
Strengthening Cyber Resilience: Backrightup Addressing Backup Vulnerabilities in APRA-Regulated Entities

Cyber resilience remains a top priority for the Australian Prudential Regulation Authority (APRA), as the evolving threat landscape continues to pose significant risks to financial institutions. To mitigate these risks, APRA-regulated entities are urged to proactively implement strategies that enhance their cyber defenses, particularly in the area of data backups.

In APRA’s recent Interim Policy and Supervision Priorities update, the emphasis on adhering to Prudential Standard CPS 234 Information Security (CPS 234) is clear. APRA expects entities to not only meet these standards but also to periodically self-assess against the guidelines in Prudential Practice Guide CPG 234 Information Security (CPG 234).

APRA has identified data backup practices as a common area of weakness within many organizations, despite their critical role in protecting against data loss. Through supervisory activities, APRA has observed issues that could limit the effectiveness of backups in restoring systems during a cyber incident.

Entities are expected to review and address any gaps in their backup arrangements, as failing to do so may constitute a material security control weakness, notifiable under CPS 234. APRA will continue to monitor and share insights on these vulnerabilities, ensuring that all regulated entities can strengthen their cyber resilience in a timely manner.

Here’s how Backrightup effectively addresses each of these inadequacies, including APRA’s observations regarding insufficient backup practices:

Backrightup has been supporting APRA-regulated organizations such as TelstraSuper, Spirit Super, and Allianz with automated backup and restore testing.

1. Insufficient Segregation Between Production and Backup Environments

Isolation: Backrightup ensures sufficient isolation between production and backup environments by using separate storage accounts and applying strict access controls.

Access Controls: These controls prevent any single account or person from having permissions to modify or delete both production and backup data.

Compliance: Segregation is enforced through role-based access control (RBAC) and the principle of least privilege, aligning with the guidance from CPG 234, paragraphs 44 and 45.

Retention: Unlike Microsoft Azure DevOps and GitHub, which do not provide unlimited retention and can permanently delete data after 28 days if not restored, Backrightup offers secure and long-term data retention, ensuring that your critical backups are preserved and accessible when needed.
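The segregation point above (no single account or person holding modify or delete rights over both production and backup data) is the kind of control that is easy to state and easy to break quietly through group membership. The following is an added illustration, not Backrightup's code and not tied to any particular cloud provider's role model: it assumes role assignments can be exported as (principal, storage account, actions) tuples and that groups can be expanded to their members. It resolves each person's effective permissions through nested groups and reports anyone who ends up with destructive rights on both environments.

```python
"""Segregation-of-duties check for production vs. backup storage.

Added example with constructed data. Assumptions (not from the page):
role assignments are modelled as (principal, scope, actions) tuples,
scopes are labelled "production" or "backup", and groups expand to
their members, possibly through nested groups.
"""
from collections import defaultdict

# Permissions that allow data to be altered or destroyed.
DESTRUCTIVE = {"write", "delete"}

# Constructed sample: which storage accounts hold production vs. backup data.
SCOPES = {
    "prod-repos-sa": "production",
    "prod-pipelines-sa": "production",
    "backup-vault-sa": "backup",
}

# Constructed sample group memberships (group -> members; members may be groups).
GROUPS = {
    "devops-admins": {"alice", "bob"},
    "platform-team": {"devops-admins", "carol"},
}

# Constructed sample role assignments: (principal, scope, set of actions).
ASSIGNMENTS = [
    ("platform-team", "prod-repos-sa", {"read", "write", "delete"}),
    ("backup-svc", "backup-vault-sa", {"read", "write"}),
    ("bob", "backup-vault-sa", {"read", "delete"}),  # bob also reaches prod via groups
    ("auditor", "backup-vault-sa", {"read"}),
    ("auditor", "prod-repos-sa", {"read"}),
]


def expand(principal, groups):
    """Return the leaf identities a principal resolves to, following nested groups."""
    leaves, stack, visited = set(), [principal], set()
    while stack:
        p = stack.pop()
        if p in visited:
            continue
        visited.add(p)
        if p in groups:
            stack.extend(groups[p])
        else:
            leaves.add(p)
    return leaves


def effective_permissions(assignments, groups, scopes):
    """Map each leaf identity -> environment -> actions it can perform."""
    perms = defaultdict(lambda: defaultdict(set))
    for principal, scope, actions in assignments:
        env = scopes[scope]
        for identity in expand(principal, groups):
            perms[identity][env] |= set(actions)
    return perms


def segregation_violations(assignments, groups, scopes):
    """List identities holding destructive rights on both production and backup data.

    Each entry is (identity, sorted prod actions, sorted backup actions).
    """
    perms = effective_permissions(assignments, groups, scopes)
    violations = []
    for identity, envs in sorted(perms.items()):
        prod = envs.get("production", set()) & DESTRUCTIVE
        backup = envs.get("backup", set()) & DESTRUCTIVE
        if prod and backup:
            violations.append((identity, sorted(prod), sorted(backup)))
    return violations


if __name__ == "__main__":
    for identity, prod, backup in segregation_violations(ASSIGNMENTS, GROUPS, SCOPES):
        print(f"VIOLATION {identity}: production={prod} backup={backup}")
```

In the constructed data only `bob` is flagged: his backup delete right is assigned directly, while his production write and delete rights arrive through two levels of group nesting, which is exactly the combination a flat review of direct assignments would miss. Running such a check on every access change, rather than at audit time, is what keeps the control continuously enforced.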

Are you confident in your backup strategy? Don’t leave it to chance. Contact us today for a complimentary Backup Assessment tailored to APRA’s stringent requirements. Let’s ensure your backups are resilient and fully compliant.

2. Insufficient Control Testing Coverage and Rigour to Ensure Backups Are Protected from Compromise

  • Comprehensive Testing: Backrightup integrates a rigorous testing program that continuously validates the integrity and security of backups.
  • Automated Audits: Automated audits and monitoring tools are in place to ensure backups are protected from unauthorized access, modification, or alteration.
  • Regulatory Alignment: These measures align with CPG 234, paragraph 45, and Attachment G, ensuring the backup environment remains secure and uncompromised.
  • Granular Control: While platforms like Azure DevOps and GitHub may lack granular control over backups and restoration, Backrightup’s solution provides detailed oversight and management, reducing the risk of gaps in business continuity.
  • Support for APRA-Regulated Entities: Backrightup supports APRA-regulated organizations such as TelstraSuper, Spirit Super, and Allianz by automating backup and restore testing, ensuring they meet regulatory requirements and maintain strong cyber resilience.

Worried about potential gaps in your backup environment? Schedule a risk-free consultation with our experts to evaluate and enhance your current backup solutions, ensuring alignment with APRA’s CPS 234 standards.

3. Insufficient Testing of Capability to Recover Systems and Data Within Tolerance Levels from Backups

  • Regular Testing: Backrightup includes regular testing of backup coverage and recovery processes to ensure that critical business operations can be restored within defined tolerance levels.
  • Recovery Drills: These recovery drills validate both the technical capability and the efficiency of the recovery process, ensuring compliance with the recovery requirements outlined in CPG 234 and Attachment G.
  • Proactive Approach: This proactive approach guarantees that systems and data can be recovered instantly and effectively in the event of a disruption.
  • Detailed Recovery Support: Unlike other platforms that may not support granular backups or comprehensive restoration capabilities, Backrightup is designed to support detailed recovery, helping businesses maintain continuity without disruption.
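Sections 2 and 3 together describe what a recovery drill has to prove: that the backup has not been altered since it was taken, that every expected item comes back, and that the whole restore completes within the tolerance level. The following is an added example, not Backrightup's "Restore Assured" implementation and not a description of how any vendor does it. It assumes a backup is a gzipped tar archive accompanied by a manifest of SHA-256 digests recorded at backup time, and that the tolerance level is expressed as a recovery time objective in seconds. The drill restores into a scratch directory, checks each restored file against the manifest, and reports integrity failures, missing items and elapsed time against the RTO.

```python
"""Restore drill: integrity, completeness and recovery-time check.

Added example with constructed data. Assumptions (not from the page): a
backup is a gzipped tar archive plus a manifest of SHA-256 digests taken
at backup time; the tolerance level is an RTO in seconds.
"""
import hashlib
import io
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed sample content standing in for a repository backup.
SAMPLE_FILES = {
    "src/app.py": b"print('hello')\n",
    "pipelines/build.yml": b"steps:\n  - script: make\n",
    "README.md": b"# demo\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict) -> tuple:
    """Stand-in for a backup job: archive the files and record their digests."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    manifest = {name: sha256(data) for name, data in files.items()}
    return buf.getvalue(), manifest


def restore_drill(archive: bytes, manifest: dict, rto_seconds: float) -> dict:
    """Restore to a scratch directory, verify against the manifest, time the run."""
    start = time.monotonic()
    restored = {}
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                # Refuse member names that would escape the scratch directory.
                if ".." in Path(member.name).parts or Path(member.name).is_absolute():
                    raise ValueError(f"unsafe path in archive: {member.name}")
                target = root / member.name
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(tar.extractfile(member).read())
                # Hash what actually landed on disk, not the in-memory bytes.
                restored[member.name] = sha256(target.read_bytes())
    missing = [n for n in manifest if n not in restored]
    mismatched = [n for n, d in manifest.items() if n in restored and restored[n] != d]
    elapsed = time.monotonic() - start
    within_rto = elapsed <= rto_seconds
    return {
        "restored": len(restored),
        "missing": missing,
        "mismatched": mismatched,
        "elapsed_seconds": round(elapsed, 3),
        "within_rto": within_rto,
        "passed": not missing and not mismatched and within_rto,
    }


if __name__ == "__main__":
    archive, manifest = make_backup(SAMPLE_FILES)
    print("clean backup:", restore_drill(archive, manifest, rto_seconds=30.0))
    # A backup altered after the manifest was taken fails the integrity check.
    altered, _ = make_backup({**SAMPLE_FILES, "src/app.py": b"print('changed')\n"})
    print("altered backup:", restore_drill(altered, manifest, rto_seconds=30.0))
```

The manifest must be stored separately from the archive and under different permissions, otherwise whoever can alter the backup can rewrite the digests too; the separate storage accounts described in section 1 are the natural place for it. A drill report like the one returned here, kept per run, is also the evidence an assessor will ask for when checking that recovery has actually been exercised within tolerance rather than assumed.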

Secure your data with confidence. Discover how Backrightup can fortify your backup strategy against APRA’s identified vulnerabilities. Reach out to us today for a personalized demo and see how we can protect your business.

In addition to these targeted measures, Backrightup offers a unique “Restore Assured” feature, providing monthly restore testing and detailed reporting on the efficacy of backups. This proactive approach ensures that your backups are not only secure but also fully functional, giving you the confidence that critical business operations can be restored swiftly in the event of a disruption.

For a limited time, we’re offering a 20% discount on our automated backup and restore testing services. Don’t miss out—contact us now to take advantage of this offer and safeguard your business.

Our stakeholders recognize that “cloning all your repos down to an on-prem shared drive” is far from a robust backup strategy. They understand the critical need for comprehensive solutions that go beyond simple repository backups. Furthermore, with Microsoft Azure DevOps and GitHub not providing unlimited retention, data that’s not restored within 28 days is lost forever. Additionally, the lack of granularity in backups or restoration options can significantly impact business continuity. Backrightup addresses these challenges by providing advanced backup capabilities that ensure all aspects of your DevOps environment are protected. This gives your organization the resilience it needs.

Compliance is non-negotiable. Ensure your organization meets APRA’s backup requirements with Backrightup. Contact us to review your current setup and avoid potential regulatory pitfalls.
