21. An APRA-regulated entity's information security policy framework is commonly structured as a hierarchy, with higher-level policies supported by underlying standards, guidelines and procedures. A policy framework would normally be informed by a set of information security principles that guide decision-making with regard to information security (refer to Attachment A for common information security principles). Areas that such a framework would typically cover include:

21a. identification, authorisation and granting of access to information assets (refer to Attachment C for further guidance);

21b. life-cycle management that addresses the various stages of an information asset's life to ensure that information security requirements are considered at each stage, from planning and acquisition through to decommissioning and destruction;

21c. management of information security technology solutions, including firewalls, anti-malicious software, intrusion detection/prevention, cryptographic systems and monitoring/log analysis tools;

21d. definition of an overarching information security architecture that outlines the approach for designing the IT environment (encompassing all information assets) from a security perspective (e.g. network zones/segments, endpoint controls, gateway design, authentication, identity management, interface controls, software engineering and the location of information security technology solutions and controls);

21e. monitoring and incident management to address the identification and classification of incidents, reporting and escalation guidelines, preservation of evidence and the investigation process;

21f. expectations with respect to the maintenance of information security when using third parties and related parties;

21g. acceptable usage of information assets, defining the information security responsibilities of end-users including staff, third parties, related parties and customers (refer to Attachment B and Attachment F for further guidance);

21h. recruitment and vetting of staff and contractors;

21i. information security roles and responsibilities;

21j. physical and environmental controls;

21k. mechanisms to assess compliance with, and the ongoing effectiveness of, the information security policy framework.

22. An APRA-regulated entity's information security policy framework would typically be consistent with other entity frameworks such as risk management, service provider management and project management.