Ultimate Governance, Risk & Compliance (GRC) Guides
Implementation of controls for third-party information assets

When it comes to information security, third-party information assets present a unique set of challenges. Third-party assets are often outside the direct control of the APRA-regulated entity, and as such require additional security measures to be implemented.

The first step in ensuring adequate security for third-party information assets is to conduct a thorough risk assessment. This assessment should identify potential vulnerabilities and threats to the information assets, as well as the criticality and sensitivity of those assets. The risk assessment should also take into account the stage the information assets have reached in their life-cycle, and the potential consequences of an information security incident.

Once the risks have been identified, the APRA-regulated entity should implement appropriate security controls to mitigate them. These controls should be implemented in a timely manner and should be commensurate with the identified risks.

The security controls implemented should include both technical and non-technical measures. On the technical side, measures such as encryption, firewalls, and data loss prevention (DLP) solutions can be implemented to protect the third-party information assets. On the non-technical side, the APRA-regulated entity should ensure that any third-party vendors or partners are subject to appropriate contractual obligations, such as confidentiality agreements and service-level agreements.

The APRA-regulated entity should also ensure that third-party vendors or partners are subject to regular audits and reviews, so that any security issues are identified and addressed in a timely manner. Additionally, the APRA-regulated entity should have a process in place to monitor the security of the third-party information assets on an ongoing basis.

Finally, it is important to note that the implementation of security controls for third-party information assets is an ongoing process. As such, the APRA-regulated entity should ensure that any new third-party vendors or partners are subject to the same security controls as existing vendors or partners, and that the security controls are regularly reviewed and updated as needed.

In conclusion, the implementation of security controls for third-party information assets is essential for any APRA-regulated entity. By conducting a thorough risk assessment, implementing appropriate security controls, and monitoring the security of the third-party information assets on an ongoing basis, the APRA-regulated entity can ensure that its information assets are adequately protected.