What does CPS 234 stand for?

What is CPS 234?

CPS 234 stands for Prudential Standard CPS 234 on Information Security. It is a regulation implemented by the Australian Prudential Regulation Authority (APRA) for APRA-regulated entities in the financial services industry. The standard aims to ensure that these entities have robust security controls in place to protect their sensitive information assets from cyber threats. CPS 234 requires organizations to establish a security capability commensurate with the size and complexity of their operations, and to demonstrate a resilient security posture. It outlines specific requirements for asset identification, security risk management, security incident management, and the testing and assurance of security controls. By implementing CPS 234, APRA-regulated entities can enhance their security frameworks and practices to effectively manage and mitigate the risks associated with cyber incidents and breaches. Compliance with CPS 234 helps to ensure the sound operation of the financial services sector and enhances customer confidence in the security of their sensitive information.

What does CPS 234 stand for?

CPS 234 stands for Prudential Standard CPS 234: Information Security, which is a requirement introduced by the Australian Prudential Regulation Authority (APRA) for information security controls. This standard applies to all APRA-regulated entities, including banks, credit unions, insurers, and superannuation funds.

CPS 234 aims to ensure that APRA-regulated entities have adequate measures in place to protect their information and system assets from cyber threats and other security risks. The prudential standard focuses on areas such as information asset identification and classification, incident management, internal audit, and breach notification.

Under CPS 234, APRA-regulated entities are required to establish and maintain a security capability commensurate with the size and complexity of their operations. This includes identifying and classifying their information assets and implementing controls to protect them. Entities must also have robust incident response plans in place to effectively manage and mitigate the impact of security incidents.

Furthermore, CPS 234 mandates regular testing and evaluation of the effectiveness of security controls, as well as appropriate governance and oversight by senior management. In the event of a security incident or breach, entities must promptly notify APRA, demonstrating a commitment to transparency and accountability.

By imposing these requirements, CPS 234 aims to enhance the overall security posture of APRA-regulated entities and contribute to a resilient financial services industry in Australia.

Overview of the prudential standard

CPS 234, a prudential standard set by APRA, focuses on ensuring the security and protection of information and system assets of APRA-regulated entities. The standard encompasses various areas such as identifying and classifying information assets, incident management, internal audit, and breach notification. APRA-regulated entities are required to establish a security capability that is in line with the size and complexity of their operations. This involves implementing controls to safeguard information assets and developing robust incident response plans. Regular testing and evaluation of security controls are mandatory, along with governance and oversight by senior management. Transparency and accountability are emphasized, as entities must promptly notify APRA in case of security incidents or breaches. By implementing CPS 234, APRA-regulated entities aim to maintain a strong and resilient security posture, safeguarding their sensitive information assets and mitigating cyber threats and security risks.

Scope of CPS 234

CPS 234, issued by the Australian Prudential Regulation Authority (APRA), is a prudential standard that sets out the requirements for information security in the financial services industry. The standard covers a wide range of areas to ensure the protection of sensitive information assets, mitigate cyber risks, and maintain a sound operation in the sector.

One of the key aspects of CPS 234 is information asset identification and classification. It requires organizations to identify and classify their sensitive information assets, ensuring that appropriate security measures are in place to protect them. This includes understanding the value and criticality of different information assets and assigning responsibility for their protection.

Another important element of CPS 234 is the establishment of clear information security roles and responsibilities. The standard emphasizes the involvement of senior management and the board, who are ultimately responsible for information security within their organizations. This highlights the importance of top-level commitment to ensuring a robust security capability, with clearly defined roles and responsibilities for all employees.

CPS 234 also focuses on the implementation of security controls. Organizations are required to have a comprehensive set of security controls in place to mitigate security vulnerabilities and protect against potential cyber threats. This includes the use of security frameworks, practices, and capabilities commensurate with the size and complexity of the organization.

Furthermore, CPS 234 details requirements for incident management, outlining the need for organizations to develop and maintain effective incident response plans. It also emphasizes the importance of promptly reporting and escalating any material information security incidents.

Outline of the requirements in CPS 234

CPS 234 outlines several requirements that organizations need to comply with to ensure the security of their sensitive information assets.

Firstly, organizations must establish an information security capability that is commensurate with the size and complexity of their operations. This requires having a robust security framework, practices, and controls in place to mitigate security vulnerabilities and protect against potential cyber threats.

Secondly, organizations need to establish a comprehensive policy framework that outlines their approach to information security. This includes clear roles and responsibilities for all employees, involvement of senior management and the board, and a commitment to a resilient security posture.

Thirdly, organizations must identify and classify their sensitive information assets. This involves understanding the value and criticality of each asset and implementing appropriate security measures to protect them.

Fourthly, organizations need to implement a set of security controls that are appropriate for their unique circumstances. These controls should effectively mitigate security vulnerabilities and protect against cyber threats.

Furthermore, organizations must develop and maintain effective incident management capabilities. This includes having incident response plans in place and promptly reporting and escalating any material information security incidents.

These requirements in CPS 234 align with ISO 27001 security standards, which are globally recognized and provide a framework for establishing and maintaining an information security management system. By complying with CPS 234, organizations can demonstrate their commitment to protecting sensitive information assets and mitigating cybersecurity risks.

Benefits of compliance with CPS 234

Compliance with CPS 234, the prudential standard issued by the Australian Prudential Regulation Authority (APRA) for APRA-regulated entities, brings numerous benefits to organizations in the financial services industry. By adhering to CPS 234, organizations ensure board accountability for information security risks, leading to a more proactive and robust approach to protecting sensitive information assets.

One of the key benefits of compliance is the better management and security of information assets. CPS 234 requires organizations to identify and classify their sensitive information assets, enabling them to prioritize their protection based on their value and criticality. This ensures that adequate security measures are implemented to safeguard these assets from unauthorized access, alteration, or loss.

Compliance with CPS 234 also promotes alignment of the organization's information security strategy with its overall business strategy. This ensures that information security measures are not seen as standalone activities but are integrated into the organization's overarching goals and objectives. This alignment helps organizations achieve a more comprehensive and effective security posture.

Furthermore, complying with CPS 234 also emphasizes the importance of effective third-party security compliance management. Organizations are required to assess and evaluate the security controls of their third-party service providers to ensure that these providers meet the same high standards for information security. This helps mitigate the risks associated with outsourcing and ensures the protection of sensitive information handled by third parties.

Security controls and practices required by CPS 234

CPS 234, a prudential standard issued by the Australian Prudential Regulation Authority (APRA), sets out the requirements for the management of information security in APRA-regulated entities. One of the key aspects of CPS 234 is the implementation of robust security controls and practices. These controls and practices aim to ensure the protection of sensitive information assets, resilience against cyber threats, and the ability to respond effectively to security incidents. Under CPS 234, organizations are required to establish a security policy framework, implement security measures commensurate with the size and complexity of their operations, and regularly test and review their security capabilities. This emphasis on security controls and practices helps organizations in the financial services industry achieve a strong and resilient security posture, protect against security breaches and vulnerabilities, and demonstrate compliance with regulatory requirements. Additionally, CPS 234 recognizes the importance of engaging senior management and establishing clear security roles and responsibilities to ensure a proactive and coordinated approach to security throughout the organization.

Asset identification and management

Asset identification and management is a critical component of information security within APRA-regulated entities. It is the process of identifying and classifying all the information assets that are owned, stored, processed, or transmitted by these entities.

The first step in asset identification is to conduct a comprehensive inventory of all the information assets within the organization. This includes both tangible assets like servers, computers, and data storage devices, as well as intangible assets like data, software, and intellectual property. By identifying and documenting these assets, organizations have a better understanding of what needs to be protected.

Once the assets are identified, they need to be classified based on their criticality and sensitivity. Criticality refers to the level of impact an asset's compromise would have on the organization's operations, while sensitivity refers to the level of confidentiality, integrity, and availability required for the asset. This classification helps organizations prioritize their security efforts and allocate resources appropriately.

It is important to note that even non-sensitive and non-critical assets can impact those that are critical and sensitive. For example, a cyber incident that compromises a non-critical server could still provide an entry point for attackers to access sensitive information. Therefore, all assets must be protected with a commensurate level of security controls and measures.
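The register below is an added example, not 6clicks code or text from CPS 234: it records owner, criticality and sensitivity for each asset and then raises an asset's effective criticality to that of anything that depends on it, which is exactly how a "non-critical" jump host or patch mirror ends up needing the same protection as the core system it serves. Asset names, ratings and dependency edges are constructed sample data, and the inheritance rule is an assumption chosen for illustration.

```python
"""Asset register with criticality/sensitivity classification and
criticality inheritance over dependencies (constructed example)."""
from dataclasses import dataclass, field

LEVELS = {"low": 1, "medium": 2, "high": 3}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}


@dataclass
class Asset:
    name: str
    kind: str                 # server, database, web-app, ...
    owner: str                # accountable owner, as CPS 234 expects
    criticality: str          # impact if compromised: low/medium/high
    sensitivity: str          # confidentiality/integrity/availability need
    depends_on: list = field(default_factory=list)   # assets this one relies on


# Constructed sample inventory: the core database relies on a host that
# relies on a patch mirror, and on a jump host used for administration.
SAMPLE_ASSETS = [
    Asset("core-banking-db", "database", "Head of Payments", "high", "high",
          ["db-host", "admin-jump-host"]),
    Asset("db-host", "server", "Infrastructure", "medium", "medium", ["patch-mirror"]),
    Asset("patch-mirror", "server", "Infrastructure", "low", "low"),
    Asset("admin-jump-host", "server", "Infrastructure", "low", "low"),
    Asset("staff-wiki", "web-app", "Internal Comms", "low", "low", ["wiki-host"]),
    Asset("wiki-host", "server", "Infrastructure", "low", "low"),
]


def build_register(assets):
    """Index assets by name, rejecting unknown levels and dangling dependencies."""
    register = {a.name: a for a in assets}
    if len(register) != len(assets):
        raise ValueError("duplicate asset name in inventory")
    for a in assets:
        for level in (a.criticality, a.sensitivity):
            if level not in LEVELS:
                raise ValueError(f"{a.name}: unknown level {level!r}")
        for dep in a.depends_on:
            if dep not in register:
                raise ValueError(f"{a.name}: depends on unregistered asset {dep!r}")
    return register


def effective_criticality(register):
    """Assumed rule: an asset inherits the highest criticality of any asset
    that (transitively) depends on it, because compromising it is a path
    to those dependents. Cycles are tolerated via the visited set."""
    dependents = {name: [] for name in register}
    for a in register.values():
        for dep in a.depends_on:
            dependents[dep].append(a.name)
    effective = {}
    for name, asset in register.items():
        best, stack, seen = LEVELS[asset.criticality], list(dependents[name]), set()
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            best = max(best, LEVELS[register[n].criticality])
            stack.extend(dependents[n])
        effective[name] = LEVEL_NAMES[best]
    return effective


def escalated(register):
    """Assets whose declared criticality understates their effective one:
    these are the review items for the asset owner. Sorted by name."""
    eff = effective_criticality(register)
    return sorted((n, a.criticality, eff[n]) for n, a in register.items()
                  if LEVELS[eff[n]] > LEVELS[a.criticality])


if __name__ == "__main__":
    for name, declared, actual in escalated(build_register(SAMPLE_ASSETS)):
        print(f"{name}: declared {declared}, effective {actual}")
```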

Access control requirements

Access control requirements outlined in CPS 234 are an integral part of ensuring the security of sensitive information assets for APRA-regulated entities. These requirements aim to protect these assets from unauthorized access, modification, or misuse.

APRA-regulated entities should ensure appropriate access controls are in place by implementing key measures such as user authentication, privilege management, and segregation of duties. User authentication involves verifying the identity of users before granting them access to sensitive information assets. This can be achieved through methods like passwords, biometrics, or multi-factor authentication.

Privilege management ensures that users only have access to the information and resources necessary for their roles. It involves assigning appropriate access levels and permissions based on job responsibilities, limiting the potential for unauthorized access.

Segregation of duties is another critical measure, as it ensures that no single individual has complete control over a process or system. By separating responsibilities among different individuals, entities can prevent unauthorized modification or misuse of sensitive information assets.

Regularly assessing the effectiveness of access controls is crucial to identifying any unauthorized access or modification. This involves monitoring access logs, performing audits, and conducting systematic testing to ensure the controls adequately protect sensitive information assets.
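The access review below is an added example, not 6clicks code or text from CPS 234. It turns the two controls just described into checks a reviewer can run over an exported role/permission matrix: segregation of duties (no one person holds both halves of a conflicting pair) and privilege management (permissions granted directly to a person, outside any role, are flagged because they bypass the role design). Roles, permissions, users and the conflicting pairs are constructed sample data; a real review would take them from the identity provider and the entity's own policy.

```python
"""Segregation-of-duties and direct-grant review over a role matrix
(constructed example)."""

# Role design: what each role is meant to allow (constructed).
ROLE_PERMISSIONS = {
    "payments-clerk": {"payment.create"},
    "payments-approver": {"payment.approve"},
    "dba": {"db.read", "db.admin"},
    "auditor": {"db.read", "log.read"},
}

# Permission pairs that must never sit with one person (constructed policy).
SOD_CONFLICTS = [
    ("payment.create", "payment.approve"),   # initiate and approve a payment
    ("db.admin", "log.admin"),               # alter data and alter its audit trail
]

# Identity export: roles held plus any permissions granted directly (constructed).
USERS = {
    "alice": {"roles": ["payments-clerk", "payments-approver"], "direct": set()},
    "bob":   {"roles": ["dba"], "direct": {"log.admin"}},
    "carol": {"roles": ["auditor"], "direct": set()},
}


def effective_permissions(user, users=USERS, roles=ROLE_PERMISSIONS):
    """Union of role-derived and directly granted permissions for one user."""
    entry = users[user]
    perms = set(entry["direct"])
    for role in entry["roles"]:
        if role not in roles:
            raise ValueError(f"{user}: holds undefined role {role!r}")
        perms |= roles[role]
    return perms


def sod_violations(users=USERS, roles=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """(user, perm_a, perm_b) for every conflicting pair a user holds,
    whichever mix of roles and direct grants produced it."""
    findings = []
    for user in users:
        perms = effective_permissions(user, users, roles)
        for a, b in conflicts:
            if a in perms and b in perms:
                findings.append((user, a, b))
    return findings


def direct_grants(users=USERS):
    """Permissions assigned to a person rather than a role; each needs an
    owner, a justification and an expiry, or should move into a role."""
    return [(u, p) for u, entry in users.items() for p in sorted(entry["direct"])]


def review(users=USERS, roles=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    return {"sod": sod_violations(users, roles, conflicts), "direct": direct_grants(users)}


if __name__ == "__main__":
    for user, a, b in review()["sod"]:
        print(f"SoD conflict: {user} holds both {a} and {b}")
    for user, perm in review()["direct"]:
        print(f"Direct grant outside role design: {user} -> {perm}")
```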

Incident response plans and procedures

Incident response plans and procedures play a crucial role in meeting the requirements outlined in CPS 234. These mechanisms are essential for detecting and responding to information security incidents in a timely manner, minimizing the potential impact on an organization.

To effectively detect incidents and respond promptly, entities should employ various techniques. One common technique is network and user profiling, which involves monitoring network traffic and user behavior to identify any abnormal or suspicious patterns. By establishing baselines for normal network and user activity, deviations can be quickly detected and investigated.

Scanning for unauthorized hardware and software is another important detection technique. Regular scans should be performed to identify any unauthorized devices or software that may pose a security risk. Any identified vulnerabilities or weaknesses should be addressed promptly to prevent potential security breaches.

Logging and alerting of access to sensitive data is also a critical component of incident detection. Logging allows for the recording of events and activities on systems and networks, enabling retrospective analysis of incidents. By setting up real-time alerts, entities can receive immediate notifications of any unauthorized access attempts or suspicious activities, facilitating a swift response.
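The detector below is an added example, not 6clicks code or text from CPS 234. It combines the three techniques above: a user-profiling baseline built from a known-good window, alerts on successful access to a sensitive asset that falls outside that user's baseline or outside business hours, and an alert on a burst of failed access attempts. The log format, the asset classifications, the business-hours window and the failure threshold are all constructed assumptions for the example.

```python
"""Baseline-and-alert detection over access log lines (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed format: "<ISO-8601 UTC> user=<id> asset=<name> action=<verb> result=<success|failure>"
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) asset=(?P<asset>\S+) "
                  r"action=(?P<action>\S+) result=(?P<result>success|failure)$")

SENSITIVE_ASSETS = {"core-banking-db", "customer-pii-export"}  # from the asset register (assumed)
BUSINESS_HOURS = range(7, 19)      # assumed 07:00-18:59 UTC working window
FAILURE_THRESHOLD = 3              # assumed: third failure on one asset raises an alert

# Known-good week used to learn who normally touches what (constructed).
BASELINE_LOG = [
    "2024-05-06T09:12:01Z user=alice asset=core-banking-db action=read result=success",
    "2024-05-06T10:03:44Z user=alice asset=core-banking-db action=read result=success",
    "2024-05-06T11:20:09Z user=bob asset=staff-wiki action=read result=success",
    "2024-05-07T14:45:30Z user=carol asset=customer-pii-export action=read result=success",
]

# Later window under review (constructed).
REVIEW_LOG = [
    "2024-05-13T09:30:00Z user=alice asset=core-banking-db action=read result=success",
    "2024-05-13T02:15:10Z user=bob asset=core-banking-db action=read result=success",
    "2024-05-13T10:01:00Z user=dave asset=customer-pii-export action=read result=failure",
    "2024-05-13T10:01:05Z user=dave asset=customer-pii-export action=read result=failure",
    "2024-05-13T10:01:11Z user=dave asset=customer-pii-export action=read result=failure",
    "2024-05-13T11:00:00Z user=bob asset=staff-wiki action=read result=success",
    "not a log line at all",
]


def parse(line):
    """Dict for a well-formed line, None for a malformed one (skipped, not fatal)."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def build_baseline(lines):
    """User profiling: assets each user successfully used in the known-good window."""
    baseline = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if rec["result"] == "success":
            baseline[rec["user"]].add(rec["asset"])
    return dict(baseline)


def detect(lines, baseline):
    """Alerts as (rule, user, asset, timestamp), in log order."""
    alerts, failures = [], defaultdict(int)
    for rec in filter(None, map(parse, lines)):
        user, asset, ts = rec["user"], rec["asset"], rec["ts"]
        if rec["result"] == "failure":
            failures[(user, asset)] += 1
            if failures[(user, asset)] == FAILURE_THRESHOLD:
                alerts.append(("auth-failure-burst", user, asset, ts))
            continue
        if asset in SENSITIVE_ASSETS and asset not in baseline.get(user, set()):
            alerts.append(("sensitive-access-outside-baseline", user, asset, ts))
        if asset in SENSITIVE_ASSETS and ts.hour not in BUSINESS_HOURS:
            alerts.append(("after-hours-sensitive-access", user, asset, ts))
    return alerts


if __name__ == "__main__":
    for rule, user, asset, ts in detect(REVIEW_LOG, build_baseline(BASELINE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M}Z {rule}: {user} -> {asset}")
```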

System hardening guidelines

System hardening guidelines, as mandated by CPS 234, play a crucial role in ensuring the security of information assets and mitigating the risk of cyber threats. System hardening refers to the process of enhancing the security of systems by reducing their attack surface, minimizing vulnerabilities, and implementing protective measures.

Implementing system hardening measures is important because it establishes a strong security posture, making it difficult for cyber attackers to exploit weaknesses. By adhering to system hardening guidelines, organizations can reduce the risk of unauthorized access, data breaches, and disruption to their operations.

To achieve system hardening, several specific measures and best practices should be implemented:

  1. Regularly updating and patching systems.
  2. Configuring firewalls and access controls.
  3. Disabling or removing unnecessary services and protocols.
  4. Applying secure configuration settings.
  5. Implementing intrusion detection and prevention systems.
  6. Conducting regular vulnerability assessments and penetration testing.
  7. Enforcing strong password policies.

Additionally, organizations should ensure the continuous monitoring and logging of system activities, centralize log data for analysis, and implement appropriate incident response plans to detect and respond to any security incidents promptly.

Following the system hardening guidelines not only helps organizations comply with CPS 234 requirements but also strengthens their overall security posture, safeguarding their information assets against cyber threats.

Vulnerability scanning requirements

CPS 234, a prudential standard set by the Australian Prudential Regulation Authority (APRA), outlines the vulnerability scanning requirements that organizations must adhere to in order to ensure the security of their information assets. These requirements help organizations identify and assess any security vulnerabilities that may exist within their systems.

Under CPS 234, organizations are required to regularly conduct vulnerability scans using reputable scanning tools and techniques. These scans are essential in identifying any potential weaknesses or loopholes that could be exploited by cyber attackers. By conducting regular vulnerability scans, organizations can proactively identify and address security vulnerabilities before they are exploited.

Once vulnerabilities are identified, prompt remediation is crucial. Organizations must take swift action to address and mitigate these vulnerabilities to prevent potential security breaches or unauthorized access. This involves implementing appropriate security controls and measures to ensure the protection of sensitive information assets.

Security awareness training requirements

Under CPS 234, organizations are required to provide security awareness training to their employees. This training ensures that employees are educated and aware of information security best practices and the potential risks associated with cybersecurity threats.

Security awareness training is crucial in helping employees understand their roles and responsibilities in maintaining information security. It equips them with the knowledge and skills to identify and mitigate security risks effectively. By receiving proper training, employees are less likely to fall victim to phishing attempts, social engineering tactics, or other types of cyber attacks.

The training should cover various topics, including password security, email and internet usage, data protection, handling sensitive information, and incident response procedures. It should also highlight the importance of maintaining a secure and vigilant mindset at all times.

Organizations must regularly review and update their security awareness training programs to address evolving cybersecurity threats. Training can be conducted through workshops, online courses, or mandatory educational modules. Records of completed training should be maintained to demonstrate compliance with CPS 234.

Achieving compliance with CPS 234 requirements

Achieving compliance with CPS 234 requirements is essential for all Australian businesses and other entities that are regulated by the Australian Prudential Regulation Authority (APRA). CPS 234 sets out the prudential standard for information security management, focusing on the need for robust security controls and a strong security capability. Compliance with CPS 234 ensures that organizations have appropriate measures in place to protect their sensitive information assets from cyber threats. This includes implementing comprehensive security frameworks and practices, conducting regular risk assessments, and establishing incident response plans. Organizations must also ensure that senior management takes responsibility for information security and that there is a clearly defined security assurance function. Achieving compliance with these requirements not only helps protect the organization from security breaches but also helps build trust with customers and stakeholders, demonstrating a commitment to the sound operation and security of the financial services industry.

Developing a comprehensive cybersecurity program

Developing a comprehensive cybersecurity program is of utmost importance for organizations looking to protect sensitive information assets and mitigate cyber threats. Under the Australian Prudential Regulation Authority's (APRA) standard CPS 234, all APRA-regulated entities are required to establish an information security capability that is commensurate with their exposure to cyber risks.

To meet the CPS 234 requirements, organizations must develop a program that covers eight key areas:

  1. Information security capability: This involves implementing security controls and ensuring senior management's commitment to cybersecurity.
  2. Asset identification and classification: Organizations need to identify and classify sensitive information assets to prioritize their protection.
  3. Cybersecurity policy framework and standards: A framework should be established to guide the implementation and maintenance of security practices.
  4. Control implementation: Organizations must deploy security controls to address identified threats and vulnerabilities.
  5. Incident management: Having effective incident response plans in place enables timely and appropriate action in the event of a security incident.
  6. Testing and assurance: Systematic testing should be conducted to assess the effectiveness of security measures and identify potential security breaches or vulnerabilities.
  7. Compliance monitoring: Organizations must consistently evaluate their compliance efforts and ensure adherence to the CPS 234 requirements.
  8. Internal audit activities: Regular internal audits should be carried out to assess the effectiveness and maturity of the cybersecurity program.

By developing a comprehensive cybersecurity program that encompasses these eight categories, organizations can demonstrate a resilient security posture and effectively protect their sensitive information assets. This approach to security governance practices ensures compliance with the CPS 234 standard and enhances the overall security capabilities of Australian businesses in the financial services industry.
