CDR Information Security Accreditation Assurance Report (ASAE 3150)
Accredited Data Recipient (ADR) applicants must demonstrate the security effectiveness of their people, processes and technology for accreditation. The key is to demonstrate security, whilst minimising the cost.
The Supplementary Accreditation Guidelines - Information Security provides information and guidance to accreditation applicants and accredited persons to assist them in meeting the information security obligation, and to demonstrate that they satisfy the information security obligation for the purposes of accreditation. But practically how does an ADR applicant prepare for the assurance audit?
Boundaries of the CDR data environment scope
CDR data also includes data derived from ‘raw’ CDR data. I describe CDR data as being toxic, contaminating any derived data or connected systems with the CDR Rules.
The CDR data environment is identified by listing the people, processes, technology and infrastructure that manage, secure, store or otherwise interact with CDR data. The CDR Rules therefore apply to all system components included in or connected to the CDR data environment, including system components that are indirectly connected, that impact its configuration or security, or that provide security services to it.
Typically I find that ADR applicants design and implement a new system architecture for their CDR data environment, to ensure that CDR data is appropriately segregated and segmented from the rest of the enterprise infrastructure, thus minimising the scope of compliance obligations. This is similar to the approach usually taken for an organisation to comply with PCI DSS, and the Guidance for PCI DSS Scoping and Network Segmentation is a useful reference for the boundaries of the CDR data environment given no practical guidance has been provided for the scope of the CDR data environment.
If CDR data has not been de-identified per The De-Identification Decision-Making Framework published by the Office of the Information Commissioner and Data61, per CDR Rules Privacy Safeguard 12, Schedule 2 information security controls apply. This means that tokenisation or using any identifier (even if that identifier is a 'business identifier' with no personally identifiable information (PII)) does not reduce the scope of information security compliance, as it still allows the data to be re-identified by someone with the token/identifier key.
The CDR data environment includes outsourced service providers (OSPs) to which the ADR has disclosed CDR data. If the data has not been de-identified per The De-Identification Decision-Making Framework, the OSP must comply with, and demonstrate compliance with, the Schedule 2 information security controls. This is a carve-in audit approach that will increase the audit costs for the ADR applicant if the OSP is not itself accredited. Any other organisations that provide services to the CDR data environment, but are not disclosed CDR data, are third-party providers.
To prepare for the audit, the ADR applicant should document their Network Architecture Diagram, System Architecture Diagram, Data Flow Diagram and a description of people, processes, technology and infrastructure in the CDR data environment.
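As an added illustration (not part of the original article, and not RSM's method), the following Python script applies the scoping rules described above to a small architecture model: CDR data propagates along every data flow unless that step is a genuine de-identification (a reversible tokenisation step is deliberately ignored), systems connected to a CDR-data system are in scope, systems providing security services to an in-scope system are in scope, and OSPs holding CDR data are flagged for the carve-in audit. All system names, the edge kinds and the one-hop "connected-to" treatment (borrowed from the PCI DSS scoping guidance referenced above) are assumptions for the example.

```python
# Added illustration (not from the article): derive the CDR data environment scope
# from a modelled architecture. System names, attributes and edge kinds are assumptions.
from collections import deque

# Constructed sample inventory (hypothetical system names).
SYSTEMS = {
    "cdr_api":             {"holds_cdr_data": True},  # receives raw CDR data from data holders
    "analytics_db":        {},                         # derived data lands here via a flow
    "tokenised_store":     {},                         # tokenised, but tokens are reversible
    "reporting_warehouse": {},                         # receives a de-identified extract only
    "osp_payroll":         {"osp": True},              # outsourced provider receiving CDR data
    "jump_host":           {},                         # admin access into the CDR segment
    "siem":                {},                         # provides security services to the CDE
    "hr_system":           {},                         # connected to the jump host only
    "marketing_crm":       {},                         # fully segmented
}

# Constructed sample edges. kind: "flow" (data moves src->dst), "connected"
# (network reachability), "secures" (src provides a security service to dst).
EDGES = [
    {"kind": "flow", "src": "cdr_api", "dst": "analytics_db"},
    {"kind": "flow", "src": "analytics_db", "dst": "tokenised_store", "tokenised": True},
    {"kind": "flow", "src": "analytics_db", "dst": "reporting_warehouse", "deidentified": True},
    {"kind": "flow", "src": "cdr_api", "dst": "osp_payroll"},
    {"kind": "connected", "src": "jump_host", "dst": "analytics_db"},
    {"kind": "connected", "src": "hr_system", "dst": "jump_host"},
    {"kind": "secures", "src": "siem", "dst": "cdr_api"},
]


def derive_scope(systems, edges):
    """Classify systems as holding CDR data, in scope, or out of scope.

    Rules modelled (an interpretation of the article, not the CDR Rules text):
    1. CDR data propagates along every 'flow' edge unless that step is marked
       deidentified=True.  A 'tokenised' flag is ignored on purpose: a reversible
       token is not de-identification, so the destination still holds CDR data.
    2. Any system with a 'connected' edge to a CDR-data system is in scope
       (one hop, as in PCI DSS 'connected-to' scoping).
    3. Any system that 'secures' an in-scope system is in scope.
    """
    holds_cdr = {name for name, attrs in systems.items() if attrs.get("holds_cdr_data")}
    queue = deque(holds_cdr)
    while queue:
        src = queue.popleft()
        for edge in edges:
            if edge["kind"] != "flow" or edge["src"] != src or edge.get("deidentified"):
                continue
            if edge["dst"] not in holds_cdr:
                holds_cdr.add(edge["dst"])
                queue.append(edge["dst"])

    in_scope = set(holds_cdr)
    for edge in edges:
        if edge["kind"] == "connected" and (edge["src"] in holds_cdr or edge["dst"] in holds_cdr):
            in_scope.update((edge["src"], edge["dst"]))
    for edge in edges:
        if edge["kind"] == "secures" and edge["dst"] in in_scope:
            in_scope.add(edge["src"])

    # OSPs holding non-de-identified CDR data must be carved in to the audit.
    osp_carve_in = {name for name in holds_cdr if systems.get(name, {}).get("osp")}
    return {
        "cdr_data": holds_cdr,
        "in_scope": in_scope,
        "out_of_scope": set(systems) - in_scope,
        "osp_carve_in": osp_carve_in,
    }


if __name__ == "__main__":
    for label, names in derive_scope(SYSTEMS, EDGES).items():
        print(f"{label:13s}: {', '.join(sorted(names))}")
```

Running the script against the sample model shows the tokenised store and the OSP staying inside the CDR data set while only the warehouse receiving the de-identified extract, the HR system two hops away, and the segmented CRM fall out of scope; the same model can be driven from the Network Architecture, System Architecture and Data Flow diagrams the applicant prepares for the audit.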
What security controls are needed?
In my experience, ADR applicants focus on Schedule 2 Part 2 but forget about Schedule 2 Part 1 controls which, whilst not difficult, can be time-consuming to implement. The security requirements are a combination of PCI DSS, CPS 234, ISO 27001, the Australian Government Essential Eight and Data Privacy. The more difficult CDR requirements relate to application whitelisting, system (end-user and server) hardening and data loss prevention, where compensating controls may be required.
What information security assurance frameworks can be used?
Given CDR will likely require a new system architecture to be built, the scope of any existing assurance reports may not cover the new CDR data environment. The scope needs to be discussed and agreed prior to being used in the accreditation.
ISO 27001 certification is not sufficient by itself to meet the information security accreditation. ISO 27001 is an information security framework, whereas the CDR Schedule 2 controls are based on both information security and data privacy/protection controls, so there are a number of Schedule 2 controls not covered by the ISO 27001 certification. These controls need to be covered by an additional assurance report (ASAE or SOC) to support the ISO 27001 certification. To leverage an existing ISO 27001 certification the organisation also needs to have an additional internal audit report that has been performed by an ISO 27001 Lead Auditor covering all the ISO 27001 controls. Even if ISO 27001 certified, where the organisation does not already have an annual internal audit by an ISO 27001 Lead Auditor, a standalone ASAE 3150 is likely the most cost-effective way to obtain a CDR information security assurance report for accreditation. It is likely that leveraging the ISO 27001 certification will be more cost-effective for the ongoing assurance reports required every two years from accreditation.
If the organisation has an existing SOC 2 (or ASAE 3402) report, the control activities in the report will need to be mapped to the specific CDR requirements to identify where controls need to be covered by an additional assurance report. In our experience, a typical SOC 2 report will only cover 4 of the 5 requirements in Schedule 2 Part 1, and 15 (60%) of the requirements in Schedule 2 Part 2. If OSPs are used, the SOC 2 will not cover these. Any gaps need to be covered by an additional limited-scope ASAE 3150 report (i.e. you need to get audited again).
If a SOC 2 report is being obtained for the first time, this will be more expensive and take longer to complete than a standalone ASAE 3150, but there are additional benefits in then having the SOC 2 report for other purposes. The cost benefit and time required need to be carefully considered. You will need to obtain a SOC 2+CDR assurance report to ensure the differences between the Trust Services Criteria and the CDR Rules are addressed. Australian audit firms can prepare SOC 2 reports; you don't need to use a US audit firm.
Audit approach
To become an ADR, an organisation needs to demonstrate that it has effectively designed security controls and implemented those controls as designed. The design of the controls is primarily assessed by auditing the organisation's documented policies and procedures for compliance with the CDR Rules. The implementation of the controls is primarily assessed by auditing the organisation's systems.
I refer to the assurance report as a transparency report, providing visibility on control effectiveness. Our experience shows it is very hard to get an unqualified report due to the specific wording of some of the CDR control requirements, but a qualified report does not necessarily prevent the organisation from becoming accredited, provided it can demonstrate compensating controls. The following table outlines the key phases that would be performed as part of the assurance process:
What are the ongoing assurance requirements?
Once accredited, the ADR organisation (both non-ADIs and ADIs) will need to provide:
- An attestation statement of compliance to the ACCC at the end of the first year of being accredited and every other year thereafter (i.e., end of 1st year, 3rd year, 5th year, and so on).
- A “Type 2” assurance report covering (a) the 12-month period from the date of submission of the first attestation and (b) every two-year period thereafter (i.e., 2nd year, 4th year, 6th year, and so on), where the period covered is a minimum of 12 months within the relevant two-year period.
A “Type 2” reasonable assurance report involves a sample being tested over the 12-month period to demonstrate that the ADR has effectively designed security controls, implemented those controls as designed, and that those controls have been operating effectively since accreditation.
The Type 2 assurance report is significantly more onerous than the Type 1 report. Any organisation becoming an ADR needs to understand the ongoing costs to maintain accreditation.
Is there more to CDR assurance than just compliance?
Many of the CDR control requirements encompass a scope beyond the CDR data environment, with 15 of the Part 2 controls having an enterprise-wide reach. This is on top of the Part 1 controls which are already, by their nature, enterprise-level controls.
For organisations applying for accreditation, compliance with the CDR information security requirements also provides substantial visibility into the strength of the enterprise information security program. This also enables organisations to better quantify the value that can be obtained on top of CDR compliance and the implementation of controls that align to other information security frameworks like ISO 27001 and CPS 234.
Taking the CDR Rules’ ongoing information security reporting obligations into consideration, this focus on value makes a stronger case for integrating information security and assurance programs throughout the organisation.
Darren Booth is a Partner at RSM Australia, and the National Head of Cyber Security & Privacy. Darren was the lead assurance practitioner for the ASAE 3150 assurance reports for Frollo, Intuit and Adatree's ADR accreditation. RSM Australia is a leading provider of audit, tax and consulting services. RSM assists ADR applicants with:
- ADR application advisory support
- Security control assessment program or ISO 27001 Lead Auditor internal audit
- CREST accredited Penetration Testing
- Security by Design / Gap Assessment
- Defining CDR data environment boundaries
- Pre-Audit / Readiness Assessment
- Security Assurance Report Audit (ASAE 3150/3402 or SOC 1/2).