
Peter Kenny
Information Security Manager - Canon Australia Pty Ltd

As the Information and Security Manager for Canon Australia, Peter Kenny collaborates closely with CBS to provide guidance on compliance and governance impacting our customers. With over two decades of experience, he is an adept Governance, Risk, and Compliance professional driven to reach successful outcomes. He is highly knowledgeable in IT Services, Financial Services, Health, Aged Care industries and Security Services.

His experience includes detailed knowledge of standards across multiple industries, such as ISO27001, ISO31000, PCI DSS, APRA Prudential Standards, and best practice governance and risk management frameworks. 

Do you know that a breach in your organisation's software system has the potential to ruin the reputation and financial stability of your company? Nowadays, cyberattacks are becoming more common, and as such, organisations must take all aspects of information security, including cybersecurity, seriously. In Australia, the Australian Prudential Regulation Authority (APRA) has introduced the CPS 234 standard, which mandates organisations to comply with specific guidelines that ensure the safety and security of their software systems.

Overview of CPS 234 standard

The CPS 234 standard is an APRA-developed standard governing information security for APRA-regulated entities. It sets specific guidelines that organisations who hold sensitive data or provide critical services must follow. The APRA CPS 234 checklist is a comprehensive tool used by these organisations to ensure compliance with the standard. The primary aim of the CPS 234 standard is to minimise the security risk of data breaches, loss, and disruption of information and data systems. By adhering to the guidelines outlined in CPS 234 and implementing the necessary security measures, entities can enhance their cybersecurity posture and better protect sensitive information from potential threats and cyberattacks. Compliance with CPS 234 is not only a regulatory requirement but also a proactive approach to safeguarding valuable data and maintaining the trust of customers and stakeholders.

Purpose of the CPS 234 standard

The primary purpose of the CPS 234 standard is to assist in the management of Information security risks that may arise due to the use and integration of information technology, especially in organisations that hold critical data or provide essential services. Compliance with the CPS 234 standard provides assurance to customers, stakeholders, and executives that adequate security measures are in place to safeguard the organisation's operations and information assets.

The CPS 234 standard is a critical component of APRA's efforts to enhance the resilience of the Australian financial system against information security, including cybersecurity threats. It is designed to ensure that financial institutions are equipped with robust and effective cybersecurity measures to protect against cyber attacks that could potentially lead to financial loss or reputational damage.

The CPS 234 standard is also aligned with international security standards and best practices, such as the NIST Cybersecurity Framework and ISO 27001. Compliance with the CPS 234 standard can help organisations meet their obligations under these frameworks and demonstrate their commitment to cybersecurity.

[Figure: cybersecurity diagram]

Key components of the CPS 234 standard

The key components of the CPS 234 standard are:

1. Clearly defined information security-related roles and responsibilities

2. Maintenance of an information security capability commensurate with the threats to its information assets

3. Protection of Information assets, with ongoing testing and assurance

4. Notification of material information security incidents.

The first component affirms that Boards of organisations are ultimately responsible for their information security. It also affirms that the entity must clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals with responsibility for information security functions.

The second component establishes the requirement for an information policy framework to provide direction on responsibilities for maintenance of information security.

The third component requires that an APRA-regulated entity must classify its information assets, including those managed by related parties and third parties, by criticality and sensitivity, to reflect the potential to impact stakeholders. It also requires information security controls over information assets, including those managed by related parties and/or third parties. These controls include technical controls, such as firewalls and intrusion detection systems, as well as administrative controls, such as security awareness training.

The final component deals with the need for a robust incident management regime including detection mechanisms and response plan. This also includes mandatory notification to APRA of any information security incident that may materially affect stakeholders.

Key requirements and the corresponding obligations of an APRA-regulated entity

Key requirement 1: Clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals.

Obligation: Board and senior management must:
• understand the nature of their information assets;
• understand the application of CPS 234 to their organisation;
• have a framework in place that enables them to assess and classify information assets.

Key requirement 2: Maintain an information security capability commensurate with the size and extent of threats to its information assets, which enables the continued sound operation of the entity.

Obligation: Affected organisations must increase resilience against information security incidents by:
• assessing and classifying information assets according to sensitivity and criticality;
• understanding the effect a breach of a particular information asset would have on the organisation as well as its customers, policyholders, beneficiaries, or other affected persons; and
• maintaining, and reviewing annually, an information security response plan that covers all relevant stages of an incident, from detection to post-incident review.

NOTE 1: while the existing notifiable data breach regime under Australian privacy laws focuses on data and personal information, CPS 234 also covers hardware, functionality and availability, and therefore includes security incidents even where there has been no breach of privacy or loss of data.

Key requirement 3: Implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls.

Obligation: APRA-regulated entities must have ‘robust’ mechanisms to detect and respond to information security incidents.

The effectiveness of security controls, including those managed by third parties, must undergo a systematic testing program. This includes:
• testing of security controls by independent specialists;
• assessing the sufficiency of the testing program at least annually, or when there is a material change to the information or business environment; and
• mandatory review of the design and operating effectiveness of controls as part of internal audit activities.

Key requirement 4: Notify APRA of material information security incidents.

Obligation: APRA-regulated entities will have:
• 72 hours to report any material security breach;
• 72 hours to report any incident that has been notified to other regulators, whether within Australia or in another jurisdiction. This obligation would be triggered by notifications under other legislation such as the Privacy Act, Philippines Privacy laws or GDPR;
• 10 business days to report any material information security control weakness that cannot be remediated in a timely manner.

It appears the threshold to report under CPS 234 is lower than that required under the Australian Privacy Act, which refers to ‘serious harm’.


Regulatory background and compliance

APRA introduced the CPS 234 standard in 2018, and the first deadline to comply was set for July 1, 2019. Compliance with the CPS 234 standard is mandatory, and failure to comply may result in regulatory penalties.

Organisations that are subject to the CPS 234 standard are required to conduct regular assessments to identify and manage information security, including cybersecurity, risks effectively. They must also report any significant or material information security incidents to the APRA within 24 hours.

Compliance with the CPS 234 standard is an ongoing process, and organisations must continually review and update their cybersecurity measures to ensure they remain effective in the face of evolving threats and the threat landscape.

Importance of Software Quality Assurance

Software Quality Assurance (SQA) is a critical component in ensuring the overall reliability and performance of an organisation's software systems. SQA entails a set of activities and processes that guarantee the successful delivery of software products that meet customer requirements and expectations.

Software has become an integral part of our daily lives, from the apps on our smartphones to the software running on our computers at work. It is, therefore, essential to ensure that software systems are reliable, secure, and meet customer needs.

Ensuring reliability and performance

SQA plays a crucial role in guaranteeing the reliability and performance of software systems. With effective SQA practices, organisations can minimise the likelihood of software bugs, performance bottlenecks, or system failure, thereby ensuring seamless continuity in their operations.

For example, a software bug in a banking system can result in significant financial losses for customers and the bank. In contrast, a bug in a healthcare system can result in severe consequences for patients' health and well-being. Therefore, it is crucial to ensure that software systems are reliable and perform as expected.

Reducing risks and vulnerabilities

Effective SQA practices can help reduce risks and vulnerabilities associated with software systems. By conducting rigorous tests, evaluations, and code reviews, SQA can identify and address vulnerabilities in the software system that hackers may leverage to exploit the system.

For instance, with the increasing number of cyber-attacks, it is essential to ensure that software systems are secure and protected from potential threats. SQA can help identify and address vulnerabilities in the software system, thereby reducing the risk of cyber-attacks.

Improving customer satisfaction

Customers expect software products to meet their requirements and expectations adequately. Organisations can improve customer satisfaction by ensuring high-quality software products that fulfil customer needs and deliver the expected outcomes.

For example, a customer using an e-commerce website expects the website to be user-friendly, secure, and reliable. If the website has bugs or security vulnerabilities, the customer may lose trust in the website and switch to a competitor. Therefore, it is crucial to ensure that software products meet customer needs and expectations.

In conclusion, SQA is essential in ensuring the overall reliability, security, and performance of software systems. By implementing effective SQA practices, organisations can reduce the risk of software bugs, performance bottlenecks, or system failure, thereby ensuring seamless continuity in their operations. Additionally, SQA can help identify and address vulnerabilities in the software system, reducing the risk of cyber-attacks. Finally, by ensuring high-quality software products that meet customer needs and expectations, organisations can improve customer satisfaction and gain a competitive advantage in the market.

Implementing the CPS 234 standard in your organisation

Implementing the CPS 234 standard is an essential step towards ensuring the security and protection of your organisation's information assets. The CPS 234 standard is designed to provide a framework for information security management that can help organisations to identify, assess, and manage risks to their information assets.

Implementing the CPS 234 standard requires a structured approach to ensure that all aspects of the standard are addressed. This approach involves several essential practices that organisations must follow to achieve compliance with the standard.

1. Board and senior management responsibilities

CPS 234 is quite explicit: “… The Board of an APRA-regulated entity is ultimately responsible for the information security of the entity”. The board and senior management team bear the primary responsibility for ensuring that their organisation complies with the CPS 234 standard. They must understand the potential impact of all information security threats, not just cyber, on their organisation's operations and reputation, and ensure that appropriate measures are in place to mitigate these risks.

Senior management must provide adequate resources, oversight, and governance to ensure that their organisation's cybersecurity practices are adequate for the protection of information assets. They must also ensure that cybersecurity risks are identified, assessed, and managed effectively.

The board must provide oversight and guidance on the organisation's cybersecurity strategy, policies, and procedures. They must also ensure that cybersecurity risks are incorporated into the organisation's risk management framework and that appropriate reporting mechanisms are in place to monitor and manage these risks.

2. Establishing a robust information security framework

Organisations must establish a robust information security framework that meets the requirements of the CPS 234 standard. This framework should provide a comprehensive approach to information security management that includes policies, procedures, and controls that are designed to protect your organisation's information assets.

The information security framework should be based on industry best practices and should be tailored to meet the specific needs of your organisation. It should include a risk management process that identifies, assesses, and manages risks to your organisation's information assets.

3. Identifying and assessing information assets

The first step in implementing the CPS 234 standard is to identify and assess your organisation's information assets. This involves identifying all the information assets that your organisation owns, manages, or controls. Information assets can include data, information systems, applications, networks, and other resources that are critical to the operation of your organisation.

Once you have identified your organisation's information assets, you need to assess their sensitivity, value, and criticality. This assessment helps you to understand the risks associated with each information asset and determine the appropriate level of protection required to safeguard them.

4. Developing and implementing security policies and procedures

Organisations must develop and implement appropriate security policies and procedures that align with the CPS 234 standard. These policies and procedures should guide the implementation of cybersecurity controls and operations.

The security policies and procedures should be designed to address the specific risks and threats faced by your organisation. They should be regularly reviewed and updated to ensure that they remain relevant and effective.

Implementing the CPS 234 standard is an ongoing process that requires continuous monitoring and improvement. Organisations must regularly review their information security framework, policies, and procedures to ensure that they remain effective in protecting their information assets.

By implementing the CPS 234 standard, organisations can improve their cybersecurity posture, protect their information assets, and demonstrate their commitment to information security to their stakeholders.

Roles and responsibilities under CPS 234

The CPS 234 standard is a cybersecurity standard that aims to improve the overall cybersecurity posture of organisations in the finance sector. The standard outlines the roles and responsibilities of various stakeholders in ensuring that information assets are adequately protected from cyber threats.

Board and senior management responsibilities

The board and senior management team bear the primary responsibility for ensuring that their organisation complies with the CPS 234 standard. They must understand the potential impact of cyber threats on their organisation's operations and reputation, and ensure that appropriate measures are in place to mitigate these risks.

Senior management must provide adequate resources, oversight, and governance to ensure that their organisation's cybersecurity practices are adequate for the protection of information assets. They must also ensure that cybersecurity risks are identified, assessed, and managed effectively.

The board must provide oversight and guidance on the organisation's cybersecurity strategy, policies, and procedures. They must also ensure that cybersecurity risks are incorporated into the organisation's risk management framework and that appropriate reporting mechanisms are in place to monitor and manage these risks.

Employee and third-party responsibilities

Employees and third parties have a crucial role to play in ensuring the security of information assets. They must be aware of their responsibilities and understand not just cybersecurity risks, but information security risks in total.

Organisations must provide regular training and education to employees and third parties on cybersecurity practices and the CPS 234 standard's requirements. This training should cover topics such as password management, phishing awareness, and data security.

Employees and third parties must also be vigilant and report any suspicious activity or potential cybersecurity incidents to the appropriate authorities. They must also comply with the organisation's cybersecurity policies and procedures and ensure that they are taking appropriate measures to protect information assets.

In summary, compliance with the CPS 234 standard requires a collective effort from all stakeholders. The board and senior management team must provide leadership and oversight, the ISO must manage cybersecurity risks, and employees and third parties must be aware of their responsibilities and take appropriate measures to protect information assets.

Conclusion

The CPS 234 standard is crucial to every organisation that holds sensitive data or provides critical services. Compliance with the CPS 234 standard offers assurance that adequate security measures are in place to safeguard the organisation's operations and information assets. It is essential to implement effective SQA practices in conjunction with the CPS 234 standard, as this is critical in ensuring the reliability and performance of software systems.
