CDR Security Whitepapers

A checklist of requirements for your environment

The Consumer Data Right requires information security controls to be implemented at four levels; organisational, infrastructure, software, and endpoint devices. Our whitepapers provide a checklist to address each layer as it relates to your cloud environment. Get in touch if you want to explore our solution partners that offer out-of-the-box, compliant environments.

1) Google Cloud@2x
3) Amazon Web Services
Google CDR Security Whitepaper
AWS CDR Security Whitepaper
3) Working towards accreditation@2x

Three stages to audits and assurance reporting

There are three steps for working towards the assurance report for accreditation.

8) CDR Security Governance@2x

Step 1: Security governance of CDR data

Define and implement a formal governance framework for managing information security risks.

5) Defining the data environment boundaries

Step 2: Boundaries of  CDR data environment

Define and document the boundaries of your CDR data environment and underlying system components.

5) Security Capability@2x

Step 3: Information security capability

Maintain an information security capability that complies with Schedule 2 Part 2 requirements below.

6) Control Assesment Program@2x

Step 4: Controls assessment program

Implement a testing program to assess the effectiveness of the information security capability.

4) Manage and Report Security Incidents@2x

Step 5: Manage and report security incidents

Establish procedures and practices to detect, record, and respond to security incidents.


Access control

The Access Control Policy covers several specific requirements of the CDR for accreditation.


Joiners and leavers

Joiners and leavers checklists are a simple approach to support your access control practices. 

11) User Access Reviews@2x

User access reviews

Periodically reviewing system access ensures your users remain appropriate with continued business needs. 

12) Network Security Policy @2x

Network Security

Protecting the network perimeter with firewalls and monitoring of network traffic for suspicious activity.

13) Hardening and Patching Policy@2x-1

Hardening and Patching

Security hardening and patching of critical system components to reduce system vulnerabilities.

14) CDR Policy@2x

CDR Policy

The CDR Policy sets out the use of consumer data and the terms of use and rights of those users.

15) Physical Security@2x

Physical security

Ensuring access to the data centres and places of business are restricted to authorised personnel.

6) Encryption


Applying encryption and securing encryption keys to protect the CDR data from unauthorised access.

7) Segregation of Duties

Segregation of duties

Separating user access roles and duties to ensure the change control process is followed appropriately.

18) Data Loss Prevention copy@2x

Data loss prevention

Ensuring data remains secure within the boundaries of the system and not inadvertently disclosed.

19) Information Classification and Handling Policy copy@2x

Data handling policies

Defining the structure and approach to classifying and handling sensitive information.

20) Backup, Retention, Disposal Policy copy@2x

Backup and disposal

Established practices for backup, retention, and secure disposal of sensitive information.

21) Vulnerability Management Program@2x

Vulnerability program

An established program for identifying, assessing, logging, and resolving technical vulnerabilities.

22) Change Control Policy & Environment@2x

Change control

Defined policies, procedures, and steps to ensure appropriate and high-quality software development.

23) Release Management Checklist@2x

Change release checklist

A combined checklist of steps and functions to be performed for each software release.

24) Anti-Malware practices copy@2x-2

Anti-malware practices

A combination of security practices and employee behaviours to mitigate the risk of malicious software.

25) Application White-list Policy copy@2x-1

Application whitelisting

Establishing a listing of approved software and restricting the installation on endpoint devices.

26) Anti-Virus Software, Updates & Monitoring copy@2x-1

Anti-virus software

Software to identify, block, quarantine, and resolve malicious software from endpoint devices and servers.

27) Acceptable Use Policy@2x

Acceptable use

Terms of use and required security behaviours to protect the security of systems and data.

28) Security Awareness Training@2x

Security awareness

Training for employees to raise awareness of security and privacy risks, requirements and objectives.

29) Background Checks @2x

Background checks

Police checks and other background checks conducted on employees prior to hiring.