What is APRA CPS 230?
"APRA CPS 230 is a critical prudential standard that focuses on operational risk management within the Australian financial services industry. By adhering to its guidelines and requirements, APRA-regulated entities can enhance their operational resilience, minimize disruptions, and protect the interests of their customers and stakeholders.”
In managing technology risks, an APRA-regulated entity must monitor the age and health of its information assets and meet the requirements for information security as mentioned in Prudential Standard CPS 234 Information Security (CPS 234). (Refer: Page 6 Operational Risk Management )
APRA CPS 230 guideline also talks extensively about business continuity -
- Article 34 states: Organizations to maintain a credible Business Continuity Plan (BCP) that sets out how it would maintain its critical operations within tolerance levels through disruptions, including disaster recovery planning for critical information assets.
- Article 41. An APRA-regulated entity must maintain the capabilities required to execute the BCP, including access to people, resources, and technology.
Why Ensuring Data Confidentiality, Availability and Integrity is Critical for Business Continuity?
Data is the most valuable resource that an organization holds. Ensuring data availability is critical for the business continuity of an organization. Losing access to mission-critical data could bring your operations to a complete standstill resulting in financial loss and loos of reputation to your organization. Data breaches are the most common reason for data loss.
Cryptography or encryption is now commonly used by organizations to protect data confidentiality (preventing unauthorized viewing) and data integrity (preventing unauthorized changes).
ENCRYPTION IS EASY, KEY MANAGEMENT IS HARD. Most organizations rely on encryption to protect sensitive data, but they are still struggling to get the key management right. If you lose the encryption key you loose any data that was encrypted by that key. Managing your keys securely is therefore critical to prevent data breaches and ensure business continuity.
The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are analogous to the combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms.
—NIST Recommendation for Key Management
That is why encryption key management should be one of your top priorities as far as data security and business continuity are concerned.