Cyber Security Framework for Finance
The standard, called APRA "CPS 234", requires that all APRA-regulated entities do the following:
Define the information security roles and responsibilities of the organisation's board of directors, senior management, governing bodies and individuals;
Maintain information security capabilities appropriate to the size, scale and extent of the threats to their information assets;
Implement cyber security controls capable of protecting the organisation's information assets, and "undertake systematic testing and assurance" of the effectiveness of those controls;
Develop mechanisms to detect and respond to information security incidents in a timely manner; and
Notify APRA of material information security incidents.
Interestingly, these controls are all drawn from established international standards such as ISO 27001, so none of this is new to the security industry.
What is new is that APRA has chosen to publish enforceable standards for the businesses it regulates, which means cyber security becomes a requirement rather than a nice-to-have.
It's worth noting that an organisation's security posture can be improved incrementally over time. These improvements should be managed by a security professional hired into the role of Information Security Manager or, at board level, Chief Information Security Officer. This head of security should be charged with demonstrating continual service improvement across the organisation's entire security programme, so that the board can rest assured the business is always striving to stay ahead of the threats.