Obtaining assurance on the security of your CDR data environment

Does your organisation know:

  • The scope of the CDR data environment?
  • What security controls are needed?
  • What’s involved in obtaining an independent assurance report?
  • How long the process will take?
  • What the ongoing requirements are?
  • Whether there is more to CDR assurance than just compliance?


To become an Accredited Data Recipient (ADR), an organisation needs to demonstrate that it has effectively designed security controls and implemented those controls as designed.

Consumer Data Right (CDR) information security accreditation

The CDR Rules require an organisation applying to become an ADR to meet minimum requirements for protecting CDR data from two broad types of risk: (a) misuse, interference, and loss, and (b) unauthorised access, modification, or disclosure. The CDR Rules outline the controls required to manage these risks in Schedule 2 Part 1 (security governance) and Schedule 2 Part 2 (minimum control requirements).

The CDR Rules also require an applicant to document their CDR data environment (the people, processes and technology) in a comprehensive system description.

Options for reducing the scope of your CDR data environment include network segmentation, tokenisation, de-identification, anonymisation and pseudonymisation. These approaches can be complex and expensive, and they can weaken the business case for accreditation, so they need to be carefully considered.

For a non-authorised deposit-taking institution (non-ADI), demonstrating this requires a “Type I” reasonable assurance report in accordance with the Standard on Assurance Engagements ASAE 3150 – Assurance Engagements on Controls, or accepted comparable standards, as identified by the ACCC in the ‘CDR - Supplementary accreditation guidelines information security’.

A Type I report provides assurance on the design and implementation of controls at a date or point in time.

In Australia, these reports can only be prepared by an independent registered auditing firm (CAANZ or CPA) and only a suitably experienced, qualified and independent individual can sign the report as the lead information security assurance practitioner.

Contact our CDR specialists

The CDR information security accreditation process is complex.

If you want to discuss your accreditation with one of our experienced team members, please get in touch.