66. Under CPS 234, an APRA-regulated entity is required to have robust mechanisms in place to detect and respond to actual or potential compromises of information security in a timely manner. The term 'potential' is used to highlight that information security incidents are commonly identified when an event occurs (e.g. unauthorised access notification, customer complaint) requiring further investigation in order to ascertain whether an actual security compromise has occurred.

67. Detection mechanisms typically include scanning, sensing and logging mechanisms which can be used to identify potential information security incidents. Monitoring processes could include the identification of unusual patterns of behaviour and logging that facilitates investigation and preserves forensic evidence. The strength and nature of monitoring controls would typically be commensurate with the impact of an information security incident. Monitoring processes would consider the broad set of events, ranging from the physical hardware layer to higher order business activities such as payments and changes to user access.

    (a) network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;

    (b) scanning for unauthorised hardware, software and changes to configurations;

    (c) sensors that provide an alert when a measure breaches a defined threshold(s) (e.g. device, server and network activity);

    (d) logging and alerting of access to sensitive data or unsuccessful logon attempts to identify potential unauthorised access;

    (e) users with privileged access accounts subject to a greater level of monitoring in light of the heightened risks involved.
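As an added illustration (not part of CPG 234 or any APRA material), the following Python sketch applies items (c), (d) and (e) above to a few constructed log lines: a threshold sensor on unsuccessful logons, an alert on access to sensitive data, and a tighter threshold for privileged accounts. The log format, the user and data classifications, the time window and the thresholds are all assumptions.

```python
"""Illustrative detection rules for CPG 234 para 67(c)-(e). Log format, user
classifications and thresholds are assumptions made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<timestamp> <user> <event> <resource>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice LOGON_FAIL portal
2024-03-01T09:00:05 alice LOGON_FAIL portal
2024-03-01T09:00:09 alice LOGON_FAIL portal
2024-03-01T09:00:12 alice LOGON_FAIL portal
2024-03-01T09:00:15 alice LOGON_FAIL portal
2024-03-01T09:01:00 bob LOGON_OK portal
2024-03-01T09:02:00 bob READ customer_pii_db
2024-03-01T09:03:00 svc_admin LOGON_FAIL bastion
2024-03-01T09:03:10 svc_admin LOGON_FAIL bastion
2024-03-01T09:04:00 carol LOGON_FAIL portal
"""

PRIVILEGED = {"svc_admin"}        # 67(e): accounts under heightened monitoring
SENSITIVE = {"customer_pii_db"}   # 67(d): resources whose access is alerted on
WINDOW = timedelta(minutes=5)     # sliding window for counting failed logons
FAIL_THRESHOLD = {"standard": 5, "privileged": 2}  # 67(c)/(e): assumed thresholds


def parse(line):
    """Split one log line into (timestamp, user, event, resource)."""
    ts, user, event, resource = line.split()
    return datetime.fromisoformat(ts), user, event, resource


def detect(log_text):
    """Return a list of (rule, user, detail) alerts for the supplied log text."""
    alerts = []
    fails = defaultdict(list)  # per-user timestamps of recent failed logons
    for line in log_text.strip().splitlines():
        ts, user, event, resource = parse(line)
        if event == "LOGON_FAIL":
            # keep only failures inside the window, then add this one
            fails[user] = [t for t in fails[user] if ts - t < WINDOW] + [ts]
            tier = "privileged" if user in PRIVILEGED else "standard"
            if len(fails[user]) == FAIL_THRESHOLD[tier]:  # fire when count hits threshold
                alerts.append(("logon_failure_threshold", user,
                               f"{len(fails[user])} failures within {WINDOW}"))
        elif event == "READ" and resource in SENSITIVE:
            alerts.append(("sensitive_data_access", user, resource))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The privileged account trips its alert after two failures while a standard user needs five, which is the practical meaning of item (e) applied to item (c).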
68. Monitoring processes and tools remain in step with the evolving nature of threats and contemporary industry practices.

69. APRA envisages that a regulated entity would establish a clear allocation of responsibilities for monitoring processes, with appropriate tools in place to enable timely detection. Access controls and segregation of duties would typically be used as a means to safeguard the integrity of the monitoring processes.