💼 39 An APRA-regulated entity would typically ensure that existing and emerging information security vulnerabilities and threats pertaining to critical and sensitive information assets are identified, assessed and remediated in a timely manner. This includes information assets which are not critical or sensitive but could expose those information assets that are critical or sensitive.

Contextual name: 💼 39 An APRA-regulated entity would typically ensure that existing and emerging information security vulnerabilities and threats pertaining to critical and sensitive information assets are identified, assessed and remediated in a timely manner. This includes information assets which are not critical or sensitive but could expose those information assets that are critical or sensitive.
ID: /frameworks/apra-cpg-234/14/39
Located in: 💼 14 Implementation of controls - Vulnerabilities and threats are identified, assessed and remediated

Description

Empty...

Section	Internal Rules	Policies
💼 39a implement mechanisms that access and analyse timely threat intelligence regarding vulnerabilities, threats, methods of attack and countermeasures;	10	10
💼 39b engage with stakeholders (including Government, industry participants and customers) regarding threats and countermeasures, as appropriate
💼 39c develop tactical and strategic remediation activities for the control environment (prevention, detection and response) commensurate with the threat;
💼 39d implement mechanisms to disrupt the various phases of an attack. Example phases include reconnaissance, vulnerability exploitation, malware installation, privilege escalation, and unauthorised access	10	10