Almost a quarter of regulated entities in Australia have taken part in the first tranche of APRA’s tripartite cyber assessment. This requires regulated entities to appoint an independent auditor to assess their compliance with prudential standard CPS 234 Information Security.
Given the spate of information security breaches we have seen here in Australia – and around the world – the initial findings are sobering.
The common control gaps identified from this first round include:
- Incomplete identification and classification for critical and sensitive information assets
- Limited assessment of third-party information security capability
- Inadequate definition and execution of control testing programs
- Incident response plans not regularly reviewed or tested
- Limited internal audit review of information security controls
- Inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner
Let’s consider each of those in turn, and how a robust risk management framework can help you close the gaps.
Identification and classification of assets
APRA’s report notes that the classification of information assets may not be regularly reviewed and, in some cases, particularly for information assets managed by third parties, that the assets may not be identified at all. The result is critical or sensitive information assets that are not adequately protected or prioritised.
Information assets can’t be classified in a vacuum. One method to improve accuracy of classification is to map those assets to processes and critical operations, which allows for a more intimate understanding of the impact if those assets were compromised. Process mapping helps identify assets provided by third parties that are necessary to deliver services – addressing the gap related to overlooking third party assets. Once you have identified and classified them, you need to make sure you understand the:
Information security controls of third parties
Assessing the information security controls of your third parties is becoming as important as assessing your own, yet APRA found this to be a common challenge across industry. The gaps include testing programs that do not cover third parties, acceptance of third parties’ self-assessments without further review, and testing not aligned with the criticality and sensitivity of the assets involved. In some cases, control assessment plans for third parties did not exist at all.
A comprehensive Information Security Management System (ISMS) allows for:
- Mapping of controls against multiple control frameworks
- Documenting those controls, whether they are owned internally or by a third-party vendor
- Capturing who is responsible for the testing of those controls
This comprehensive view, supported by accurate classification of assets, enables the development of a control assurance program whose frequency and rigour match the criticality and sensitivity of the assets. That rigour should include effective:
Control testing programs
When assessing both internally and externally owned controls, APRA found that many control testing programs did not meet standards of independence, completeness or consistency, or otherwise failed to provide adequate assurance to the board.
A consistently managed ISMS should cover:
- The frequency of the testing, based on the asset’s criticality or sensitivity
- Tracking of responsibilities and separation of duties where applicable, such as control owner, control operator, and independent testers
- Documented testing procedures to ensure consistency between tests, with criteria defined for design and operational effectiveness
- Documenting and attaching evidence of testing to support the testing outcomes
Tracking this data effectively will help you quickly highlight gaps in your testing program, such as enabling you to report on all the controls that are only tested by the operator, or where control tests have been recorded but not adequately defined.
No matter how effective your preventive controls, you still need to have operational:
Incident response plans
It’s natural to focus on prevention, but given the potential severity of information security incidents, it is vital that incident response plans are not only complete but also tested regularly. APRA found that even where incident response plans did exist, they did not always link to plausible scenarios, and they were not regularly reviewed or tested (which is essential in the ever-changing world of information security).
The involvement of third parties in incident response was also not clear in some plans, which can leave a large gap in response capability. Assumptions on how a third party will respond can undo the best laid plans.
Effective incident response can be incorporated into an enterprise risk management approach by:
- Identifying and linking plausible information security scenarios to critical operations
- Documenting your incident response plans as part of your business continuity and operational resilience framework
- Testing your plans against your plausible scenarios
- Involving your third parties in your incident response planning cycle
- Obtaining assurance from your third parties on their own business continuity and incident response as part of your vendor risk management program
- Documenting the outcomes of your incident response tests, including documenting actions to uplift your response plans, modifying controls, or improving relationships with third parties
To support these overall capabilities, you need:
Internal audit reviews of information security controls
APRA noted limited internal audit assessment of information security controls operated by third parties. Combined with the earlier observation that third party information security controls may not be identified in the first place, this provides very limited assurance over those third-party controls.
The second gap noted by APRA is that internal auditors may lack the necessary skills to perform the testing.
Capturing internal audit results alongside those from first- and second-line teams provides a more complete picture of assurance across all three lines and highlights the assurance gaps that need to be plugged. To address the skills gap, particularly for unfamiliar third-party controls, the internal audit team will need to consider how far it can rely on testing results from those with specialist skills, ideally the third party’s own internal audit team or another independent assurance provider.
If the organisation does identify major issues, it needs to enact:
Notification of material incidents and control weaknesses
While CPS 234 requires regulated entities to notify APRA of material incidents or control weaknesses, the stocktake found that:
- Entity policies and procedures do not include these notification requirements, or do not specify the criteria under which incidents and weaknesses should be reported
- Third party contracts do not include the requirement to notify the entity of incidents or control weaknesses (notably contractual clauses for material service providers will become a more significant requirement under CPS 230 Operational Risk Management)
- There were no processes in place to ensure that reporting was timely, or even enforced at all.
An effective enterprise risk management system (linked to your ISMS) enables the classification of incidents and key control weaknesses to automate workflow and escalation to critical stakeholders. This enables teams to assess them against notification requirements, meet regulatory timelines, and most importantly address weaknesses in a timely manner.
Conclusions and next steps for your organisation
A complete enterprise risk management approach, supported by appropriate systems and tools can enable:
- Process mapping that gives an end-to-end view of your critical operations and the information assets that support them, including those owned by third parties
- A vendor risk management program that enables ongoing monitoring and assessment of your third parties, including controls assurance
- An ISMS that enables comprehensive control testing and assurance
- Incident response playbooks linked to plausible scenarios and critical operations
You can find out more about how to build and manage the systems and programs laid out above in our free eBooks covering operational resilience, vendor risk management, and IT risk management.