15 In discharging its responsibility for information security, an APRA-regulated entity would typically assess the sufficiency of its information security capability. This could include reviewing the adequacy of resourcing, including funding and staffing, timely access to necessary skill sets and the comprehensiveness of the control environment – preventative, detective and responsive. | | | | |
16 The current threat landscape has necessitated information security capabilities that extend beyond information technology general controls to more specialised information security capabilities. | 9 | | | |
    16a vulnerability and threat management; | | 11 | 11 | |
    16b situational awareness and intelligence; | | 6 | 7 | |
    16c information security operations and administration; | | 2 | 2 | |
    16d secure design, architecture and consultation; | | 1 | 1 | |
    16e security testing, including penetration testing; | | 10 | 10 | |
    16f information security reporting and analytics; | | 9 | 11 | |
    16g incident detection and response, including recovery, notification and communication; | | 2 | 2 | |
    16h information security investigation, including preservation of evidence and forensic analysis; | | | | |
    16i information security assurance. | | | | |