CPS 234 Standard: What you need to know
As you may be aware, from 1 July 2019 all APRA-regulated entities will be required to adhere to a new prudential standard, CPS 234. According to APRA, “this Prudential Standard aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyber-attacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats.”
APRA-regulated entities that do not have a plan in place for being compliant with CPS 234 need not worry; in this blog, we break down the steps you need to take, as well as offer help in getting ready to be compliant.
Firstly, let’s look at the standard broadly. Minter Ellison offers a fantastic summary, which I’ve copied below:
- The board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security. More particularly, the new standard requires that the board must 'ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets and which enables the continued sound operation of the entity'.
- Clearly defined roles/responsibilities: The new standard also requires that APRA-regulated entities clearly define 'the information security-related roles and responsibilities of the Board, senior management, governing bodies, and individuals with responsibility for decision-making, approval, oversight, operations, and other information security functions'.
- The new standard applies to 'all information assets managed by service providers'; this includes 'all outsourcing of information assets, whether or not those assets form part of the outsourcing of material business activities', i.e. the new requirements on 'information security capability, information asset identification and classification, implementation of controls, testing control effectiveness and internal audit' would apply to information assets, including those assets managed by related parties and third parties.
- Identifying and classifying information assets: The new standard requires regulated entities to classify all information assets by both 'criticality and sensitivity … irrespective of whether the regulated entity manages the information assets itself, or the information assets are managed by a third party or related party'. Rather than establishing a threshold whereby controls would only apply to information assets deemed 'material', APRA writes, the classification of assets in this way is intended to allow an entity to apply 'proportionate controls by assessing the impact of a loss of confidentiality, integrity, and availability of each information asset'.
- Implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls: e.g. regulated entities will be required to annually review and test their information security response plans, and internal audit activities will be required to include a review of the design and operating effectiveness of information security controls, including those maintained by third parties.
Whilst the summary above offers a quick TL;DR version of the prudential standard, what does it mean in terms of activities, documents, and processes? Let’s break that down:
- A detailed set of roles, responsibilities, and accountabilities: Quite often, information security is dumped on the heads of a select few. Under CPS 234 (and for sound reasons of its own) these responsibilities should instead be spread across the different roles in the organisational hierarchy. The goal is to ensure that the right people are shouldering the responsibility of maintaining information security in a sustainable manner.
To understand how CPS 234 compares to ISO 27001 and NIST, download our helpful guide here.
These new standards are compulsory and are designed to help protect your organisation against a major security breach, which could seriously impact your business. InfoTrust can help you navigate your way to compliance through building a map of the required activities that you can take to ensure you build out a sound security management practice within your organisation.
If you would like any other information feel free to contact InfoTrust at info@infotrust.com.au or phone +61 2 9221 5555.