Financial regulator delves into IT security

The Australian Prudential Regulation Authority (APRA) released draft guidelines for IT security last Friday, which laid out practices to improve areas of "potential weakness" in the financial services industry.


According to the authority, it identified these areas during its routine supervision. The guidelines are not intended to replace current industry standards and guidelines, but to set out principles for safeguarding IT assets, the authority pointed out.

APRA frames its guidelines as a set of principles for the financial services industry, which companies are expected to follow to some extent. APRA deals with companies individually on their processes and can take the matter up with them if it considers their adherence to the guidelines inadequate.

The IT guidelines dealt with various security issues, including security management frameworks, user awareness, access, life-cycle management, monitoring and security reporting as well as security assurance.

The authority placed importance on training users in security awareness and the use of personal versus corporate assets as well as the security dangers related to email, remote computing, mobile devices and the handling of sensitive data. It also touched on authorisation and access, especially for temporary staff.

APRA's position is that any sensitive data moved outside the boundary of a company's secure network should, at a minimum, be protected by encryption.

Companies were also expected to make sure that any sensitive information in systems to be decommissioned be deleted before the systems were taken offline — something that will concern the banks as they migrate from older banking systems.

The regulator also issued a guideline that products not be used until they have been proven mature. The authority suggested that companies develop a process for maintaining an "approved technology register" of products.

Offshoring of systems also received attention. The authority said that any company with critical systems offshore should have a plan in place for the event that those systems go offline for a lengthy period. It also suggested that such systems remain sufficiently separate that they could be moved.

The Australia New Zealand Banking Group recently increased the size of its offshored IT operations. The National Australia Bank had to reconsider its outsourcing contracts with Indian IT services company Satyam because of a financial scandal in which the latter was involved. The bank stopped any new work moving to Satyam.

APRA is receiving submissions from the industry on draft guidelines until 5 June.
