The Australian Prudential Regulation Authority (APRA) has today published a prudential practice guide (PPG) on the management of security risk in information and information technology (IT) by institutions supervised by APRA.
A draft PPG and discussion paper on this topic were released for public consultation on 8 May 2009 as Prudential Practice Guide PPG 234 Management of IT Security Risk. Response to the consultation package was positive and no material issues were raised.
The final PPG aims to target areas where APRA’s ongoing supervisory activities continue to identify weaknesses. Topics addressed include the importance of an overarching framework, systematic IT asset life-cycle management, effective monitoring processes and robust IT security reporting and assurance mechanisms.
The PPG is designed to provide guidance to senior management, risk management and IT security specialists (management and operational). It does not seek to provide an all-encompassing framework nor to replace or endorse existing industry standards and guidelines.