Introduction
If you are regulated by APRA, then this is for you.
Now that you have started ensuring that newly contracted third parties handle your information appropriately (right?), our friends at APRA have given you until July 1 this year to demonstrate compliance with CPS 234 for existing contracts.
That’s… just over 5 months away. Time to get busy!
Although on the surface, APRA CPS 234 appears quite straightforward, there are many challenges below the surface.
The first challenge is to identify where your customers' sensitive information is stored or processed, exactly how sensitive it is and who handles it – including any access by third parties.
Other challenges sit in identifying the actual roles and responsibilities for information security, including implementation of controls, testing control effectiveness and performing audit activities.
However, your greatest challenge is completing any necessary rework across multiple third parties within the time frame given for compliance.
Working backwards from the 1 July 2020 deadline, you will need to:
1. Ensure you allow adequate time to report on the overall ‘status of compliance’ to the Board (and to APRA if there are any detected incidents or material weaknesses).
2. Perform an internal audit against the APRA CPS 234 requirements (possibly with expert opinion).
3. Conduct independent testing of controls.
That doesn’t leave much time!
Heads up.
APRA CPS 234 is closely aligned with ISO/IEC 27001. This means it is an achievable and comparable benchmark for information security!
It is not overly prescriptive, so depending on the size and nature of your business, it must be interpreted in proportion to the risk you face.
It is only a foundation and APRA is expected to look closely at the detail of risk assessments, security policies, test/audit results and reporting.
Who you gonna call?
We’re here to help. The combined assessment and management system functionality will help you continually improve over time.
With 6clicks, you can quickly and easily perform an internal assessment of compliance against APRA CPS 234, or assessments against any number of third parties.
Assessment can be conducted by your own organisation or by working collaboratively with any number of Service Providers (consultancies) that now choose 6clicks when performing assessments for you.
Use of a Service Provider can help bring independence, expert opinion and credibility to your assessment of compliance.
Our platform can also help you:
– Implement the requirements of APRA CPS 234 on behalf of regulated entities.
– Map APRA CPS 234 requirements to internal controls and policies.
– Record your information assets and classifications.
– Provide risks and treatment plans.
– Report progress of control implementation, security incidents and issues (including internal audit findings and feedback from the board!).
Grab a free trial account by clicking below. We’re here to sort this out for you.
Written by Andrew Robinson
Andrew started his career in the startup world and went on to perform in cyber and information security advisory roles for the Australian Federal Government and several Victorian Government entities. Andrew has a Masters in Policing, Intelligence and Counter-Terrorism (PICT) specialising in Cyber Security and holds IRAP, ISO 27001 LA, CISSP, CISM and SCF certifications.