The Australian Prudential Regulation Authority (APRA) has today released for consultation a discussion paper and draft prudential practice guide (PPG) on the management of information technology (IT) security risks by institutions regulated by APRA.
The draft PPG outlines the measures that APRA regards as sound practice in managing security risks associated with IT, and addresses areas where IT security risk management weaknesses continue to be identified as part of APRA’s ongoing supervision activities.
The PPG is not intended to replace existing industry standards and guidelines on IT security. Instead, it provides a set of sound principles for safeguarding IT assets by managing risks and implementing appropriate controls. It is intended for use by senior management, risk management and security specialists (management and operational). These multiple audiences reflect the pervasive nature of IT security management and the need for sound risk management disciplines and solid business understanding to evaluate and manage an institution’s security risk profile.
APRA has consulted with industry and professional associations in preparing the draft PPG and seeks written submissions on the proposed guidance from interested parties by 5 June 2009.
The discussion paper and accompanying draft Prudential Practice Guide PPG 234 Management of IT Security Risk are available on the APRA website.