CPS 234

From Glitchdata

The Australian Prudential Regulation Authority's (APRA) Prudential Standard CPS 234 Information Security sets out requirements for information asset identification and classification, information security roles and responsibilities, implementation and testing of information security controls, incident management, internal audit, and notification of material information security incidents to APRA.

  • It makes clear that the Board is ultimately responsible for the entity's information security.
  • It requires protective measures commensurate with the size and extent of the threats to the entity's information assets.
  • It includes requirements for managing the information security risk arising from third parties (suppliers) and related parties.

CPS 234 applies to all APRA-regulated entities including:

  • Authorised deposit-taking institutions (ADIs). This includes foreign ADIs, credit unions, banks, and non-operating holding companies authorised under the Banking Act
  • General insurers, including Category C insurers, non-operating holding companies authorised under the Insurance Act, and parent entities of Level 2 insurance groups
  • Life companies, including friendly societies, eligible foreign life insurance companies and non-operating holding companies registered under the Life Insurance Act
  • Private health insurers registered under the PHIPS Act
  • RSE licensees under the SIS Act (the trustees of regulated superannuation funds), in respect of their business operations

Where an APRA-regulated entity's information assets are managed by a third party, including a cloud service provider, CPS 234 also applies to those information assets: the entity remains responsible for assessing the third party's information security capability and controls.