| ๐ผ 1 An APRA-regulated entity could benefit from developing a training and information security awareness program. This would typically communicate to personnel (staff, contractors and third parties) regarding information security practices, policies and other expectations as well as providing material to assist the Board and other governing bodies to execute their duties. Sound practice would involve tracking training undertaken and testing the understanding of relevant information security policies, both on commencement and periodically. | | | | |
| ๐ผ 2 An APRA-regulated entity would regularly educate users, including both internal staff and contractors, as to their responsibilities regarding securing information assets. Common areas covered would typically include: | 9 | | | |
| ๐ผ a. personal versus corporate use of information assets; | | | | |
| ๐ผ b. email usage, internet usage (including social networking) and malwareprotection; | | | | |
| ๐ผ c. physical protection, remote computing and usage of mobile devices; | | | | |
| ๐ผ d. awareness of common attack techniques targeted at personnel and facilities (e.g. social engineering, tailgating); | | | | |
| ๐ผ e. access controls, including standards relating to passwords and other authentication requirements; | | | | |
| ๐ผ f. responsibilities with respect to any end-user developed/configured software (including spreadsheets, databases and office automation); | | | | |
| ๐ผ g. expectations of staff where bring-your-own-device is an option; | | | | |
| ๐ผ h. handling of sensitive data; | | | | |
| ๐ผ i. reporting of information security incidents and concerns. | | | | |
| ๐ผ 3 An APRA-regulated entity would typically require users to adhere to appropriate information security policies pertinent to their roles and responsibilities. At a minimum, all users would typically be required to periodically sign-off on these policies as part of the terms and conditions of their employment or contractual agreements. | | | | |