Governance, Risk & Compliance

Risk & Governance Frameworks

A Risk Management Framework is a structured process used to identify potential threats to an organisation and to devise a strategy for treating and effectively monitoring those risks.

Centropy consultants have vast experience in devising Risk Management Frameworks for clients, incorporating mechanisms that help them evaluate, monitor and treat the relevant risks within their business units.

A governance framework is a set of rules and guidelines that provides an understanding of how an organisation is managed and controlled. The Centropy team helps develop a framework that the client’s business users can access and follow as part of their everyday business activities.

Centropy helps client organisations build governance frameworks that enable them to manage and control their business units and raise their cyber maturity.

Risk Assessments

Centropy has assessed and helped develop appropriate IT risk management controls for many Government agencies and state-owned organisations. During our assessment, we determine whether:

  • IT risk management is in line with the organisation’s Enterprise Risk Management (ERM) frameworks and aligned to the relevant IT risk appetite and IT risk tolerance levels when making risk-aware decisions.
  • Roles, responsibilities and accountability for IT risk management, awareness and communication have been established.
  • Principles and processes for IT risk evaluation, covering risk identification, risk analysis and measurement, risk ranking, risk mitigation and risk monitoring, have been established.
  • Principles and processes for IT risk response, covering risk articulation, triage, risk treatment and risk reporting, have been established and are in operation.

Third Party Risk Management

Third Party Risk Management (TPRM) has taken on a new meaning and complexity in the age of cloud computing and global sourcing.

A number of recent incidents have gained notoriety for the global impacts and issues they triggered through the supply chain.

Identifying and managing your third party risk exposures requires a unique and customised approach, one that caters not only for small suppliers but also for the global corporations that the majority of Australian businesses rely on.

Our experts’ unique combination of technology and contract law expertise has enabled us to assist a number of clients in putting in place policies, procedures and contracts that help ensure their third party risks are maintained within acceptable limits.

Regulatory compliance

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud.

The PCI SSC has outlined 12 requirements for handling cardholder data and maintaining a secure network.

Centropy’s approach to PCI DSS compliance support is:

  • Assess
  • Remediate
  • Report

Centropy has assisted clients with the identification and remediation of compliance gaps. This includes the development and formalisation of the relevant documentation and associated artefacts. Centropy guides and assists the development of these documents and artefacts by (a) providing a template or shell based on Centropy’s experience, and (b) reviewing the completed draft document or artefact.

Centropy provides support in consolidating and unifying the existing PCI DSS documentation set with the documents to be developed during the remediation phase. Depending on the PCI DSS level, Centropy provides support in updating the Self-Assessment Questionnaire (SAQ) and consolidating all the artefacts (e.g. policies, procedures, standards and checklists).

CPS 234

CPS 234 is a mandatory information security regulation issued by the Australian Prudential Regulation Authority (APRA) and commences on 1 July 2019. This regulation aims to assist APRA-regulated entities in uplifting their information security capabilities in order to withstand the current cyber threat landscape and provide quality services to their end customers.

Key requirements listed within CPS 234:

  1. Information security capability
  2. Policy framework
  3. Information asset identification and classification
  4. Implementation of controls
  5. Incident management
  6. Testing control effectiveness
  7. Internal audit
  8. APRA notification

The Centropy team provides services to assess the security controls addressing the CPS 234 requirements and to devise a strategy and procedures to meet them.

Policies and Procedures

Centropy has assisted client organisations in developing and socialising a variety of policies and procedures related to IT Governance, Cyber Security, Business Continuity and Disaster Recovery.

The Centropy team assesses and develops relevant policies and procedures that outline best practices which the client’s business units can follow.

Controls Testing

Centropy performs audits of IT functions against an IT assurance control framework aligned with COBIT-based controls. This covers:

  • general IT controls,
  • identity and access controls,
  • privileged rights review,
  • user access monitoring and auditing,
  • change management controls,
  • software development controls,
  • incident and problem management controls,
  • business continuity and disaster recovery controls.

Our reviews assess the maturity and effectiveness of controls deployed by our client organisations.

ISO 22301-based IT DR and Business Continuity

Centropy has decades of experience in performing Business Impact Assessments for various NSW government agencies and helping them uplift their business continuity management (BCM) processes in the following ways:

  • Develop an annual review program:

Develop a rolling annual review program to ensure Business Impact Analyses (BIAs) and Business Continuity Plans (BCPs) are reviewed, maintained and tested.

Develop a checklist to facilitate review by Corporate Governance (including guidance for reviewing outsourced functions), which will also assist with reporting to management. Develop review reporting templates that can be provided to business units to facilitate required actions. Feed the results back into a framework for continuous improvement of the BCM program.

  • BCP Training:

Deliver face-to-face training, eLearning modules and slides for Business Continuity Coordinators (BCCs) that include an overview of departmental requirements per policies and procedures, as well as the roles and responsibilities of the Business Continuity team.

  • Monitoring and Reporting:

Develop reports to support management, executives, and Audit and Risk Committees that propose metrics to enable an assessment of whether BCM objectives have been met.

  • IT Disaster Scenario Testing:

Perform tabletop or live scenario-based testing of the predetermined business impacts and their BCM activities to ensure planned recovery options will work effectively and efficiently, with minimal risk and impact to the business.