APRA Level Security Compliance
9 questions you should be asking to ensure your third party suppliers align with APRA CPS 234 compliance by 1 July 2020
APRA’s new information security standard, CPS 234, commenced on 1 July 2019. An important deadline is also looming for APRA-regulated entities that have any information assets managed by third parties: by 1 July 2020, those entities must comply with CPS 234 and ensure the third parties are also compliant.
To meet these compliance obligations, there are some key questions an entity should be asking before the 1 July 2020 deadline.
Question 1 – What third parties manage information assets?
While this might seem like an obvious question, an audit must be completed to understand what assets are being managed by third parties. Ultimately, the board is responsible for CPS 234 compliance; therefore, it must be sure which information assets are managed by whom.
Question 2 – What are the roles and responsibilities of those third parties you have identified?
To comply with CPS 234, entities must clearly define the security-related roles and responsibilities within the organisation. This also extends to third parties. Some third parties may be responsible for managing and storing customer payment data (like IPSI). Others may provide managed services that include conducting penetration testing to ensure the security of information assets. What must be clear when complying with CPS 234 is what the roles and responsibilities of those external parties are. Once these are determined, they can then be matched with those of the internal parties.
IPSI secures highly sensitive payment data in the cloud and ensures data residency and security compliance, while documenting the roles and responsibilities on a customer-by-customer basis via its responsibility matrix.
Question 3 – Have all the information assets managed by third parties been identified and classified?
To comply with CPS 234, assets managed by third parties, as well as those managed internally, must be classified in terms of criticality and sensitivity. When classifying information assets in this manner, the entity must determine what the effect on customers, policyholders, depositors or beneficiaries would be if there were a security breach affecting that asset.
IPSI services, be they secure call centre solutions, IVR, online payment, tokenisation or sensitive data scanning tools, all clearly identify and secure critical information assets.
Question 4 – Is your information security policy framework up-to-date?
To comply with CPS 234, an information security policy framework must be in place. The framework’s role is to provide direction on the responsibilities of all parties (internal and third party) to maintain information security. To ensure you meet your obligations for third parties by 1 July 2020, this framework must include them as well.
Question 4 – How capable is your third-party supplier regarding their ability to manage information security for your assets?
To comply with CPS 234, you must assess whether the information security capability of your third-party supplier is commensurate with the potential consequences of a security incident affecting that asset. If you have determined that their capability is sound, what contractual controls do you have in place to ensure it is maintained? If the third party isn’t capable, what changes do they need to make to bring their capability into line with expectations? It’s essential that any changes required of the third party are included in the supplier’s contract and assessed once complete, e.g. data breach notification provisions, data residency, secure in-country support and annual independent security assessments.
Are all of your suppliers and third-party channels that store, process or transmit credit card data PCI DSS certified? Have they shown you a current PCI DSS certificate? If not, please feel free to contact IPSI to explore how we can reduce your compliance costs, risks and lead times.
Question 5 – What security controls does the third-party supplier have in place?
CPS 234 states that entities must have security controls in place to protect all information assets, both internal and those managed by third parties. Those security controls must be commensurate with vulnerabilities and threats to the information assets, the criticality and sensitivity of the assets, the stage at which the assets are within their life-cycles, and the potential consequences of an information security incident.
If the entity identifies that the security controls maintained by the third party are not adequate, any remediation requirements should be set out in a new agreement with the third party.
Question 6 – Does the third party have an incident management process in place?
Entities are obligated under CPS 234 to have mechanisms in place that allow them to detect and respond to an incident in a timely manner. If a third party manages information assets, it becomes critical that the third party also has such processes in place for the information assets it manages.
To ensure entities meet their third-party compliance obligations, agreements with the third-party supplier must be reviewed to confirm the supplier has a response process in place that allows the APRA-regulated entity to meet its obligations. Contracts with third parties must be updated so that this requirement is included as part of their responsibilities in managing the information asset.
IPSI services many insurance companies and has tailored its agreements around the APRA requirements.
Question 7 – Do you have a testing program in place that tests the effectiveness of your security controls and those of third parties?
To comply with CPS 234, a systematic testing program must be in place to test security controls, including those of third parties. Entities must ensure their agreements with third parties allow for such testing. If the third party does have testing in place, the entity must ensure the testing is commensurate with the rate at which vulnerabilities and threats change, and that a process exists to remediate any shortfalls the testing program identifies.
Question 8 – Are your internal audit policies up to date?
An internal audit function is required to comply with CPS 234. This function must also review the effectiveness of security controls maintained by third parties and assess the information security control assurance provided by the third party. It’s also important that your contract with a third party requires them to be audited annually for compliance with the relevant security requirements.
Question 9 – Do you have a process in place to conduct regular reviews?
Achieving compliance with CPS 234 is not a once-off, set-and-forget exercise. To maintain ongoing compliance, an entity must actively maintain an information security capability commensurate with the size and extent of threats to its information assets, and a review process must be maintained. Vulnerabilities and threats are continually evolving, and any agreements with third parties must allow the entity to conduct periodic reviews to confirm the third party maintains its information security capability, i.e. via annual independent security certification where possible.
With July 2020 soon upon us, an essential compliance requirement is to ensure that your services and contracts with third parties meet the obligations of CPS 234.
If you require more information about CPS 234, please download our ebook “What are your obligations under APRA Prudential Standard CPS 234” or call us on 1300 975 630 to discuss your payment security compliance challenges.