Building a Maturity Model for CPS 234 Compliance

Nov 26, 2024

In this blog, I break down how organizations can develop a structured maturity model that will allow entities to benchmark their current state, set a path for continuous improvement along their unique journey, and ultimately create a robust, defensible security posture aligned with CPS 234 requirements.

Author:
Morey J. Haber
Chief Security Advisor

Understanding the objectives of the Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234


The Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 (commonly referred to as CPS 234) is considered to be one of the few foundational cybersecurity compliance frameworks. Released by the APRA in July 2019, CPS 234 establishes critical guidelines for securing information assets. Its objectives are clear: to ensure that regulated entities maintain an information security capability that is proportionate to their risks and is capable of mitigating the impact of security events, incidents, and breaches.

Meeting the objectives of CPS 234, however, is not a one-size-fits-all endeavor, and many organizations face challenges meeting the specification’s requirements. Achieving compliance requires a strategic approach that evolves as an organization matures in its cybersecurity efforts. A maturity model can help organizations along this journey.


Designing a Maturity Model for CPS 234


A maturity model provides a guided journey to assess the organization’s cybersecurity capabilities at various stages of development. It outlines a pathway from basic security measures to an advanced, adaptive security program that is resilient against a broad spectrum of threats. By aligning the maturity model with CPS 234, APRA-regulated entities can ensure that they meet the standard’s demands while advancing their cybersecurity objectives.

A maturity model for CPS 234 compliance can be divided into five distinct levels:

  1. Initial – Roles and responsibilities are defined, and initial policies and procedures are created in line with business operations.
  2. Defined – Policies and procedures are expanded and tested, and existing solutions are tested in order to determine which controls can be met and which ones need new solutions or revised workflows.
  3. Managed – Cybersecurity controls are tested end-to-end within the organization and refined so they consistently meet their objectives. In addition, supply chains and external entities that are crucial to the business should be documented to ensure external factors do not cause an incident.
  4. Integrated – The operations of a managed security program are expanded into all aspects of the business. Board reporting, training, external security assessment questionnaires, etc. should now be integrated into the business’s culture and daily operations. Third-party supply chains should be tested and evaluated on a regular basis to ensure they do not pose a risk to the organization.
  5. Adaptive – Once the first four levels are complete, it is time to make the changes needed to stay flexible. As the business and the threat landscape evolve, so should cybersecurity. Having regular processes, plans, and testing in place for any and all changes will help the organization stay adaptive.

For this maturity model, each level represents a progression in the organization’s ability to manage information security risks, from the establishment of basic policies and controls to the integration of real-time threat intelligence and advanced incident response mechanisms. Each level is a step in the organization’s journey that can be measured, monitored, and documented for success.

The 5 Levels of CPS 234


Level 1: Initial

At the Initial level of the maturity model, an organization’s information security efforts are ad-hoc and reactive. Security policies may exist, but they are not well-documented, enforced, or even periodically reviewed. Incident response is uncoordinated, and there is little-to-no systematic testing of controls to determine whether they work or should be discarded.

For organizations at this stage, compliance with CPS 234 is minimal. The board’s role in overseeing information security is often undefined, there are no defined metrics, and there is little clarity around the roles and responsibilities of key personnel. Third-party information assets, which are critical under CPS 234, may not be evaluated for their security risks.

The goal at this stage is to establish a foundational information security capability. Organizations should begin by defining the roles and responsibilities of the board, senior and executive management, and key stakeholders, as required by CPS 234. Basic information security policies must be documented, covering key areas, such as access control, data protection, and incident response. Importantly, organizations should also initiate efforts to classify their information assets by criticality and sensitivity, starting with the most sensitive and high-risk resources first.

Level 2: Defined

In the Defined stage, the organization begins to move from reactive to proactive security measures:

  • Policies are more comprehensive and contain operational details, ownership, and revision status.
  • Procedures and processes for managing security incidents are in operation and regularly tested.
  • All assets that contain sensitive information or are critical to the business have been defined.
  • Roles and responsibilities, particularly those of the board and senior management, are now clearly articulated.

At this level, organizations start to implement the systematic controls outlined in CPS 234. This includes the establishment of a security policy framework that is commensurate with the organization’s size and risk profile. Additionally, third-party assets are evaluated for their potential security risk, ensuring that external threats are documented, known, and managed effectively.

Finally, at this level, systematic testing of controls begins, although it is likely to be limited in scope. Organizations are required to perform periodic assessments of their security measures to ensure they are relevant and effective. Incident management plans should be developed and tested, ensuring that the organization is prepared to respond to the most plausible threats, such as malware, ransomware, and credential theft.

Level 3: Managed

The Managed stage represents a significant step forward in cybersecurity maturity. At this level, information security capabilities are well-defined and consistently applied across the vast majority of the organization. Any resource in scope is tested for applicable controls and regularly reviewed for effectiveness. The board takes an active role in overseeing information security, receiving regular reports on the organization’s security and risk posture and the effectiveness of its controls.

Managed organizations begin to address CPS 234’s requirement for robust incident detection and response. Incident management plans are considered living documents and should regularly be reviewed and updated based on the organization’s evolving threat landscape. Additionally, the organization’s information security capabilities are actively maintained and updated to address new attack vectors.

Third-party risk management also takes on a heightened importance after being documented in the previous levels. The organization not only evaluates third-party information assets, but also ensures that third-party security controls are aligned with the organization’s own security policies. This is commonly performed using Security Assessment Questionnaires (SAQs) or similar processes. Contracts with third-party providers include explicit provisions for managing information security risks, as required by CPS 234, and these provisions should also be tested and reviewed on a periodic basis.

Level 4: Integrated

The Integrated level is characterized by the alignment of cybersecurity efforts with broader business objectives. Information security is no longer seen as a standalone function, but is integrated into the organization’s overall risk management framework and business operations. Security policies, controls, and incident management processes are aligned with the organization’s strategic goals and objectives and should be a part of every new or revised project.

In addition, at this level, compliance with CPS 234 is deeply embedded in the organization’s operations. Information security controls are regularly tested and updated based on the organization’s risk profile, and the board is fully engaged in overseeing the organization’s security posture. Incident management plans are sophisticated, with detailed processes for escalation, reporting, and post-incident review. All stakeholders understand and participate in their development and testing.

Finally, organizations at the Integrated level use data and threat intelligence to inform their security efforts. Real-time monitoring and analytics provide insights into emerging threats, allowing the organization to respond preemptively. The organization’s information security program is dynamic, evolving in response to changes in the business environment and the threat landscape at large.

Level 5: Adaptive

The Adaptive stage represents the pinnacle of cybersecurity maturity. In fairness, many organizations may never achieve this threshold. This is why it is a goal. At this level, the organization’s information security capability is fully integrated, adaptive, and self-improving. The organization doesn’t just meet the requirements of CPS 234, but exceeds them, using preemptive technology and processes to continually enhance its security posture.

Adaptive organizations use real-time threat intelligence (internal and third-party) to anticipate and respond to security events before they occur. Mature incident management is automated, with AI-driven systems that detect and respond to anomalies in real time. All stakeholders are fully engaged (including the executive team and board), using data-driven insights to make informed decisions about the organization’s security strategy and future business operations.

At this level, the organization’s third-party risk management processes are highly sophisticated and mapped to multiple compliance and regulatory frameworks. Third-party providers are subject to rigorous security assessments, and their controls are continuously monitored to ensure they remain effective. Contracts with third parties include detailed provisions for managing information security risks, and third-party security incidents are escalated to the board as part of the organization’s overall incident management process, using mechanisms such as service level agreements to ensure timely disclosure.

Finally, the Adaptive stage is characterized by continuous improvement. The organization regularly reviews and updates its security policies, controls, and incident management processes based on lessons learned from previous events and emerging threats. The organization’s information security capability is not static, but evolves in response to new challenges, ensuring that it remains relevant in the face of ever-changing attack vectors.

The Importance of Achieving CPS 234 Compliance


For APRA-regulated entities, achieving and maintaining compliance with CPS 234 is not just about meeting a regulatory requirement. The intent is to build a resilient organization that is capable of protecting its most valuable technology assets in the face of increasingly sophisticated cyber attacks. The maturity model provides a step-by-step journey for organizations to achieve this goal, starting with the establishment of basic security policies and controls and progressing toward a fully integrated, adaptive security program.

By following this type of maturity model, organizations can ensure that their information security efforts are aligned with the requirements of CPS 234. At the Initial and Defined stages, organizations focus on establishing the foundational policies and controls necessary for compliance. As they progress to the Managed and Integrated stages, they build a more sophisticated security capability that is capable of addressing the full spectrum of threats. Finally, at the Adaptive stage, organizations are not only compliant with CPS 234 but are leaders in information security, using technology and processes to stay ahead of modern attacks.

Achieving compliance with CPS 234 requires more than just ticking off a checklist of regulatory requirements. It requires a strategic approach to information security that evolves as the organization matures. The maturity model provides a clear pathway for organizations to follow, ensuring that they not only meet the requirements of CPS 234, but also build a resilient, future-proof information security capability using security best practices that have been documented and tested over the last decade.

For more information about how privileged access management (PAM) can help you align your organization to meet APRA CPS 234 standards and gain cyber resilience, download our whitepaper.

About the Author


Morey J. Haber is the Chief Security Advisor at BeyondTrust. As the Chief Security Advisor, Morey is the lead identity and technical evangelist at BeyondTrust. He has more than 25 years of IT industry experience and has authored five books: Attack Vectors: The History of Cybersecurity, Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. Morey has previously served as BeyondTrust’s Chief Security Officer, Chief Technology Officer, and Vice President of Product Management during his nearly 13-year tenure. In 2020, Morey was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board to assist the corporate community with identity security best practices. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. Morey earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
