CPS 234 Information Standard is a prudential standard established by the Australian Prudential Regulation Authority or APRA. It calls for organizations in the financial and insurance industry to strengthen their information security framework in order to safeguard their customers and themselves from the growing threat of cyber attacks.
Our previous blog dove into what is APRA CPS 234 and how organisations can focus on becoming compliant. In this post, we put together an APRA CPS 234 checklist to give organisations a ready reckoner of all the related requirements they need to keep up with.
The CPS 234 requires APRA-regulated entities to:
- Explicitly define roles and responsibilities of the board, senior management, governing bodies and other employees regarding information security.
- Create and maintain an information security capability that is adequate enough to deal with emerging threats and existing vulnerabilities, so that the organization can continue to operate efficiently and effectively.
- Establish controls to protect information assets taking into consideration their individual criticality and sensitivity. Continue to evaluate these controls in a timely fashion so that improvements can be made so that they are always of a high standard.
- Report any cyber incidents to APRA
Lock Down Your Cybersecurity & Compliance
Protect, Certify & Grow Your Business
Build resilient governance practices that can adapt and strengthen with evolving threats.
These requirements stated above can be broken down further into eight categories, to offer a quick APRA CPS 234 checklist:
Information security capability
The information security capability requirements entail that an organization maintains an information security posture that has the ability to deal with all threats to information assets regardless of their size and extent. Also, organizations are required to assess the information security capability of third parties that they have relationships with and who have access to the organization’s information assets. Finally under this requirement, as threats and vulnerabilities evolve, so should the organization’s information security capabilities.
Policy framework
As the business environment and information assets change, vulnerabilities and possible threats to their safety may also evolve, therefore the policy framework requirements entail that an organization should update their policies and frameworks according to how threats and vulnerabilities are evolving. These policies need to provide direction on the responsibilities and roles for all parties who are actively involved in information security, for example, parties such as contractors, staff, third parties, customers etc.
Information assets identification and classification
This particular requirement of the CPS 234, requests that APRA-regulated entities identify the criticality and sensitivity of information assets and then proceed to classify them based on these two factors. It is important to also consider how information assets that are classified as non-sensitive and non-critical could affect information assets that are critical and sensitive. Classification of information assets needs to be done in a clear manner so that all stakeholders, whether that be internal or external can easily grasp the information presented.
Implementation of information security controls
Information assets need to be supported by information security controls, including those that are managed by third parties. Controls need to take into account existing and emerging threats and vulnerabilities, the life cycle stage of information assets and finally the consequences of information security breaches to critical and sensitive information assets.
Incident management
Organizations are required by CPS 234 to have mechanisms in place that are able to detect and respond to any type of incident at any given time. These mechanisms could include but are not limited to scanning, monitoring, sensing and logging solutions.
Detecting incidents is only one part of the challenge, an incident response plan needs to be constructed so that if an incident is identified appropriate action can be taken to mitigate its impact on information security and organizational operations as a whole.
As part of your incident response plan, Individuals in your organization need to be aware of their responsibilities through all stages of an incident so that the impact can be minimized or prevented altogether. Lastly, Incident response plans should be reviewed annually and tested to ensure they remain effective and fit for purpose.
Testing control effectiveness
Under CPS 234, organizations are required to test the effectiveness of information security controls via a systematic testing program, that takes into account the following factors:
- The rate at which the vulnerabilities and threats change
- Criticality and sensitivity of the information asset
- Consequences of an information security incident
- Risks associated with exposure to environments where the entity is unable to enforce its information security policies
- Materiality and frequency of change to information assets
APRA insists that information security controls need to be tested annually if and when the business environment changes or there are material changes to information assets. For these tests to be effective organizations must make sure success criteria are clearly defined and that results are properly communicated to a higher authority like your organization’s board of directors. Finally, an independent body outside of the organization should conduct the test to ensure that no biases are present.
Internal audit
Internal audit is a requirement that needs to be met so that the board can be assured that information security is being maintained by the organization. Under CPS 234, organizations are required to include information security within the internal audit activities of an organization
APRA notification
If an information security incident materially affects the organization or affects its stakeholder’s interests you are required to notify APRA as soon as possible and no later than 72 hours after you are aware that the incident has occurred. Similarly, if there is a material weakness in a particular information security control that the organization cannot remediate in a timely manner, APRA needs to be notified immediately and within 10 days.
If APRA is applicable to your organisation, StickmanCyber can help review your cybersecurity framework and offer recommendations to ensure compliance. Explore our APRA CPS 234 compliance services.
The First Step is Crucial. Start with a Cybersecurity Assessment
Where are you at your cybersecurity maturity journey? Get an assessment of your current security posture and identify the gaps and challenges that you need to act upon.