Data Security Compliance with the APRA Prudential
Standard CPS234 in Australia

Thales helps organisations comply with CPS234 by addressing APRA Prudential Practice Guidelines (PPG)

APRA Prudential Practice Guideline (PPG) to comply with CPS234

Prudential Standard CPS234 is an information security law intended to ensure that regulated entities can withstand cyberattacks and other security threats. The purpose of Prudential Practice Guidelines (PPG) is to provide guidance to Boards, senior management, risk management and information security specialists (both management and operational) of APRA-regulated entities with respect to the implementation of CPS234 Information Security.

With extensive experience helping organisations meet compliance mandates, Thales helps organisations address the APRA Prudential Practice Guidelines (PPG) on Information Security Capability, Policy Framework, Information Asset Identification and Classification, Implementation of Controls and Incident Management.

Regulation Overview

The Australian Prudential Regulation Authority's (APRA) purpose is to ensure that Australians' financial interests are protected and that the financial system is stable, competitive and efficient. This Prudential Practice Guideline (PPG) targets areas where weaknesses in information security management continue to be identified as part of APRA's ongoing supervision activities. It is also intended to provide guidance on the implementation of Prudential Standard CPS 234 Information Security (CPS 234), with the key sections listed below:

  • Considerations for the Board
  • Roles and responsibilities
  • Information security capability
  • Policy framework
  • Information asset identification and classification
  • Implementation of controls
  • Incident management
  • Testing control effectiveness
  • Internal audit

Who needs to comply with CPS234?
CPS234 applies to APRA-regulated entities namely:

  • Authorised deposit-taking institutions (ADIs), including foreign ADIs, credit unions, and banks
  • General insurers
  • Life companies and friendly societies
  • Private health insurance companies
  • Non-operating holding companies
  • Superannuation funds

Thales helps organisations comply with CPS234 by addressing APRA Prudential Practice Guidelines (PPG) on Information Security Capability, Policy Framework, Information asset identification and classification, implementation of controls and incident management.

INFORMATION SECURITY CAPABILITY
Guidelines 18: Capability Of Third Parties And Related Parties

  • With the CipherTrust Data Security Platform (CDSP), administrators can create a strong separation of duties between privileged administrators and data owners and can enforce very granular, least-privileged-user access management policies, enabling the protection of data from misuse by privileged users.
  • CipherTrust Transparent Encryption provides a complete separation of administrative roles, so only authorised users and processes can view unencrypted data.
  • Thales OneWelcome Identity platform's fine-grained authorisation capability helps organisations by providing the right amount of access to the right people at the right time.

POLICY FRAMEWORK
Guidelines 21 – A policy hierarchy informed by a set of key principles

  • Thales OneWelcome Identity Platform allows organisations to associate devices and other digital identities with primary accounts, authenticate, authorise, collect, and store information about external and internal identities from across many domains.
  • SafeNet IDPrime smart cards can be leveraged for implementing physical access to sensitive facilities. These smart cards can also augment Passwordless authentication initiatives relying on PKI and FIDO technology.
  • CipherTrust Transparent Encryption protects data with file- and volume-level data-at-rest encryption, access controls, and data access audit logging without re-engineering applications, databases, or infrastructure; its MFA feature limits privileged users' access to sensitive data.
  • Thales Luna Hardware Security Modules (HSMs) provide the highest level of encryption security by always storing cryptographic keys in hardware.
  • CipherTrust Manager manages key lifecycle tasks including generation, rotation, destruction, import and export, provides role-based access control to keys and policies, supports robust auditing and reporting, and offers developer-friendly REST API. It supports two-factor authentication for administrative access.
  • The audit trail of the CipherTrust Data Security Platform allows risk owners and auditors to assess and demonstrate compliance against the information security policy framework. CipherTrust Transparent Encryption (CTE) provides detailed data access audit logs, and CipherTrust Security Intelligence (CSI) provides logs and reports that streamline compliance reporting and speed up threat detection using leading Security Information and Event Management (SIEM) systems.

INFORMATION ASSET IDENTIFICATION AND CLASSIFICATION
Guidelines 26 – Classification of all information assets by criticality and sensitivity

  • Classify all information assets by criticality and sensitivity with CipherTrust Data Discovery and Classification. It offers complete visibility into your sensitive data with efficient data discovery, classification, and risk analysis across heterogeneous data stores (cloud, big data, and traditional environments) in your organisation.

IMPLEMENTATION OF CONTROLS
Guidelines 36 – Information security controls implemented at all stages

  • Thales OneWelcome identity & access management solutions limit the access of internal and external users based on their roles and context with strong authentication (MFA), granular access policies and fine-grained authorisation policies. The solution also facilitates external IoT device identity management via the OAuth2 Device Flow specification. Web-connected and user input-constrained devices can be linked with user identity accounts managed by OneWelcome tenants.
  • SafeNet IDPrime smart cards can be leveraged for implementing physical access to sensitive facilities. These smart cards can also augment Passwordless authentication initiatives relying on PKI and FIDO technology.
  • Digital Signing for a wide range of applications with Hardware security modules (HSMs) protects the private keys used for secure electronic signatures; it enhances security and ensures compliance.
  • CipherTrust Data Security Platform provides multiple capabilities for protecting data at rest in files, volumes, and databases by CipherTrust Transparent Encryption and CipherTrust Tokenisation.
  • CipherTrust Transparent Encryption encrypts sensitive data and enforces granular privileged-user-access management policies that can be applied by user, process, file type, time of day, and other parameters.
  • CipherTrust Manager centrally manages encryption keys and configures security policies so organisations can control and protect sensitive data with the separation of duties. It streamlines and strengthens key management in enterprise environments over a diverse set of use cases.

Guidelines 44 – MINIMISE EXPOSURE TO PLAUSIBLE WORST CASE SCENARIOS

  • Hardware security modules (HSMs) safeguard the cryptographic keys used to secure applications and sensitive data, enhancing security and ensuring compliance.
  • CipherTrust Data Security Platform can enforce very granular, least-privileged-user access management policies, enabling protection of data from misuse by privileged users and attackers.
    • CipherTrust Transparent Encryption encrypts files while leaving their metadata in the clear, so IT administrators can perform their system administration tasks without gaining privileged access to the sensitive data residing on the systems they manage.
    • CipherTrust Transparent Encryption Ransomware Protection (CTE-RWP) continuously monitors processes for abnormal I/O activity and alerts or blocks malicious activity before ransomware can take complete hold of your endpoints and servers.
    • CipherTrust Manager offers centralised Administration and Access Control, which unifies key management operations with role-based access controls that prevent unauthorised password changes and alert on simultaneous logins by the same user.
  • Thales OneWelcome Identity Platform allows organizations to virtually (or logically) limit access to confidential resources with the use of MFA (including phishing-resistant authentication) and granular access policies. SafeNet IDPrime smart cards can be leveraged for implementing physical access to sensitive facilities.

Guidelines 46 (b) - PHYSICAL AND ENVIRONMENTAL CONTROLS

  • SafeNet IDPrime smart cards can be leveraged for implementing physical access to sensitive facilities. These smart cards can also augment Passwordless authentication initiatives relying on PKI and FIDO technology.

Guidelines 54 – CRYPTOGRAPHIC TECHNIQUES TO RESTRICT ACCESS; Guidelines 56 – INFORMATION SECURITY TECHNOLOGY SOLUTIONS & Guidelines 58 – END-USER DEVELOPED/ CONFIGURED SOFTWARE

  • Hardware security modules (HSMs) provide the highest level of encryption security by always storing cryptographic keys in hardware, and offer strong access controls that prevent unauthorised users from accessing sensitive cryptographic material.
  • Thales’s portfolio of certificate-based authentication form factors offers strong multi-factor authentication, enabling organisations to address their PKI security needs.

Protect Data in Transit/ Motion

  • Thales High Speed Encryptors (HSEs) provide network independent data-in-transit/ motion encryption (Layers 2,3 and 4) ensuring data is secure as it moves from site-to-site, or from on-premises to the cloud and back.
  • CipherTrust Manager centrally manages encryption keys and configures security policies so organisations can control and protect sensitive data with the separation of duties.

Protect Data in use

  • CipherTrust Vaultless Tokenisation protects data at rest while its policy-based Dynamic Data Masking capability protects data in use. A RESTful API in combination with centralised management and services enables tokenisation implementation with a single line of code per field.

Protect Data At Rest

INCIDENT MANAGEMENT – DETECTION OF SECURITY COMPROMISES
Guidelines 69

  • With the CipherTrust Data Security Platform, administrators can create a strong separation of duties between privileged administrators and data owners. In addition, CipherTrust Manager supports two-factor authentication for administrative access.
  • Thales OneWelcome Identity Platform allows organisations to virtually (or logically) limit access to confidential resources with the use of MFA (including phishing-resistant authentication) and granular access policies. It tracks identity events and provides analytics reports.

Attachment A: Security Principles 1. (a)

  • CipherTrust Manager offers centralised Administration and Access Control, which unifies key management operations with role-based access controls.
  • Hardware security modules (HSMs) safeguard the cryptographic keys used to secure applications and sensitive data, further enhancing security and ensuring compliance with an additional layer of protection.

Attachment A: Security Principles 1. (e)

  • Thales OneWelcome Identity Platform allows organisations to identify and authenticate internal and external users, manages third-party identities efficiently with its delegation management capability, mitigates third-party risk, and provides an immediate and up-to-date audit trail of all access events to all systems.
  • After a user is identified, you can control and coordinate how users gain access to assets, and what they can do with those assets, with the CipherTrust Enterprise Key Management Solution.

Attachment C: Identity and Access

  • Thales OneWelcome identity & access management solutions limit the access of internal and external users based on their roles and context.
  • SafeNet IDPrime smart cards can be leveraged for implementing physical access to sensitive facilities.

Attachment E: Cryptographic Techniques

  • Luna HSMs from Thales provide a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption, and more.
  • CipherTrust Data Security Platform can enforce very granular, least-privileged-user access management policies, enabling protection of data from misuse by privileged users and attackers.

Recommended resources

Comply with the APRA Prudential Standard CPS234 in Australia - Compliance Brief

The purpose of Prudential Practice Guidelines (PPG) is to provide guidance to Boards, senior management, risk management and information security specialists (both management and operational) of APRA-regulated entities with respect to the implementation of Prudential Standard...

Address Information Security Requirements of ASIC Market Integrity Rules in Australia - Compliance Brief

ASIC introduced the ASIC Market Integrity Rules (Securities Markets and Futures Markets) Amendment Instrument 2022/74 which amends the ASIC Market Integrity Rules (Securities Markets and Futures Markets) 2017. The background on the amendments can be found in Report 719:...

Get Ready for PCI DSS 4.0 with Thales Data Protection - White Paper

Criminals continue to target consumers’ payment data, and IT security defenses need to keep pace. According to the 2024 Thales Data Threat Report, nearly two-thirds of financial services respondents (64%) report seeing an increase in attacks, versus 49% survey-wide. Notably,...

Get Ready for PCI DSS 4.0 with Thales OneWelcome Identity Platform - Solution Brief

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that provides a baseline of technical and operational requirements designated to protect payment data and reduce credit card fraud.

Data Security Compliance and Regulations - eBook

This eBook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements, including GDPR, Schrems II, PCI DSS and data breach notification laws.

Other key data protection and security regulations

GDPR

Regulation
Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organisation that processes the personal data of EU citizens, regardless of where the organisation is headquartered.

PCI DSS

Mandate
Active Now

Any organisation that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Regulation
Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbour” clause.