Gatekeeper Contract and Vendor Management Glossary

Search common contracting language and take a deeper dive to discover what each means


The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the Australian financial services industry. It is responsible for the financial safety and soundness of the institutions it regulates, including banks, credit unions, building societies, insurers and superannuation funds.

CPS 234 (Prudential Standard CPS 234 Information Security) is an APRA prudential standard, in force since 1 July 2019, that sets out the information security requirements for APRA-regulated entities. Its main requirements are:

  1. Information Security Roles and Responsibilities: APRA-regulated entities must clearly define the information security roles and responsibilities of the Board, senior management, governing bodies and individuals. The Board is ultimately responsible for the entity's information security, and the entity must ensure that staff understand and are trained in their information security responsibilities.

  2. Information Asset Identification and Classification: Entities must identify and classify their information assets by criticality and sensitivity. This covers personal information, financial information and any other information whose loss, theft or compromise could affect the entity's operations, its customers or its reputation, including assets managed by related parties and third parties on the entity's behalf.

  3. Control Implementation: Entities must implement information security controls that are commensurate with the criticality and sensitivity of their information assets, and with the vulnerabilities and threats to those assets. This includes both technical and non-technical controls, such as access controls, encryption, backups, incident management and management of third-party suppliers. Where a third party manages an information asset, the entity must assess whether that party's controls are adequate.

  4. Testing and Assurance: Entities must test the effectiveness of their information security controls through a systematic testing programme, with the nature and frequency of testing matched to the criticality and sensitivity of the assets and the rate of change in the threat environment. In practice this typically includes penetration testing, vulnerability assessments and assurance over controls operated by third parties, with internal audit reviewing the design and operating effectiveness of the controls.

  5. Incident Management: Entities must maintain robust mechanisms for detecting, assessing and responding to information security incidents, including clear escalation procedures and response plans for plausible incident scenarios. Entities must notify APRA as soon as possible, and no later than 72 hours, after becoming aware of an information security incident that materially affected, or had the potential to materially affect, the entity or the interests of its depositors, policyholders, beneficiaries or other customers, or that has been notified to another regulator. They must also notify APRA within 10 business days of becoming aware of a material information security control weakness that they expect will not be remediated in a timely manner.