- Compliance and Regulation
- Technology and Cyber Risk
From 1 July 2019, APRA regulated entities will be subject to the Prudential Standard CPS 234 Information Security. This four stage implementation guide is intended to assist with preparation for the standard coming into effect.
Stage 1: Evaluate
Review and update your organisation’s asset and risk registers.
With the up to date context of your organisation’s assets and risk landscape, undertake an evaluation of the following areas to identify any gaps against the Prudential Standard CPS 234 Information Security:
- Information security capability
- Policy framework
- Information asset identification and classification
- Control implementation and effectiveness (including testing of controls)
- Incident management (including required notifications)
- Internal audit security controls assurance
- Third party service provider management and assurance
Stage 2: Plan
Rank the changes required in terms of complexity and criticality in order to prioritise the work needed.
- Key stakeholders and obtain resources needed to have the changes successfully implemented.
- Milestones that the changes will need to be made by (including how you are going to monitor progress).
- Key dependencies and constraints that will need to be considered when confirming the approach taken.
Perform a risk assessment for the project (including the identification of the necessary risk mitigation needed).
Develop the plan outlining the activities needed that reflects the appropriate sequence of events.
Stage 3: Implement
Complete the consultation and design for any changes needed.
It is recommended that an information security specialist assists your business with providing guidance on the design of the changes.
Complete the changes by the agreed internal milestones.
With context provided by your current asset and risk registers, review the implemented changes against the Prudential Standard to determine the level of effectiveness achieved and to identify any further changes needed.
Complete further reviews and refinements as required.
Stage 4: Assess & Embed
Undertake assessments of the changes made as well as assessing any relevant outsourced services – prioritising any remediation actions needed.
Confirm the frequency of ongoing business as usual testing of controls to be completed within the Three Lines of Defence, ensuring that the frequency is informed by the context of your organisation’s assets and risk landscape.
Update your Risk Management Framework to include the relevant proactive risk analysis and stress tests to ensure vigilance for emerging Information Security threats.
Top 5 Focus Points
- Ensure that you allow sufficient time for the completion of all four stages of activities prior to 1 July 2019. Early preparation is key!
- Communicate regularly with your internal and relevant outsourced stakeholders for any changes being made as well as updates regarding the introduction of the Prudential Standard. This is critical to ensure that there is sufficient user awareness in order to support compliance. Ensure that you include the establishment of a communication plan that meets your organisation’s needs within your planning stage.
- Perform evaluations at critical points leading up to the Prudential Standard coming into effect from 1 July 2019. This assists in early identification of issues and supports preparation remaining on track.
- Remember to check on any open projects to ensure that project teams are aware of any changes that may affect the work that they are delivering. This supports both success for the open projects as well as for compliance with the Prudential Standard.
- Ensure that assessments against the Prudential Standard are included in regular evaluations undertaken by Line 1, 2 and 3 teams. Embedding the Prudential Standard and associated vigilance of Information Security within your Risk Management Framework is critical for overall compliance success as well as for protecting your organisation’s assets.
How we can help
The implementation of a new Prudential Standard into your risk and governance environment can present a number of considerations and complex challenges.
Based in Sydney, Australia, Amstelveen assists corporate and government clients to meet their technology project and risk needs. Our specialist consultants have a range of experience in risk management, project assurance and technology governance. We work with some of Australia’s largest and most iconic organisations.
Whether you’re a project, PMO, technology department, risk, audit or assurance function, we can help. We bring professionalism and pragmatism to help meet your needs, whether to fill capability gaps, to address resourcing shortages, or to provide advice on complex problems.
For further information on how we can help you and your organisation with the implementation of the Prudential Standard CPS 234 Information Security, please contact email@example.com.