IT security practices have featured in the headlines for the second time in a month as the Australian Prudential Regulation Authority (APRA) releases a discussion paper on the information technology (IT) security management implemented by the institutions it supervises.
The draft paper, released last Friday and titled “Prudential Practice Guide Draft: PPG 234 - Management of IT Security Risk” is not designed to replace existing industry guidelines, but instead to provide a set of “sound principles for safeguarding IT assets”.
It is of interest to senior management, risk management and security specialists. According to a statement by APRA, the diverse nature of this audience reflects “the pervasive nature of IT security management and the need for sound risk management disciplines and solid business understanding to evaluate and manage an institution’s security risk profile”.
APRA seeks written submissions on the proposed guidance from interested parties by 5 June 2009.
WA Auditor-General condemns WA Government IT security practices
In mid-April, the Western Australian Auditor-General launched a scathing attack on the state Government for “a lack of fundamental controls in place to protect personal and sensitive information”.
In the Information Systems Audit Report, the Auditor General said there was a “real and significant risk of inappropriate disclosure or access to the information held by [government agencies]”.
The report is a “wake-up call” for agencies: it found that three out of five agencies lacked IT security policies, and that agencies were often unaware of the security risks.
In the extreme, the report says that “in numerous cases, the agencies would have no way of knowing if data theft or manipulation had occurred”.