
💼 11 Information asset identification and classification - Classification of all information assets by criticality and sensitivity

  • Contextual name: 💼 11 Information asset identification and classification - Classification of all information assets by criticality and sensitivity
  • ID: /frameworks/apra-cpg-234/11
  • Located in: 💼 APRA CPG 234

Description

Empty...

Similar

  • Internal
    • ID: dec-b-06033c90

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 26 A thorough understanding of an APRA-regulated entity’s information assets and the impact of a security compromise of those assets is important to maintain effective information security.
💼 27 Under CPS 234, all information assets must be classified by criticality[2] and sensitivity[3]. This includes infrastructure, ancillary systems such as environmental control systems and physical access control systems as well as information assets managed by third parties and related parties. Furthermore, APRA-regulated entities could benefit from considering the interrelationships between information assets, including identifying information assets which are not intrinsically critical or sensitive but could be used to compromise information assets which are critical or sensitive.
💼 28 In order to maintain the classification of its information assets, an APRA-regulated entity would benefit from implementing a process which identifies where the classification of information assets requires change as well as allowing for the classification of new information assets. This would normally be undertaken at least annually, or when there is a material change to the regulated entity’s information assets or business environment.