
Incident Management Policy

Code: OPS-003
Domain: Operational Resilience
Owner: Chief Technology Officer
Status: Draft
Applicability: Platform
Jurisdiction: NZ + AU
Business domain: BD09
Review date: 2027-03-25

Regulations: CPS 230 Operational Risk Management · CPS 234 Information Security · RBNZ Cyber Resilience Standard

Purpose

Govern the platform's cyber security framework, including security architecture standards, threat monitoring, vulnerability management, and security incident response.

Scope

All systems, networks, endpoints, and data assets of the platform in NZ and AU, including cloud-hosted and third-party-operated components within the platform's security perimeter.

Policy statements

The platform SHALL maintain a cyber security framework aligned with the NIST Cybersecurity Framework or an equivalent industry standard approved by the Board. The framework SHALL address the five core functions — identify, protect, detect, respond, and recover — and SHALL be reviewed at least annually by the CTO and approved by the Board.

The platform SHALL operate a continuous security monitoring capability. Security events from all production systems SHALL be collected, correlated, and analysed by a Security Operations Centre (SOC) function. High-priority alerts SHALL be investigated within the timeframes defined in the security monitoring procedures. The SOC capability MAY be fulfilled by an internal team, an approved managed security service provider, or a combination of both.

The platform SHALL maintain a vulnerability management programme. All production systems SHALL be scanned for vulnerabilities at least monthly. Critical vulnerabilities SHALL be remediated within 30 days of identification; high vulnerabilities SHALL be remediated within 90 days. Vulnerabilities that cannot be remediated within these timeframes SHALL require CTO-approved risk acceptance with a documented compensating control and remediation plan.

Multi-factor authentication (MFA) SHALL be required for all privileged access to production systems and all access to systems holding customer data. Exceptions to this requirement SHALL require written CTO approval and SHALL be reviewed quarterly. Approved exceptions SHALL be reported to the BRC.

The platform SHALL comply with APRA CPS 234 Information Security requirements, including the information security capability assessment, Board attestation obligations, and incident notification requirements. In NZ, the platform SHALL comply with applicable RBNZ cybersecurity guidance and NZ NCSC advisories classified as mandatory.

Security incidents SHALL be managed under the incident management framework (OPS-002). A cyber security incident response plan SHALL be maintained, tested at least annually, and approved by the CTO and Board. The test SHALL include at least one simulated cyber attack scenario per year.

The platform's cyber security posture SHALL be independently assessed at least every two years by a qualified external assessor. Assessment findings SHALL be reported to the Board and tracked to remediation, with material findings addressed within agreed timeframes.


Satisfying modules

Module · Name · Mode · Description
MOD-150 · Risk management platform · AUTO · Incidents are auto-created from observability alerts with P1/P2/P3 classification, SLA timers, and routing; no manual incident registration is required.
MOD-151 · Risk case console · GATE · All P1 incidents require a documented root cause and resolution action before they can be closed; the case workflow enforces this gate and no bypass path exists.
MOD-172 · Operations & Model Intelligence Dashboard · AUTO · Data quality breaks from MOD-038 are surfaced as scorecard items in the dashboard; the DQ scorecard acts as the first-line operational health indicator for the data platform, complementing MOD-150 incident management.

Compiled 2026-05-22 from source/entities/policies/OPS-003.yaml