APRA has issued a new mandatory regulation, CPS 234, which commences on 1st July 2019. The standard aims to improve the resilience of APRA-regulated entities against information security threats.
APRA-regulated entities will have to go beyond following the practice guide and now demonstrate compliance with the new standard.
CPS 234 is a direct response to the ever-changing cyber landscape.
The team at Criterion Conferences interviewed Jean-Baptiste Bres, Chief Information Security Officer at StatePlus, who sheds light on StatePlus’s CPS 234 implementation journey.
Here is what he had to say:
How do you build an information security policy framework that is agile to changing threats?
As with everything in life, it is a matter of focusing on the right priorities and adapting quickly when they change. It is expressed well in the APRA CPS 234: security capabilities should be maintained commensurate with the size and extent of the threats.
Information Security is all about risk management. How do you decide what needs to be secured and how? What is an acceptable risk? Risk is very often described as the correlation between the impact and the likelihood. For information security, the impact is what would occur if a given asset or data were compromised, exposed or made unavailable. The likelihood is defined by how vulnerable the asset is or, if you prefer, the robustness of the controls that protect the asset.
Once you have identified what is of value for your organization (through the impact) and how it can potentially be compromised (through the likelihood), it is now easier to define an adequate framework and implement the right solutions or “controls” – from a technology, but also from a process and business perspective.
Trying to protect every asset, regardless of its importance for the organization, or to remediate every threat, regardless of its likelihood, is very often counterproductive. It is an amount of work that most companies cannot assume and it distracts from what really is of value.
However, it is very important to know and always keep in mind what these assets and threats are, even if you decide not to deal with them for now. Your framework’s flexibility will come from the fact that you focus on what is important for you, but also that if something changes – your assets or the threats – you are very quickly able to identify where and how you need to adapt.
What were the lessons learnt in implementing the CPS 234 standard at StatePlus?
For StatePlus, a key aspect of the implementation was ensuring that all stakeholders were involved as early as possible and understood what the new standard was about to change for them. There was a lot of discussion with the Board early on to ensure responsibilities were clearly defined and understood.
Audit and Compliance functions were key to reviewing and challenging the analysis and action plan, ensuring that everybody was working towards the same goal. We also consulted with external partners and peers in the industry to benchmark our roadmap and align our understanding.
What were the key highlights of the implementation journey?
It is important to keep in mind that CPS 234 defines high-level minimum standards expected by APRA from the regulated entities. With the exception of some timeframes around reporting to the regulator, most of the requirements can be seen as framework orientations and do not contain details of technical or functional expectations. It remains the responsibility of the regulated entity to define what is appropriate and to set up the appropriate controls and protections.
In APRA’s own terms, the capabilities need to be “commensurate with the vulnerabilities and threat to which the regulated institution’s information assets are exposed” and “enables the continued, sound operation of the entity”. It is for the regulated entity to decide to what level of risk it is exposed, and what its appetite is to manage it.
What do organisations need to know to prepare for the APRA standards by the 1st of July 2019?
Going through a CPS 234 gap assessment is a great place to start. To do so, you need to understand what is important for the company and how mature your current capabilities are, especially in the following areas:
- having a clear definition of the information-security related roles and responsibilities, especially of the Board, senior management, governing bodies and individuals;
- maintaining information security capability commensurate with the size and extent of threats, and which enables the continued sound operation of the entity;
- implementing controls to protect the information assets commensurate with the criticality and sensitivity of those information assets, and ensuring a 3-lines-of-defence model (control, test, assurance) is in place;
- managing information security incidents and timely notification to APRA if the incident is material; and
- ensuring related parties and third parties are considered and treated commensurate with the risk the parties represent.
He will be sharing his insights on:
- Conducting a gap analysis in current processes and re-prioritising information security strategy
- Asset classification strategies
- Developing robust procedures for information security incidents
- The journey to information security maturity – lessons learnt