APRA has released for consultation a proposed updated cross-industry Prudential Practice Guide 234 Information Security (CPG 234), which will replace the existing CPG 234 Management of Security Risk in Information and Information Technology.
After an eight-week consultation, APRA will review industry feedback before releasing the final version of CPG 234 prior to CPS 234 coming into force on 1 July 2019.
CPS 234 applies to all APRA-regulated entities.
The key matters covered in the updated draft CPG 234 include:
- guidance on information asset identification and classification;
- details to assist APRA-regulated entities when notifying APRA of information security incidents and information control weaknesses as required under CPS 234; and
- various matters where APRA, through its ongoing supervision, has identified deficiencies in the practices of regulated entities.
The guide is aimed at boards and senior management, as well as risk and information technology experts within regulated entities. It outlines how entities can maintain information security capabilities commensurate with the size and complexity of their business and the sensitivity of the data they possess. It also explains how entities can optimise their resilience when aspects of their information security are managed by third parties.
Subject to APRA’s prudential standards, an APRA-regulated entity has the flexibility to maintain its information security capability in the way most suited to achieving its information security objectives. When the content of the PPG refers to matters contained in prudential standards and PPGs other than CPS 234, the intent is to provide guidance on matters that directly relate to information security. In a number of areas, the PPG provides examples of practices to illustrate a range of controls that could be deployed to address a stated principle. APRA says that these examples are not intended to be exhaustive compliance checklists. Additionally, attachments have been included in areas where APRA has determined that more detailed guidance is warranted.