Core Requirements
Governance, asset management, controls, incidents, testing, and audit.
Roles and Responsibilities
The Board is ultimately responsible for ensuring the entity maintains its information security. The entity must clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies, and individuals.
Information Security Capability
An APRA-regulated entity must maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.
Policy Framework
Maintain an information security policy framework providing direction on responsibilities of all parties who have an obligation to maintain information security.
Information Asset Identification & Classification
Classify information assets, including those managed by related parties and third parties, by criticality and sensitivity.
Implementation of Controls
Implement, in a timely manner, controls to protect information assets (including those managed by related parties and third parties) commensurate with the vulnerabilities and threats to those assets, their criticality and sensitivity, their stage in the life-cycle, and the potential consequences of an information security incident.
Third-Party Information Assets
Where information assets are managed by a related party or third party, evaluate the design of that party's information security controls that protect the information assets of the entity.
Incident Management
Have robust mechanisms in place to detect and respond to information security incidents in a timely manner.
Testing Control Effectiveness
Test the effectiveness of controls through a systematic testing program. The nature and frequency of testing must be commensurate with the rate at which vulnerabilities and threats change, the criticality and sensitivity of the information asset, the consequences of an information security incident, the risks of exposure to environments where the entity cannot enforce its information security policies, and the materiality and frequency of change to information assets.
Internal Audit
Internal audit activities must include a review of the design and operating effectiveness of information security controls, including those maintained by related/third parties.
APRA Notification
Notify APRA as soon as possible and, in any case, no later than 72 hours after becoming aware of an information security incident that materially affected, or had the potential to materially affect (financially or non-financially), the entity or the interests of depositors, policyholders, beneficiaries, or other customers, or that has been notified to other regulators in Australia or elsewhere. The clock starts at awareness of the incident, not at its occurrence or at the close of investigation.
Material Weakness Notification
Notify APRA as soon as possible and, in any case, no later than 10 business days after becoming aware of a material information security control weakness which the entity expects it will not be able to remediate in a timely manner.