The Information security measures implemented across the Australian financial industry have largely been governed by the principles laid down in CPG 234 circular that has been in effect since 2010 and was last revised in May, ’13. In view of the recently launched Information Security Prudential Standard CPS 234, APRA has also upgraded CPG 234 to accompany the standard and act as a guiding pillar for the entities nominated to comply with the mandate. The window for responding to the newly revised prudential practice guide (CPG 234) proposed by APRA has closed-down on 17thMay, ’19.
The prudential guideline CPG 234 is slated to usher regulated entities into employing a contemporary and forward-looking information security framework as charted out in CPS 234, coming in force on 01stJuly, ‘19. Note that, for the special cases involving complying entities’ information being managed by third-party via offshoring or outsourcing arrangements, APRA has provided extension till next contract renewal date or 01 July, ’20, whichever happens earlier.
CPS 234 aims at enforcing modernised security standards commensurate with the rising ways & means of internal and external threats to information assets owned by the financial industry. The standard puts onus on the board of directors to ensure that the organisation has implemented an information security management framework that is fully equipped to combat and fend off potential security incidents. APRA also expects to be duly notified within a fixed time period in the event of a breach or of the identification of potential weakness in controls pertaining to information security.
To help the industry in assessing their CPS 234 compliance readiness, compiled below is a list of 7 major areas that must be ticked off before the deadline arrives in about a month’s time.
1. Roles and Responsibilities
Role of board: As CPS 234 squarely puts the responsibility of information security on the board; the directors must, therefore, outline the means by which they will assess the soundness of the information security framework and in the process; the level, frequency & timing of reporting that they would rely upon. APRA prescribes four major aspects that can constitute the reporting to board members: Information security- capability, incidents, controls and education.
Information Security-related Roles: The board must also outline the roles pertaining to the information security of the regulated entity spanning across various departments including that of information technology.
2. Information Security Capability
Commensurate Security Measures: Advancement in technologies coupled with the interconnectedness of organisations via offshoring/outsourcing arrangement has invariably made information security an utmost priority for regulators. Therefore, APRA recommends the regulated entities to employ advanced defense measures capable of protecting information assets from modern threats. The entities must also ensure that the third-party handling their information also abide by the same levels of security requirements as the entities themselves.
3. Policy Framework
Information Security Framework: The complying entity must define high level information security principles which in-turn would act as the guiding posts in steering towards building policies framework. The policy framework thus formed, must: (a) complement other enterprise-wide frameworks (such as risk management) and; (b) be further broken down into enforceable standards, guidelines and procedures.
Blanket upgradation and Exceptions: The forward-looking approach as outlined in CPS 234 on managing information security must be extended to all the existing processes and procedures. The effectiveness of the framework must be assessed on a frequent basis and in cases where upgradation (to 234 standards) is not readily achievable, the firm must formulate strategies to overcome and handle such exceptions.
4. Information Assets
Identification & Classification of Information Assets: Some assets are of significantly higher value for a firm than others. It is important that an entity has identified its critical as well as sensitive information and employed security measures accordingly. It must also establish how the loss of critical information can affect business from aspects such as legal, compliance, financial etc. and in addition, how sensitive data once compromised, can lead to loss of information confidentiality and integrity. Further multi-level/grades classification of critical as well as sensitive information assets is also advisable for effective management of security measures.
Information lifecycle: APRA expects the regulated entities to have implemented end-to-end controls over the information lifecycle while also maintaining its sanctity in the event of addition or removal of information assets from the lifecycle and/or usage. The controls must seamlessly extend to third-party in case of offshoring/outsourcing arrangements.
Proactive Approach: APRA expects entities take a proactive approach towards identifying and remedying potential security threats especially from the emerging technologies and thereby, implement effective controls accordingly. Measures must be in place to minimize exposure to plausible worst-case scenarios.
Physical and Non-physical Controls: The controls being implemented must take into account both physical as well as non-physical information assets. Physical information controls may comprise of environmental controls, physical access controls and on-site deployment of third-party security providers to allow access to authorised personnel only. Non-physical controls may involve software security, firewalls, cryptographic techniques. Note that, some controls can involve both physical and non-physical aspects, such as change management in access to hardware & software, data leakage controls.
6. Incident Management
Detect Security Compromises: Under CPS 234, an APRA-regulated entity is required to have robust mechanisms in place to detect and respond to actual or potential compromises of information security in a timely manner. Alongside assigning roles on incident management, early detection can also be achieved by employing techniques such as scanning for unauthorised hardware/software access, user profiling, monitoring & logging etc.
Responding and tackling Incidents: It is important from both business continuity as well as crisis management perspective that a firm must have in place plans to address the events of information compromise including timely communication and clear accountability to limit the damage and ring-fencing of the compromised information assets to protect the unharmed areas.
7. Testing Controls & Internal Audit
Testing Controls Effectiveness: A prudent information security framework will rely upon regressive testing carried out by independent testers, at least once a year with a pre-set testing agenda in place including remedial plans and continuous (re)testing of ‘untrusted environments’.
Internal Audit: The third line of defense plays a significant role in maintaining sound information security and assuring the board of its effectiveness. To ensure a holistic coverage of the process, the internal audit must also cover any third-party that handles the firm’s data.
While some of the aspects to the information security mandate are only ‘upgrades’ from the existing version with remaining being novel additions; APRA has unequivocally maintained that it expects regulated entities to employ a forward-looking approach towards protecting their information in the era of rising cyberattacks and the open-banking regime.
Therefore, it has been widely anticipated that the new information security law that takes effect on 01 July 2019, will bring about the much-needed resilience in the information security landscape of the Australian Financial industry.
To learn more or to find out how RegCentric can help in enhancing your firm’s resilience in the face of rising threats to information assets, contact us here.