CRA-5.8.1

Location:

Versions

Past version: Effective from 01 Apr 2019 to 31 Dec 2019
To view other versions open the versions tab on the right

A licensee must establish and maintain an effective cyber security program to ensure the availability and functionality of the licensee's electronic systems and to protect those systems and any sensitive data stored on those systems from unauthorized access, use, or tampering. The cyber security program must be designed to perform, at the minimum, the following five core cyber security functions:

(a) identify internal and external cyber risks by, at a minimum, identifying the information stored on the licensee's systems, the sensitivity of such information, and how and by whom such information may be accessed;

(b) protect the licensee's electronic systems, and the information stored on those systems, from unauthorized access, use, or other malicious acts through the use of defensive infrastructure and the implementation of policies and procedures;

(c) detect systems intrusions, data breaches, unauthorized access to systems or information, malware, and other cyber security events;

(d) respond to detected cyber security events to mitigate any negative effects; and

(e) recover from cyber security events and restore normal operations and services.

Added: April 2019