Cybersecurity: The big lessons from APRA’s stocktake
Almost a quarter of regulated entities in Australia have taken part in the first tranche of APRA's tripartite cyber assessment of their compliance with the CPS 234 Information Security standard. The findings are sobering.
The common control gaps identified from this first round include:
- Incomplete identification and classification of critical and sensitive information.
- Limited assessment of third-party information security capability.
- Inadequate definition and execution of control testing programs.
- Incident response plans not regularly reviewed or tested.
- Limited internal audit review of information security controls.
- Inconsistent reporting of material incidents and weaknesses to APRA.
Identification and classification of assets
APRA's report notes that the classification of information assets may not be regularly reviewed and, in some cases, particularly for information assets managed by third parties, may not be identified at all. This can result in critical or sensitive information assets that are not adequately protected or prioritised.
Information assets can't be classified in a vacuum. One method to improve the accuracy of classification is to map those assets to processes and critical operations, which allows for a more intimate understanding of the impact if those assets are compromised. Process mapping helps identify assets provided by third parties that are necessary to deliver services – addressing the gap related to overlooking third-party assets.
Information security controls of third parties
Assessing information security controls of your third parties is becoming as important as assessing your own, but APRA found this to be a common challenge in the industry. This includes gaps in testing programs, acceptance of third parties' self-assessments without further review, and testing not aligned with criticality and sensitivity. In some cases, control assessment plans over third parties did not exist at all.
A comprehensive Information Security Management System (ISMS) allows for:
- Mapping of controls against multiple control frameworks.
- Documenting those controls, whether they are owned internally or by a third-party vendor.
- Capturing who is responsible for the testing of those controls.
Control testing programs
When assessing both internally and externally owned controls, APRA found that many control testing programs did not meet standards of independence, completeness or consistency, or otherwise failed to provide adequate assurance to the board.
A consistently managed ISMS should cover:
- The frequency of the testing, based on the asset's criticality or sensitivity.
- Tracking of responsibilities and separation of duties where applicable, such as control owner, control operator, and independent testers.
- Documented testing procedures to ensure consistency between tests, with criteria defined for design and operational effectiveness.
- Documenting and attaching evidence of testing to support the testing outcomes.
Tracking this data effectively will highlight gaps in your testing program: for example, it lets you report on all controls that are tested only by their operator, or on control tests that have been recorded without an adequately defined procedure.
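As an added example (not from the article or any Protecht product), the register below holds the data the list above describes and implements the two reports the paragraph names, plus an overdue check driven by asset criticality. The criticality-to-interval mapping, the field names and the sample entries are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed test interval per criticality tier (days). CPS 234 does not
# prescribe these values; an entity sets them in its own ISMS.
TEST_INTERVAL_DAYS = {"critical": 90, "high": 180, "medium": 365}

@dataclass
class ControlTest:
    tester: str              # who performed the test
    tested_on: date
    procedure_defined: bool  # documented steps with design/operating criteria
    evidence_attached: bool  # evidence supporting the recorded outcome

@dataclass
class Control:
    control_id: str
    criticality: str         # of the information asset the control protects
    owner: str
    operator: str
    third_party: Optional[str] = None   # vendor operating the control, if any
    tests: list = field(default_factory=list)

def overdue(register, today):
    """Controls never tested, or last tested outside their tier's interval."""
    out = []
    for c in register:
        limit = timedelta(days=TEST_INTERVAL_DAYS[c.criticality])
        last = max((t.tested_on for t in c.tests), default=None)
        if last is None or today - last > limit:
            out.append(c.control_id)
    return out

def operator_only(register):
    """Controls whose every recorded test was run by the operator (no independence)."""
    return [c.control_id for c in register
            if c.tests and all(t.tester == c.operator for t in c.tests)]

def undefined_tests(register):
    """(control, date) pairs recorded without a defined procedure or evidence."""
    return [(c.control_id, t.tested_on) for c in register for t in c.tests
            if not (t.procedure_defined and t.evidence_attached)]

# Constructed sample register; the entries are illustrative, not from the report.
REGISTER = [
    Control("AC-01", "critical", "CISO", "IAM team", tests=[
        ControlTest("IAM team", date(2024, 1, 10), True, True),
        ControlTest("IAM team", date(2024, 4, 5), True, True)]),
    Control("BK-02", "high", "CIO", "VendorCo", third_party="VendorCo", tests=[
        ControlTest("Internal Audit", date(2023, 6, 1), False, True)]),
    Control("NW-03", "medium", "CISO", "Network team", tests=[
        ControlTest("Second line", date(2024, 3, 20), True, True)]),
]
```

Running the three functions over REGISTER as of mid-July 2024 flags AC-01 as both overdue and operator-only, and BK-02 (a third-party control) as overdue with a test that lacks a defined procedure.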
Incident response plans
It's natural to focus on prevention, but given the potential severity of information security incidents, it is essential that incident response plans are not only complete but are also tested regularly.
APRA found that even when incident response plans did exist, they did not always link to plausible scenarios, and they were not regularly reviewed or tested. The involvement of third parties in incident response was also not clear in some plans, which can leave a large gap in response capability.
Effective incident response can be incorporated into an enterprise risk management approach by:
- Identifying and linking plausible information security scenarios to critical operations.
- Documenting your incident response plans as part of your business continuity and operational resilience framework.
- Testing your plans against your plausible scenarios.
- Involving your third parties in your incident response planning cycle.
- Obtaining assurance from your third parties on their own business continuity and incident response.
- Documenting the outcomes of your incident response tests, including actions to uplift your response plans, modifying controls, or improving relationships with third parties.
Internal audit reviews of information security controls
APRA noted limited internal audit assessment of information security controls operated by third parties. Combined with the earlier observation that third-party information security controls may not be identified in the first place, this provides very limited assurance over those third-party controls.
The second gap noted by APRA is that internal auditors may lack the necessary skills to perform the testing.
Capturing internal audit results alongside those from first- and second-line teams provides a more complete picture of assurance across all three lines and highlights the assurance gaps that need to be plugged.
Notification of material incidents and control weaknesses
While CPS 234 requires regulated entities to notify APRA of material incidents or control weaknesses, the stocktake found that:
- Entity policies and procedures don't include these notification requirements or specify the criteria under which they should be reported.
- Third-party contracts do not include the requirement to notify the entity of incidents or control weaknesses.
- There were no processes in place to ensure that reporting was timely or even enforced at all.
An effective enterprise risk management system enables the classification of incidents and key control weaknesses to automate workflow and escalation to critical stakeholders. This enables teams to assess them against notification requirements, meet regulatory timelines, and, most importantly, address weaknesses.
Conclusions and next steps for your organisation
A complete enterprise risk management approach, supported by appropriate systems and tools, can enable:
- Process mapping that gives an end-to-end view of your critical operations and the information assets that support them, including those owned by third parties.
- A vendor risk management program that enables ongoing monitoring and assessment of your third parties, including controls assurance.
- An ISMS that enables comprehensive control testing and assurance.
- Incident response playbooks linked to plausible scenarios and critical operations.
You can find out more about how to build and manage effective systems in Protecht's Speaking the Same Language: Bringing IT and Cyber Risk to your Enterprise View webinar.
Protecht also offers a range of free eBooks covering operational resilience, vendor risk management, cyber risk management and IT risk management.