The increasing frequency, sophistication and impact of cyber security attacks on the financial sector have increased awareness of the need for strong information security controls in Australia. In June 2019, the independent regulatory authority for Australian superannuation institutions, the Australian Prudential Regulation Authority (APRA), released new guidelines for information security for all institutions within its purview. Pragma were engaged by MTAA Super to undertake a review of MTAA’s current Information Security Controls and develop an implementation strategy to enhance those controls to meet the APRA standard.
Pragma worked closely with MTAA Super stakeholders to review and assess current state information security controls, forming a baseline of knowledge to build upon. These baseline controls were then compared against APRA guidelines, enabling Pragma to evaluate the differences and formulate a suite of enhancements for implementation.
Pragma’s implementation strategy for enhancements utilised an agile approach. A strategic roadmap was developed in collaboration with MTAA stakeholders balancing business value, urgency and impact to inform the prioritisation of each enhancement. Enhancements were then added to a backlog for implementation.
Pragma worked closely with MTAA to develop a number of the enhancements, including hardware and application whitelisting and blacklisting policies, a segregation of duties policy, a browser control policy, and forensic analysis and cyber security incident processes. MTAA Super are now custodians of a robust suite of information security controls that meet and exceed the standards set by APRA. The information security policies and processes developed in partnership with Pragma are flexible and adaptive, able to respond to the ever-changing cyber security landscape and ensure MTAA Super can protect the assets of their members.