💼 15 In discharging its responsibility for information security, an APRA-regulated entity would typically assess the sufficiency of its information security capability. This could include reviewing the adequacy of resourcing, including funding and staffing, timely access to necessary skill sets and the comprehensiveness of the control environment — preventative, detective and responsive.