The Australian Prudential Regulation Authority (APRA) has moved to address issues around information and IT risk in the institutions it supervises with the release of a new prudential practice guide.
According to APRA, <i>Management of security risk in information and information technology</i> targets weaknesses identified by the financial regulator as part of its ongoing supervisory activities.
These areas of weakness include user awareness, access control, IT asset lifecycle management controls, monitoring and incident management, IT security reporting and metrics, and IT security assurance.
The guide also provides recommendations around change management, resilience and recovery, service provider management, secure software development, customer protection and cryptographic techniques.
Detailing the need for the guide, APRA said that in its view, IT security risk was intimately tied to business risk, and that any IT security risk would ultimately result in a business risk exposure.
“As with any process, governance is vital to ensure that risk management processes are properly designed and operating effectively to meet the needs of the institution,” the guide reads.
“In APRA’s view, effective governance of IT security risk management would be aligned to the broader IT and corporate governance frameworks and involve the clear articulation of Board and senior management responsibilities and expectations, formally delegated powers of authority, and regular oversight.”