The APRA “prudential practice guide” (PPG234) hasn’t really come out with all guns blazing so far, has it? (Press release and document here). Or has it?
It would be interesting to know from readers if anyone has yet been involved with PPG 234 and APRA, i.e., are you talking about it? Are you adopting the “principles”? Are you dealing with APRA in any sense regarding the “principles”?
We mentioned in a previous post that it’s very similar to the Monetary Authority of Singapore’s “Internet Banking and Technology Risk Management Guidelines”, only it seems to have no teeth and is a decade behind.
Let’s hope not. I talked recently in this post here about regulation and the impacts of enforcing stronger controls and practices on organisations – in particular, the financial sector. APRA has never really given us any indication of heading down this path like the MAS and other regulators in the region have. You have to wonder why not? Seriously. (The simplest answer is probably that it’s all too hard, lack of funding and support, etc.) So what’s the point of it, you may ask? And that would be a fair question.
I welcome your thoughts on this.
———————————————————————————————
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Interesting that you’re posting about the PPG considering APRA just released this (http://www.apra.gov.au/media-releases/10_06.cfm).
They’re proposing to supervise unregulated entities if they’re owned by a regulated entity. The umbrella is opening wider!
I hate to say it, but companies need compliance. Even if they only adhere to the letter of the law and not the spirit of it, the fact is we cannot trust companies to act with honourable intentions with regard to running even “reasonable” levels of security, let alone anything approaching the rubric of best practice.
Sometimes ticking the check box is better than nothing. Savvy security pros can at least turn these situations to their advantage by applying these projects to wider reaching aims with the goal of actually improving security. You just need switched on managers or architects to really drive it.
Jay,
You won’t get an argument from me. Having seen both sides of the fence, so to speak – working in more heavily regulated countries/industries versus not – the difference is chalk and cheese. I’ve rambled on about this for years.
I remember ComputerWorld interviewed me about this circa 2002. The Attorney-General’s Department responded that they disagreed with me and would instead develop some “standards” that companies could use if they wanted to. The problem with that was that even in 2002 we were not short of knowledge of what good practice was, and there was already a plethora of standards out there.
Just looking at the change in mentality/thinking with some of our PCI clients has been amazing. Almost all are now very proactive in what they’re doing and beyond the checkbox. It’s sinking in and working.
Rants over the years:
http://beastorbuddha.com/?s=regulation
If in doubt as to the effectiveness, check out other industries.
DD
Funny the AG said that, especially now that all government departments are mandated to implement their own ISMS! Hahaha.
I think I understand the argument that market forces will be the ultimate equaliser. I believe it’s a reference to capitalism being the ultimate driver. If you have a crappy, insecure service, your clients will find out and eventually leave. This is sort of the inverse of the tack taken where security can be used as a service differentiator.
I don’t see why it has to be either/or. Why can’t we have the carrot as well as the stick?