The Australian Prudential Regulation Authority’s (APRA) recent cyber resilience study offers valuable insights that can serve as a roadmap for all businesses, regulated or not. Below are the key gaps identified by APRA along with guidance on how to address each.
1. Identification and Classification of Information Assets
A significant gap identified in many entities is the incomplete identification and classification of critical and sensitive information assets.
Addressing the Gap: Establish clear information asset classification policies and methodologies and keep them current. In practice this means defining which assets count as critical and/or sensitive, reviewing the contents of the asset register on a regular cycle, and making sure that assets managed by third parties are identified and classified with the same rigour as those managed in-house.
2. Information Security Controls of Third Parties
Many businesses have not sufficiently assessed their third-party information security controls.
Addressing the Gap: Understand which of your assets are managed by third parties and determine the level of testing required accordingly. This includes understanding the controls the third parties have in place, testing control effectiveness through various methods, and ensuring any identified capability gaps are addressed promptly.
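The two gaps above come down to questions you can ask of the asset register itself: which entries have no classification, which have not been reviewed inside the policy interval, and which are managed by a third party whose controls have not been assessed. The following Python script is an added illustration of that check; it is not from the APRA stocktake or this article. The register rows are constructed sample data, and the column names, the classification labels and the 12-month review interval are assumptions to be replaced with your own policy values.

```python
"""Asset register gap check (illustrative, added example).

Flags three register problems over a CSV export: unclassified assets, assets
whose last review is older than the policy interval, and third-party-managed
assets with no current assessment of the provider's controls.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample register, not real data. The column names are an
# assumption about how a register export might look.
SAMPLE_REGISTER = """\
asset,classification,owner,last_reviewed,managed_by_third_party,third_party_assessed
core-banking-db,critical+sensitive,cto,2023-11-02,no,
payroll-saas,sensitive,hr,2022-08-15,yes,2022-09-01
marketing-cms,,marketing,2024-01-10,yes,
intranet-wiki,standard,it,2024-03-01,no,
claims-portal,critical,ops,2023-12-20,yes,2024-02-14
"""

# Assumed classification scheme; substitute the labels your policy defines.
VALID_CLASSIFICATIONS = {"critical", "sensitive", "critical+sensitive", "standard"}
# Assumed policy interval (12 months); not a figure from the APRA stocktake.
REVIEW_INTERVAL_DAYS = 365


def parse_date(value):
    """Blank cells mean 'never'; anything else must be an ISO date."""
    return date.fromisoformat(value) if value.strip() else None


def load_register(text):
    """Read a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_gaps(rows, today, review_interval_days=REVIEW_INTERVAL_DAYS):
    """Return (asset, finding, severity) triples.

    Severity is 'high' for critical or sensitive assets and for assets with
    no classification at all (an unclassified asset might be critical, so it
    is treated as such until someone decides otherwise); 'standard' is 'low'.
    """
    cutoff = today - timedelta(days=review_interval_days)
    findings = []
    for row in rows:
        name = row["asset"]
        cls = row["classification"].strip().lower()
        severity = "low" if cls == "standard" else "high"

        if cls not in VALID_CLASSIFICATIONS:
            findings.append((name, "unclassified", severity))

        last_reviewed = parse_date(row["last_reviewed"])
        if last_reviewed is None or last_reviewed < cutoff:
            findings.append((name, "review_overdue", severity))

        if row["managed_by_third_party"].strip().lower() == "yes":
            assessed = parse_date(row["third_party_assessed"])
            if assessed is None or assessed < cutoff:
                findings.append((name, "third_party_controls_unassessed", severity))
    return findings


def check_sample(today_iso="2024-06-01"):
    """Run the check over the constructed sample as of a fixed date."""
    return find_gaps(load_register(SAMPLE_REGISTER), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for asset, finding, severity in check_sample():
        print(f"{severity.upper():5} {asset:18} {finding}")
```

Run against the sample as of 2024-06-01, the script reports nothing for the in-house assets that were reviewed within the year, but flags payroll-saas (review and third-party assessment both older than the interval) and marketing-cms (no classification, third-party provider never assessed). A real register will need the same treatment for whatever fields and cycle your policy actually defines; the point is that each policy statement in the section above becomes a test that either passes or produces a finding with an owner.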
3. Control Testing Programs
APRA noted that control testing programs are often inadequately defined and executed.
Addressing the Gap: Implement a systematic testing program that covers key controls such as user access reviews, physical security controls, and data loss prevention controls. Testing should be performed by functionally independent specialists, and clear success criteria should be defined up front, including the conditions under which re-testing is required.
4. Incident Response Plans
Many incident response plans are not regularly reviewed or tested.
Addressing the Gap: Ensure your incident response plans are tested at least annually and cover a broad range of plausible disruption scenarios. They should be detailed enough to minimise the amount of decision-making required during an incident and provide clarity regarding roles and responsibilities.
5. Internal Audit Reviews of Information Security Controls
The assessment found limited internal audit reviews of information security controls, especially those operated by third parties.
Addressing the Gap: Internal audit teams should focus on areas where the impact of an information security compromise is material and where reliance on other control testing is low. Reviews should extend to the scope and quality of the testing conducted by other areas and third parties.
6. Notification of Material Incidents and Control Weaknesses
The process to identify and report material incidents and control weaknesses is often inconsistent or not in place.
Addressing the Gap: Establish clear governance processes for escalating incidents and control weaknesses to the relevant governance bodies in a timely manner. Use several mechanisms to surface material control weaknesses, including control testing, assurance activities, and the information security incidents themselves.
At 4walls Cyber Advisory, we’re committed to helping you navigate these challenges. We offer comprehensive solutions, designed to simplify the complex, and guide you from assessment to assurance, fortifying your digital infrastructure against cyber threats. Learn from APRA’s findings and leverage them to strengthen your own cyber resilience.
Read the whole article here: https://www.apra.gov.au/news-and-publications/cyber-security-stocktake-exposes-gaps
FAQ Section
- What is APRA’s Cyber Resilience Study? The Australian Prudential Regulation Authority (APRA) conducted a stocktake examining the cyber resilience of the entities it regulates (banks, insurers and superannuation funds). The aim was to identify key areas of weakness and set out what entities should do to improve their cyber security.
- What were the main findings of the study? The study identified six key gaps: Incomplete identification and classification of information assets, insufficient assessment of third-party information security controls, inadequate definition and execution of control testing programs, irregular review and testing of incident response plans, limited internal audit review of information security controls, and inconsistent reporting of material incidents and control weaknesses.
- How can my organisation address these gaps? Each gap has its own tailored set of strategies for improvement. This ranges from establishing clear information asset classification policies to ensuring incident response plans are tested annually, and improving the consistency of reporting on incidents and control weaknesses.
- How can 4walls Cyber Advisory assist with enhancing cyber resilience? 4walls Cyber Advisory offers a range of services to help organisations address the gaps identified by APRA and strengthen their overall cyber resilience. These services include comprehensive cyber security solutions, cyber security education and training, and cyber threat detection and analysis.