Who is likely to be included in “information security roles and responsibilities”?
According to the text of CPS 234:
An APRA-regulated entity must clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals with responsibility for decision-making, approval, oversight, operations and other information security functions.
While the whole of CPS 234 isn’t relevant to third parties, according to Refiti, the third parties involved with oversight of the information security capabilities of APRA-regulated entities will still be included.
However, Robinson added that there needs to be a distinction between general service providers and specific service providers that are responsible for the control of key information assets.
“In that third party space, that distinction between the general third party and specific service provider who is operating controls on behalf of the regulated entity, their requirement is different and therefore the role and the responsibility that they have will be different,” he said.
For those general third parties, he said it would be best for these businesses to prove their competency, like being compliant with the International Organisation for Standardisation 27001 which outlines a general standard for information security management systems.
Meanwhile, the specific third parties, like data processors, should be able to assure the APRA-regulated entity that the business is operating effectively. The additional time to the deadline of 1 July 2020 can give these businesses time to update contracts to be able to ensure efficiency.
“They may need additional clauses in there to require that service provider to provide that evidence. This can be done through SOC 2 reports, which are service organisation control reports, or through the actual auditing and testing of those controls, by either the entity itself or a partner of that entity to give specific assurance that those controls are operating effectively,” Robinson said.
Howard added that even if the third party is acting as an information security management system, it should have its own information security management system, including its own policies and procedures.
This could include an information security manager, a chief information security officer and established information and/or cyber security teams with their own roles and responsibilities well defined.
“Similarly, you will have those in IT or information teams engaging with the risk management teams and similarly be engaging with the board or senior management level.”
However, to put exact numbers on who should be involved is difficult, in Howard’s words, or as Refiti puts it, it’s “like how long is a piece of string”.
Figuring out “commensurate”
According to the text of CPS 234:
Where information assets are managed by a related party or third party, the APRA-regulated entity must assess the information security capability of that party, commensurate with the potential consequences of an information security incident affecting those assets.
For Refiti, it comes down to the dollar mark of protection versus what you’re protecting.
“Basically what they're saying is they want you to take a risk-based approach. So, they want you to have tested the risks to your organisation, identify your high priority assets,” he said.
“And then, the security controls that you apply to that need to be commensurate based on that assessment.
“If I do a risk assessment, I only have, let's say, a million dollars’ worth of assets. I'm not going to be expending $10 million to protect those assets. So, my spend will be commensurate to what I'm actually protecting.”