Skip to content.

Home

Allens Arthur Robinson

Focus: APRA releases guide on the management of IT security

3 February 2010

In brief: The Australian Prudential Regulation Authority has published a prudential practice guide, Management of security risk in information and information technology, to assist APRA-regulated institutions manage security risk for their information and information technology. Partner Michael Pattison (view CV) and Lawyer Oliver Evans report.

How does it affect you?

  • The guide focuses on areas that APRA has identified as being subject to IT security risk management weaknesses. Senior management, risk management and IT security specialists (management and operational) in regulated institutions should use the guide to determine if their institution deals adequately with these issues.
  • Many of the risks and measures referred to in the guide are also relevant to non-APRA-regulated companies and the guide could be useful for relevant staff at those companies.
  • The guide should be considered when preparing contracts for the supply of IT services. In particular, APRA's view is that disaster recovery contracts involving a shared access site should normally guarantee the regulated institution access to a defined minimum set of assets in the event that the same disaster affects a number of the users of that site.
  • The guide contains specific technical schedules relating to change management, resilience and recovery, service provider management, secure software development, consumer protection and cryptographic techniques. IT specialists in APRA-regulated organisations need to be at least aware of APRA's views on these technical issues.

APRA's guidelines for IT security risk management

APRA has published the guide to assist regulated institutions manage security risk in their information and information technology (comprising software, hardware and data) (collectively, IT).

The guide does not purport to be an all-encompassing framework for IT security risk management, but aims to provide guidance on areas where APRA's ongoing supervisory activities have continued to identify IT security risk management weaknesses. Importantly, to the extent that the guide touches on matters contained in APRA's prudential standards, it is intended to provide guidance where those standards relate to IT security risk management. The guide does not seek to replace or endorse existing industry standards and guidelines. Subject to APRA's prudential standards, regulated institutions can manage IT security risks in the way most suited to achieving their business objectives.

Return to top

What is IT security risk?

The guide defines 'IT assets' as anything deemed to be of value (either financial or otherwise) by an organisation and pertaining to IT. It then describes 'IT security risk' as the risk of loss due to inadequate or failed internal processes, people and systems or from external events, resulting in a compromise of an IT asset's confidentiality (meaning only authorised access is permitted), integrity (meaning completeness, accuracy and freedom from unauthorised change) or availability (meaning accessibility and usability when required). Additional security considerations include attributes such as accountability, authenticity and non-repudiation.

Return to top

Key areas considered by the guide

An overarching framework

Regulated institutions should address IT security risks when implementing an IT security risk management framework (the framework). The framework should be:

  • embodied by a hierarchy of policies (specific examples of which are provided in the guide), standards, guidelines and procedures that are formally approved and regularly reviewed by the regulated institution;
  • aligned to other institution frameworks, such as project management, outsourcing management and risk management;
  • based on a sound foundation of high-level IT security principles (specific examples of which are provided in the guide); and
  • continually and systematically updated to remain effective against any emerging IT security vulnerabilities that are identified.

The framework should also contain processes to ensure that it, and all regulatory and prudential requirements, are complied with.

User awareness

Regulated institutions should provide training and an IT security awareness program to their staff, and ensure that their staff understand relevant IT security policies. The guide contains a list of areas that would normally be covered in such a program (eg personal vs corporate use of IT assets).

Access control and data leakage

Regulated institutions should only authorise access to IT assets where a valid business need exists, and only for as long as such access is required. Access should not be granted until the identity and authenticity of who or what is requiring access is determined. The guide considers a number of ways in which identification and authentication can occur, as well as additional access control techniques. The processes implemented should be commensurate with the level of risk involved.

The guide also sets out common controls to prevent unauthorised data/information removal, copying, distribution, capturing or other types of disclosure, which must also be addressed by a regulated institution as part of its IT security risk management procedures.

IT asset life-cycle management controls

IT security needs to be considered at all stages of an IT asset's life-cycle. Life-cycle stages for IT assets include:

  • planning and design;
  • acquisition and implementation;
  • support and maintenance; and
  • decommissioning and disposal.

For each life-cycle stage different IT security requirements are required, which are considered in the Guide.

Monitoring and incident management

Regulated institutions should have monitoring processes in place to identify events and unusual patterns of behaviour that could impact on the security of their IT assets. The guide contains a list of common monitoring processes, which vary depending on the criticality and sensitivity of the IT asset. Monitoring processes should be coupled with an incident management process to manage all stages of an incident that could impact on services. Such a process should include clear accountability and communication strategies to limit the impact of any IT security incident. Any incident management process should assist a regulated institution to comply with its regulatory requirements, and require the institution to notify APRA after experiencing a major incident.

IT security reporting and metrics

Regulated institutions should develop a formalised IT security reporting framework overseeing various aspects of the framework. This should incorporate clearly defined reporting and escalation thresholds and reflect the various audiences responsible for either acting on or reviewing the reports. The reports would give consideration to both risk and control dimensions.

The success of the framework should be gauged by measuring each dimension of it against at least one metric to enable the monitoring of progress towards set targets and the identification of trends.

IT security assurance

APRA expects that a regulated institution would seek regular assurance, through a formal program of work, that its IT assets are appropriately secured and that its framework is effective. The guide sets out the ideal frequency with which such assurances should be obtained, and in APRA's view annual testing (as a minimum) would be normal for IT assets exposed to 'un-trusted' environments.

Although such assurance work has traditionally been conducted by way of internal audit, the guide indicates that, given the nature of this work, other appropriately trained and sufficiently independent (to avoid conflict of interest) IT security experts could be used to complement such work.

For further information, please contact:

Return to top

Tweet or bookmark with
Tweet this article

What are these?

 

Recent Communications, Media & Technology publications