WHAT IS CPS234 AND WHAT DOES IT MEAN FOR ME?

Assessment & Audit | Compliance & Legal | Governance & Risk

Posted: Friday, May 21

KBI.Media
$
Posts
$
TECHNOLOGY
$
Assessment & Audit
$
WHAT IS CPS234 AND WHAT DOES IT MEAN FOR ME?

i 3 Table of Contents

WHAT IS CPS234 AND WHAT DOES IT MEAN FOR ME?

An increase in the risk of cyber security brings an increase in the publicity surrounding the issue and the regulations governing it. This year we have already seen a number of new regulations coming into effect that will impact the majority of both Australian and international organisations.

In March 2018, the Australian Prudential Regulation Authority (APRA) released a dedicated draft prudential standard for cyber security. The aim of this draft prudential standard, known as Information Security CPS234, is to ensure that financial institutions are keeping their IT environments and systems secure against cyber risks. The release of this draft prudential standard is very important as it is sure to become published, and as a result will be a legally binding standard from the 1st of July, 2019 onwards.

CPS234: OBJECTIVES & REQUIREMENTS

The key objectives and requirements of this draft prudential standard include: • Minimising the likelihood and impact of an information security incident; • Ensuring that APRA regulated entities take the correct measures to become resilient against cyber security events; • Having a set of clearly defined IT Security related roles and responsibilities for all of the following: – Board, – Senior management, – Governing bodies, and – Individuals; • Clearly defining and documenting the information security capability and policy framework; • Implementing controls which protect data assets and are subject to systematic testing and assurance for effectiveness; • Ensuring robust mechanisms are in place to detect and respond to cyber incidents in a timely manner; and • Ensuring notification is given to APRA for all material information security incidents within 24 hours.

Ultimately, APRA are putting the responsibility of information security in the hands of the boards. They are looking to ensure that the boards can maintain their data assets in a way that is commensurate with the size and extent of threats, while still allowing for the continuous operation of their entity/entities.

DOES CPS234 APPLY TO ME?

Now that we know the key objectives and requirements of this draft prudential standard, it’s important to consider whether or not this will be applying to you. Once published, this prudential standard will apply to the following entities: • Banks, • Building societies, • Credit unions, • Friendly societies, • General insurance and reinsurance companies, • Life insurance companies, • Private health insurers, and • Most members of the superannuation industry.

“If your framework does not yet cover the requirements of this draft prudential standard, then you have more than enough time to assess and remediate your current controls and framework before the 1st of July, 2019.”

CPS234 APPLIES TO ME, NOW WHAT?

If this prudential standard will be applying to you and your organisation, it’s best to understand the requirements and perform a gap analysis against your current cyber security governance framework.

If your framework does not yet cover the requirements of this draft prudential standard, then you have more than enough time to assess and remediate your current controls and framework before the 1st of July, 2019.

KNOW YOUR DATA The main focus of this draft prudential standard is to protect the data that comes through your environment. This data could be coming through many different channels and stored by either hard or soft copy.

It is very important to understand and know your data perimeter: • Where it is stored, • The type of data that is coming through and being stored, and • Who has sufficient access to the data to be able to accurately and appropriately build the right security controls.

Tulin is a strategic thinker and cyber risk management specialist with experience in public and private sectors. Tulin has held senior positions with Commonwealth Bank, Westpac, Optiver and Deloitte. Whilst Tulin’s working experience spans enterprise risk management, business continuity, risk culture analysis, project management, issues management, IT audit, data analytics, internal audit and external audit, Tulin specializes in cyber risk management including cyber risk threat analysis, prevention, control and assurance.

The Production Team

The KBI Production Team is a staff of specialist technology professionals with a detailed understanding across much of cybersecurity and emerging technology. With many decades of collective industry experience, as well as expertise in marketing & communications, we bring news and analysis of the cybersecurity industry.

Independent Cyber News.

i 3 Table of Contents

CPS234: OBJECTIVES & REQUIREMENTS

DOES CPS234 APPLY TO ME?

CPS234 APPLIES TO ME, NOW WHAT?

Get Your Cyber News Delivered

Similar Posts

Australian Companies Urged to Consider Pros and Cons of Paying a Ransom

BeyondTrust Releases Cybersecurity Predictions for 2024 and Beyond

How To Prevent Payment Redirection Fraud At Your Conveyancing Practice

Recorded Future’s Monthly CVE Report Records 2,200 Cyber Vulnerabilities for April, Microsoft Still Topping the List

Business News

Tech News

Global News

Our Podcasts

Partner With KBI

Content Production

Business News

Tech News

Global News

KBI.FM - The Cyber Podcast Network

Threats & Reports