APRA Prudential Standard CPS 234
Consulting Services
At Shearwater, we help APRA-regulated entities to understand their obligations under Prudential Standard CPS 234 and comply with Information Security standards set by APRA.
APRA Prudential Standard CPS 234
The main aim of the CPS 234 Standard is to ensure that APRA-regulated entities maintain information security capability and resiliency against cyber threats targeting financial institutions and the wider business community.
“A key objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, including information assets managed by related parties or third parties.”
The CPS 234 Standard places the ultimate responsibility for maintaining information security on the Board of the APRA regulated entity, and puts forward four key requirements that these organisations must undertake:
1 – Clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals;
2 – Maintain an information security capability that’s proportionate with the size and extent of threats to its information assets without disrupting operations;
3 – Implement and systematically test appropriate controls to protect its information assets – taking into consideration the criticality and sensitivity of those assets; and
4 – Notify APRA of material information security incidents.
How Shearwater can help your organisation meet the CPS 234 Standard:
We provide services and solutions to APRA-regulated entities to help them achieve compliance against the CPS 234 Standard.
When you engage Shearwater, you have the assurance that your security team is tackling security threats with the right structured approach – managing risks and protecting your organisation’s systems around the clock.
Scope of the Service
Incident Management and Response
We have extensive experience in incident management and incident response preparation, including notification requirements set by the CPS 234 Standard. Our team can also help you to review and test your incident response plan regularly.
Your organisation may be subject to the Notifiable Data Breach (NDB) Scheme, obliging you to notify individuals whose personal information was compromised due to a data breach. We can help you plan your actions and responses, integrating this into your incident response plan and processes.
Information Security Capability Development
We can assist in developing and improving your organisation’s information security capability while ensuring it is appropriate to the size of your organisation and the threats it faces. As part of this engagement, we can help you identify your key information assets as well as help with delivery of key policy framework documents.
If your organisation is already compliant (or needs to be compliant) with other information security standards (such as ISO/IEC 27001, PCI DSS or ISM), we can also help you align these standards with your CPS 234 requirements.
C-Level Executive briefings
Our C-Level Executive Briefings are designed to assist executives of APRA-regulated entities in discerning the requirements of the CPS 234 Standard and understanding how they apply to their organisation.
Policy Framework Development
Our team can review your existing policy frameworks and policies, align policies with both CPS 234 and other security standards, and lead the full development of policies in conjunction with your internal resources.
Information Asset Identification and Classification
We can conduct an information asset audit, complete with identification and prioritisation. Furthermore, our team of specialists can assist in segmenting your environment to ensure cost-effective security management.
Risk Management Consulting
We can work with your team to develop an overarching Risk Management framework that enables your organisation to effectively uncover, prioritise and manage risks within core systems.
Internal Audit Augmentation
CPS 234 requires that your internal audit activities include a review of the design and operating effectiveness of information security controls. We can provide this capability to your internal audit team or conduct an internal audit on your behalf.
Supplier Security Review
If your organisation’s information assets are managed by a related party or a third party, we can assist you with your CPS-234 obligations for suppliers and evaluate your supplier’s information security controls in line with APRA standards.
Vulnerability Assessments and Penetration Testing
We can assist in implementing a suitable testing program and regime to ensure the effectiveness of security controls.
We chose to engage an Australian company called Shearwater to lead that (IRAP) assessment because of their reputation for rigour and expertise.
James Kavanagh
CTO, Microsoft Australia
