIT

Systems of Critical Infrastructure Act (SOCI) Guidance

Personalise
Data scientists. Programmer using laptop analyzing and developing in various information on futuristic virtual interface screen. Algorithm. marketing and deep learning of artificial intelligence

Welcome to the Systems of Critical Infrastructure (SOCI) Guidance and asset declaration webpage. From here you can access information to help you understand how to comply with SOCI legislation and declare a critical research asset. If you're aware of the legislation and want to fast track the process, view the Ìýor scroll down to find relevant section below.

(now the ) commenced several key Government initiatives such as critical infrastructure law reforms to protect and improve the resilience of Australia’s critical infrastructure. This includes the and the subsequent .

The SOCI Act, commenced on the 31st of March 2022. The act creates a framework for regulating sectors that operate, support, or maintain critical infrastructure assets, as per the definition. The original act has been amended under the (SLACIP Bill) to include the Higher Education and Research sector. Â鶹Éçmadou is now obligated to comply with the requirements of the act.

The assets in scope of the act are limited to the following, as defined in the Security of Critical Infrastructure Act:

" an asset that is an Australian university category of the National Register of Higher Education Providers and is used in connection with undertaking a program of research that is critical to:

(i) a critical infrastructure sector
(ii) the defence of Australia
(iii) national security.

Per item (i), critical infrastructure (CI) sectors include communications, data storage and processing, financial services and markets, water and sewerage, energy, health and medical, food and grocery, transport, space technology and defence industry.

Overview

  • Critical Infrastructure entities (Â鶹Éçmadou Included) are required to report cyber security incidents that impact critical research being performed in support of the 11 sectors in scope (communications, data storage and processing, financial services and markets, water and sewerage, energy, health and medical, food and grocery, transport, space technology, and defence industry). The incident must be reported to the Australian Cyber Security Centre (ACSC) after being made aware, within the following time frames:

    • 12 hours, if the incident is having a significant impact on the availability of the asset
    • 72 hours, if the incident impacts the availability, integrity, or reliability of the asset, or the confidentiality of information about, or held by the asset.

    Under this legislation, Â鶹Éçmadou must comply with the reporting time frames in the event of an incident impacting (or has the potential to impact) the assets in scope. Penalties of up to 50 penalty units exist where reports are not given within the required time frames. the Cyber Security team has established a process to help identify and capture relevant details for critical research assets to be prepared for this event and meet our regulatory obligations under the act.

  • The Cyber Security team have provided an online form to help key personnel declare assets that potentially fall within the definition of critical research, to help support the University in meeting the obligations under the SOCI legislation.

    All research applications/investigators are required to attest on whether their research does or does not fall within the definition of critical research by completing the online form in the link below.

    Note: Research investigators and sponsors are accountable for ascertaining whether their research meets the definition of critical research.

    When thinking about risks to help contextualise what would be considered critical, think also about the provisioning and operation of learning resources for universities, affecting the higher education of students in a specialised field of study and/or the ability to conduct critical research.

  • For more information about the act, please visit the resources below:

    • Ìý(Original SOCI Act)​
    • Ìý(SLACIÌý Act/Bill 1)​â¶Ä‹â¶Ä‹
    • Ìý(SLACIP/ Bill 2)​​

Reporting cyber incidents

It is important to report any cyber security incidents as quickly as possible so that Â鶹Éçmadou IT’s Cyber Security team can address any issues and mitigate risk exposure.

What should I report?

  • Suspecting your computer or account has been compromised.
  • Having evidence on how technology or University data may be vulnerable.
  • Noticing a colleague inappropriately sharing Highly Sensitive or Sensitive data.
  • Losing a University asset containing sensitive information.

Report a cyber security incident by calling the Â鶹Éçmadou IT Service Centre on 02 9385 1333 or using the link below.

Cyber security is everyone’s responsibility and by learning a few rules, simple steps, and following guidelines, we can protect ourselves and our University from cyber security threats and keep data safe. Go to Cyber Security Training and AwarenessÌýfor more information.
Ìý

"Enhancing cyber security, including protecting information and privacy, is of paramount importance to our core functions of education and research. We all play a part in being cyber smart."Ìý

Professor Attila Brungs, Vice-Chancellor and President, Â鶹Éçmadou Sydney