Data Security Compliance with the APRA Prudential
Standard CPS234 in Australia

Regulation Overview

Australian Prudential Regulation Authority (APRA)’s purpose is to ensure Australians' financial interests are protected and that the financial system is stable, competitive and efficient. This Prudential Practice Guideline (PPG) targets areas where weaknesses in information security management continue to be identified as part of APRA’s ongoing supervision activities. It is also intended to provide guidance with respect to the implementation of Prudential Standard CPS 234 Information Security (CPS 234) with key sections below:

• Considerations for the Board
• Roles and responsibilities
• Information security capability
• Policy framework
• Information asset identification and classification
• Implementation of controls
• Incident management
• Testing control effectiveness
• Internal audit

Who needs to comply with CPS234?
CPS234 applies to APRA-regulated entities namely:

• Authorized deposit-taking institutions (ADIs), including foreign ADIs, credit unions, and banks
• General insurers
• Life companies and friendly societies
• Private health insurance companies
• Non-operating holding companies
• Superannuation funds

Thales helps organizations comply with CPS234 by addressing APRA Prudential Practice Guidelines (PPG) on Information Security Capability, Policy Framework, Information asset identification and classification, implementation of controls and incident management.

INFORMATION SECURITY CAPABILITY
Guidelines 18: Capability Of Third Parties And Related Parties

• With the CipherTrust Data Security Platform (CDSP), administrators can create a strong separation of duties between privileged administrators and data owners and can enforce very granular, least-privileged-user access management policies, enabling the protection of data from misuse by privileged users.
• CipherTrust Transparent Encryption provides a complete separation of administrative roles, so only authorized users and processes can view unencrypted data.
• Thales OneWelcome Identity platform's fine-grained authorization capability helps organizations by providing the right amount of access to the right people at the right time.

POLICY FRAMEWORK
Guidelines 21 – A policy hierarchy informed by a set of key principles

• Thales OneWelcome Identity Platform allows organizations to associate devices and other digital identities with primary accounts, authenticate, authorize, collect, and store information about external and internal identities from across many domains.
• SafeNet IDPrime smart cards can be leveraged for implementing physical access to sensitive facilities. These smart cards can also augment Passwordless authentication initiatives relying on PKI and FIDO technology.
• CipherTrust Transparent Encryption protects data with file and volume level data-at-rest encryption, access controls, and data access audit logging without re-engineering applications, databases, or infrastructure with MFA feature limits privileged users' sensitive data.
• Thales Luna Hardware Security Modules (HSMs) provide the highest level of encryption security by always storing cryptographic keys in hardware.
• CipherTrust Manager manages key lifecycle tasks including generation, rotation, destruction, import and export, provides role-based access control to keys and policies, supports robust auditing and reporting, and offers developer-friendly REST API. It supports two-factor authentication for administrative access.
• Audit trail of CipherTrust Data Security Platform allows risk owners and auditors to assess and demonstrate compliance against the information security policy framework. CipherTrust Transparent Encryption (CTE) provides detailed data access audit logs and CipherTrust Security Intelligence (CSI) with logs and reports to streamline compliance reporting and speedup threat detection using leading Security Information and Event Management (SIEM) systems.

INFORMATION ASSET IDENTIFICATION AND CLASSIFICATION
Guidelines 26 – Classification of all information assets by criticality and sensitivity

• Classify all information assets by criticality and sensitivity with CipherTrust Data Discovery and Classification, it offers complete visibility into your sensitive data with efficient data discovery, classification, and risk analysis across heterogeneous data stores - the cloud, big data, and traditional environments - in your organization.

IMPLEMENTATION OF CONTROLS
Guidelines 36 – Information security controls implemented at all stages

• Thales OneWelcome identity & access management solutions limit the access of internal and external users based on their roles and context with strong authentication (MFA), granular access policies and fine-grained authorization policies. The solution also facilitates external IoT device identity management via the OAuth2 Device Flow specification. Web-connected and user input-constrained devices can be linked with user identity accounts managed by OneWelcome tenants.
• SafeNet IDPrime smart cards can be leveraged for implementing physical access to sensitive facilities. These smart cards can also augment Passwordless authentication initiatives relying on PKI and FIDO technology.
• Digital Signing for a wide range of applications with Hardware security modules (HSMs) protects the private keys used for secure electronic signatures; it enhances security and ensures compliance.
• CipherTrust Data Security Platform provides multiple capabilities for protecting data at rest in files, volumes, and databases by CipherTrust Transparent Encryption and CipherTrust Tokenization.
• CipherTrust Transparent Encryption encrypts sensitive data and enforces granular privileged-user-access management policies that can be applied by user, process, file type, time of day, and other parameters.
• CipherTrust Manager centrally manages encryption keys and configures security policies so organizations can control and protect sensitive data with the separation of duties. It streamlines and strengthens key management in enterprise environments over a diverse set of use cases. 

Guidelines 44 – MINIMISE EXPOSURE TO PLAUSIBLE WORST CASE SCENARIOS

• Hardware security modules (HSMs) safeguard the cryptographic keys used to secure applications, and sensitive data, it enhances security and ensures compliance.
• CipherTrust Data Security Platform can enforce very granular, least-privileged-user access management policies, enabling protection of data from misuse by privileged users and attackers.
  • CipherTrust Transparent Encryption encrypts files, while leaving their metadata in the clear. so IT administrators perform their system administration tasks, without gaining privileged access to the sensitive data residing on the systems they manage.
  • CipherTrust Transparent Encryption Ransomware Protection (CTE-RWP) continuously monitors processes for abnormal I/O activity and alerts or blocks malicious activity before ransomware can take complete hold of your endpoints and servers.
  • CipherTrust Manager offers centralized Administration and Access Control, which unifies key management operations with role-based access controls that prevents unauthorized password changes and alerts on simultaneous logins by the same user.
• Thales OneWelcome Identity Platform allows organizations to virtually (or logically) limit access to confidential resources with the use of MFA (including phishing-resistant authentication) and granular access policies. SafeNet IDPrime smart cards can be leveraged for implementing physical access to sensitive facilities.

Guidelines 46 (b) - PHYSICAL AND ENVIRONMENTAL CONTROLS

• SafeNet IDPrime smart cards can be leveraged for implementing physical access to sensitive facilities. These smart cards can also augment Passwordless authentication initiatives relying on PKI and FIDO technology.

Guidelines 54 – CRYPTOGRAPHIC TECHNIQUES TO RESTRICT ACCESS; Guidelines 56 – INFORMATION SECURITY TECHNOLOGY SOLUTIONS & Guidelines 58 – END-USER DEVELOPED/ CONFIGURED SOFTWARE

• Hardware security modules (HSMs) provide the highest level of encryption security by always storing cryptographic keys in hardware and offer strong access controls prevent unauthorized users from accessing sensitive cryptographic material.
• Thales’s portfolio of certificate-based authentication form factors offers strong multi-factor authentication, enabling organizations to address their PKI security needs.

Protect Data in Transit/ Motion

• Thales High Speed Encryptors (HSEs) provide network independent data-in-transit/ motion encryption (Layers 2,3 and 4) ensuring data is secure as it moves from site-to-site, or from on-premises to the cloud and back.
• CipherTrust Manager centrally manages encryption keys and configures security policies so organizations can control and protect sensitive data with the separation of duties.

Protect Data in use

• CipherTrust Vaultless Tokenization protects data at rest while its policy-based Dynamic Data Masking capability protects data in use. A RESTful API in combination with centralized management and services enables tokenization implementation with a single line of code per field.

Protect Data At Rest

• CipherTrust Data Security Platform safeguards and audits the integrity of customer records and information against a broad range of threats to data. Protecting data at rest through the use of CipherTrust Transparent Encryption for file and volume level data-at-rest encryption, CipherTrust Tokenization for database tokenization and dynamic display security as well as CipherTrust Application Data Protection.

INCIDENT MANAGEMENT – DETECTION OF SECURITY COMPROMISES
Guidelines 69

• With the CipherTrust Data Security Platform, administrators can create strong separation of duties between privileged administrators and data owners. In addition, the CipherTrust Manager supports two-factor authentication for administrative access.
• Thales OneWelcome Identity Platform allows organizations to virtually (or logically) limit access to confidential resources with the use of MFA (including phishing-resistant authentication) and granular access policies with analytics reports. It tracks identity events and provides analytics reports.

Attachment A: Security Principles 1. (a)

• CipherTrust Manager offers centralized Administration and Access Control, which unifies key management operations with role-based access controls.
• Hardware security modules (HSMs) safeguard the cryptographic keys used to secure applications and sensitive data, it further enhances security and ensures compliance with an additional layer of protection.

Attachment A: Security Principles 1. (e)

• Thales OneWelcome Identity platform allows organizations to identify and authenticate internal and external users, manages third-party identity efficiently with its’ delegation management capability and mitigates risks from third-party as well as providing an immediate and an up to date audit trail of all access events to all systems.
• After a user is identified, you can control and coordinate how users gain access to assets, and what they can do with those assets with CipherTrust Enterprise Key Management Solution.

Attachment C: Identity and Access

• Thales OneWelcome identity & access management solutions limit the access of internal and external users based on their roles and context.
• SafeNet IDPrime smart cards can be leveraged for implementing physical access to sensitive facilities.

Attachment E: Cryptographic Techniques

• Luna HSMs from Thales provide a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption, and more.
• CipherTrust Data Security Platform can enforce very granular, least-privileged-user access management policies, enabling protection of data from misuse by privileged users and attackers.