60 New technologies potentially introduce a set of additional information security vulnerabilities, both known and unknown. An APRA-regulated entity would typically apply appropriate caution when considering the introduction of new technologies.
61 Typically, an APRA-regulated entity would only authorise the use of new technologies in a production environment where the technology:
61a has matured to a state where there is a generally agreed set of industry-accepted controls to manage the security of the technology;
61b compensating controls are sufficient to reduce residual risk within the entity's risk appetite.
62 An APRA-regulated entity could find it useful to develop a technology authorisation process and maintain an "approved technology register" to facilitate this. The authorisation process would typically assess the benefits of the new technology against the impact of an information security compromise, including an allowance for uncertainty.