Cover Feature
Financial industry security APRAisals
By David Stafford-Gaffney

July 2020 looms, and like impending doom, the pressure keeps mounting while no solution seems viable. As an organisation in the financial sector, you have been advised that you need to demonstrate awareness of and alignment to the Australian Prudential Regulation Authority's (APRA) CPS 234 Standard. You struggled to manage GS007 financial regulation, and now you need to also comply with CPS 234, not to mention all this new Privacy legislation. What are you to do?

This article follows on from the last one, in which I looked at how to select the best framework to use as your primary control set, and how to baseline and manage your security environment (using both NIST and ISO 27001). Baselining the security environment against a single standard is the easiest way to start and quickly make some real progress, developing an Information Security Management System (ISMS) as the documentation set that can be evidenced by an auditor.
36 | Australian Cyber Security Magazine
Getting started with CPS 234

Back to the story. With a reasonable grasp of information security and working with other standards such as ISO 27001, you ask yourself the most fundamental question: which of these financial standards should you start with, and which should be drawn upon as additional requirements you need to meet at some point later? Finding a suitable answer can get complicated, especially if you try to map all the necessary elements in each standard that must be addressed. I've found the best way to do this is to put the controls (all of them) in a spreadsheet and map each one from the first standard (the primary standard) to new columns for the second standard. Where there is an exact match, the primary standard is the one that delivers it, and where there is a gap, it falls to the second standard to pick up the slack. This process works for two, three and even four standards or frameworks, but be warned: compliance against more than two separate