On 8 May 2009, the Australian Prudential Regulation Authority (APRA) published the Prudential Practice Guide Draft (PPG) dealing with the management of IT security risk. The PPG addresses the increased risks associated with the rising interconnectivity of IT systems that are used in the provision of financial services.
The PPG focuses on areas that have been identified as essential to the security of a regulated institution’s IT assets, including software, hardware and data.
APRA has consulted a number of industry and professional associations in preparing the PPG Draft and is seeking submissions from industry and other interested parties.
The final date for submissions is 5 June 2009.
Institutions affected by the PPG
The PPG will, once finalised, only apply to APRA regulated institutions. As a consequence, institutions such as banks, general insurers, Lloyd’s underwriters, life companies, superannuation entities, retirement savings account providers and first home saver account providers are affected.
What constitutes an IT security risk?
The PPG defines IT security risk as the potential compromise of a regulated institution’s IT assets in relation to confidentiality, integrity, availability and accountability that may arise from projects, outsourcing, software and IT infrastructure. IT assets will generally be classified according to their criticality and sensitivity when determining an appropriate risk management approach.
The security management framework proposed by PPG
The PPG recognises that business strategy should direct a regulated institution’s IT security strategy and recommends that high level principles (eg timely detection of security breaches and appropriately controlled error handling) be adopted as the foundation of an IT security strategy.
Practical policies (eg acceptable usage of IT assets, life-cycle management, management of security technology solutions) which are in line with the principles can then be implemented.
Ongoing compliance controls and ongoing assessment of the effectiveness of the security management framework should be applied.
Elements of a security management framework
The PPG sets out in greater detail the elements which security management frameworks will need to address including the following:
Acceptable usage and user awareness
APRA recommends the use of training and awareness programs, user education sessions (eg on personal versus corporate use of IT assets, email usage, handling of sensitive data) and acceptance of user compliance policies by staff.
Identification, access and authorisation
APRA recommends the following identification, access and authorisation controls:
- Access based on business need and only for as long as access is required.
- Strengthening authentication by using strong password practices and by increasing the number and/or type of authentication factors (eg security tokens, retinal scans).
- Increasing authentication strength where IT assets are sensitive or critical.
- Consideration of various factors (eg business role, physical location, operating system) when determining who should be an authorised user.
- Implementation of authorisation controls such as role-based access profiles, prohibiting shared accounts and passwords, and removal of access rights when there is a change in role or responsibility.
- Taking action to prevent ‘data leakage’ (ie the removal of sensitive data from the regulated institution’s secured network perimeter).
- Using cryptographic techniques.
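The following is an added illustration of how several of the controls in the list above fit together in an authorisation decision; it is example code written for this summary, not code from the article or from APRA. The role profiles, classification levels, the minimum-factor and approved-location policies, and every user and asset name are constructed assumptions.

```python
"""Access and authorisation checks modelled on the PPG controls listed above.

Added example, not code from the original article or from APRA. Role
profiles, classification levels, the factor-count policy and all user and
asset names are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Set, Tuple

# Assumed policy: minimum authentication factors by asset classification,
# so authentication strength rises with sensitivity and criticality.
MIN_FACTORS: Dict[str, int] = {"internal": 1, "confidential": 2, "critical": 2}

# Assumed policy: critical assets may only be reached from an approved location
# (physical location as one factor in deciding who is an authorised user).
APPROVED_LOCATIONS: Dict[str, Set[str]] = {"critical": {"head_office", "dr_site"}}

# Assumed role-based access profiles: role -> {asset name: permitted actions}.
ROLE_PROFILES: Dict[str, Dict[str, Set[str]]] = {
    "teller": {"customer_ledger": {"read"}},
    "ledger_admin": {"customer_ledger": {"read", "write"}},
    "dba": {"customer_ledger": {"read", "write"}, "core_db": {"read", "write", "admin"}},
}


@dataclass
class Asset:
    name: str
    classification: str  # "internal", "confidential" or "critical"


@dataclass
class RoleAssignment:
    role: str
    justification: str    # documented business need for the access
    expires_at: datetime  # access only for as long as it is required


@dataclass
class Account:
    username: str
    owners: Tuple[str, ...]  # exactly one named person for a compliant account
    assignment: Optional[RoleAssignment] = None


def assign_role(account: Account, role: str, justification: str,
                duration: timedelta, now: datetime) -> None:
    """Grant a role for a bounded period. Any previous role is dropped outright,
    so a change in role or responsibility never accumulates old rights."""
    if role not in ROLE_PROFILES:
        raise ValueError(f"unknown role: {role}")
    account.assignment = RoleAssignment(role, justification, now + duration)


def authorise(account: Account, asset: Asset, action: str, factors: int,
              location: str, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Each deny reason corresponds to one control."""
    if len(account.owners) != 1:
        return False, "shared account: exactly one accountable owner required"
    assignment = account.assignment
    if assignment is None:
        return False, "no current role assignment"
    if now >= assignment.expires_at:
        return False, "role assignment expired: access no longer required"
    permitted = ROLE_PROFILES[assignment.role].get(asset.name, set())
    if action not in permitted:
        return False, f"role '{assignment.role}' does not permit '{action}' on {asset.name}"
    needed = MIN_FACTORS.get(asset.classification, 1)
    if factors < needed:
        return False, f"{asset.classification} asset requires {needed} authentication factors"
    allowed_from = APPROVED_LOCATIONS.get(asset.classification)
    if allowed_from is not None and location not in allowed_from:
        return False, f"{asset.classification} asset not reachable from '{location}'"
    return True, "allowed"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario exercising each control; returns the decisions."""
    t0 = datetime(2009, 5, 8, 9, 0)
    ledger = Asset("customer_ledger", "confidential")
    core_db = Asset("core_db", "critical")
    alice = Account("alice", ("Alice Example",))
    shared = Account("ops-shared", ("Person A", "Person B"))
    assign_role(alice, "dba", "quarter-end reconciliation", timedelta(days=30), t0)
    assign_role(shared, "teller", "branch counter", timedelta(days=30), t0)
    results = {
        "dba_read_ledger_mfa": authorise(alice, ledger, "read", 2, "head_office", t0),
        "dba_read_ledger_password_only": authorise(alice, ledger, "read", 1, "head_office", t0),
        "dba_admin_core_from_home": authorise(alice, core_db, "admin", 2, "home", t0),
        "dba_after_expiry": authorise(alice, ledger, "read", 2, "head_office", t0 + timedelta(days=31)),
        "shared_account": authorise(shared, ledger, "read", 2, "head_office", t0),
    }
    # Role change: alice moves to teller, so the dba rights must disappear with it.
    assign_role(alice, "teller", "moved to branch", timedelta(days=365), t0)
    results["after_role_change_core_db"] = authorise(alice, core_db, "read", 2, "head_office", t0)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:32} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The point of the structure is that every deny reason is traceable to a named control, which is what an assurance reviewer will ask for: time-bounded grants implement "only for as long as access is required", the factor table implements "increasing authentication strength where IT assets are sensitive or critical", the single-owner check implements the prohibition on shared accounts, and replacing rather than appending the role assignment implements removal of access on a change in role.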
Life-cycle management controls
APRA recommends securing IT assets by:
- implementing physical security initiatives (eg locating IT assets away from natural and man-made threats);
- adopting security technology solutions (eg firewalls, intrusion detection, anti-malware);
- using secure software development techniques;
- assessing the effectiveness of emerging technologies through evaluation and experimentation.
Monitoring and incident management
Monitoring processes that may be implemented include activity logging (including logging of exceptions to approved activity), environment and customer profiling, checks to determine whether security controls are operating, and confirmation that staff or third-party access to sensitive data is for a valid business reason. Where monitoring reveals a security risk, it should be investigated in a timely manner.
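As an added illustration of the monitoring processes just described (it is example code written for this summary, not code from the article or from APRA), the block below runs four checks over a constructed activity log: it flags exceptions to approved activity, confirms that security controls are reporting as operating, and checks that staff and third-party access to sensitive data references a valid business reason. The log format, the sensitive-asset and approved-ticket registers, the business-hours window and all user names are constructed assumptions.

```python
"""Monitoring checks over a constructed activity log.

Added example, not code from the original article or from APRA. The log
format, asset list, approved-ticket register and all users are constructed
assumptions.
"""
from datetime import datetime
from typing import Dict, List

# Constructed sample log: one event per line, 'timestamp key=value ...'.
SAMPLE_LOG = """\
2009-05-08T09:12:04 kind=access user=alice type=staff asset=customer_ledger action=read ticket=SR-1001
2009-05-08T09:40:51 kind=access user=vendor_x type=third_party asset=customer_ledger action=read ticket=SR-1001
2009-05-08T22:15:09 kind=access user=bob type=staff asset=customer_ledger action=export ticket=
2009-05-08T10:05:00 kind=access user=carol type=third_party asset=payroll action=read ticket=SR-9999
2009-05-08T10:30:00 kind=control name=ids status=stopped
2009-05-08T10:30:05 kind=control name=antimalware status=running
2009-05-08T11:00:00 kind=access user=dave type=staff asset=intranet_wiki action=read ticket=
"""

# Assumed register of sensitive assets and the actions approved on each.
SENSITIVE_ASSETS = {"customer_ledger": {"read", "update"}, "payroll": {"read"}}

# Assumed register of open, approved business-justification tickets.
APPROVED_TICKETS = {"SR-1001", "SR-1002"}

# Assumed window (24h clock) within which routine access is expected.
BUSINESS_HOURS = range(7, 20)


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'timestamp k=v k=v ...' into a dict; an empty value becomes ''."""
    ts, *pairs = line.split()
    record = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def check_event(rec: Dict[str, str]) -> List[str]:
    """Return zero or more finding codes for one event."""
    findings: List[str] = []
    if rec.get("kind") == "control":
        # Is the security control actually operating?
        if rec.get("status") != "running":
            findings.append(f"CONTROL_DOWN:{rec.get('name')}")
        return findings
    if rec.get("kind") != "access":
        return findings
    asset = rec.get("asset", "")
    if asset not in SENSITIVE_ASSETS:
        return findings  # non-sensitive asset: logged but not escalated
    # Access to sensitive data must reference an approved business reason.
    if rec.get("ticket", "") not in APPROVED_TICKETS:
        who = "THIRD_PARTY" if rec.get("type") == "third_party" else "STAFF"
        findings.append(f"NO_BUSINESS_REASON:{who}:{rec.get('user')}")
    # Exceptions to approved activity: an unapproved action, or out-of-hours use.
    if rec.get("action") not in SENSITIVE_ASSETS[asset]:
        findings.append(f"UNAPPROVED_ACTION:{rec.get('action')}:{asset}")
    hour = datetime.fromisoformat(rec["ts"]).hour
    if hour not in BUSINESS_HOURS:
        findings.append(f"OUT_OF_HOURS:{rec.get('user')}:{asset}")
    return findings


def monitor(log_text: str) -> List[str]:
    """Run every rule over every line; findings are returned in log order."""
    out: List[str] = []
    for line in log_text.splitlines():
        if line.strip():
            out.extend(check_event(parse_line(line)))
    return out


if __name__ == "__main__":
    for finding in monitor(SAMPLE_LOG):
        print(finding)
```

Each finding names the control that was breached and the subject involved, so the output can feed directly into the investigation step the guidance asks for; the one event that trips three rules at once (an out-of-hours export of ledger data with no ticket) is exactly the kind of item that warrants timely follow-up rather than a periodic review.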
Incidents are events that compromise the confidentiality, integrity, availability or accountability of IT assets (eg outages, unauthorised access, identity theft). An appropriate incident management strategy should address methods of detection, identification, containment, investigation, resolution and reducing the risk of similar future events.
Security reporting and metrics
Reporting should be regular and directed at the relevant audience. Reports may include risk profiles, exposure analysis, system capacity and performance analysis and audit findings.
Security assurance
A formal program of work that facilitates an assessment of the security risk and control environment should be adopted by regulated institutions.
The frequency of assurance needs to be commensurate with the sensitivity and criticality of the IT assets. Where a change increases the vulnerability of IT assets, assurance work should also be undertaken.
Given the specialist nature of this assurance work, APRA recommends that appropriately trained and functionally independent security experts be used.
This article was written by Irene Zeitler, Partner and Nathan Kiratzis, Graduate, Melbourne.
More information
For information regarding possible implications for your business, contact