Case Studies

CPS 234 Compliance Program

The Client

A NSW-based credit union providing a range of deposit and lending financial products.

The Objective

In 2019, APRA introduced its Prudential Standard CPS 234 for Information Security. The objective and key requirements of this Prudential Standard were to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyberattacks) by maintaining an appropriate information security capability. A key objective of the standard is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity, or availability of information. The standard also instituted the relatively new paradigm that the Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security. The client needed to assess its compliance and implement or enhance the necessary controls to ensure compliance within the APRA-stipulated timelines, providing visibility and assurance to board members on compliance against the organisation's responsibilities.

Centropy's Approach

Due to the high visibility of the program, it was essential to frame it in the context of risk identification and management. As the first step, a board-endorsed Risk Appetite Statement was established and used to set benchmarks and standards for the controls to be implemented. Subsequently, a gap assessment was conducted to identify opportunities for improvement in the controls in place. This set the scope for the remainder of the program, with a roadmap of initiatives to be implemented. Centropy consultants then worked with the client in coordinating and delivering the enhanced controls, including obtaining endorsement and approvals from the Board and the Executive Leadership team, to achieve compliance within the stipulated timeframes.

What We Achieved

  1. Brought together disparate expert skills to assess, design and implement the network segmentation.
  2. Supported the risk identification and management framework.
  3. Managed on-time delivery of the necessary enhancements to controls.
  4. Helped achieve target compliance within the stipulated timeframes.

Relevance

# Cyber Security, # Risk management, # Policies & Procedures, # CPS234