56 An APRA-regulated entity would typically deploy appropriate information security technology solutions which maintain the security of information assets. Examples include firewalls, network access control, intrusion detection/prevention devices, anti-malware, encryption and monitoring/log analysis tools. The degree of reliance placed on technology solutions for information security could necessitate a heightened set of lifecycle controls, including but not limited to:
    56a guidelines outlining when information security-specific technology solutions should be used;
    56b standards documenting the detailed objectives and requirements of individual information security-specific technology solutions;
    56c authorisation of individuals who can make changes to information security-specific technology solutions. This would typically take into account segregation of duties issues;
    56d regular assessment of the information security-specific technology solutions configuration, assessing both continued effectiveness as well as identification of any unauthorised access or modification;
    56e periodic review of industry practice and benchmarking against peers;
    56f detection techniques deployed which provide an alert if information security-specific technology solutions are not working as designed.