💼 14 Implementation of controls - Vulnerabilities and threats are identified, assessed and remediated

  • Contextual name: 💼 14 Implementation of controls - Vulnerabilities and threats are identified, assessed and remediated
  • ID: /frameworks/apra-cpg-234/14
  • Located in: 💼 APRA CPG 234

Description

Empty...

Similar

  • Internal
    • ID: dec-b-c7039134

Sub Sections

| Section | Sub Sections | Internal Rules | Policies | Flags |
| --- | --- | --- | --- | --- |
| 💼 39 An APRA-regulated entity would typically ensure that existing and emerging information security vulnerabilities and threats pertaining to critical and sensitive information assets are identified, assessed and remediated in a timely manner. This includes information assets which are not critical or sensitive but could expose those information assets that are critical or sensitive. | 4 | | | |
| 💼 39a implement mechanisms that access and analyse timely threat intelligence regarding vulnerabilities, threats, methods of attack and countermeasures; | | 10 | 10 | |
| 💼 39b engage with stakeholders (including Government, industry participants and customers) regarding threats and countermeasures, as appropriate | | | | |
| 💼 39c develop tactical and strategic remediation activities for the control environment (prevention, detection and response) commensurate with the threat; | | | | |
| 💼 39d implement mechanisms to disrupt the various phases of an attack. Example phases include reconnaissance, vulnerability exploitation, malware installation, privilege escalation, and unauthorised access | | 10 | 10 | |