The Controls Assessment Program goes hand-in-hand with your risk assessments, audits for CDR accreditation, and ongoing management of the CDR requirements.
Step 3: Information Security Capability involves setting out the systems, processes, and people that support the 24 information security requirements of the CDR. It is then important to have a formal process for the ongoing monitoring and maintenance of those "controls". The controls need to be reviewed and updated at least annually, or more often in response to changes in the risks, system design, and services. That's where the risk assessments and the controls assessment program come together to provide that ongoing function.
These areas are a common point of confusion and pain for small and medium-sized businesses. You might already be thinking from the last paragraph, "what is all this?" There's a reason for that!
Unlike the other information security practices, which are industry-standard considerations for businesses of all sizes, the risk and controls function only becomes important for larger or more complex businesses, or those going for CDR accreditation.
Risk management is an intuitive practice. In fact, it's the first practice performed by any business founder. Before you build any product, secure funding, design your services, or even set your goals, you're considering the risks involved. It's like looking for cars before crossing the road, or putting your wallet in a safe spot when out in a busy public place. The risk assessment happens in the founder's head. Material risks are communicated to employees or other stakeholders. The risks are addressed by what "makes sense".
It's because risk management is so intuitive and "common sense" that smaller businesses generally don't need a well-established function for it. As the organisation grows, the team becomes more dispersed, and the risks become more prevalent, widespread, and complex. There's a growing list of requirements from multiple customers, regions, and regulations. The combination of those developments requires a systematic way to manage risks and controls.
The CDR and other information security standards like SOC 2 require a formal way to manage risks and controls. This "fast-tracks" what otherwise may not be a high priority for a smaller business. In any case, the same principles and systematic approach can be scaled down in a way that makes sense for smaller businesses without being too onerous or process-heavy.
The risk assessment process includes a combination of a Risk Framework or Risk Management Policy, a Risk Register to track the identified risks, and a formal periodic process to conduct and update the risk assessments. These are covered in more depth in our Best Practices - Risk Management post (includes a good template that's free to download).
The Control Framework
The control framework for CDR was set up in the last step (Step 3: Information Security Capability). This includes identifying the "controls" or business practices that address the risks specific to CDR. The 24 information security requirements have been designed to address the security and privacy risks of consumer data. The design and maintenance of the controls framework are covered in more detail in our Best Practices - Controls Framework post.
The Controls Assessment Program
The Controls Assessment Program pulls together the last two parts and involves an ongoing review process to ensure your information security controls continue to meet the requirements of the CDR, and that they are updated when things change, including the risks, the scope of your system, the environment, or your services. This exercise, as described in our Controls Framework post, means periodically going through the list of controls to confirm they are in place (no changes) and operating effectively (no deviations), and to consider ongoing improvements.
If you're wondering what this looks like "on paper", get in touch with our team at <firstname.lastname@example.org>. We're happy to share examples and guide you through how this may look for your business.
The CDR Perspective
Schedule 2, Part 1 of the CDR requires the following in relation to implementing and maintaining a controls assessment program:
- (1) An accredited data recipient must establish and implement a testing program to review and assess the effectiveness of its information security capability which:
  - (a) is appropriate having regard to the factors set out in paragraph 1.5(1)(b); and
  - (b) requires testing at a frequency, and to an extent, that is appropriate having regard to:
    - (i) the rate at which vulnerabilities and threats change; and
    - (ii) material changes to the boundaries of its CDR data environment; and
    - (iii) the likelihood of failure of controls having regard to the results of the previous testing.
- (2) The accredited data recipient must monitor and evaluate the design, implementation, and operating effectiveness of its security controls relating to the management of CDR data in accordance with its obligations under Part IVD of the Act and these rules, and having regard to the information security controls in Part 2 of this Schedule.
- (3) The accredited data recipient must escalate and report to senior management the results of any testing that identifies design, implementation or operational deficiencies in information security controls relevant to its CDR data environment.
- (4) The accredited data recipient must ensure that testing is conducted by appropriately skilled persons who are independent of the performance of controls over the CDR data environment.
- (5) The accredited data recipient must review the sufficiency of its testing program referred to in subclause (1):
  - (a) when there is a material change to the nature and extent of threats to its CDR data environment or to the boundaries of its CDR data environment—as soon as practicable; or
  - (b) where no such material changes occur—at least annually.
AssuranceLab is a modern cybersecurity audit firm that issues assurance reports (ASAE 3150, SOC 1/2). We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach, saving time, costs, and headaches along the way.