The information security measures implemented across the Australian financial industry have largely been governed by the principles laid down in the CPG 234 circular, which has been in effect since 2010 and was last revised in May 2013. In view of the recently launched Information Security Prudential Standard CPS 234, APRA has also upgraded CPG 234 to accompany the standard and act as a guiding pillar for the entities required to comply with the mandate. The window for responding to the newly revised prudential practice guide (CPG 234) proposed by APRA closed on 17 May 2019.
The prudential guideline CPG 234 is slated to usher regulated entities into employing a contemporary and forward-looking information security framework as charted out in CPS 234, which comes into force on 1 July 2019. Note that, for the special cases in which a complying entity’s information is managed by a third party under an offshoring or outsourcing arrangement, APRA has provided an extension until the next contract renewal date or 1 July 2020, whichever comes first.
CPS 234 aims to enforce modernised security standards commensurate with the growing range of internal and external threats to information assets owned by the financial industry. The standard puts the onus on the board of directors to ensure that the organisation has implemented an information security management framework that is fully equipped to combat and fend off potential security incidents. APRA also expects to be duly notified within a fixed time period in the event of a breach, or of the identification of a potential weakness in controls pertaining to information security.
To help the industry assess its CPS 234 compliance readiness, compiled below is a list of 7 major areas that must be ticked off before the deadline arrives in about a month’s time.
1. Roles and Responsibilities
Role of the board: As CPS 234 squarely places the responsibility for information security on the board, the directors must outline the means by which they will assess the soundness of the information security framework and, in the process, the level, frequency and timing of reporting that they will rely upon. APRA prescribes four major aspects that can constitute the reporting to board members: information security capability, incidents, controls and education.
Information security-related roles: The board must also outline the roles pertaining to the information security of the regulated entity across its various departments, including information technology.
2. Information Security Capability
Commensurate security measures: Advances in technology, coupled with the interconnectedness of organisations via offshoring and outsourcing arrangements, have made information security an utmost priority for regulators. APRA therefore recommends that regulated entities employ advanced defence measures capable of protecting information assets from modern threats. The entities must also ensure that any third party handling their information abides by the same level of security requirements as the entities themselves.
3. Policy Framework
Information security framework: The complying entity must define high-level information security principles, which in turn act as the guide posts for building a policy framework. The policy framework thus formed must: (a) complement other enterprise-wide frameworks (such as risk management); and (b) be further broken down into enforceable standards, guidelines and procedures.
Blanket upgrade and exceptions: The forward-looking approach to managing information security outlined in CPS 234 must be extended to all existing processes and procedures. The effectiveness of the framework must be assessed on a frequent basis, and where an upgrade (to CPS 234 standards) is not readily achievable, the firm must formulate strategies to handle and overcome such exceptions.