8a Roles and responsibilities: clearly outline for management how the Board expects to be engaged, including delegation of responsibilities, escalation of risks, issues and reporting requirements (including schedule, format, scope and content). Refer to Attachment H for common examples of the types of information that the Board might find useful to effectively fulfil its role and discharge its responsibilities.
8b Information security capability: consider the sufficiency of the regulated entity's information security capability in relation to vulnerabilities and threats; ensure sufficiency of investment to support the information security capability; and review progress with respect to execution of the information security strategy.
8c Policy framework: consider whether information security policies reflect Board expectations.
8d Implementation of controls: regularly seek assurance from and, as appropriate, challenge management on reporting regarding the effectiveness of the information security control environment and the overall health of the entity's information assets.
8e Testing control effectiveness: regularly seek assurance from and, as appropriate, challenge management on the sufficiency of testing coverage across the control environment; form a view as to the effectiveness of the information security controls based on the results of the testing conducted.
8f Internal audit: consider the sufficiency of internal audit's coverage, skills, capacity and capabilities with respect to the provision of independent assurance that information security is maintained; form a view as to the effectiveness of information security controls based on audit conclusions; and consider where further assurance, including through expert opinion or other means, is warranted.