How Janusnet can help with CPS 234 compliance 

The Australian Prudential Regulation Authority (APRA) was established by the Australian Government in 1998 as an independent statutory authority that supervises Australian financial organisations across banking, insurance and superannuation. 

Twenty years on, in November 2018, APRA released the final version of Prudential Standard CPS 234, designed to ensure that APRA-regulated entities have information security requirements in place that make them resilient against information security incidents. The transition period commenced 1 July 2019. Originally, all new contracts entered into had to be compliant by 1 July 2020. In April, APRA announced that, owing to COVID-19, it would consider requests from regulated entities for a six-month extension to this deadline on a case-by-case basis, until 1 January 2021. Given the potential for increased vulnerability to cyber risks in the current environment, APRA emphasised the need for all regulated entities to remain vigilant in maintaining their information security.

The key requirements of this Prudential Standard CPS 234 are that an APRA-regulated entity must ensure:

  • Accountability and responsibility: information security roles and responsibilities must be clearly defined throughout the organisation's hierarchy, from governing bodies and the Board through senior management to individuals
  • Information security capability must be maintained commensurate with the size and extent of the threats to the entity's information assets, without impacting business as usual
  • Information security controls must be based on the criticality and sensitivity of the entity's information assets, and the effectiveness of those controls must be established, maintained and tested for the APRA-regulated entity and any third parties it deals with
  • Incident planning, and notification to APRA of any information security breaches.

Janusnet can help with the Data Leakage section (52) of 'The Prudential Practice Guide CPG234 Information Security' (1).

GAIN CONTROL OVER YOUR INFORMATION

The first steps to securing your organisation's corporate information are to understand where sensitive information is located and who has access to it. Then you need to ensure users are aware they are dealing with sensitive information and to control access to it efficiently and effectively.

Here’s how security classification can integrate with, and enhance, your information security policy:

  • Identification: Identifying sensitive information may be achieved by running a discovery or identifying at source, in order to distinguish between public, personal and proprietary information
  • Classification: Once identified, information can be classified according to its sensitivity, which can be an automated process or based on human understanding; it's a quick and easy process, resulting in both visible and embedded classification
  • Control: It’s now easier than ever to control access to sensitive information, encrypt as required, and run efficient data loss prevention processes that leverage your security classification labels.

The Janusnet 'Security Classification 101' whitepaper describes the value and simplicity of security classifications for APRA-regulated organisations.

Our Janusseal Suite can help with security classification for your organisation and is available for Outlook (desktop, web, mobile), the Microsoft Office Suite, and Windows File Explorer (for non-Microsoft file types).

Protecting Information without Impacting Productivity

To provide organisations with a secure solution that doesn’t stand in the way of productivity, Janusgate Mobile prevents emails containing sensitive information from being delivered to mobile devices, while allowing users to access the email from their corporate desktop.

Because recipients are still alerted to the message instantly, they can respond quickly without any sensitive pre-trial information being held on the mobile device.
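To make the identify / classify / control chain and the mobile-gateway behaviour above concrete, here is an added Python sketch. It is illustrative code written for this page, not Janusnet's product logic or Janusgate's actual rules: the three-level label scheme, the `X-Classification` header name, the `MOBILE_CEILING` setting and the content-matching regexes are all constructed assumptions. The gateway step fails closed, treating a message with no recognised embedded label as if it were at the most restrictive level.

```python
import re
from dataclasses import dataclass, field

# Constructed three-level scheme; the label names are hypothetical, not Janusnet's.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2}
LABEL_HEADER = "X-Classification"   # hypothetical header carrying the embedded label
MOBILE_CEILING = "INTERNAL"          # highest level the gateway will hand to a mobile device

# Constructed content patterns for the identification step. Real deployments use
# discovery tooling or tagging at source; these regexes only illustrate the idea.
PATTERNS = {
    "CONFIDENTIAL": [
        re.compile(r"\bTFN[:\s]*\d{3}\s?\d{3}\s?\d{3}\b", re.I),   # tax-file-number style token
        re.compile(r"\baccount\s+number\b", re.I),
    ],
    "INTERNAL": [re.compile(r"\binternal only\b", re.I)],
}


@dataclass
class Email:
    subject: str
    body: str
    headers: dict = field(default_factory=dict)


def identify(text: str) -> str:
    """Identification: return the highest level whose patterns match the text."""
    found = "PUBLIC"
    for level, regexes in PATTERNS.items():
        if any(r.search(text) for r in regexes) and LEVELS[level] > LEVELS[found]:
            found = level
    return found


def classify(email: Email) -> Email:
    """Classification: embed the label in a header and make it visible in the subject."""
    level = identify(email.subject + "\n" + email.body)
    email.headers[LABEL_HEADER] = level
    marker = f"[{level}]"
    if not email.subject.startswith(marker):       # idempotent: never double-prefix
        email.subject = f"{marker} {email.subject}"
    return email


def effective_level(email: Email) -> str:
    """Read the embedded label; a missing or unrecognised label fails closed."""
    label = email.headers.get(LABEL_HEADER)
    return label if label in LEVELS else "CONFIDENTIAL"


def allow_delivery(email: Email, device: str) -> bool:
    """Control: desktops receive everything; mobiles only up to MOBILE_CEILING."""
    if device == "desktop":
        return True
    return LEVELS[effective_level(email)] <= LEVELS[MOBILE_CEILING]


def run_demo() -> dict:
    """Constructed sample messages exercising each stage end to end."""
    confidential = classify(Email("Client statement", "Customer TFN: 123 456 789 attached."))
    internal = classify(Email("Staff roster", "Internal only: roster for next week."))
    public = classify(Email("Newsletter", "Our branch opening hours over the holidays."))
    unlabelled = Email("Forwarded", "No gateway label on this one.")
    return {
        "confidential_label": confidential.headers[LABEL_HEADER],
        "confidential_subject": confidential.subject,
        "confidential_mobile": allow_delivery(confidential, "mobile"),
        "confidential_desktop": allow_delivery(confidential, "desktop"),
        "internal_mobile": allow_delivery(internal, "mobile"),
        "public_mobile": allow_delivery(public, "mobile"),
        "unlabelled_mobile": allow_delivery(unlabelled, "mobile"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point worth noticing is that the control step never re-inspects content: it trusts the label the classification step embedded, which is what lets a gateway make a fast, consistent decision per device type, and why an absent label has to be treated as the highest sensitivity rather than as public.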

Contact us about CPS 234 compliance

Image supplied by courtesy of the Australian Prudential Regulation Authority. 

Reference: (1) The Prudential Practice Guide CPG 234 Information Security June 2019