APRA CPS 234. Are You Ready?

APRA has released a new Prudential Standard, “CPS 234: Information Security”. It sets out minimum standards for all regulated Financial Services Institutions (FSIs) in Australia regarding resilience to security incidents and information security capability. The standard builds on the Prudential Practice Guide CPG 234, “Management of Security Risk in Information and Information Technology”, published in May 2013. Regulated FSIs are expected to adhere to all aspects of the new standard when it comes into effect on 1 July 2019.

In its ongoing review of the prudential framework, APRA applies the principles of relevance, consistency with international standards, good practice, facilitation of sound risk management and industry consultation. APRA has engaged with industry bodies, regulated entities and service providers, and has taken their feedback on board in creating CPS 234 Information Security.

A recent review by Capital Consult of selected FSIs concluded that over 68% do not yet fully adhere to the new standard, and that over half of these are not fully aware of their gaps in adherence.

The responsibility and accountability of adherence to the standard sits not only within the IT or Security department, but more broadly across the organisation. The standard covers nine key areas:

1.   Roles and Responsibilities

Security-related roles and responsibilities for decision making, approvals, oversight and operations need to be clearly defined. It is important that this covers all levels of governance, including the responsibilities of the Board, governing bodies and individuals. “The Board must ensure that the organisation maintains information security”.

2.   Information Security Capability

The continued sound operation of the organisation depends directly on the maturity of its people, processes and technology. Capability must be maintained with respect to changes in vulnerabilities, threats, information assets and the business environment. APRA also expects the capability of any related or third party managing information assets to be assessed, and the potential consequences to be understood and acted upon.

3.   Policy Framework

An information security management policy framework must be current and approved. This needs to cover all parties who have an obligation to maintain information security.

4.   Asset Identification and Classification

All information assets, including those managed by related and third parties, must be classified by criticality and sensitivity. This classification must be aligned to the potential impact on the organisation of security incidents affecting those assets.

5.   Implementation of Controls

Security controls must be implemented, taking into account vulnerability, criticality vs sensitivity, life cycle and potential consequence. For any controls managed by related and third parties, the organisation must evaluate their design and operating effectiveness.

6.   Incident Management

The ability to detect and respond to security incidents in a timely manner is required. This must include response plans for incidents that could impact the organisation, and those plans must be reviewed annually. The plans must cater for all stages of incident management and include escalation and reporting.

7.   Testing and Control Effectiveness

Information security controls must be tested through a systematic testing program, at least annually. For any controls managed by related and third parties, the organisation must assess the nature, frequency and effectiveness of that testing. Testing must be performed by independent specialists with appropriate skills. Any deficiencies that cannot be remediated must be escalated to the Board or senior management.

8.   Internal Audit

The activities of the internal audit function must include reviewing the design and operating effectiveness of information security controls, including those maintained by related and third parties.

9.   APRA Notification

The organisation must notify APRA no later than 72 hours after becoming aware of any material security incident. It must also notify APRA within 10 business days of identifying any security control weakness that cannot be remediated in a timely manner.

CPS 234 Information Security is effective from 1 July 2019. APRA will expect regulated entities to be able to provide evidence of the effectiveness of their operating environment in adhering to all aspects of the standard.

Our recommendation is that entities undertake a detailed gap analysis of their security-related operating environment against the CPS 234 requirements, followed by remediation. Capital Consult have identified 56 specific areas of adherence, with the expected supporting evidence for each, that should be reviewed. In our experience, common areas of weakness include:

  • Data loss prevention capabilities, including alignment of cloud and on-premises controls
  • Inadequate data life cycle controls
  • Security posture metrics and reporting
  • Informal (rather than documented) assurance of vendor security capability
  • Limited clarity on roles and responsibilities in cloud shared-responsibility environments
  • Insufficient security awareness throughout the organisation
  • Board or executive oversight of security effectiveness

Priority should be given to identifying and categorising all information assets managed by related and third parties. Each such party should be asked to assess and respond on the controls it operates, with the responses analysed and any areas of weakness addressed.

Capital Consult is currently assisting FSI organisations with adherence to the new Prudential Standard CPS 234 Information Security. For more information, advice or assistance, contact us at Capital Consult.
