| Field | Value |
|---|---|
| Regulator | APRA |
| Jurisdiction | AU |
| Status | live |
| Applicability | Platform |
APRA Prudential Standard CPS 234 Information Security requires APRA-regulated entities to maintain
an information security capability commensurate with the size and extent of threats to their
information assets. It mandates a board-approved information security (IS) policy framework;
identification and classification of information assets by criticality and sensitivity;
implementation of controls proportionate to the risk of compromise, with systematic testing of
those controls; IS incident management, with APRA notified within 72 hours of a material incident
and within 10 business days of a material control weakness the entity does not expect to remediate
in a timely manner; and IS requirements in third-party arrangements, including assessment of the
third party's IS capability.
The platform's security modules (MOD-044, MOD-045, MOD-046, MOD-075, MOD-076) together deliver
the automated control layer. MOD-044 (SIEM) provides threat detection and alerting. MOD-045 manages
secrets and key rotation. MOD-046 provides privileged access management with no standing production
access. MOD-075 enforces API gateway controls. MOD-076 provides incident detection and ALERT
escalation. MOD-058 automates the APRA notification workflow; accountability for the notification
itself, the IS policy framework, and the annual IS capability assessment are institutional.
Compliance register
This register maps every material obligation under the standard to the platform control or
institutional process that satisfies it. It is the static traceability layer for the Totara
compliance report — dynamic data (module build status, test evidence, control test dates) is
overlaid at runtime.
Scope legend

| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — training programmes, board governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |
Build legend

| Symbol | Meaning |
|---|---|
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |
IS policy framework

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| Para 15 | IS policy framework — board-approved; covers all information assets and risks; reviewed at least annually | 🏛 Institutional | DT-001 | IS policy framework is a board-approved governance document. Platform controls operationalise the policies; the framework document is institutional. | — |
| Para 16 | Information asset classification — all information assets identified and classified by sensitivity and criticality | 🏛 Institutional | DT-001 | Asset classification is a CISO process. MOD-104 (GATE) enforces KMS encryption tiers by data classification at the infrastructure level; the classification register is institutional. | 🔨 |
| Para 17 | Implementation and maintenance of IS controls proportionate to risk | 🤖 Automated | DT-001, DT-002 | MOD-044 (GATE) — JWT RBAC enforces least-privilege across all API calls; MOD-045 (AUTO) — secrets vaulted, developer extraction prevented, key rotation automated; MOD-046 (GATE) — no standing production access; MOD-075 (GATE) — all service-to-service traffic TLS-terminated with mutual authentication | 🔨 |
| Para 18 | IS capability assessment — information security capability assessed at least annually | 🏛 Institutional | DT-001 | Annual capability assessment is a CISO-led process. MOD-076 provides the evidence base (security events, incident metrics, alert volumes). | 🔨 |
Part 3 — Control testing
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| Para 19 | Vulnerability assessments and penetration testing on a risk basis | 🏛 Institutional | DT-002 | Penetration testing and vulnerability assessment are institutional security operations. MOD-076 (ALERT) surfaces CVE-triggered alerts from the SAST pipeline; testing schedule and execution are institutional. | 🔨 |
| Para 20 | Material control weaknesses — APRA notified within 10 business days of becoming aware of a material IS control weakness that the entity does not expect to remediate in a timely manner | 🏛 Institutional | DT-001, REP-009 | Material weakness identification requires human assessment. MOD-076 (ALERT) surfaces control anomalies; MOD-058 (AUTO) routes material incidents to the notification workflow; the notification decision and board escalation are institutional. | 🔨 |
Part 4 — IS incident management
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| Para 21 | Incident detection and response — detect and respond to IS incidents in a timely manner | 🤖 Automated | DT-001, DT-002, OPS-003 | MOD-044 (AUTO) — SIEM provides threat detection and alerting; security events correlated automatically; MOD-076 (ALERT) — platform-level anomalies and availability incidents surfaced in real time; MOD-150 (AUTO) — security anomalies (CloudTrail access failures, Cognito brute-force patterns, Secrets Manager anomalies) auto-classified as potential breaches | 🔨 |
| Para 22 | Material IS incident notification to APRA — notify within 72 hours of becoming aware of a material information security incident | 🤖 Automated | OPS-003, REP-009 | MOD-058 (AUTO) — regulatory incident notification engine manages the IS incident register and routes notifications to APRA within required timeframes; notification timer starts automatically on incident creation | 🔨 |
| Para 23 | Post-incident review — material IS incidents reviewed; lessons learned documented | 📊 Evidenced | OPS-003 | MOD-150 (LOG) — all P1/P2 incidents have a mandatory post-implementation review; MOD-151 (GATE) — P1 incidents require documented root cause and resolution action before the case can be closed | 🔨 |
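The Part 4 rows above describe three mechanisms: auto-classification of brute-force patterns as potential breaches (Para 21), the APRA notification clock (Para 22) and the P1 closure gate (Para 23). The Python below is an added illustration of those three pieces working on sample input; it is not MOD-044, MOD-058, MOD-150 or MOD-151 code. Event field names loosely follow CloudTrail and Cognito JSON, and the threshold, window, sample events, awareness time and incident record fields are constructed assumptions.

```python
# Added example, not part of the platform or modules this register describes.
# Event shapes loosely follow CloudTrail / Cognito JSON; the threshold, window,
# field names and incident record layout are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# (eventSource, eventName) pairs treated as sign-in attempts.
AUTH_EVENTS = {
    ("cognito-idp.amazonaws.com", "InitiateAuth"),
    ("signin.amazonaws.com", "ConsoleLogin"),
}


def _event(ts, ip, user, failed=True, source="cognito-idp.amazonaws.com",
           name="InitiateAuth"):
    """Build a trimmed-down CloudTrail-style record (constructed sample data)."""
    ev = {"eventTime": ts, "eventSource": source, "eventName": name,
          "sourceIPAddress": ip, "userIdentity": {"userName": user}}
    if failed:
        ev["errorCode"] = "NotAuthorizedException"
    return ev


# Constructed sample log: six Cognito failures for one user from one IP inside
# six minutes, then a success, plus one unrelated console-login failure.
SAMPLE_EVENTS = [_event(f"2026-05-22T10:0{i}:00Z", "203.0.113.7", "alice")
                 for i in range(6)] + [
    _event("2026-05-22T10:06:00Z", "203.0.113.7", "alice", failed=False),
    _event("2026-05-22T10:30:00Z", "198.51.100.9", "bob",
           source="signin.amazonaws.com", name="ConsoleLogin"),
]

# Moment the entity became aware of the incident (constructed; a Friday, UTC).
INCIDENT_AWARE_AT = datetime(2026, 5, 22, 10, 0, tzinfo=timezone.utc)


def _failed_auth(ev):
    """Return (source_ip, user, timestamp) for a failed sign-in, else None."""
    if (ev["eventSource"], ev["eventName"]) not in AUTH_EVENTS:
        return None
    if "errorCode" not in ev and "errorMessage" not in ev:
        return None  # successful attempt: not counted
    ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
    return ev["sourceIPAddress"], ev["userIdentity"].get("userName", "?"), ts


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Classify (ip, user) pairs with >= threshold failures inside any
    sliding window as potential breaches (one alert per pair)."""
    failures = defaultdict(list)
    for ev in events:
        hit = _failed_auth(ev)
        if hit:
            failures[(hit[0], hit[1])].append(hit[2])
    alerts = []
    for (ip, user), stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"source_ip": ip, "user": user,
                               "failures": len(stamps),
                               "first_seen": stamps[0].isoformat(),
                               "last_seen": stamps[-1].isoformat(),
                               "classification": "potential_breach"})
                break
    return alerts


def apra_incident_deadline(aware_at):
    """72-hour clock for a material IS incident, counted from awareness
    (not from whenever the incident record happened to be created)."""
    return aware_at + timedelta(hours=72)


def apra_weakness_deadline(aware_at, business_days=10):
    """10-business-day clock for a material control weakness. Weekends are
    skipped; public holidays are ignored (simplification)."""
    due, remaining = aware_at, business_days
    while remaining:
        due += timedelta(days=1)
        if due.weekday() < 5:
            remaining -= 1
    return due


def closure_gate(incident):
    """P1 incidents may not be closed without a documented root cause and
    resolution action. Returns (allowed, missing_fields)."""
    required = {"P1": ("root_cause", "resolution_action")}
    missing = [f for f in required.get(incident.get("priority"), ())
               if not incident.get(f)]
    return not missing, missing


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_EVENTS):
        print("ALERT", alert)
    print("APRA incident deadline:", apra_incident_deadline(INCIDENT_AWARE_AT))
    print("Weakness deadline:", apra_weakness_deadline(INCIDENT_AWARE_AT).date())
    print(closure_gate({"priority": "P1", "root_cause": "",
                        "resolution_action": "rotate compromised keys"}))
```

Two caveats the example makes visible. The Para 22 row starts the timer on incident creation, but CPS 234 counts the 72 hours from when the entity becomes aware, so the clock should be seeded with the awareness time if that can precede record creation (an alert that sat unactioned, for instance). The business-day helper ignores public holidays; a real implementation needs the relevant state calendar.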
Part 5 — Third-party IS arrangements
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| Para 24 | IS obligations flowed down to all service providers with access to information assets | 🏛 Institutional | DT-001, DT-008, OPS-005 | Contract terms are institutional. MOD-150 (AUTO) monitors third-party health and SLA compliance continuously; contractual IS obligations are negotiated in procurement. | 🔨 |
| Para 25 | ADI must assess the IS controls of its material service providers at least annually | 🏛 Institutional | DT-008, OPS-005 | Annual vendor IS assessment is a procurement process. MOD-150 (AUTO) provides continuous runtime SLA and health monitoring between assessments. | 🔨 |
Institutional obligations

| Obligation | Owner | Platform evidence input |
|---|---|---|
| Board approval and annual review of IS policy framework | Board / CISO | Platform controls operationalise the policies; framework is a governance document |
| Information asset identification and classification register | CISO | MOD-104 enforces encryption tiers configured from the classification register |
| Annual IS capability assessment | CISO | MOD-076 provides security event and incident evidence inputs |
| Vulnerability assessments and penetration testing | CISO / Security Operations | MOD-076 surfaces SAST-triggered CVE alerts; testing is institutional |
| Material control weakness notification to APRA (within 10 business days) | CISO / Chief Compliance Officer | MOD-076 and MOD-058 surface and route incidents; the notification decision and board escalation are institutional |
| Material IS incident notification to APRA (within 72 hours) | Chief Compliance Officer | MOD-058 automates the notification workflow; ultimate accountability is institutional |
| Third-party IS obligations — contract negotiation and annual vendor review | COO / Procurement | MOD-150 monitors vendor SLA runtime; assessment is institutional |
Coverage summary
| Area | Total obligations | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 | N/A |
|---|---|---|---|---|---|
| IS policy framework | 4 | 1 | 0 | 3 | 0 |
| Control testing | 2 | 0 | 0 | 2 | 0 |
| IS incident management | 3 | 2 | 1 | 0 | 0 |
| Third-party IS arrangements | 2 | 0 | 0 | 2 | 0 |
| Total | 11 | 3 (27%) | 1 (9%) | 7 (64%) | 0 (0%) |
The platform automates threat detection, incident response, access control, and the APRA
notification workflow. Policy governance, capability assessment, penetration testing, vendor IS
assessment, and accountability for regulatory notification are institutional. All attributed
modules are currently build_status: Not started.
| Policy | Title |
|---|---|
| DT-001 | Information Security Policy |
| DT-002 | Cybersecurity Policy |
| DT-008 | Third-Party & Outsourcing Risk Policy |
| DT-010 | Environments and Deployment Standards |
| DT-011 | AI Development Guardrails |
| OPS-003 | Incident Management Policy |
| OPS-005 | Third-Party & Critical Service Provider Policy |
| REP-005 | Data Quality & Assurance Policy |
| REP-009 | Regulatory Incident & Breach Notification |
See D05 Data & Technology for the full risk domain.
Policies referencing this standard
- DT-001 — Information Security Policy
- DT-002 — Cybersecurity Policy
- DT-010 — Environments and Deployment Standards
- DT-011 — AI Development Guardrails
- OPS-003 — Incident Management Policy
- REP-005 — Data Quality & Assurance Policy
- REP-009 — Regulatory Incident & Breach Notification
Compiled 2026-05-22 from source/entities/regulations/au-cps-234.yaml