MQ Uni leading the way


MQ Uni leading the development of an APRA CPS 234 Compliance Template


APRA Prudential Standard CPS 234 Information Security aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyber-attacks) by maintaining an information security capability commensurate with the information security vulnerabilities and threats it faces.

At the recent CyBSA 2019 Cyber Breach Simulation Australia event, hosted by the Optus Macquarie University Cyber Security Hub, APRA Member Geoff Summerhayes explained in his keynote how the CPS 234 standard sets the floor for baseline cyber-resilience metrics and calls for an "assumed breach" mentality. That mindset demands an enterprise-wide focus on building resilience through detection and response capability, rather than relying solely on preventative measures.

The Hub commissioned a research project to develop a CPS 234 Compliance Template, enabling regulated entities to assess whether their information security capability is commensurate with their enterprise risk appetite. The research is led by Denny Wan and supervised by Assoc Prof Christophe Doche, Executive Director of the Hub.

The template uses the Open Group FAIR (Factor Analysis of Information Risk) cyber risk quantification framework for measurement. The compliance process first quantifies the organisation's risk appetite and risk tolerance in loss terms, so that they serve as a baseline against which the quantified information security capability can be measured. This gives the board assurance that the information security capability supports the approved risk appetite and keeps residual exposure within the risk tolerance.
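To make the measurement step concrete, here is an added Python illustration of how FAIR-style quantification can express simulated loss exposure, risk appetite and risk tolerance in the same units. It is not the Hub's template or any code from the project; the scenario parameters, the appetite and tolerance figures, and all function names are constructed for this example.

```python
"""FAIR-style Monte Carlo quantification of annual loss exposure, compared
against a board's risk appetite and risk tolerance.

Added illustration only: this is not the Hub's CPS 234 Compliance Template,
and every scenario parameter below is a made-up value for demonstration.
Standard library only, so it runs offline.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Scenario:
    """One loss scenario, estimated FAIR-style as calibrated ranges
    (minimum, most likely, maximum)."""
    name: str
    tef: tuple    # Threat Event Frequency: attempts per year
    vuln: tuple   # Vulnerability: probability an attempt becomes a loss event
    loss: tuple   # Loss Magnitude per loss event, in AUD


def pert(rng, lo, mode, hi, lam=4.0):
    """Modified-PERT draw: a Beta variate stretched onto [lo, hi] and peaked
    at the most-likely value, the usual way to sample (min, likely, max)
    expert estimates in FAIR models."""
    if hi <= lo:
        return lo
    alpha = 1.0 + lam * (mode - lo) / (hi - lo)
    beta = 1.0 + lam * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(alpha, beta) * (hi - lo)


def poisson(rng, lam):
    """Number of events in a year for an expected rate lam (Knuth's method;
    the standard library has no Poisson sampler)."""
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def annual_loss(rng, s):
    """One simulated year of one scenario: Loss Event Frequency is
    TEF x Vulnerability; each realised loss event draws its own magnitude."""
    lef = pert(rng, *s.tef) * pert(rng, *s.vuln)
    return sum(pert(rng, *s.loss) for _ in range(poisson(rng, lef)))


def simulate(scenarios, trials=10_000, seed=1):
    """Sorted distribution of total annual loss across all scenarios,
    one value per simulated year."""
    rng = random.Random(seed)
    return sorted(sum(annual_loss(rng, s) for s in scenarios)
                  for _ in range(trials))


def percentile(sorted_losses, q):
    """Nearest-rank percentile of an already sorted list, q in [0, 1]."""
    idx = min(len(sorted_losses) - 1, int(q * (len(sorted_losses) - 1)))
    return sorted_losses[idx]


def assess(losses, appetite, tolerance, tail=0.95):
    """Compare simulated exposure with two board figures in the same currency:
    appetite  - expected annual loss the board is willing to run;
    tolerance - largest annual loss acceptable at the chosen tail percentile
                (how far beyond appetite a bad year may go)."""
    expected = statistics.fmean(losses)
    tail_loss = percentile(losses, tail)
    p_exceed = sum(1 for x in losses if x > tolerance) / len(losses)
    if tail_loss > tolerance:
        verdict = "outside tolerance: capability uplift required"
    elif expected > appetite:
        verdict = "within tolerance but above appetite: report and remediate"
    else:
        verdict = "within appetite"
    return {"expected_annual_loss": expected, "tail_percentile": tail,
            "tail_loss": tail_loss, "p_exceeds_tolerance": p_exceed,
            "verdict": verdict}


# Constructed example scenarios (illustrative values, not from any entity).
SCENARIOS = [
    Scenario("Phishing leading to account takeover",
             tef=(2, 6, 15), vuln=(0.05, 0.15, 0.40),
             loss=(20_000, 120_000, 900_000)),
    Scenario("Third-party breach exposing member data",
             tef=(0.2, 0.5, 2.0), vuln=(0.10, 0.30, 0.60),
             loss=(250_000, 1_500_000, 8_000_000)),
]


if __name__ == "__main__":
    losses = simulate(SCENARIOS)
    # Hypothetical board figures: A$400k expected loss, A$3m worst year at p95.
    for key, value in assess(losses, 400_000, 3_000_000).items():
        print(f"{key:>22}: {value:,.2f}" if isinstance(value, float)
              else f"{key:>22}: {value}")
```

The point of the exercise is the comparison, not the numbers: the mean of the simulated distribution is held against the appetite, and a tail percentile against the tolerance, so "appetite" and "tolerance" stop being adjectives and become figures a control owner can move by reducing frequency (TEF), vulnerability, or magnitude. The output is only as good as the calibration of the input ranges, which is where the FAIR training the FAIR Institute describes below comes in.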

Michael Collins (General Manager – Information Security, HESTA) says “This methodology brings to light a method with which the gaps in understanding can be closed when discussing what risk appetite and risk tolerance means in quantifiable terms."

Denny Wan (researcher, Macquarie University Cyber Security Hub) says "I am privileged to have the opportunity to collaborate with Michael in this practical and insightful research. I have learnt the inner workings of the enterprise security processes and the importance of aligning security programs with the organisation's risk appetite and risk tolerance."

Jack Jones (Chairman, FAIR Institute and author of the FAIR framework) says "I am delighted that the FAIR framework has been applied successfully to unite the business and information security teams, delivering a complete security management solution reflective of the organisation's risk appetite."

Nick Sanna (President and Secretary, FAIR Institute) says "Macquarie University is a recognised education leader in cyber security and an education partner of the Institute, offering academic and training courses that teach FAIR to their students. We are pleased to see FAIR is actively integrated into its research program."

About Optus Macquarie University Cyber Security Hub

Launched in 2016, the Optus Macquarie University Cyber Security Hub is a $10 million joint investment between Optus and Macquarie University. It promotes a uniquely interdisciplinary approach to tackling real-world challenges in cyber security by linking academics in information security, business, criminology, intelligence, law and psychology with cyber security leaders from industry and government.

About the FAIR Institute

The FAIR Institute is a non-profit organisation made up of forward-thinking risk officers, cybersecurity leaders and business executives who operate with a central mission:

Establish and promote information risk management best practices that empower risk professionals to collaborate with their business partners on achieving the right balance between protecting the organisation and running the business.

Factor Analysis of Information Risk (FAIR) is the discipline, the framework, and the driver behind its mission.