78 In order to systematically test information security controls, an APRA-regulated entity would normally outline the population of information security controls across the regulated entity, including any group of which it is a part, and maintain a program of testing which validates the design and operating effectiveness of controls over time. Additional testing could be triggered by changes to vulnerabilities/threats, information assets or the threat landscape.

79 In APRA's view, the frequency and scope of testing would ensure that a sufficient set of information security controls are tested, at least annually, in order to validate that information security controls remain effective. Furthermore, controls protecting information assets exposed to 'untrusted' environments⁷ would typically be tested throughout the year.

80 The nature of testing would be a function of the type of control, and would typically consider a variety of testing approaches informed by contemporary industry practices (refer to Attachment G for further guidance).

81 It is important that success criteria for tests are clearly defined, including the circumstances under which re-testing would be required. Test results would be reported to the appropriate governing body or individual, with associated follow-up actions formally tracked and reported.