💼 1 Considerations for the Board

  • Contextual name: 💼 1 Considerations for the Board
  • ID: /frameworks/apra-cpg-234/01
  • Located in: 💼 APRA CPG 234

Description

Empty...

Similar

  • Internal
    • ID: dec-b-2ae8453d

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 7 This section sets out key information a Board could consider in relation to its responsibilities under CPS 234. The remainder of the PPG elaborates on this information, and contains additional detail on information security aimed at a broader audience. A Board member may find it beneficial to acquaint themselves with this additional detail as necessary.
💼 8 Under CPS 234, the Board of an APRA-regulated entity is ultimately responsible for the information security of the entity. In order for a Board to be able to more effectively discharge its responsibilities (including oversight, seeking assurance and, as appropriate, challenging management), it could consider the following: [6]
    💼 8a roles and responsibilities – clearly outline for management how the Board expects to be engaged, including delegation of responsibilities, escalation of risks, issues and reporting requirements (including schedule, format, scope and content). Refer to Attachment H for common examples of the types of information that the Board might find useful to effectively fulfil its role and discharge its responsibilities.
    💼 8b information security capability – consider the sufficiency of the regulated entity's information security capability in relation to vulnerabilities and threats; ensure sufficiency of investment to support the information security capability; and review progress with respect to execution of the information security strategy.
    💼 8c policy framework – whether information security policies reflect Board expectations.
    💼 8d implementation of controls – regularly seek assurance from and, as appropriate, challenge management on reporting regarding the effectiveness of the information security control environment and the overall health of the entity's information assets.
    💼 8e testing control effectiveness – regularly seek assurance from and, as appropriate, challenge management on the sufficiency of testing coverage across the control environment; form a view as to the effectiveness of the information security controls based on the results of the testing conducted.
    💼 8f internal audit – consider the sufficiency of internal audit's coverage, skills, capacity and capabilities with respect to the provision of independent assurance that information security is maintained; form a view as to the effectiveness of information security controls based on audit conclusions; and consider where further assurance, including through expert opinion or other means, is warranted.
💼 9 In considering the above, the Board would normally take into account the use of third parties and related parties (including group functions) by the APRA-regulated entity.