The Prudential Practice Guide 234: Management of security risk in information and information technology (PPG 234) was written to target the areas that APRA, through its ongoing supervision activities, identified as weaknesses in IT security risk management. In APRA’s own words, “while the PPG provides guidance for safeguarding IT assets, it does not seek to be an all-encompassing framework.” The PPG does not cover every aspect of IT security risk management, nor does it go into the depth required to establish an efficient and effective IT security risk management function.
The PPG aims to provide guidance to senior management, risk management and IT security specialists (both management and operational) in APRA-regulated institutions. The differing needs of these groups go some way to explaining why the PPG stays at a high level. The multiple audiences also reflect the pervasive nature of IT security risk management, and the need for sound risk management disciplines combined with a solid understanding of the business in order to evaluate and manage the IT security risk profile. Additionally, effective IT security risk management can facilitate business initiatives and assist compliance with other regulatory requirements (e.g. privacy and anti-money laundering).
Over the seven months between the end of the feedback-gathering phase on the draft and the publication of the final PPG, a number of changes were made to the document. Most of them are small, but there is one significant change in focus, together with an expansion of the role that IT security risk management plays. The draft version treated the IT security management framework as the overarching framework that “outlines a regulated institution’s approach to managing IT security and is typically embodied in a hierarchy of policies, standards, guidelines and procedures”. The final version shifts that overarching framework to IT security risk management, effectively making risk management the underlying framework for normal business operations.
The final version of the document expands on risk management’s position and role in the organisation. Whilst the draft version mentioned risk management only in passing, the final version sets out, at a high level, what APRA expects regulated organisations to have in place to manage IT security risks.
In addition to shifting the focus, the final version of the PPG also expanded and elaborated on the role of IT security risk management. Some of the more pertinent points made in the final version of the PPG:
- A call to map IT security risks to business risks, and to allocate ownership of those risks, is repeated throughout the document.
- A firm approach to risk management is outlined, and APRA’s expectation that IT security risk management permeate every APRA-regulated organisation is stressed.
- The degree of sophistication and entrenchment of IT security risk management is left for each organisation to decide. However, APRA expects every regulated organisation to have a level of IT security risk management appropriate to its size, its industry and the assessed impact that a failure of IT security risk management at that organisation would have on the rest of the industry.
- There is a strong correlation between IT operational management and IT security risk management; operational controls such as change management and the software development lifecycle are inextricably linked with IT security risk management.
- There is a strong correlation between business processes and IT security risk management; the PPG calls for, and expects, resilience at all business and IT process levels, a common customer communication strategy shared between business and IT, and minimisation of the personally identifiable information held about customers to only that which is strictly needed to provide a service to the customer.
PPG 234 advocates a ‘top down’ approach to addressing recurring security weaknesses: improvements to risk management and governance drive, in turn, improvements in security operations. The overall aim is to facilitate business initiatives and assist compliance with other regulatory requirements (e.g. privacy and anti-money laundering). PPG 234 establishes IT security risk management as an integral part of a regulated organisation’s information management, not as a separate function.