Focus: APRA releases guide on the management of IT security
3 February 2010
In brief: The Australian Prudential Regulation Authority has published a prudential practice guide, Management of security risk in information and information technology, to assist APRA-regulated institutions to manage security risk for their information and information technology. Partner Michael Pattison and Lawyer Oliver Evans report.
- APRA's guidelines for IT security risk management
- What is IT security risk?
- Key areas considered by the guide
How does it affect you?
- The guide focuses on areas that APRA has identified as being subject to IT security risk management weaknesses. Senior management, risk management and IT security specialists (management and operational) in regulated institutions should use the guide to determine if their institution deals adequately with these issues.
- Many of the risks and measures referred to in the guide are also relevant to non-APRA-regulated companies and the guide could be useful for relevant staff at those companies.
- The guide should be considered when preparing contracts for the supply of IT services. In particular, APRA's view is that disaster recovery contracts involving a shared access site should normally guarantee the regulated institution access to a defined minimum set of assets in the event that the same disaster affects a number of the users of that site.
- The guide contains specific technical schedules relating to change management, resilience and recovery, service provider management, secure software development, consumer protection and cryptographic techniques. IT specialists in APRA-regulated organisations need to be at least aware of APRA's views on these technical issues.
APRA has published the guide to assist regulated institutions to manage security risk in their information and information technology (comprising software, hardware and data) (collectively, IT).
The guide does not purport to be an all-encompassing framework for IT security risk management, but aims to provide guidance on areas where APRA's ongoing supervisory activities have continued to identify IT security risk management weaknesses. Importantly, to the extent that the guide touches on matters contained in APRA's prudential standards, it is intended to provide guidance where those standards relate to IT security risk management. The guide does not seek to replace or endorse existing industry standards and guidelines. Subject to APRA's prudential standards, regulated institutions can manage IT security risks in the way most suited to achieving their business objectives.
The guide defines 'IT assets' as anything deemed to be of value (either financial or otherwise) by an organisation and pertaining to IT. It then describes 'IT security risk' as the risk of loss due to inadequate or failed internal processes, people and systems or from external events, resulting in a compromise of an IT asset's confidentiality (meaning only authorised access is permitted), integrity (meaning completeness, accuracy and freedom from unauthorised change) or availability (meaning accessibility and usability when required). Additional security considerations include attributes such as accountability, authenticity and non-repudiation.
An overarching framework
Regulated institutions should address IT security risks when implementing an IT security risk management framework (the framework). The framework should be:
- embodied by a hierarchy of policies (specific examples of which are provided in the guide), standards, guidelines and procedures that are formally approved and regularly reviewed by the regulated institution;
- aligned to other institution frameworks, such as project management, outsourcing management and risk management;
- based on a sound foundation of high-level IT security principles (specific examples of which are provided in the guide); and
- continually and systematically updated to remain effective against any emerging IT security vulnerabilities that are identified.
The framework should also contain processes to ensure that it, and all regulatory and prudential requirements, are complied with.
Regulated institutions should provide training and an IT security awareness program to their staff, and ensure that their staff understand relevant IT security policies. The guide contains a list of areas that would normally be covered in such a program (e.g. personal vs corporate use of IT assets).
Access control and data leakage
Regulated institutions should only authorise access to IT assets where a valid business need exists, and only for as long as such access is required. Access should not be granted until the identity and authenticity of whoever or whatever is requesting access have been established. The guide considers a number of ways in which identification and authentication can occur, as well as additional access control techniques. The processes implemented should be commensurate with the level of risk involved.
The guide also sets out common controls to prevent unauthorised data/information removal, copying, distribution, capturing or other types of disclosure, which must also be addressed by a regulated institution as part of its IT security risk management procedures.
IT asset life-cycle management controls
IT security needs to be considered at all stages of an IT asset's life-cycle. Life-cycle stages for IT assets include:
- planning and design;
- acquisition and implementation;
- support and maintenance; and
- decommissioning and disposal.
Each life-cycle stage carries different IT security requirements, which are considered in the guide.
Monitoring and incident management
Regulated institutions should have monitoring processes in place to identify events and unusual patterns of behaviour that could impact on the security of their IT assets. The guide contains a list of common monitoring processes, which vary depending on the criticality and sensitivity of the IT asset. Monitoring processes should be coupled with an incident management process to manage all stages of an incident that could impact on services. Such a process should include clear accountability and communication strategies to limit the impact of any IT security incident. Any incident management process should assist a regulated institution to comply with its regulatory requirements, and require the institution to notify APRA after experiencing a major incident.
IT security reporting and metrics
Regulated institutions should develop a formalised IT security reporting framework overseeing various aspects of the framework. This should incorporate clearly defined reporting and escalation thresholds and reflect the various audiences responsible for either acting on or reviewing the reports. The reports would give consideration to both risk and control dimensions.
The success of the framework should be gauged by measuring each dimension of it against at least one metric to enable the monitoring of progress towards set targets and the identification of trends.
IT security assurance
APRA expects that a regulated institution would seek regular assurance, through a formal program of work, that its IT assets are appropriately secured and that its framework is effective. The guide sets out the ideal frequency with which such assurances should be obtained, and in APRA's view annual testing (as a minimum) would be normal for IT assets exposed to 'un-trusted' environments.
Although such assurance work has traditionally been conducted by way of internal audit, the guide indicates that, given the nature of this work, other appropriately trained and sufficiently independent (to avoid conflict of interest) IT security experts could be used to complement such work.
- Michael Pattison, Partner, Ph: +61 3 9613 8839
- Ian McGill, Partner, Ph: +61 2 9230 4893
- Niranjan Arasaratnam, Partner, Sector Leader - Technology, Media & Telecommunications, Ph: +61 3 9613 8324