Obtaining assurance on the security of your CDR data environment
With CDR going live on 1 July 2020, Accredited Data Recipient (ADR) applicants must demonstrate the security effectiveness of their people, processes and technology. The challenge is to demonstrate that security convincingly while keeping the cost of doing so down.
The seven stages to being accredited and active in the CDR
RSM Australia, Adatree, Trend Micro, DNX Solutions & Fintech Australia present a detailed guide to being an ADR efficiently, from use case to active status.
Accelerating your journey to receiving CDR data and bringing Open Banking to life in your business is outlined in seven key stages.
Download our comprehensive information guide to navigate the Data Recipient path.
What security controls are needed?
The CDR Rules require an organisation applying to become an ADR to meet minimum requirements for protecting CDR data from two broad types of risk: (a) misuse, interference, and loss, and (b) unauthorised access, modification, or disclosure. The CDR Rules outline the controls required to manage these risks in Schedule 2 Part 1 (security governance) and Schedule 2 Part 2 (minimum control requirements).
The CDR Rules also require an applicant to document their CDR data environment (the people, processes and technology) in a comprehensive system description.
Options for reducing the scope of your CDR data environment include network segmentation, tokenisation, de-identification, anonymisation and pseudonymisation. Each of these aims to keep raw CDR data (and anything that would allow it to be re-identified) out of as much of your environment as possible, so that fewer systems, people and processes fall within the CDR data environment that has to be described and assessed. These measures can be complex and expensive to implement, and can weaken the business case for accreditation, so they need to be weighed carefully.
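As an added illustration (not part of the original article, and not an RSM, ACCC or CDR artefact), the following Python sketches three of the scope-reduction techniques listed above on a constructed Open Banking style account record. The field names, sample values and key are invented for the demo; the point is to show what each technique leaves behind in the downstream system and where the residual risk sits.

```python
import hashlib
import hmac
import secrets
from copy import deepcopy

# Constructed sample record in an Open Banking style; not real CDR data.
RAW_RECORD = {
    "accountId": "acc-0001",
    "customerName": "A. Example",
    "bsb": "000-000",
    "accountNumber": "12345678",
    "balance": "1520.55",
    "postcode": "3000",
    "dateOfBirth": "1985-04-12",
}

# Fields that identify the consumer directly and must not leave the
# protected CDR data environment in clear form (assumption for the demo).
DIRECT_IDENTIFIERS = ("customerName", "bsb", "accountNumber")


class TokenVault:
    """Tokenisation: the real value lives only in this vault, which stays
    inside the protected environment. Everything downstream receives a
    random token with no mathematical relationship to the original, so a
    downstream system holds nothing that can be reversed without access
    to the vault itself."""

    def __init__(self):
        self._forward = {}   # real value -> token
        self._reverse = {}   # token -> real value

    def tokenise(self, value):
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenise(self, token):
        return self._reverse[token]


def tokenise_record(record, vault):
    out = deepcopy(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = vault.tokenise(out[field])
    return out


def pseudonymise(value, key):
    """Pseudonymisation with a keyed hash (HMAC-SHA256, truncated to 64 bits).
    Deterministic, so records can still be joined on the pseudonym.
    The key is what stops re-identification: an unkeyed hash of an 8-digit
    account number could be reversed by hashing all 10**8 candidates, so the
    key must stay inside the protected environment alongside the raw data."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise_record(record, key):
    out = deepcopy(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = pseudonymise(out[field], key)
    return out


def deidentify_record(record):
    """De-identification: drop direct identifiers and the record key, and
    coarsen quasi-identifiers (postcode, date of birth) that could be
    combined with other data to single a person out. Whether the result
    counts as anonymised depends on that residual re-identification risk,
    not on the removal of names alone."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k != "accountId"}
    out["birthDecade"] = out.pop("dateOfBirth")[:3] + "0s"     # 1985 -> 1980s
    out["postcodeRegion"] = out.pop("postcode")[0] + "xxx"     # 3000 -> 3xxx
    return out


if __name__ == "__main__":
    vault = TokenVault()
    print("tokenised:    ", tokenise_record(RAW_RECORD, vault))
    print("pseudonymised:", pseudonymise_record(RAW_RECORD, b"constructed-demo-key"))
    print("de-identified:", deidentify_record(RAW_RECORD))
```

Only the de-identified output removes the data from scope outright; the tokenised and pseudonymised outputs still depend on a secret (the vault contents or the HMAC key) that remains CDR data environment material and must be covered by the system description and the controls assessment.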
What is required when applying for accreditation?
To become an ADR, an organisation needs to demonstrate that it has effectively designed security controls and implemented those controls as designed. For a non-authorised deposit-taking institution (non-ADI), this requires a “Type I” reasonable assurance report in accordance with the Standard on Assurance Engagements ASAE 3150 – Assurance Engagements on Controls, or accepted comparable standards, as identified by the ACCC in the ‘CDR - Supplementary accreditation guidelines information security’.
A Type I report provides assurance on the design and implementation of controls as at a specified date, a point in time. It does not test whether the controls operated effectively over a period; that is the subject of a Type II report, so a Type I says nothing about how consistently a control has been applied since it was put in place.
In Australia, these reports can only be prepared by an independent registered auditing firm (CAANZ or CPA) and only a suitably experienced, qualified and independent individual can sign the report as the lead information security assurance practitioner.
Darren has delivered security and privacy assessments across multiple countries for large multinational corporations, and locally for Australian-based organisations in both the public and private sectors across all industries.
The CDR information security accreditation process is complex.
If you want to discuss your accreditation with one of our experienced team members, please get in touch.