The information security capability is the set of systems, processes, and people needed to meet the 24 information security requirements of the Consumer Data Right (CDR).
Traditionally, enterprises have needed dedicated security and compliance experts to run their information security program. For modern cloud services businesses, mature cloud products, supporting software, and widely available security and compliance knowledge have reduced that dependency. More important than having people with the right skills and expertise are the resources, time, and commitment to security and compliance objectives. These are covered in more detail in Step 1: Security governance.
Of course, if your CDR environment is more complex, you will need people with the expertise to meet the security requirements for that environment. Beyond people, the task is to identify the systems and processes you already have in place to support the 24 information security requirements of the CDR and to address any gaps.
The easy way to do this is with AssuranceLab’s free readiness software, which also identifies the system components that feed into Step 2: Define the boundaries of the system. The software runs through a series of logic-driven questions to collect inputs on how your business operates, your scope, and the detailed practices in place. By comparing these against the requirements of the CDR (and other standards), it identifies gaps and provides recommendations based on industry-standard approaches and software solutions.
The CDR requires that the information security capability be reviewed and adjusted in response to risks and material changes. This is covered as an implicit part of Step 4: Controls Assessment Program, which includes a periodic (often quarterly) risk assessment and a review of the controls that address the CDR requirements and any other standards you are required, or choose, to comply with.
Other elements that commonly form part of your information security capability include:
- Governance practices - Board and Senior Leadership meetings;
- Monitoring software - Solutions like Cloud Conformity or Vanta to holistically monitor and manage your information security practices;
- Human Resources security - background checks, security awareness training, employee acknowledgement of policies like the Code of Conduct and Acceptable Use, performance reviews and disciplinary policies;
- Business planning - Goal setting and operational resourcing and planning including information security considerations; and
- Security policies - the broader security policies that set out security requirements, roles, and responsibilities across the organisation.
If you're wondering what this all looks like "on paper" - get in touch with our team <firstname.lastname@example.org>. We're happy to share examples and guide you through how this may look for your business.
The CDR Perspective
Schedule 2, Part 1 of the CDR Rules requires the following in relation to having and maintaining an information security capability:
- (1) The accredited data recipient must have and maintain an information security capability that:
- (a) complies with the information security controls specified in Part 2 of this Schedule; and
- (b) is appropriate and adapted to respond to risks to information security, having regard to:
- (i) the extent and nature of threats to CDR data that it holds; and
- (ii) the extent and nature of CDR data that it holds; and
- (iii) the potential loss or damage to one or more CDR consumers, if all or part of the consumer’s data were to be:
- (A) misused, interfered with, or lost; or
- (B) accessed, modified, or disclosed without authorisation.
- (2) The accredited data recipient must review and adjust its information security capability:
- (a) in response to material changes to either the nature or extent of threats or its CDR data environment; or
- (b) where no such material changes occur—at least annually.
AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2). We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach; saving time, costs, and headaches along the way.