| ๐ผ 1 APRA envisages that an APRA-regulated entity would adopt a set of high-level information security principles in order to establish a sound foundation for the entityโs information security policy framework. Common information security principles include: | 10 | | | |
| ย ย ย ย ๐ผ a. implement multiple layers and types of controls such that if one control fails, other controls limit the impact of an information security compromise. This is typically referred to as the principle of โdefence in depthโ; | | | | |
| ย ย ย ย ๐ผ b. access to, and configuration of, information assets is restricted to the minimum required to achieve business objectives. This is typically referred to as the principle of โleast privilegeโ and aims to reduce the number of attack vectors that can be used to compromise information security; | | 3 | 3 | |
| ย ย ย ย ๐ผ c. Timely detection of information security incidents. This minimises the impact of an information security compromise; | | | | |
| ย ย ย ย ๐ผ d. information security is incorporated into the design of the information system asset. This is typically referred to as secure by design; | | | | |
| ย ย ย ย ๐ผ e. use of, and access to, information assets is attributable to an individual, hardware or software, and activity logged and monitored; | | 2 | 2 | |
| ย ย ย ย ๐ผ f. error handling is designed such that errors do not allow unauthorised access to information assets or other information security compromises; | | | | |
| ย ย ย ย ๐ผ g. assume information assets have an unknown and possibly reduced level of information security control. This is typically referred to as the principle of โnever trust, always identifyโ; | | | | |
| ย ย ย ย ๐ผ h. segregation of duties is enforced through appropriate allocation of roles and responsibilities. This reduces the potential for the actions of a single individual to compromise information security; | | 3 | 3 | |
| ย ย ย ย ๐ผ i. design controls that enforce compliance with the information security policy framework, thereby reducing reliance on individuals; | | | | |
| ย ย ย ย ๐ผ j. design detection and response controls based on the assumption that preventive controls have failed. This is typically referred as the principle of โassumed breachโ. | | | | |