Thursday, 11 June 2020

APRA CPS 234 - Summary of Security Compliance Requirements


In my work with NTT, I've recently been dealing with several FSI (Financial Services Industry) organisations who have to comply with the
Australian Prudential Regulation Authority (APRA) Standard CPS 234 (July 2019). Here's a brief overview of what compliance with CPS 234 entails:
  1. APRA CPS 234 is Cybersecurity 101 for banks, insurers and related institutions.
  2. As with standards like ISO 27001:2013, it takes a risk-based approach to ensuring that adequate CIA (Confidentiality, Integrity and Availability) is maintained for information assets.
  3. The Board is ultimately responsible for ensuring that appropriately robust policies and controls are in place, covering both the organisation and its third-party contractors.
  4. Per basic concepts in CISSP (Certified Information Systems Security Professional), controls should really only be implemented if the cost of implementing the control is less than the cost of the data being lost or breached.
  5. To this effect, the information security capability basically has to pass the "reasonableness" test:
    1. The security capability should match the size and extent of the threats.
    2. The controls should match the criticality and sensitivity of the assets.
  6. CPS 234 aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyberattacks) by maintaining an information security capability commensurate with its information security vulnerabilities and threats:
    • Know your responsibilities (the Board is ultimately responsible).
    • Know what you have and protect it appropriately. An APRA-regulated entity must classify its information assets, including those managed by related parties and third parties, by criticality and sensitivity.
      • Ideally, you should be using Azure Information Protection or similar to apply security labels (e.g. classification, sensitivity or dissemination limiting markers) that drive preventative and detective controls.
    • Detect and react appropriately:
      • Have incident plans and RACIs (Responsible, Accountable, Consulted, Informed) for response.
      • Have appropriately skilled people to detect incidents. This requires user awareness and sound security practices.
      • Notification of a breach within 72 hours.
        • This implies that proper (proactive) threat detection and monitoring systems should be in place: if you don't know it's happening, you can't comply.
    • Test and audit regularly. The effectiveness of controls must be tested through a systematic testing program that is run at least annually.
      • This lends itself to regular, automated (static/dynamic) testing.

It is always critical to keep in mind that threats come from both inside the organisation (insider threat) and outside it (organised or individual actors), which lends itself to zero trust approaches to cybersecurity.
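To make the "classify, protect commensurately, test annually, notify within 72 hours" points concrete, here is a small self-check over an information-asset register. This is an added example written for this post, not code from APRA or from any tool mentioned above; the asset names, owners, classification scales, control tiers and dates are all constructed sample data, and the tier mapping is one illustrative way of deriving controls from a criticality/sensitivity classification.

```python
"""Added example (not from the original post or APRA): classify a constructed
asset register by criticality and sensitivity, derive a control tier from that
classification, flag assets whose control testing is older than the annual
cadence, and compute the 72-hour notification deadline for an incident."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Ordered rating scales (constructed); a higher rank demands stronger controls.
CRITICALITY_RANK = {"low": 0, "medium": 1, "high": 2}
SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
ANNUAL_TEST_WINDOW = timedelta(days=365)   # "systematic testing ... at least annually"
NOTIFICATION_WINDOW = timedelta(hours=72)  # "notification of a breach within 72 hours"

# Hypothetical control tiers; real control catalogues would be richer.
TIER_CONTROLS = {
    "tier-1": ["MFA", "encryption at rest", "continuous monitoring", "annual pen test"],
    "tier-2": ["MFA", "quarterly vulnerability scan"],
    "tier-3": ["baseline hardening"],
}


@dataclass
class Asset:
    name: str
    owner: str                    # "internal" or the name of a third party
    criticality: str
    sensitivity: str
    last_control_test: Optional[datetime]  # None means never tested


def control_tier(asset: Asset) -> str:
    """The higher of the two ratings decides the tier, so a low-criticality but
    restricted asset still gets the strongest controls."""
    rank = max(CRITICALITY_RANK[asset.criticality], SENSITIVITY_RANK[asset.sensitivity])
    if rank >= 2:
        return "tier-1"
    if rank == 1:
        return "tier-2"
    return "tier-3"


def overdue_tests(assets: List[Asset], now: datetime) -> List[str]:
    """Assets never tested, or tested more than a year ago, fail the annual cadence."""
    return [
        a.name for a in assets
        if a.last_control_test is None or now - a.last_control_test > ANNUAL_TEST_WINDOW
    ]


def notification_deadline(detected_at: datetime) -> datetime:
    """Latest time by which the breach notification must be made."""
    return detected_at + NOTIFICATION_WINDOW


def run_report(assets: List[Asset], now: datetime) -> Dict[str, object]:
    """Summarise tiers, required controls, overdue testing and third-party assets."""
    tiers = {a.name: control_tier(a) for a in assets}
    return {
        "tiers": tiers,
        "controls": {name: TIER_CONTROLS[tier] for name, tier in tiers.items()},
        "overdue": overdue_tests(assets, now),
        # Third-party managed assets are still the regulated entity's responsibility.
        "third_party": [a.name for a in assets if a.owner != "internal"],
    }


# Constructed sample register and a fixed "now" (the post's date, UTC).
NOW = datetime(2020, 6, 11, tzinfo=timezone.utc)
SAMPLE_ASSETS = [
    Asset("core-banking-ledger", "internal", "high", "restricted",
          datetime(2020, 1, 15, tzinfo=timezone.utc)),
    Asset("marketing-site", "internal", "low", "public",
          datetime(2019, 3, 1, tzinfo=timezone.utc)),      # 468 days ago: overdue
    Asset("claims-processing", "ExampleMSP", "medium", "confidential", None),
    Asset("hr-payroll", "ExamplePayrollCo", "medium", "internal",
          datetime(2019, 9, 30, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    report = run_report(SAMPLE_ASSETS, NOW)
    for name, tier in report["tiers"].items():
        print(f"{name:22} {tier}  controls={report['controls'][name]}")
    print("overdue annual testing:", report["overdue"])
    print("third-party managed:", report["third_party"])
    print("notify by:", notification_deadline(NOW).isoformat())
```

The point of the mapping is that a confidential asset managed by a third party (claims-processing above) lands in the top tier and is flagged as never tested, which is exactly the kind of gap the annual testing requirement and the third-party clause are meant to surface.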

