The big lessons from APRA’s stocktake

Almost a quarter of the entities APRA regulates in Australia have taken part in the first tranche of APRA's tripartite cyber assessment, which tests their compliance with the CPS 234 Information Security standard. The findings are sobering.

The common control gaps identified in this first round include:

  • Incomplete identification and classification of critical and sensitive information.
  • Limited assessment of third-party information security capability.
  • Inadequate definition and execution of control testing programs.
  • Incident response plans not regularly reviewed or tested.
  • Limited internal audit review of information security controls.
  • Inconsistent reporting of material incidents and weaknesses to APRA.

Identification and classification of assets

APRA’s report notes that the classification of information assets may not be regularly reviewed and, in some cases, particularly for information assets managed by third parties, may not be identified at all. This can result in critical or sensitive information assets that are not adequately protected or prioritised.

Information assets can’t be classified in a vacuum. One method to improve the accuracy of…