As the Consumer Data Right (CDR) Rules continue to evolve, RSM submitted a response to the request for submissions related to the draft ‘intermediary’ Rules, which were published in June 2020.
Given significant changes to the Rules are unlikely to occur prior to a tiered accredited data recipient (ADR) model being implemented, we focused our response on trying to make the information security accreditation requirements clearer and easier to understand.
This would save applicants time and effort when interpreting the Rules.
RSM welcomes the opportunity to comment on the ACCC’s proposed CDR Rules that would allow accredited persons to utilise other accredited parties to collect CDR data and provide other services that facilitate the provision of goods and services to consumers.
As a registered auditing firm (Chartered Accountants Australia & New Zealand), RSM has suitably experienced and qualified individuals who can complete independent assurance reports in accordance with International / Australian Standards on Assurance Engagements (ISAE/ASAE) as lead information security assurance practitioners.
RSM has completed independent assurance reports for the Consumer Data Right information security accreditation in accordance with ASAE 3150 – Assurance Engagements on Controls for two Accredited Data Recipient (ADR) applicants.
This experience has provided us with valuable insights on the CDR Rules, including defining the boundaries of the CDR data environment, Schedule 2 Part 1 and Part 2.
We would therefore like to highlight the following for consideration by the ACCC:
- Proposed minimum control: Encryption in transit
- Proposed minimum control: Data segregation
- Boundaries of the CDR data environment scope
- Current minimum control: Restrict administrative privileges
- Current minimum control: Limit physical access
- Current minimum control: Firewalls
- Current minimum control: Data loss prevention
- Current minimum control: Vulnerability management
- Current minimum control: Application whitelisting
The description of minimum controls does not specify whether this control applies to transit related to the internal (i.e. the trusted network of the CDR data environment) and/or external (untrusted) network.
This clarification is required to ensure ADRs and ADR applicants understand the investment and security requirements.
The description of minimum controls states that data needs to be segregated but does not specify whether other shared resources also need to be segregated.
Examples of this could include:
- Non-transactional audit logs (noting that transactional audit logs would be classified as derived CDR Data)
- Shared server or database resources
- Shared scripts, etc.
Further clarification on the segregation scope and whether it applies to these other shared resources would ensure ADRs and ADR applicants understand security requirements within a CAP arrangement.
It could also be made clear that the segregation of CDR data that is stored or hosted on behalf of an accredited data recipient from other CDR data should be explicitly included in the scope of penetration testing.
Whilst not directly requested by the ACCC, we would also like to provide the following feedback on the existing Consumer Data Right Rules based on our recent experience:
The Consumer Data Right Rules state that the CDR data environment means:
'the information technology systems used for, and processes that relate to, the management of CDR data.'
Whereas the ‘CDR - Supplementary accreditation guidelines information security’ states that the boundaries of the CDR data environment:
‘involves identifying the people, processes, technology and infrastructure that manages, secures, stores or otherwise interacts with CDR data,…may include infrastructure owned by, and management provided by, an outsourced service provider or third party’.
The inconsistent inclusion of the words ‘interacts with’ results in confusion for ADRs and ADR applicants.
‘Interacts with’ indicates that the Consumer Data Right Rules applies to all system components included in or connected to the CDR data environment, including system components indirectly connected, impacting the configuration or security, or providing security services to the CDR data environment.
‘The CDR Rules and the ‘CDR - Supplementary accreditation guidelines information security’ could be updated to align wording.
If ‘interacts with’ remains, the ACCC could provide further guidance to ADRs on the scope of the boundaries the CDR data environment, similar to that provided by the PCI Security Standards Council for scoping a cardholder data environment.
The controls states that:
‘Privileges granted on an ongoing basis are regularly reviewed to confirm their ongoing need.’
The use of the word ‘regularly’ provides a point of confusion for ADRs and ADR applicants, as regularly is interpreted differently.
Whilst the ‘CDR - Accreditation controls guidance.xls’ provides additional guidance that it should be monthly, this is not included in the Rules, unlike the ‘Access security’ minimum control, which states a frequency.
The control states that ‘premises of business operation’ are in scope. The modern working environment means that staff can do anything remotely that they can do whilst physically in the premises of business operation, making premises of business operation redundant as a physical control.
The Consumer Data Right Rules could be updated to remove this requirement (noting other controls on data loss prevention). It is noted that the ‘CDR - Accreditation controls guidance.xls’ states a combination of location and office network may be considered as an authentication factor for Multi-factor authentication.
Many information security professionals would disagree with physical access being a valid authentication factor. If this is still deemed appropriate by the ACCC, controls to limit physical access to premises of business operation should instead be linked to this control guidance.
The controls states ‘…review configurations on a regular basis.’ The use of the word ‘regular’ provides a point of confusion for ADRs and ADR applicants, as regular is interpreted differently.
The Consumer Data Right Rules could state that this should be aligned to industry best practice (six-monthly review) or state a frequency, like the ‘Access security’ minimum control, which states a frequency.
Whilst the controls stated seem valid, the scope of CDR data (and derived data) results in the control ‘email filtering and blocking methods that block emails with CDR data in text and attachments’ being impractical to implement. Filtering and blocking systems are unable to identify whether text is CDR data or non-CDR data with similar attributes.
The Consumer Data Right Rules could be updated to instead focus controls on preventing downloading of CDR data to locations outside the CDR data environment e.g. file shares, workstations, printers.
The controls states:
‘…regular vulnerability scanning and penetration testing on systems within the CDR data environment.’
The use of the word ‘regular’ provides a point of confusion for ADRs and ADR applicants, as regular is interpreted differently.
The Consumer Data Right Rules could state that this should be aligned to industry best practice (at least annually or after any significant change to the CDR data environment) or state a frequency, like the ‘Access security’ minimum control, which states a frequency.
The Australian Cyber Security Centre (ACSC) have recently updated terminology from application whitelisting (which is typically a specific solution used for Microsoft Windows operating systems) to the more generic term ‘implement application control’. The Consumer Data Right Rules could be updated to align terminology with the ACSC.
The ACSC recognises that implementing application control within Linux environments is challenging.
The Consumer Data Right Rules could be updated to provide options to comply with this control depending on whether the ADR operates a Microsoft Windows environments or a non-Microsoft Windows environment. As it is currently worded an ADR applicant operating a non-Microsoft Windows environment will likely have a qualified assurance report.
How can RSM help?
The Consumer Data Right information security accreditation process is complex. If you want to discuss your accreditation with one of our experienced team members, please get in touch with: Darren Booth, National Head of Security & Privacy Risk Services.
Want to read more about your Consumer Data Right (CDR) information security accreditation at RSM? Click here for more.