A recent blog I wrote on the latest security standard update from the Payment Card Industry—PCI DSS V4.0—talked about going beyond a singular framework as a basis for compliance and recommended taking a risk-first approach to your payment processing and cardholder data security.
Today I want to highlight an example for our friends in Australia and showcase how you can use the Australian Prudential Regulation Authority (APRA) Cross-Industry Prudential Standard (CPS) 234 to reduce the risk associated with your financial data.
Introduction and background
It should be no surprise that as new technologies are deployed, new threats reveal themselves. And as organizations increase their reliance on cloud applications and globally distributed teams, the risk to your data has never been greater. In direct response to the growing number of data breaches, many governing bodies have created new or expanded existing standards.
One such standard, CPS 234, was developed to ensure that APRA-regulated entities have implemented sufficient security measures to protect, detect and reduce the risk of a data breach. Although required standards will vary based on your location, the principles of CPS 234 can be applied universally to reduce the risk associated with your financial data.
The basics of CPS 234
When I began researching CPS 234, the first thing that struck me was the fact that the standard takes a business asset (financial data) and applies a risk-first approach to securing it.
In fact, the key objective of CPS 234 is to “minimize the likelihood and impact of information security incidents on the confidentiality, integrity, or availability of information assets both held by the organization and managed by related parties”.
The authors of the standard clearly understood the value of a risk-first approach centralized around a business priority.
The standard requires APRA-governed entities to:
- Clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals
- Maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity
- Implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls
- Notify APRA of material information security incidents
Reduce risk through compliance
As with any standard, success depends on taking an iterative approach to testing and remediation. This includes conducting internal assessments to confirm readiness and gathering the necessary evidence over time. So whether you’re prepping for a CPS 234 Tripartite Assessment or you’re just interested in reducing the risk to your data, consider the following steps:
It may seem obvious, but the first step is to review your organization’s existing environment and identify where your data is located. Depending on where you are in your compliance journey, this may be very well documented or it may not. However, in order to properly reduce the risk to your data, you need to know where it is and who has access.
That’s why we recommend taking this time to create or update your data asset register, or data asset map, to ensure you account for all in-scope data assets. This will also allow you to descope areas of your organization that aren’t applicable and focus your risk reduction efforts in a more targeted manner.
The next step is to review each requirement and identify if you have a compensating control. If you utilize the SCF 2022.1, you’re in luck! CPS 234 is fully covered in the design of controls you likely already have in place! And if you’re utilizing Reciprocity® ZenGRC® we can easily add the CPS 234 standard including cross-mapping to your instance, enabling you to utilize previous compliance activities to support the new requirements.
As you review each control’s operational efficacy, be sure to consider if the control is sufficiently mitigating the risk to an acceptable level. If it isn’t, document a plan to remediate the gap. As part of this, consider rating the gaps in terms of criticality to ensure the highest risks are addressed and reduced first.
Remember, as you are assessing the requirements and your existing controls, be sure to include any third parties that impact or have responsibility for your data. Even if all of your internal controls are sufficiently mitigating the risk, if you aren’t assessing the third parties that have access to your data, you have a large gap. Knowing how third parties manage, protect and report on data security is necessary to ensure proper oversight. If you’re an APRA-covered entity, consider updating your third-party risk management program to include validating your third parties’ compliance with CPS 234 to reduce that gap.
Measuring compliance through a gap analysis or audit provides assurance at a given point in time. And while this information is critical and necessary, it is also essential to continuously monitor and assess the risk to your data. That’s why we advise creating a program tailored to your ability to protect financial data.
This will allow you to take into account all compliance requirements (CPS 234 and beyond), as well as any potential threats, risks, third parties, facilities, systems and assets that impact your financial data. Creating dashboards and custom reporting from this information will help you keep relevant stakeholders informed, highlight the highest areas of risk and enable you to make data-driven recommendations for improvement.
Monitor and report on incidents
Beyond monitoring risk, a key factor of CPS 234 is being able to accurately report on incidents. The concept of tracking incidents and their impact on the risk associated with your data is a key piece of the risk puzzle.
If you aren’t assessing your incidents, both internal and third party, you aren’t creating a full picture of risk. Did the incident occur because a threat was exploited? Did it occur because of a failing control? Consider tracking incidents in alignment with your program and utilize them as leverage to update controls and reduce future risk.
As part of your control assessments, you should also conduct incident response testing to ensure your process aligns with the CPS 234 reporting requirements.
Whether you are an APRA-regulated entity or just looking to increase your data security, one thing to consider is the ramifications of non-compliance. For CPS 234, the standard denotes that the Board is ultimately responsible for ensuring that the entity maintains its information security. That means that if you aren’t properly reducing the risk to your data, your Board could be liable.
Want to become a boardroom hero? Reciprocity can help! We have CPS 234 available in ZenGRC cross-mapped to the SCF 2022.1. Contact support to have it loaded into your instance and then use the ZenGRC Compliance Posture dashboard to quickly assess your gaps, conduct audit readiness activities and track open risk reduction activities. And to ensure you’re including all impacting factors, you can use the various ZenGRC objects to track incidents, data assets and third parties.
Not a ZenGRC user? If you’re using a common control set, such as the SCF 2022.1, you can manually map the CPS 234 requirements to your existing compliance activities allowing you a mechanism to identify gaps. You can sign up for a free demo to see how Reciprocity can help reduce the risk associated with your financial data.