21 An APRA-regulated entity's information security policy framework is commonly structured as a hierarchy, with higher level policies supported by underlying standards, guidelines and procedures. A policy framework would normally be informed by a set of information security principles that guide decision-making with regard to information security (refer to Attachment A for common information security principles).

    a) identification, authorisation and granting of access to information assets (refer to Attachment C for further guidance);

    b) life-cycle management that addresses the various stages of an information asset's life to ensure that information security requirements are considered at each stage, from planning and acquisition through to decommissioning and destruction;

    c) management of information security technology solutions that include firewall, anti-malicious software, intrusion detection/prevention, cryptographic systems and monitoring/log analysis tools;

    d) definition of an overarching information security architecture that outlines the approach for designing the IT environment (encompassing all information assets) from a security perspective (e.g. network zones/segments, end point controls, gateway design, authentication, identity management, interface controls, software engineering and location of information security technology solutions and controls);

    e) monitoring and incident management to address the identification and classification of incidents, reporting and escalation guidelines, preservation of evidence and the investigation process;

    f) expectations with respect to the maintenance of information security when using third parties and related parties;

    g) acceptable usage of information assets that defines the information security responsibilities of end-users including staff, third parties, related parties and customers (refer to Attachment B and Attachment F for further guidance);

    h) recruitment and vetting of staff and contractors;

    i) information security roles and responsibilities;

    j) physical and environmental controls;

    k) mechanisms to assess compliance with, and the ongoing effectiveness of, the information security policy framework.

22 An APRA-regulated entity's information security policy framework would typically be consistent with other entity frameworks such as risk management, service provider management and project management.