ABOUT OUR GUIDES

All you need to know to become an ADR

AssuranceLab’s CDR guides summarise the security and compliance activities required to become an Accredited Data Recipient.

As specialists in cloud services and cybersecurity, our team at AssuranceLab knows the ins and outs of modern products and approaches to satisfy compliance without overburdening your business.

CDR SECURITY WHITEPAPER

A checklist of requirements for your environment

The Consumer Data Right requires information security controls to be implemented at four levels: organisational, infrastructure, software, and endpoint devices. Our white papers provide a checklist to address each layer as it relates to your cloud environment. Get in touch if you want to explore our solution partners that offer out-of-the-box, compliant environments.

Google CDR Security White Paper

AWS CDR Security White Paper

PART 01

Governance requirements

There are five steps to implement the governance requirements of the
CDR Schedule 2, Part 1. The three stages to audits and assurance
reporting outline the stages of working to accreditation.

Three stages to audits and assurance reporting

There are three steps for working towards the assurance report for accreditation.

Step 1: CDR security governance

Define and implement a formal governance framework for managing information security risks.

Step 2: Boundaries of CDR data environment

Define and document the boundaries of your CDR data environment and underlying system components.

Step 3: Information security capability

Maintain an information security capability that complies with Schedule 2 Part 2 requirements below.

Step 4: Controls assessment program

Implement a testing program to assess the effectiveness of the information security capability.

Step 5: Manage and report security incidents

Establish procedures and practices to detect, record, and respond to security incidents.

PART 02.1

Access control

An accredited data recipient must have processes in place to limit the
risk of inappropriate or unauthorised access to its CDR data environment.

Access control

The Access Control Policy covers several specific requirements of the CDR for accreditation.

Joiners and leavers

Joiners and leavers checklists are a simple approach to support your access control practices. 

User access reviews

Periodically reviewing system access ensures your users' access remains appropriate to continuing business needs.

PART 02.2

Network security

An accredited data recipient of CDR data must take steps to secure their
network and systems within the CDR data environment.

Physical security

Ensuring access to the data centres and places of business is restricted to authorised personnel.

Segregation of duties

Separating user access roles and duties to ensure the change control process is followed appropriately.

PART 02.3

Information Asset Lifecycle

Separating user access roles and duties to ensure the change control process
is followed appropriately.

Data loss prevention

Ensuring data remains secure within the boundaries of the system and not inadvertently disclosed.

Data handling policies

Defining the structure and approach to classifying and handling sensitive information.

Backup and disposal

Established practices for backup, retention, and secure disposal of sensitive information.

COMING SOON

PART 02.4

Vulnerability Management

An accredited data recipient must implement a formal vulnerability management
program to identify, track and remediate vulnerabilities within the CDR data
environment in a timely manner.

Vulnerability program

An established program for identifying, assessing, logging, and resolving technical vulnerabilities.

Change control

Defined policies, procedures, and steps to ensure appropriate and high-quality software development.

Change release checklist

A combined checklist of steps and functions to be performed for each software release.

PART 02.5

Anti-malware

An accredited data recipient must take steps to limit, prevent, detect and remove
malware in regard to their CDR data environment.

Anti-malware practices

A combination of security practices and employee behaviours to mitigate the risk of malicious software.

Application whitelisting

Establishing a listing of approved software and restricting the installation on endpoint devices.

COMING SOON

Anti-virus software

Software to identify, block, quarantine, and resolve malicious software from endpoint devices and servers.

PART 02.6

Security Awareness

An accredited data recipient must implement a formal information security
training and awareness program for all personnel interacting with CDR data.

Acceptable use

Terms of use and required security behaviours to protect the security of systems and data.

Security awareness

Training for employees to raise awareness of security and privacy risks, requirements and objectives.

Background checks

Police checks and other background checks conducted on employees prior to hiring.
