Conformance Package for Hong Kong Monetary Authority of China Requirements
This section describes the background, applicable scenarios, and the compliance package to meet requirements by the Hong Kong Monetary Authority of China.
Background
Hong Kong Monetary Authority of China provided guidelines and regulations on cloud computing based on the results of a thematic review conducted between 2021 and 2022. Before adopting cloud computing, you need to pay attention to the key principles proposed by the Hong Kong Monetary Authority of China.
For more details, see HKMA.2022.08.31, SA-2, OR-2, and TM-G-1.
Applicable Scenarios
The conformance package in this section is intended to help financial enterprises in Hong Kong (China) migrate to the cloud.
Exemption Clauses
This package provides you with general guide to help you quickly create scenario-based conformance packages. The conformance package and rules included only apply to cloud service and do not represent any legal advice. This conformance package does not ensure compliance with specific laws, regulations, or industry standards. You are responsible for the compliance and legality of your business and technical operations and assume all related responsibilities.
Conformance Rules
The guideline No. in the following table are in consistent with the chapter No. in HKMA.2022.08.31.
Guideline No. |
Guideline Description |
Rule |
Solution |
|---|---|---|---|
I-2 |
Depending on the cloud deployment model adopted, these may include multi-tenancy risks, as well as those concerning concentration risk and supply chain risks more generally. |
iam-group-has-users-check |
Assign different permissions to IAM users or user groups to implement least privilege and separation of duty (SOD) principles. |
I-2 |
Depending on the cloud deployment model adopted, these may include multi-tenancy risks, as well as those concerning concentration risk and supply chain risks more generally. |
iam-user-group-membership-check |
Assign different permissions to IAM users or user groups to perform access control. |
I-2 |
Depending on the cloud deployment model adopted, these may include multi-tenancy risks, as well as those concerning concentration risk and supply chain risks more generally. |
iam-root-access-key-check |
Delete root access keys to prevent unintended authorization. |
II-5 |
AIs should implement layers of security control measures to protect the integrity and confidentiality of customer information stored in the cloud. |
kms-rotation-enabled |
Enable key rotation. |
II-5 |
AIs should implement layers of security control measures to protect the integrity and confidentiality of customer information stored in the cloud. |
iam-password-policy |
Set thresholds for password strength. |
II-5 |
AIs should implement layers of security control measures to protect the integrity and confidentiality of customer information stored in the cloud. |
cts-support-validate-check |
Use CTS trackers to verify whether logs are modified, deleted, or unchanged after being dumped. |
II-5 |
AIs should implement layers of security control measures to protect the integrity and confidentiality of customer information stored in the cloud. |
rds-instances-enable-kms |
Enable encryption for RDS instances. |
II-5 |
AIs should implement layers of security control measures to protect the integrity and confidentiality of customer information stored in the cloud. |
dcs-redis-enable-ssl |
Enable SSL for Redis to protect sensitive data. |
The guideline No. in the following table are in consistent with the chapter No. in SA-2.
Guideline No. |
Guideline Description |
Rule |
Solution |
|---|---|---|---|
2.5.1 |
AIs should ensure that the proposed outsourcing arrangement complies with relevant statutory requirements and common law customer confidentiality. |
cts-kms-encrypted-check |
Enable file encryption for CTS trackers. |
2.5.1 |
AIs should ensure that the proposed outsourcing arrangement complies with relevant statutory requirements and common law customer confidentiality. |
rds-instances-enable-kms |
Enable encryption for cloud databases |
2.5.1 |
AIs should ensure that the proposed outsourcing arrangement complies with relevant statutory requirements and common law customer confidentiality. |
css-cluster-disk-encryption-check |
Enable disk encryption for Cloud Search Service (CSS) clusters. |
2.8.1 |
AIs should ensure that the proposed outsourcing arrangement complies with relevant statutory requirements and common law customer confidentiality. |
vpc-flow-logs-enabled |
Use VPC flow logs to obtain VPC traffic information. |
2.8.1 |
AIs should ensure that appropriate up-to-date records are maintained in their premises and kept available for inspection by the HKMA. |
apig-instances-execution-logging-enabled |
User API gateway logs to visualize users accessing APIs and obtain their access methods and activities. |
2.8.1 |
AIs should ensure that appropriate up-to-date records are maintained in their premises and kept available for inspection by the HKMA. |
cts-lts-enable |
Use CTS to centrally collect and manage log events |
2.8.1 |
AIs should ensure that appropriate up-to-date records are maintained in their premises and kept available for inspection by the HKMA. |
cts-support-validate-check |
Use CTS trackers to verify whether logs are modified, deleted, or unchanged after being dumped. |
The guideline numbers in the following table are in consistent with the chapter numbers in OR-2.
Guideline No. |
Guideline Description |
Rule |
Solution |
|---|---|---|---|
4.2.2 |
AIs should be aware that their operational capabilities may vary during different business cycles or as a result of seasonal factors. For instance, during the periods of time when more initial public offerings are launched. |
as-group-elb-healthcheck-required |
User elastic load balancers to monitor cloud server (in AS groups) status by periodically sending requests. |
6.1 |
AIs should be prepared to manage all risks with potential to affect critical operations delivery. |
as-multiple-az |
Deploy AS groups across AZs to ensure high capacity and availability. |
6.1 |
AIs should be prepared to manage all risks with potential to affect critical operations delivery. |
css-cluster-multiple-az-check |
Use CSS across AZs to ensure high capacity and availability. |
6.1 |
AIs should be prepared to manage all risks with potential to affect critical operations delivery. |
elb-multiple-az-check |
Deploy elastic load balancers across AZs to ensure high capacity and availability. |
6.1 |
AIs should be prepared to manage all risks with potential to affect critical operations delivery. |
rds-instance-multi-az-support |
Deploy cloud databases across AZs to ensure high capacity and availability. |
6.2 |
As operational risk management focuses on preventing and minimizing operational losses, it contributes to an AI's efforts to maintain operational resilience. |
kms-not-scheduled-for-deletion |
Check KMS key status to prevent accidental or malicious deletion. |
The guideline numbers in the following table are in consistent with the chapter numbers in TM-G-1.
Guideline No. |
Guideline Description |
Rule |
Solution |
|---|---|---|---|
3.1.4 |
AIs should adopt industry-accepted cryptographic solutions and implement sound key management practices to safeguard the associated cryptographic keys. |
kms-not-scheduled-for-deletion |
Check key status to prevent accidental deletion. |
3.1.4 |
AIs should adopt industry-accepted cryptographic solutions and implement sound key management practices to safeguard the associated cryptographic keys. |
kms-rotation-enabled |
Enable key rotation. |
3.2.2 |
AIs should implement effective password rules to ensure that easy-to-guess passwords are avoided and passwords are changed on a periodic basis. |
iam-password-policy |
Set thresholds for password strength. |
3.2.2 |
AIs should implement effective password rules to ensure that easy-to-guess passwords are avoided and passwords are changed on a periodic basis. |
access-keys-rotated |
Periodically change access keys. |
3.2.2 |
AIs should implement effective password rules to ensure that easy-to-guess passwords are avoided and passwords are changed on a periodic basis. |
iam-user-mfa-enabled |
Enable multi-factor authentication (MFA) for all users. |
3.2.2 |
AIs should implement effective password rules to ensure that easy-to-guess passwords are avoided and passwords are changed on a periodic basis. |
root-account-mfa-enabled |
Enable multi-factor authentication (MFA) for root users. |
3.3.1 |
Monitor the use of system resources to detect any unusual or unauthorized activities. |
cts-tracker-exists |
Use CTS to record operations on the Huawei Cloud management console and API calls. |
3.3.1 |
Monitor the use of system resources to detect any unusual or unauthorized activities. |
cts-lts-enable |
Use CTS to centrally collect and manage log events. |
3.3.2 |
Proper segregation of duties within the security administration function or other compensating controls should be in place to mitigate the risk of unauthorized activities. |
iam-role-has-all-permissions |
Only grant IAM users necessary permissions to perform required operations to ensure compliance with the least privilege and SOD principles. |
5.2.1 |
AIs should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner. |
alarm-action-enabled-check |
Ensure that CES alarm rules are not disabled. |
6.2.1 |
AIs should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner. |
ecs-instance-no-public-ip |
The ECSs may contain sensitive information. Restrict access to ECSs from public networks. |
6.2.1 |
To prevent insecure connections to an AI's network, procedures concerning the use of networks and network services need to be established and enforced. |
function-graph-public-access-prohibited |
Restrict access to FunctionGraph functions from public networks. Public network access may cause data leakage or lower availability. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
