34 Under CPS 234, an APRA-regulated entity must have information security controls to protect its information assets commensurate with, amongst other things, the stage at which the information assets are within their life-cycle. This includes ensuring that information security controls remain effective at each stage of the life-cycle of the information asset and that there is formal allocation of responsibility and accountability for the information security of an information asset to an information asset owner. Typically, the information asset owner would be an individual located within the business function which is most dependent on the information asset. | | | | |
35 As the first phases of an information asset life-cycle, planning and design controls would typically be in place to ensure that information security is incorporated within the information assets of the APRA-regulated entity. The solutions implemented would typically comply with the information security requirements of an APRA-regulated entity as embodied in its information security policy framework. | | | | |
36 Acquisition and implementation controls would typically be in place to ensure that information security is not compromised by the introduction of new information assets. Ongoing support and maintenance controls would typically be in place to ensure that information assets continue to meet the information security requirements of the APRA-regulated entity. | 13 | | | |
    36a change management – information security is addressed as part of the change management process and the information asset inventory is updated; | | 7 | 8 | |
    36b configuration management – the configuration of information assets minimises vulnerabilities and is defined, assessed, registered, maintained, including when new vulnerabilities and threats are discovered, and applied consistently; | | 1 | 1 | |
    36c deployment and environment management – development, test and production environments are appropriately segregated and enforce segregation of duties; | | 2 | 2 | |
    36d access management controls – only authorised users, software and hardware are able to access information assets (refer to Attachment B for further guidance); | | 13 | 13 | |
    36e hardware and software asset controls – appropriate authorisation to prevent security compromises from unauthorised hardware and software assets; | | 15 | 15 | |
    36f network design – to ensure authorised network traffic flows and to reduce the impact of security compromises; | | 28 | 29 | |
    36g vulnerability management controls – which identify and address information security vulnerabilities in a timely manner; | | 11 | 11 | |
    36h patch management controls – to manage the assessment and application of patches and other updates that address known vulnerabilities in a timely manner; | | 5 | 5 | |
    36i service level management mechanisms – to monitor, manage and align information security with business objectives; | | 2 | 2 | |
    36j monitoring controls – for timely detection of compromises to information security; | | 9 | 11 | |
    36k response controls – to manage information security incidents and feedback mechanisms to address control deficiencies; | | 10 | 10 | |
    36l capacity and performance management controls – to ensure that availability is not compromised by current or projected business volumes; | | | | |
    36m service provider management controls – to ensure that a regulated entity's information security requirements are met. | | | | |
37 Decommissioning and destruction controls are typically used to ensure that information security is not compromised as information assets reach the end of their useful life. Examples include archiving strategies and the secure data deletion (that is, deleting data using techniques to ensure data is irrecoverable) of sensitive information prior to the disposal of information assets. | | | | |
38 An APRA-regulated entity could find it useful to regularly assess the completeness of its information security controls by comparison to peers and contemporary industry practices. | | | | |