The CPS 234 Information Standard, established by the Australian Prudential Regulation Authority (APRA), mandates that organizations in the financial and insurance industries bolster their information security frameworks to safeguard themselves and their customers from the growing threat of cyber attacks.
Our previous article delved into what APRA CPS 234 entails and how organizations can work toward compliance. This article offers a detailed APRA CPS 234 checklist to comprehensively overview the related requirements.
CPS 234 Compliance Requirements
APRA-regulated entities must:
- Define Roles and Responsibilities: Clearly outline the roles and responsibilities regarding information security for the board, senior management, governing bodies, and other employees.
- Maintain Adequate Information Security Capability: Ensure the organization's information security capabilities can handle emerging threats and existing vulnerabilities to maintain efficient and effective operations.
- Implement Information Security Controls: Establish and continually evaluate controls to protect information assets based on their criticality and sensitivity.
- Report Cyber Incidents to APRA: Promptly report any cyber incidents to APRA.
APRA CPS 234 Checklist
To further break down these requirements, here's a concise APRA CPS 234 checklist:
Information Security Capability
- Posture Maintenance: Maintain an information security posture capable of addressing all threats to information assets, regardless of size and extent.
- Third-Party Assessment: Evaluate the information security capabilities of third parties with access to the organization's information assets.
- Capability Evolution: Continuously update information security capabilities as threats and vulnerabilities evolve.
Policy Framework
- Policy Updates: Regularly update policies and frameworks to reflect evolving threats and vulnerabilities.
- Defined Roles and Responsibilities: Clearly define the responsibilities and roles for all parties involved in information security, including contractors, staff, third parties, and customers.
Information Asset Identification and Classification
- Asset Identification: Identify the criticality and sensitivity of information assets.
- Asset Classification: Classify information assets based on their criticality and sensitivity, ensuring clarity for all stakeholders.
- Impact Consideration: Consider how non-sensitive and non-critical assets might affect critical and sensitive assets.
Implementation of Information Security Controls
- Control Support: Ensure the support of information assets through appropriate security controls, including those managed by third parties.
- Threat and Vulnerability Management: Address existing and emerging threats and vulnerabilities.
- Lifecycle and Impact Consideration: Consider the lifecycle stage of information assets and the potential impact of security breaches on critical and sensitive assets.
Incident Management
- Detection and Response Mechanisms: Implement mechanisms such as scanning, monitoring, sensing, and logging solutions to detect and respond to incidents.
- Incident Response Plan: Develop and maintain an incident response plan that outlines appropriate actions to mitigate the impact of identified incidents.
- Responsibility Awareness: Ensure individuals understand their responsibilities throughout all stages of an incident.
- Annual Review and Testing: Review and test the incident response plan annually to ensure its effectiveness.
Testing Control Effectiveness
- Systematic Testing Program: Implement a systematic testing program that considers the rate of change in vulnerabilities and threats, the criticality and sensitivity of information assets, the consequences of incidents, and risks associated with environments where security policies cannot be enforced.
- Annual Testing: Test information security controls annually and after significant changes to the business environment or information assets.
- Defined Success Criteria: Ensure success criteria are clearly defined, and results are communicated to higher authorities, such as the board of directors.
- Independent Testing: Have tests conducted by an independent body to eliminate biases.
Internal Audit
- Inclusion in Audit Activities: Incorporate information security into the organization's internal audit activities to assure the board of its maintenance.
APRA Notification
- Incident Notification: Notify APRA as soon as possible and no later than 72 hours after becoming aware of an incident that materially affects the organization or its stakeholders.
- Material Weakness Notification: If a material weakness in information security controls cannot be remediated promptly, notify APRA immediately and within 10 days.
By following this checklist, organizations can ensure they meet the stringent requirements of APRA CPS 234, thereby enhancing their information security frameworks and safeguarding against cyber threats.
For more information on how to comply with APRA CPS 234, download our solution brief and see how CimTrak can help.
.png?width=50&height=50&name=Mark%20%20(3).png)
Mark is the VP of Business Development at Cimcor and is responsible for driving the strategic focus and alignment with industry initiatives and partnerships. Mark has held executive management positions at six enterprise software companies and one venture capital firm over the past two decades.
