APRA have released a discussion paper and draft best practice guide on the management of IT security risks.

APRA are the Australian financial services industry regulatory body. They oversee banks, credit unions, building societies, insurance and superannuation companies.

While light on specific detail, as a quick guide on what is expected for organizations under APRA's juristiction. It's a neat, concise set of guidelines that's not too jargon heavy - ie: good for Management to give them an overview of what is considered best practice (or 'prudential practice' as APRA call it).

I quite like the recommendation that organizations need to have "an overarching IT security risk management framework, addressing matters including an IT security strategy and a hierarchy of policies, standards, guidelines & procedures; and clearly-defined security principles for this strategy, addressing issues such as defence-in-depth, control diversity, breach detection and denial of unnecessary permissions/protocols."

It's good to see a body such as APRA publishing a document like this, I think it really helps raise awareness about some of these issues that may be lagging here in Australia compared to other parts of the world. My only criticism it that it's only a 'prudential guide' and non-enforcable, but that hopefully may change in the future.

The papers are available here.