APRA CPS 234 Compliance for Third Parties - 4 Questions to Ask

Our previous blog dove into what APRA CPS 234 is and how organisations can focus on becoming compliant. We also looked at an APRA CPS 234 checklist of requirements. Now let's take it a step further and explore CPS 234 compliance for your third-party vendors and partners.

Cyber security is of paramount importance for organizations as the frequency of cyberattacks increases all over the world. Securing the information assets in your own organization may already be an objective of yours, but have you considered what would happen if a third party you work with were compromised and your information assets were stolen as a result?

Third-party risk is a huge factor when it comes to handling cybersecurity. Third-party risk is the potential threat presented to an organization's employee and customer data, financial information and operations by the organization's supply chain and other outside parties that provide products and/or services and have access to privileged systems.

Here are four questions your organization needs to ask itself regarding its third parties, to ensure APRA CPS 234 compliance:

Q 1: Which of your information assets can be accessed by third parties you work with?

One of the first things you need to do as an organization is to carry out an audit of your third parties to find out which information assets are being managed by them. As the responsibility for complying with CPS 234 falls on your board, they need to know who has access to information assets at all times, including the third parties you are in business with.

Q 2: Which information security roles and responsibilities are being completed by your third parties?

As part of CPS 234, your organization is required to outline and define the roles and responsibilities of everyone who plays a part in handling information security. If you are engaging a third party to conduct phishing training, or one of your third parties is managing and storing customer data, these roles and responsibilities need to be outlined so that they are recorded for reference.

Q 3: How do your third parties go about managing information security?

As your organization will face the brunt of the impact if there is a security breach, it is responsible for making sure security standards are maintained even by external third parties, who in the event of a breach may compromise the information security of your organization. The security measures of third-party vendors need to be evaluated so that they match the potential consequences of a security incident. Even if third parties are found to have sufficient security measures in place, it is your organization's responsibility to make sure that they are maintained over time.

Q 4: Are your third parties' security controls adequate?

CPS 234 insists that organizations protect information security internally as well as make sure that third parties have appropriate security controls in place. These controls need to reflect the possible vulnerabilities and threats that could compromise information assets, the importance of individual information assets and the consequences of a security breach. If, upon evaluation, any of the controls are found to be inadequate, organizations need to make sure that they are brought up to standard.

If APRA is applicable to your organisation, StickmanCyber can help review your cybersecurity framework and offer recommendations to ensure compliance. Explore our APRA CPS 234 compliance services.
