What is APRA’s CPS 234? Part 1

If you are located in Australia or do business in Australia, you may be an Australian Prudential Regulation Authority (APRA) regulated entity. If you are unsure, take a trip to APRA’s website and see whether it’s applicable to you or not.

For the sake of this blog let’s say you are regulated or are just interested in what it means if you are. In that case, you may be subject to the new prudential standard of CPS 234.

So, What Actually is CPS 234?

CPS 234 is a prudential standard that specifically defines information security controls for management of secured assets. CPS 234 specifically sets out these basic requirements that a regulated organisation must perform:

• Clearly define the information security-related roles and responsibilities of the Board of the organisation, senior management, governing bodies, and individuals.
• Maintain an information security capability commensurate with the size and extent of threats to the organisation’s information assets, and which enables the continued sound operation or the organisation.
• Implement controls to protect the organisation’s information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls.
• Notify APRA of material information security incidents.

What Does That Mean in Layman’s Terms?

• Everyone needs to know exactly what their responsibilities are when it comes to securing data and infrastructure. These responsibilities need to be documented.
• There needs to be a plan in place to protect the data and infrastructure in the organisation. The context and scope of this plan depends on the type of data in play, the risk of threat, the common threats they may undergo, or other factors that impact it. This won’t be a “one-size-fits-all” approach to security.
• If there is a data breach or a similar event where information is compromised, APRA needs to be informed.

What Do I Need to Do to Be Compliant With CPS 234?

Before we get to the actions that an organisation would need to take in order to be compliant, let’s lay out the three big questions that need to be answered internally first:

1. What is the potential impact of a loss of availability, a loss of confidentiality, or a loss of integrity of the software, hardware, and data in my organisation?
2. Can we detect and respond to an actual or potential compromise of our software, hardware, and data in the organisation?
3. Does the organisation, or is the organisation capable of, conducting regular audits on both the design and operating effectiveness of security controls implemented internally?

If these three questions can be answered with certainty and comfort, you are probably ready to start looking into the actions needed to specifically convert this readiness to CPS 234 readiness. However, if you can’t answer those questions, doing so should be your first priority.

Once these questions are answered, there is one more big one to answer: how strong is the existing incident response plan, or how capable is the organisation in generating an incident response plan? The requirements around these response plans can be nuanced, but boil down to three major steps:

• Any incident that affects or has the potential to affect the organisation, it’s customers, or beneficiaries must be reported to APRA in 72 hours or less.
• Incident response plans can no longer be generic but instead must cover all possible incidents with a tailor-made response to each
• All response plans need efficacy of the plan confirmed annually which means that incident exercises are now a mandatory requirement

What Steps Should I Take to Comply With APRA’s CPS 234?

With the knowledge that information has to be secured, and assets need identification, there are steps that should be taken to be certain that coverage is adequate. We’ll boil them down to major areas:

Understanding Assets

An asset is defined as information and information technology, including software, hardware, and data (both soft and hard copy). You must be able to locate and identify all of those assets within an organisation and classify it by the potential impact of a loss of confidentiality, integrity, or loss of availability.

Understanding Threats

For any possible circumstance or event that has the potential to exploit a weakness in an information asset or information security control that could be exploited to compromise information security, the organisation needs to be able to identify the entire list as well as the assets that could be subject to it. This information is required when determining information security controls for an organisation and will be reported back to APRA.

Manage Asset Protection

Information security controls must be in place commensurate with vulnerabilities and threats to the information assets in play, with the criticality and sensitivity of the information assets, the stage of the asset’s lifecycle, and the potential consequences of an information security incident.

What Comes Next to Comply with APRA’s CPS 234?

These are all great pieces to start with to build a plan, but building a plan and executing on a plan are two different things. Read part 2 of our CPS 234 series where we talk about the execution of our planning to be sure we are staying in line with CPS 234 compliance.

In the meantime, check out my recent on-demand webinar “Impact of APRA’s CPS 234 on Organisation Data“.