PRU 6.7 Information security
PRU 6.7.1
An Authorised Person must establish and maintain appropriate systems and controls to manage its information security risk.
In establishing its systems and controls to address information security risks, an Authorised Person should have regard to:
a. confidentiality: information should be accessible only to Persons or systems with appropriate authority, which may require firewalls within a system, as well as entry restrictions;
b. the risk of loss or theft of customer data;
c. integrity: safeguarding the accuracy and completeness of information and its processing;
d. non-repudiation and accountability: ensuring that the Person or system that processed the information cannot deny their actions; and
e. internal security: including premises security, staff vetting; access rights and portable media, staff internet and email access, encryption, safe disposal of customer data, and training and awareness.