What is APRA’s CPS 234? Part 2

This is our second part of a two-part series regarding APRA’s new prudential standard of CPS 234 and how this can potentially impact an organisation.

Part 1 focused primarily on the background of the CPS 234 and the beginning of the controls necessary to put in place to begin getting ready. Today we are going to talk about the additional steps necessary around risk management and some of the best practices to assist with that risk management in regards to data within an organisation.

How Do I Implement Risk Management for APRA CPS 234?

CPS 234 details how a Risk Management plan should be laid out into a few different areas – Controls, Testing, and Auditing. We discussed the Controls already in Part 1, so let’s talk about the requirements around Testing and Auditing.

Testing as Part of Risk Management

The defined Controls need to be in place in a manner commensurate with the vulnerabilities, threats, criticality, and sensitivity to/of the information assets, the stage of the information asset’s lifecycle, and the potential consequences of an information security incident. The Testing area is designed to test the effectiveness of these controls with systematic testing in the organisation.

Timeliness of these testing options varies. Similar to so many other portions of CPS 234, this cannot be a “one-size-fits-all” approach to the validity of the testing processes. The nature and the frequency of the testing of the controls will be commensurate with:

• The rate at which the vulnerabilities and threats change
• The criticality and sensitivity of the information assets
• The consequences of an information security incident
• The risks associated with exposure to environments where the APRA-regulated entity is unable to enforce it’s information security policies
• The materiality and frequency of change to assets

As part of the defined controls associated with planning and responsibilities for CPS 234, the Board and Senior Management within the organisation need well-defined roles and responsibilities within the overall security process. One role that is required is being the endpoint for reporting when testing results identify deficiencies that cannot be remediated in a timely manner – a challenge that may or may not need to be reported to APRA.

Internal Auditing

Every APRA regulated entity is performing internal audit activities already. CPS 234 requirements to add to these audit activities a review of the design and operating effectiveness of the implemented Controls.

These audit events don’t solely apply to the regulated entity – this also involves related and third parties. The APRA regulated entity must assess the information security control assurance provided by these related and third parties where the following is true:

• An information security incident affecting the information assets has the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries, or other customers.
• An internal audit intends to rely on the information security assurance provided by the related party or third party.

Effectively, this means that regulated entities need to ensure that all third parties they engage with from an asset perspective are following the same plans as the regulated entity, otherwise there can become challenges with compliance from the regulated entity. Third parties who are not traditionally under APRA compliance should look to implementing information security control plans regardless to ensure that they can continue to work with the regulated entities.

Generating Response Plans

Being able to show an appropriate response to incidents under CPS 234 is also important when attempting to remain compliant. A response plan needs to include mechanisms that manage all relevant stages of an incident; this includes not only the detection phase but also the post-incident review.

There must also be a plan in play for the escalation and reporting of information security incidents. These reports are generally going to be provided to the Board as part of their defined roles and responsibilities, but these need to also take into consideration additional governing bodies, APRA, and certain individuals that may be in play.

While the reviews of controls are defined by the criticality and sensitivity of the assets, the response plan review must occur annually to ensure it remains effective – this includes performing runs of the plan to ensure it is fit-for-purpose.

How Can I Prepare?

We’ll break this down into eight major steps to prepare for CPS 234 compliance:

1. Define roles and educate stakeholders
2. Understand and define Information Security Assets
3. Understand and define Information Security Threats
4. Ensure Asset Protection Aligns to Threats
5. Define Controls
6. Define Testing
7. Define Assurance
8. Prepare and Practice Response Plan

While hopefully this blog series and the associated webinar has helped somewhat with all eight of these, STEALTHbits really shines with steps two-through-five. Hence this blog will focus on these areas below specifically:

• Understand and define Information Security Assets
• Understand and define Information Security Threats
• Ensure Asset Protection Aligns to Threats
• Define Controls

Let’s break it down with some basic recommendations that will help you prepare and understand each of these gaps:

Discover Information Asset Resources

One of the largest challenges with security information assets is the identification of where those assets exist. All too commonly an individual user can raise up their own data platform (ex: Confluence, SQL, SharePoint, etc.) that is unknown by IT and is therefore ungoverned. One large portion of a plan to discover information assets should be a complete interrogation of all known hardware assets and networked assets to identify where information may reside and develop the appropriate reactions to it.

Once the assets themselves have been discovered, it’s important to identify as much information about the assets as is possible. Understanding the assets, including such areas as security controls, content sensitivity, utilization, etc. is extremely important for determining the threats and the controls necessary for the asset.

Analyze Content for Existing Information

One major portion of CPS 234 is that no two assets are created equal. The sensitivity may vary, the criticality may vary, and the controls needed will change commensurately. As a result, it’s important when reviewing digital assets that their exact sensitivity and classification level must be known. When reviewing all assets they should also be checked for sensitive financial information, PII, etc., classified, and controlled appropriately.

Threat Preparation

Identifying the threats associated with information assets is a major proponent of the CPS 234 standard. Some of the largest threats from a content perspective fall within the concept of insider threat and ransomware attacks. Both of those threats (plus many others) can generally be caught by looking at usage/activity of critical and sensitive resources. However, it’s important to implement a solution ahead of time that not only monitors for critical content activity but also monitors for when the activity on that content is outside of the traditional activity taken. Software platforms supporting UBA and UEBA would be the preferred method to monitor for threat activities and prevent them.

Optimize Your Content and Environment

The data in a regulated entity that is least likely to be associated with an incident is the data that doesn’t exist.

Too many organisations retain data over time periods above-and-beyond the necessity of that content. Performing a ROT (Redundant, Obsolete, Trivial) analysis on the environment to figure out what information is duplicated, aged, or not business-relevant will generally result in the ability to purge reasonable amounts of content from environments. If it is not actively adding value and it’s not part of a required retention plan, archival or destruction is likely the best route to take.

With these steps in play, hopefully, you are better poised to understand how CPS 234 impacts you, what the basic steps are that you need to take, and what granular actions you may need to take to securely manage your digital assets.

Check out my recent on-demand webinar “Impact of APRA’s CPS 234 on Organisation Data“.