If you are located in Australia or do business in Australia, you may be an Australian Prudential Regulation Authority (APRA) regulated entity. If you are unsure, take a trip to APRA’s website and see whether it’s applicable to you or not.
For the sake of this blog let’s say you are regulated or are just interested in what it means if you are. In that case, you may be subject to the new prudential standard of CPS 234.
CPS 234 is a prudential standard that defines information security requirements for the management of information assets. CPS 234 sets out these basic requirements that a regulated organisation must meet:
Before we get to the actions that an organisation would need to take in order to be compliant, let’s lay out the three big questions that need to be answered internally first:
If these three questions can be answered with certainty and comfort, you are probably ready to start looking into the actions needed to specifically convert this readiness to CPS 234 readiness. However, if you can’t answer those questions, doing so should be your first priority.
Once these questions are answered, there is one more big one to answer: how strong is the existing incident response plan, or how capable is the organisation in generating an incident response plan? The requirements around these response plans can be nuanced, but boil down to three major steps:
With the knowledge that information has to be secured, and assets need identification, there are steps that should be taken to be certain that coverage is adequate. We’ll boil them down to major areas:
An information asset is defined as information and information technology, including software, hardware, and data (both soft and hard copy). You must be able to locate and identify all of those assets within the organisation and classify them by the potential impact of a loss of confidentiality, integrity, or availability.
The organisation needs to be able to identify every circumstance or event that has the potential to exploit a weakness in an information asset or information security control and thereby compromise information security, along with the assets that could be subject to each one. This information is required when determining information security controls for the organisation and will be reported back to APRA.
Information security controls must be in place commensurate with vulnerabilities and threats to the information assets in play, with the criticality and sensitivity of the information assets, the stage of the asset’s lifecycle, and the potential consequences of an information security incident.
These are all great pieces to start with to build a plan, but building a plan and executing on a plan are two different things. Read part 2 of our CPS 234 series where we talk about the execution of our planning to be sure we are staying in line with CPS 234 compliance.
In the meantime, check out my recent on-demand webinar “Impact of APRA’s CPS 234 on Organisation Data”.
As VP of Product Strategy at STEALTHbits, Ryan is responsible for the vision and strategy of their Data Access Governance solutions. Ryan has a tenure of thirteen years in the technology space across multiple different areas. Prior to joining STEALTHbits he most recently served as Director of Product Management at Metalogix Software, helping to lead them to acquisition by Quest Software. He has also previously held positions in R&D, Presales Engineering, and Technical Support.