Help Center/ Config/ User Guide/ Conformance Packages/ Conformance Package Templates/ Conformance Package for Hong Kong Monetary Authority of China Requirements
Updated on 2024-11-12 GMT+08:00

Conformance Package for Hong Kong Monetary Authority of China Requirements

This section describes the background, applicable scenarios, and the conformance package to meet requirements by the Hong Kong Monetary Authority of China.

Background

Hong Kong Monetary Authority of China provided guidelines and regulations on cloud computing based on the results of a thematic review conducted between 2021 and 2022. Before adopting cloud computing, you need to pay attention to the key principles proposed by the Hong Kong Monetary Authority of China.

For more details, see HKMA.2022.08.31, SA-2, OR-2, and TM-G-1.

Applicable Scenarios

The conformance package in this section is intended to help financial enterprises in Hong Kong (China) migrate to the cloud.

Exemption Clauses

This package provides you with general guide to help you quickly create scenario-based conformance packages. The conformance package and rules included only apply to cloud service and do not represent any legal advice. This conformance package does not ensure compliance with specific laws, regulations, or industry standards. You are responsible for the compliance and legality of your business and technical operations and assume all related responsibilities.

Conformance Rules

The guideline No. in the following table are in consistent with the chapter No. in HKMA.2022.08.31.

Table 1 The conformance package for HKMA

Guideline No.

Guideline Description

Rule

Solution

I-2

Depending on the cloud deployment model adopted, these may include multi-tenancy risks, as well as those concerning concentration risk and supply chain risks more generally.

iam-group-has-users-check

Assign different permissions to IAM users or user groups to implement least privilege and separation of duty (SOD) principles.

I-2

Depending on the cloud deployment model adopted, these may include multi-tenancy risks, as well as those concerning concentration risk and supply chain risks more generally.

iam-user-group-membership-check

Assign different permissions to IAM users or user groups to perform access control.

I-2

Depending on the cloud deployment model adopted, these may include multi-tenancy risks, as well as those concerning concentration risk and supply chain risks more generally.

iam-root-access-key-check

Delete root access keys to prevent unintended authorization.

II-5

AIs should implement layers of security control measures to protect the integrity and confidentiality of customer information stored in the cloud.

kms-rotation-enabled

Enable key rotation.

II-5

AIs should implement layers of security control measures to protect the integrity and confidentiality of customer information stored in the cloud.

iam-password-policy

Set thresholds for password strength.

II-5

AIs should implement layers of security control measures to protect the integrity and confidentiality of customer information stored in the cloud.

cts-support-validate-check

Use CTS trackers to verify whether logs are modified, deleted, or unchanged after being dumped.

II-5

AIs should implement layers of security control measures to protect the integrity and confidentiality of customer information stored in the cloud.

rds-instances-enable-kms

Enable encryption for RDS instances.

II-5

AIs should implement layers of security control measures to protect the integrity and confidentiality of customer information stored in the cloud.

dcs-redis-enable-ssl

Enable SSL for Redis to protect sensitive data.

The guideline No. in the following table are in consistent with the chapter No. in SA-2.

Table 2 Rules for SA-2

Guideline No.

Guideline Description

Rule

Solution

2.5.1

AIs should ensure that the proposed outsourcing arrangement complies with relevant statutory requirements and common law customer confidentiality.

cts-kms-encrypted-check

Enable file encryption for CTS trackers.

2.5.1

AIs should ensure that the proposed outsourcing arrangement complies with relevant statutory requirements and common law customer confidentiality.

rds-instances-enable-kms

Enable encryption for cloud databases

2.5.1

AIs should ensure that the proposed outsourcing arrangement complies with relevant statutory requirements and common law customer confidentiality.

css-cluster-disk-encryption-check

Enable disk encryption for Cloud Search Service (CSS) clusters.

2.8.1

AIs should ensure that the proposed outsourcing arrangement complies with relevant statutory requirements and common law customer confidentiality.

vpc-flow-logs-enabled

Use VPC flow logs to obtain VPC traffic information.

2.8.1

AIs should ensure that appropriate up-to-date records are maintained in their premises and kept available for inspection by the HKMA.

apig-instances-execution-logging-enabled

Use API gateway logs to visualize users accessing APIs and obtain their access methods and activities.

2.8.1

AIs should ensure that appropriate up-to-date records are maintained in their premises and kept available for inspection by the HKMA.

cts-lts-enable

Use CTS to centrally collect and manage log events

2.8.1

AIs should ensure that appropriate up-to-date records are maintained in their premises and kept available for inspection by the HKMA.

cts-support-validate-check

Use CTS trackers to verify whether logs are modified, deleted, or unchanged after being dumped.

The guideline numbers in the following table are in consistent with the chapter numbers in OR-2.

Table 3 Rules for OR-2

Guideline No.

Guideline Description

Rule

Solution

4.2.2

AIs should be aware that their operational capabilities may vary during different business cycles or as a result of seasonal factors. For instance, during the periods of time when more initial public offerings are launched.

as-group-elb-healthcheck-required

User elastic load balancers to monitor cloud server (in AS groups) status by periodically sending requests.

6.1

AIs should be prepared to manage all risks with potential to affect critical operations delivery.

as-multiple-az

Deploy AS groups across AZs to ensure high capacity and availability.

6.1

AIs should be prepared to manage all risks with potential to affect critical operations delivery.

css-cluster-multiple-az-check

Use CSS across AZs to ensure high capacity and availability.

6.1

AIs should be prepared to manage all risks with potential to affect critical operations delivery.

elb-multiple-az-check

Deploy elastic load balancers across AZs to ensure high capacity and availability.

6.1

AIs should be prepared to manage all risks with potential to affect critical operations delivery.

rds-instance-multi-az-support

Deploy cloud databases across AZs to ensure high capacity and availability.

6.2

As operational risk management focuses on preventing and minimizing operational losses, it contributes to an AI's efforts to maintain operational resilience.

kms-not-scheduled-for-deletion

Check KMS key status to prevent accidental or malicious deletion.

The guideline numbers in the following table are in consistent with the chapter numbers in TM-G-1.

Table 4 Rules for TM-G-1

Guideline No.

Guideline Description

Rule

Solution

3.1.4

AIs should adopt industry-accepted cryptographic solutions and implement sound key management practices to safeguard the associated cryptographic keys.

kms-not-scheduled-for-deletion

Check key status to prevent accidental deletion.

3.1.4

AIs should adopt industry-accepted cryptographic solutions and implement sound key management practices to safeguard the associated cryptographic keys.

kms-rotation-enabled

Enable key rotation.

3.2.2

AIs should implement effective password rules to ensure that easy-to-guess passwords are avoided and passwords are changed on a periodic basis.

iam-password-policy

Set thresholds for password strength.

3.2.2

AIs should implement effective password rules to ensure that easy-to-guess passwords are avoided and passwords are changed on a periodic basis.

access-keys-rotated

Periodically change access keys.

3.2.2

AIs should implement effective password rules to ensure that easy-to-guess passwords are avoided and passwords are changed on a periodic basis.

iam-user-mfa-enabled

Enable multi-factor authentication (MFA) for all users.

3.2.2

AIs should implement effective password rules to ensure that easy-to-guess passwords are avoided and passwords are changed on a periodic basis.

root-account-mfa-enabled

Enable multi-factor authentication (MFA) for root users.

3.3.1

Monitor the use of system resources to detect any unusual or unauthorized activities.

cts-tracker-exists

Use CTS to record operations on the Huawei Cloud management console and API calls.

3.3.1

Monitor the use of system resources to detect any unusual or unauthorized activities.

cts-lts-enable

Use CTS to centrally collect and manage log events.

3.3.2

Proper segregation of duties within the security administration function or other compensating controls should be in place to mitigate the risk of unauthorized activities.

iam-role-has-all-permissions

Only grant IAM users necessary permissions to perform required operations to ensure compliance with the least privilege and SOD principles.

5.2.1

AIs should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner.

alarm-action-enabled-check

Ensure that CES alarm rules are not disabled.

6.2.1

AIs should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner.

ecs-instance-no-public-ip

The ECSs may contain sensitive information. Restrict access to ECSs from public networks.

6.2.1

To prevent insecure connections to an AI's network, procedures concerning the use of networks and network services need to be established and enforced.

function-graph-public-access-prohibited

Restrict access to FunctionGraph functions from public networks. Public network access may cause data leakage or lower availability.