How To Manage Personnel Hazards In Supply Chains
This article dissects the personnel-related hazards in critical infrastructure supply chains and explores viable solutions to mitigate them.
The recent warning from the Five Eyes intelligence chiefs on the threat of IP theft from China highlights the threat of state-based espionage to business. Combined with the particular attraction that the defence industry and critical infrastructure hold for state actors, it is yet another warning that commercial entities in these sectors must be vigilant. And all must be vigilant, because a breach in the defences of one trusted partner presents a threat to every partner in the chain.
As the global focus sharpens on the security of critical infrastructure, one aspect often remains underrepresented: the potential risks arising from personnel within the supply chain. Members of the Defence Industry Security Program (DISP) have highlighted these concerns, especially when interfacing with the Critical Infrastructure Security Centre (CISC).
Background
Before delving into the challenges, it’s vital to understand the existing frameworks that underscore the significance of personnel risks and their management:
- Defence Security Principles Framework: DISP Members adhere to this framework, which requires security clearances, AS 4811-22 screening and insider threat programs (such as regular security awareness training and briefings) to meet its Personnel Security Pillar.
- Security of Critical Infrastructure (SoCI) Act: Parts of the Defence sector that fall within this Act have additional responsibilities, especially when they collaborate with entities managing Critical Infrastructure Assets under the Act.
- CISC’s Role: Critical Infrastructure Asset Owners are mandated to register their assets with the CISC, develop a Critical Infrastructure Risk Management Plan (CIRMP) for each asset, and notably, detail their strategy for personnel background checks, ensuring alignment with the Act and related regulations.
- Hosting Certification Framework (HCF): Providers of cloud and data centre services to the Australian government are required to meet security clearance standards for specified categories of personnel as part of certification under this framework.
- Border Security Related Personnel Compliance: Entities operating at and across the border must comply with regulations such as ASIC, MSIC and B103 processes.
- International Obligations: Those involved in the US supply chain must adhere to international obligations such as ITAR.
Personnel Hazards: The Underestimated Risk
With today’s emphasis on cyber threats and information security treatments, attention is often directed at the technology and its associated controls. Yet an uninformed staff member, whether exploited by an external threat actor or acting as a malicious insider, can undo the entire investment in technology and associated policies. Government recognises this, hence the emphasis on confirming identity and conducting character checks in the programs and frameworks listed above.
It’s important to note that people change; they are not the same person they were when they joined the organisation. Changes in relationships, life stressors and access to information can alter an individual’s risk profile. Hence the importance of a personnel security program that enables people to report changes of circumstances and overseas contacts, and that sets out international travel reporting obligations, to name just a few elements.
People also leave, some on bad terms and some disgruntled for one reason or another. Departing staff can be a source of risk to an entity’s assets, people, information, IP and systems.
Personnel Security Treatments: Necessary But Complex
The convergence of DISP Members with the CISC and the obligations under the SoCI Act along with other frameworks brings forth several personnel-related challenges:
- Inconsistent Protocols: Different entities may apply varied standards and depths of personnel screening and risk analysis – sometimes called suitability tolerance thresholds (in other words, how bad is bad). This inconsistency can create weak links in the supply chain, leaving it vulnerable. For example, compare the ongoing management of personnel security clearances under DISP with the management of a “critical worker” under the SoCI Act, where the AusCheck for that worker is a point-in-time check. Will an organisation’s CIRMP manage the ongoing personnel security risk of this worker? (More on this below.)
- Multiple Obligations: DISP Members face the unique challenge of balancing their obligations under the Defence Security Principles Framework with those arising from Critical Worker interactions under the SoCI Act and other frameworks. Industry participants need to understand the personnel security requirements of each framework so that they can avoid duplication while still meeting the requirements of each.
- Documentation Overload: With the rigorous requirements for asset registration and CIRMP development, there is a risk that the personnel aspect gets overshadowed or inadequately addressed, as noted above under protocols. Where multiple obligations apply, mapping which staff need which clearance for which program or framework is complex and burdensome, but DISP Members will need to address it in their DISP Security Risk Assessment.
Towards a More Secure Personnel Framework
Addressing these challenges requires a multifaceted approach:
- Unified Screening Standards: Establishing a standard protocol for personnel screening across the board, under which one entity’s processes can be “accepted” by others, would eliminate inconsistencies and ensure that every individual within the supply chain is vetted adequately.
- Clearer Guidelines: Providing DISP Members with clear, actionable guidelines that harmonise their dual obligations can prevent oversights and potential risks.
- Emphasis on Personnel in CIRMPs: Ensuring that the personnel aspect is highlighted and adequately addressed in each CIRMP can significantly enhance risk management.
- Leverage Existing Security Treatments: In the meantime, organisations with a security clearance and staff screening process, combined with insider threat and training programs, are in a sound position. They should maximise these personnel security risk treatments to their advantage and apply them as part of their evidence base against the requirements of programs and frameworks.
What can we do?
Personnel hazards in the critical infrastructure supply chain may not always be in the limelight, but their potential impact is profound. As the landscape of critical infrastructure continues to evolve, addressing these risks head-on is not merely advisable – it’s imperative. If you find yourself navigating these complex waters, here are some actions to consider:
- Know your compliance environment as part of understanding your obligations for treating supply chain risk.
- Know the personnel security component of these risk treatments.
- Look for efficiency by maximising the application of your current security treatments, be they clearances, vetting or other controls, and record them in your security risk register as evidence.
- Communicate with your people about why this is required and what their involvement requires of them. A fair and open approach lays a strong foundation for building a robust organisational security culture.
- Know where to go for help. Information is available on government and departmental sites, but admittedly it can be overwhelming to join the pieces together.
If in need of help, don’t hesitate to consult with Anchoram Consulting for expert advice tailored to your needs. We have people experienced in the programs and frameworks and well-versed in the application of security controls.
For a thorough and compliant personnel screening process, consider the expertise of the Cleard Life Vetting Agency and its Critical Infrastructure Clearance, along with its vetting support services for DISP and other programs requiring AGSVA clearances.
By prioritising personnel security today, we can ensure our other investments in security are supported, not wasted. This proactive approach will fortify our critical infrastructure and prepare us for the challenges of tomorrow.