The Prudential Standard CPS 234 focuses on the management of information security risks within APRA-regulated entities, particularly those in the banking, insurance, and superannuation industries. It outlines specific requirements for these entities to enhance their resilience against potential cyber threats.
The purpose of CPS 234 is to ensure that regulated entities maintain effective information security capabilities and are well-prepared to respond to and recover from cybersecurity incidents.
However, CPS 234 not only mandates organizations to comply with the established standards but also holds them accountable for ensuring that their third-party partners align with these standards. This responsibility goes beyond the organizations themselves and extends to encompass the companies contracted by the organizations.
IPSI breaks down the complexity of the APRA CPS 234 standard and provides 10 key questions organisations should be asking to ensure they and their third-party suppliers meet these requirements.
Question 1 – What information assets do your third-party suppliers manage?
While this might seem like an obvious question, an audit must be completed to understand which assets are being managed by third parties. Ultimately, the board is responsible for CPS 234 compliance; therefore, it must be certain which information assets are managed by whom.
Question 2 – What are the roles and responsibilities of those third parties you have identified?
To comply with CPS 234, entities must clearly define the security-related roles and responsibilities within the organisation. This also extends to third parties. Some third parties may be responsible for managing and storing customer payment data (like IPSI). Others may provide managed services, such as conducting penetration testing, that help ensure the security of information assets. What must be clear when complying with CPS 234 is what the roles and responsibilities are for those external parties. Once these are determined, they can then be matched with those of the internal parties.
IPSI secures highly sensitive payment data in the cloud, ensures data residency and security compliance, and documents roles and responsibilities on a customer-by-customer basis via its responsibility matrix.
Question 3 – Have all the information assets managed by third parties been identified and classified?
To comply with CPS 234, assets managed by third-party suppliers, as well as those managed internally, must be classified in terms of criticality and sensitivity. When classifying information assets in this manner, the entity must determine what the effect on customers, policyholders, depositors or beneficiaries would be if there were a security breach affecting that asset.
IPSI services, whether secure call centre solutions, online payment, tokenisation or sensitive data scanning tools, all clearly identify and secure critical information assets both in transit and at rest.
Question 4 – Is your information security policy framework up-to-date?
To comply with CPS 234, an information security policy framework must be in place. The framework's role is to provide direction on the responsibilities of all parties (internal and third-party) for maintaining information security. To ensure you meet your obligations for third parties, this framework must cover them as well.
Question 5 – How capable (experience, expertise and credentials) is your third-party supplier regarding their ability to manage the security of your assets?
To comply with CPS 234, you must assess whether the information security capability of your third-party supplier is commensurate with the potential consequences of a security incident affecting that asset. If you have determined that their capability is sound, what contractual controls do you have in place to ensure it is maintained? If the third party isn't capable, what changes do they need to make to bring their capability into line with expectations? It's essential that any changes required of the third party are written into the supplier's contract and assessed once complete, e.g. data breach notification provisions, data residency, secure in-country support and annual independent security assessments.
Are all of your suppliers and third-party channels that store, process, or transmit credit card data PCI DSS certified, ideally to Level 1? Have they shown you a current PCI DSS certificate? If not, please feel free to contact IPSI to explore how we can reduce your compliance costs, risks and lead times.
Question 6 – What security controls does the third-party supplier have in place?
CPS 234 states that entities must have security controls in place to protect all information assets, both internal and those managed by third parties. Those security controls must be commensurate with the vulnerabilities and threats to the information assets, the criticality and sensitivity of the assets, the stage the assets have reached in their life cycles, and the potential consequences of an information security incident.
If the entity identifies that the security controls maintained by the third party are not adequate, any remediation requirements should be set out in a new agreement with the third party.
Question 7 – Does the third party have an incident management process in place?
Entities are obligated under CPS 234 to have mechanisms in place that allow them to detect and respond to an incident in a timely manner. If a third party manages information assets, it becomes critical that the third party also has incident management processes in place for the assets it manages.
To ensure entities meet their third-party compliance obligations, agreements with the third-party supplier must be reviewed to confirm the supplier has a response process that allows the APRA-regulated entity to meet its own obligations. Contracts with third parties must be updated so that this requirement is included as part of their responsibilities in managing the information asset.
IPSI services many insurance companies and has tailored its agreements around the APRA requirements.
Question 8 – Do you have a testing program in place that tests the effectiveness of your security controls and those of third parties?
To comply with CPS 234, a systematic testing program has to be in place to test security controls, including those of third parties. Entities must ensure their agreements with third parties allow for such testing. If the third party does have testing in place, the regulated entity must ensure the testing is commensurate with the rate at which vulnerabilities and threats change, and that a process exists to remediate any shortfalls the testing program identifies.
Question 9 – Are your internal audit policies up to date?
An internal audit function is required to comply with CPS 234. This function must also review the effectiveness of security controls maintained by third parties and assess the information security control assurance provided by the third party. It's also important that your contract with a third party requires them to be audited annually, ideally by an independent QSA (Qualified Security Assessor), to confirm compliance with the relevant security requirements.
Question 10 – Do you have a process in place to conduct regular reviews?
Achieving compliance with CPS 234 is not a once-off, set-and-forget exercise. To maintain ongoing compliance, an entity must actively maintain an information security capability commensurate with the size and extent of threats to its information assets, and a review process must be maintained. Vulnerabilities and threats are continually evolving, so any agreements with third parties must allow the regulated entity to conduct periodic reviews to ensure the third party maintains its information security capability, e.g. via annual independent security certification where possible.
At IPSI we always keep data security top of mind. Our solutions are designed not only to ensure compliance but also to reduce the associated costs and risks over time.
If you're interested in exploring how IPSI can help you secure sensitive payment data and ancillary customer information, please don't hesitate to reach out.
You can contact us at 1300 975 630 or via email at [email protected]. We look forward to assisting you.