
Continuous Controls Assurance for APRA Regulated Workloads

Gain clear and attestable insights into the security, risk and compliance posture of your APRA regulated workloads hosted on AWS. Always on, always assured, we deliver enterprise-level security to keep your business operations safe 24/7.

Ongoing, proactive approach to risk management, reducing vulnerabilities and enhancing the robustness of your organisation.

Save costs by optimising business processes, reducing the need for traditional audits, and preemptively preventing losses.

Enhance transparency by providing a clear, ongoing view into business operations, building trust among stakeholders, and ensuring compliance.

What is Continuous Controls Assurance?

By defining key information security Objectives and Key Results, Key Risk Indicators and Key Performance Indicators in a normalised, machine-readable format, we can map them to security controls catalogues and standards. This allows us to implement continuous controls effectiveness testing and reporting, with retention of evidence to substantiate test conclusions.

Continuous controls effectiveness testing and reporting helps organisations maintain visibility of their risk position despite the rate of technology and threat landscape change prevalent in modern enterprises. 

Leading and lagging indicators provide insights into current and future risk posture by measuring the performance of operational security capabilities and security improvement programs and predicting changes that can guide prioritisation and investment decisions.

By normalising and mapping data from multiple controls frameworks, baselines and higher-level standards, guidelines and best practices, objective, consistent and actionable data is made available to business stakeholders, from board risk committees and executive leadership teams to security governance forums (service owners and control owners) and business unit executives.


A continuous controls assurance testing and reporting capability will provide your organisation with the following key benefits:

Make the right security and risk information available to the right people at the right time to improve decision making and manage risk
Measure the performance of security improvement programs and operational security capabilities in real time
Predict changes in risk position to guide prioritisation and investment decisions in a threat landscape where continuous change is becoming the norm
Introduce consistent controls effectiveness testing and retention of evidence to support external audits and assessments
Reduce time and effort associated with conducting manual security assessments
Accelerate innovation with real-time, actionable risk and security posture information so that security defects can be addressed as early as possible in the development lifecycle

Why Continuous Controls Assurance?

If you are using spreadsheets to report on information security controls effectiveness, you are lagging behind your competitors.

An APRA-regulated entity must test the effectiveness of its information security controls through a systematic testing program. Findings from the APRA CPS 234 tripartite assessment of a quarter of APRA’s regulated entities (~24%) published in July 2023 highlight that in many cases, the testing programs of entities are incomplete, inconsistent, lack independence and do not provide adequate assurance for management and the Board.

Internal security teams are struggling to address the complexity of reporting control effectiveness across a range of security controls catalogues and baselines, such as NIST 800-53, ISO 27002, AWS Foundational Security Best Practices (FSBP), Microsoft cloud security benchmark (MCSB) and PCI DSS, and across the higher-level standards, guidelines and best practices used to manage cybersecurity risk, such as APRA CPS 234, CPS 232, CPG 234 and others.

Manual periodic assessment processes (often supported by dreaded Excel spreadsheets) are expensive and ineffective, and can impede innovation and competitiveness by introducing delays to digital transformation initiatives.

What our clients are saying

"We engaged CMD Solutions Managed Service team to uplift and operate our environment. The relationship with CMD has substantially improved our risk profile through improved monitoring and alerting, automation pipelines and DevOps practices. The highly skilled team of Site Reliability engineers combined with CMD's 'runCMD' platform has reduced our total cost of ownership of operating our environment in the Cloud."
Danny Bosevski
CareSouth Everyday | IT and Communications Manager
