Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234

Fortra’s Data Classification Suite (DCS) helps organizations across the finance and insurance sectors meet the information security regulations mandated by the Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234. Noncompliance with APRA can result in substantial fines as well as legal risks and damage to your organization’s reputation. A data breach resulting from noncompliance can also negatively affect consumer and investor confidence in your business.

To mitigate these risks, you need a broad solution that can identify personal and sensitive information, classify it, and protect it across your entire security ecosystem. You need consistent, efficient protection throughout the data life cycle, whether it’s in transit or at rest, on site or in the cloud. In addition, you need a way to educate users about the value of the data they handle from day to day. And, of course, you need to be able to prove compliance with privacy regulations such as APRA and others.

Fortra’s Data Classification Suite solutions empower you to more efficiently manage all these dimensions of information security. Deep learning algorithms built into our solutions consistently identify sensitive data in context and automatically classify files in transit and at rest. Open, persistent metadata enables you to write custom identifiers, which in turn inform the other security solutions in your ecosystem, such as data loss prevention (DLP), encryption and rights management technologies, security information and event management (SIEM) solutions, and other technologies. Alerts keep users aware of sensitive data and offer suggestions for how to handle it, and audit logs help administrators keep track of security events and verify compliance.

How DCS supports your compliance

DCS works in concert with your existing cybersecurity infrastructure to help you achieve end-to-end compliance with privacy regulations. The open, configurable policy engine enables your organization to enforce detailed information handling policies, tailored specifically to your business using award winning machine learning algorithms.

Discover

Sensitive information must be identified wherever it sits and however it is created. DCS automatically enforce identification across platforms and devices via easily adoptable workflows to ensure protection of all your information.

Classify and categories all data

The powerful DCS policy engine ensures that data is classified correctly according to your information security policy. Multiple layers of classification allow for highly granular control. Deep learning AI technology can be deployed to assess your information, recognize sensitive data and autonomously determine appropriate categories.

Protect

DCS integrates with the other technologies in your security ecosystem, such as messaging, DLP and electronic data rights management (EDRM) solutions to enforce your information security policies using open, persistent metadata embedded in documents at creation or upon discovery. Business leaders can give employees more freedom to innovate and have peace of mind knowing that sensitive information is safe.

The DCS platform supports compliance with the APRA Prudential Standard CPS 234 for information security through the following features and capabilities.

Information security foundation

DCS builds and maintains a foundation for your security capability, supporting both your technology infrastructure and your users. The DCS solution can discern the context of data, continuously safeguarding information across many systems by helping users understand its value and by informing your other security technologies.

Policy framework

Your policy framework defines the value of your information. DCS enables you to build a powerful but flexible framework, customized to your organization and the specific types of information and forms you use. Revisions can be quickly made and applied to respond to changing vulnerabilities and threats.

Information asset identification and classification

DCS identifies sensitive information as it is created or when it enters your organization from an outside source. Your policy framework is applied, and files are classified to a highly granular level, which is built in to the datafile. Advanced machine learning can also be enabled to suggest or enforce classifications.

Implementation of controls

The controls across your entire security infrastructure must adhere to your policy. DCS prevents unauthorized data access, transmission or loss on any device, whether in your offices or via the cloud. All data files are permanently marked with open metadata, which triggers DLP, email encryption, rights management and other solutions to apply your privacy restrictions as well.

Security policies must apply throughout the information life cycle. That’s why DCS classifications impose appropriate storage, transmission, archiving and destruction parameters. Watermarking
also permanently identifies classifications and reminds employees of the value of your sensitive information.

As users change roles and departments, and eventually leave the organization, their access control rights must keep up with their status. DCS allows multiple classifications to strengthen control of
the information users can access.

Incident management

Organizations must be warned of immediate and long-term threats. DCS can scan for anomalous behavior, such as repeated down classifying and downloads at unexpected times of day, and then flag it for administrators.

Testing control effectiveness

Controls must be thoroughly tested across your organization as well as any third-party organizations you work with on a regular basis. Use DCS to support end-to-end testing by creating test data with combinations of classifications and monitor the effectiveness of your employee training.

Internal audit

DCS supports internal audits by logging users’ data classification compliance levels with standard and enhanced audit logging capabilities. Audit logs support incident management processes and notification to APRA if necessary.