The Clock is Ticking on CPS 234
With the deadline for APRA regulated businesses to ensure their compliance with the CPS 234 security standard, the clock is ticking for many organisations. InfoTrust Senior Security Consultant, Indra Gunawan, takes a look at the origins of the standard, what it means for APRA regulated entities and the requirements for businesses.
What is the CPS 234 Standard?
In July last year (2019), as a direct response to the changing cyber landscape, a new prudential standard was implemented for all Australian Prudential Regulatory Authority (APRA) regulated entities. It was introduced as a measure to improve the overall security capability of the entire industry, making businesses more resilient against security incidents. It’s no surprise such a measure was introduced: you only have to read the news to know that security breaches will happen, and businesses need to be prepared. As cybercriminals use increasingly sophisticated tools and techniques, cybersecurity should do the same, constantly evolving to protect information security.
CPS 234 is a mandatory regulation that requires organisations to significantly raise their information security capabilities in line with the size and extent of the threats to their assets. All APRA regulated businesses must ensure compliance with the security standard by 1 July 2020. The primary objective is to minimise the chance and scale of a security incident on the confidentiality, integrity, or availability of information assets, and that includes assets managed by third parties. The introduction of the regulation highlights yet again the importance of strong cybersecurity in the digital age.
How Does it Affect APRA Regulated Businesses?
APRA has recognised that the boards of its regulated entities need to improve their understanding of cyber risk. As such, under the CPS 234 standard, the board of APRA-regulated businesses is responsible for ensuring that the organisation maintains its information security by:
- Defining roles and responsibilities – clearly defining all security-related roles, including those of the board, senior management, governing bodies, and individuals, ensuring the right people are shouldering responsibility.
- Policy framework – your organisation must maintain an information security policy that is proportionate to your business’ exposure to vulnerabilities and threats. This policy should also communicate the defined roles and responsibilities as covered in the first point.
- Classifying information assets – assets should be classified according to their criticality and sensitivity, considering how different groups would be affected should a breach occur.
- Assessing the information security capability of your organisation and your third parties – your organisation’s security capabilities should be appropriate in relation to the size and extent of threats to your company assets. Where information assets are managed by third parties, it is your responsibility to determine their information security capabilities too.
- Implementing controls – protecting information assets, including those managed by third parties, with measures that are suitable for the critical nature and sensitivity of those assets.
- Undertaking testing – systematically testing controls to confirm they remain effective. Tests should be conducted at a minimum annually, or whenever there is a material change to information assets or the business environment.
- Preparing an incident response plan – ensuring your business is able to robustly respond to security threats when they happen, including reporting and evaluating information to the board.
- Internal audit – the design and operating effectiveness of all information security controls, including any maintained by third parties, must be reviewed by the internal audit function. You must also ensure the person undertaking the audit is appropriately skilled to provide assurance over these controls.
- Notifying APRA of security incidents – promptly informing APRA within 72 hours of any cybersecurity incidents and within 10 days after becoming aware of any material information security weaknesses that can’t be resolved.
The Time to Check Your Compliance is Now
The clock is ticking with 1 July fast approaching; check your compliance against the compulsory regulation and ensure your business is capable of standing up to cyber threats. While protecting your company’s digital assets can seem like a battle, with a prudent and proactive approach it is one that can be won. InfoTrust can help you navigate your way to compliance by outlining the actions you need to take to build a sound security capability within your organisation.
To find out more about how your business stacks up against the CPS 234 standard, request a complimentary two-hour assessment with us today.