Deadline Approaching for Submitting Reports on Critical Infrastructure Risk Management Program
Australia's Cyber and Infrastructure Security Centre (CISC) has recently updated the Critical Infrastructure Risk Management Program (CIRMP) annual report form, aiming to provide a clearer attestation process and gather more detailed information about security and cyber security frameworks used by industry.
The updated form, introduced in May 2024, includes more specific questions about cyber and security frameworks and an attachments section, allowing for greater flexibility in reporting. This update comes as a response to feedback received from industry, which highlighted that the previous questions were not specific enough.
The CISC encourages entities to include attachments that provide assurance of compliance with obligations, such as board-approved documents, board attestations, or third-party audit results. The inclusion of attachments can reduce the likelihood of entities being asked for more information or facing auditing at a later date.
The reporting period for the 2023-24 Australian financial year ends on August 31, 2024. Mandatory risk management program (RMP) annual report submissions by sector are as follows: energy (47%), health (19%), data storage or processing (15%), transport (7%), water (6%), communications (2%), financial (2%), and food and grocery (2%). As of August 31, 2024, the CISC has received 53 annual reports from eight different sectors covering 137 assets. The energy and health sectors have submitted the most annual reports so far.
The CISC has stated that there is no requirement for entities to provide attachments, as long as they complete the form and provide the relevant board-approved information. However, the inclusion of attachments can provide a better picture of security frameworks in use and the maturity of industry against those frameworks, helping the government stay informed.
To ensure clarity and meet regulatory needs, the CISC will seek to test questions with industry through the Trusted Information Sharing Network (TISN). The CISC has also addressed queries about the wording of questions on 'security frameworks' through various platforms.
Industry has expressed a desire for more consultation prior to form changes, and the CISC has taken this feedback into account. In the 2022-23 financial year, the CISC encouraged industry to provide voluntary annual reports through a web form and requested feedback to improve the process.
Based on the feedback received, the CISC made changes to the CIRMP Form, providing more clarity about the attestation process, clarifying the information being sought, and ensuring the web form allows attachments to be added. The updated form now provides a better picture of security frameworks in use and the maturity of industry against those frameworks, helping the government stay informed.
As of now, the most used cyber security framework is the 2020-21 AESCSF Framework Core, followed by the Essential Eight Maturity Model.
The CISC expects an influx of submissions towards the end of September.
In conclusion, the updated CIRMP annual report form aims to provide a clearer attestation process and gather more detailed information about security and cyber security frameworks used by industry. The CISC encourages entities to provide attachments to support their compliance with obligations and to provide a better understanding of the industry's security frameworks.