
Ultimate Governance, Risk & Compliance (GRC) Guides


The responsibility of the board of an APRA-regulated entity in relation to information security

The board of an APRA-regulated entity has a responsibility to ensure the security of its information assets. This responsibility is essential to the continued sound operation of the entity, as the security of information assets is a key component of protecting the organisation from the risks posed by cyber threats.

The board should ensure that the entity has an appropriate information security policy and procedures in place, and that these are regularly reviewed and updated to reflect changes in the organisation's risk profile. The policy should be comprehensive and should cover areas such as access control, data encryption, incident response and monitoring.

The board should also ensure that the entity has an Information Security Officer (ISO) in place to oversee the implementation of the organisation's security policy and procedures. The ISO should be responsible for developing and maintaining security protocols, conducting security audits and monitoring the organisation's security posture.

The board should also ensure that the entity has adequate resources to secure its information assets. This includes the appropriate technical resources, such as firewalls, antivirus software and intrusion detection systems, as well as the necessary personnel resources, such as a dedicated IT security team or an external security consultant.

The board should also ensure that the entity has a culture of security awareness. This involves educating employees on the importance of information security and the risks posed by cyber threats. It also involves ensuring that employees are aware of the security policies and procedures in place, and that they are following them.

The board should also ensure that the entity has an effective incident response plan in place. This plan should include procedures for detecting, responding to and recovering from cyber incidents. It should also include procedures for reporting incidents to the relevant authorities, such as APRA.

Finally, the board should ensure that the entity has a risk management process in place. This process should involve regularly assessing the organisation's security posture and identifying any potential vulnerabilities. It should also involve developing and implementing appropriate measures to mitigate these risks.

In summary, the board of an APRA-regulated entity has a responsibility to ensure the security of its information assets. This responsibility includes ensuring that the organisation has an appropriate security policy and procedures in place, an Information Security Officer to oversee the implementation of these policies, adequate resources to secure its information assets, a culture of security awareness, an effective incident response plan and a risk management process. By ensuring these measures are in place, the board can help to protect the organisation from the risks posed by cyber threats.


