HUAWEI TECHNOLOGIES CO., LTD.
HUAWEI CLOUD
Compliance with Hong Kong
Financial Services
Regulations & Guidelines
Version 1.0
Date November 2019
HUAWEI CLOUD Compliance with Hong Kong
Financial Services Regulations & Guidelines Globally released
Version 1.0 Copyright © Huawei Technologies Co., Ltd. i
Copyright © Huawei Technologies Co., Ltd. 2019. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without
prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their
respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei
and the customer. All or part of the products, services and features described in this document may
not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all
statements, information, and recommendations in this document are provided "AS IS" without
warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made
in the preparation of this document to ensure accuracy of the contents, but all statements,
information, and recommendations in this document do not constitute a warranty of any kind,
express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: HUAWEI – https://www.huawei.com/en/
HUAWEI CLOUD – https://intl.huaweicloud.com/en-us/
Email: [email protected]
Contents
1. Introduction ......................................................................................................................................... 1
2. HUAWEI CLOUD Security and Privacy Compliance .................................................................... 2
3. HUAWEI CLOUD Security Responsibility Sharing Model ............................................................ 5
4. HUAWEI CLOUD Global Infrastructure ........................................................................................ 6
5. How HUAWEI CLOUD Meets the Requirements of HKMA Supervisory Policy Manual on
General Principles for Technology Risk Management (TM-G-1) .......................................................... 7
5.1 Security Management ................................................................................................................ 7
5.2 System Development and Change Management ..................................................................... 17
5.3 Information Processing ............................................................................................................ 19
5.4 Communications Networks ...................................................................................................... 22
5.5 Management of Technology Service Providers ....................................................................... 25
6. How HUAWEI CLOUD Meets the Requirements of HKMA Supervisory Policy Manual on
Outsourcing (SA-2) ................................................................................................................................... 26
6.1 Ability of Service Providers ..................................................................................................... 26
6.2 Outsourcing Agreement ........................................................................................................... 29
6.3 Customer Data Confidentiality ................................................................................................ 29
6.4 Control over Outsourced Activities ......................................................................................... 31
6.5 Contingency Planning .............................................................................................................. 31
6.6 Access to Outsourced Data ...................................................................................................... 32
7. How HUAWEI CLOUD Meets the Requirements of HKMA Supervisory Policy Manual on
Business Continuity Planning (TM-G-2) ................................................................................................ 33
7.1 Business Impact Analysis and Recovery Strategy ................................................................... 33
7.2 Development of Business Continuity Plan .............................................................................. 34
7.3 Alternate Sites for Business and Technology Recovery .......................................................... 38
7.4 Implementation of Business Continuity Plan........................................................................... 40
8. How HUAWEI CLOUD Meets the Requirements of HKMA Guideline on Authorization of
Virtual Banks ............................................................................................................................................ 41
9. How HUAWEI CLOUD Meets the Requirements of HKMA Customer Data Protection ......... 44
10. How HUAWEI CLOUD Meets the Requirements of Incident Response and Management
Procedures ................................................................................................................................................. 49
11. Conclusion .......................................................................................................................................... 51
12. Version History .................................................................................................................................. 52
1. Introduction
The Hong Kong Monetary Authority (HKMA) has issued a series of guidelines and circulars
providing practical guidance to Hong Kong financial institutions on IT risk management. As
financial institutions gradually introduce advanced technologies and transform their businesses,
such as deploying their businesses to operate in the cloud, the HKMA expects them to establish an
effective technology risk management framework that minimizes risk and meets regulatory
requirements while achieving their own business targets.
HUAWEI CLOUD continues to follow the regulatory guidelines and circulars issued by the
HKMA and is committed to assisting financial customers in meeting these regulatory guidelines
and circulars. This article details how HUAWEI CLOUD will assist banking financial institutions
in meeting regulatory requirements in the following regulatory guidelines and circulars that
banking financial institutions typically follow:
Regulatory guidelines:
• Supervisory Policy Manual on General Principles for Technology Risk Management
(TM-G-1): Provide authorized institutions (AIs) with guidance on general principles which
AIs are expected to consider in managing technology-related risks.
• Supervisory Policy Manual on Outsourcing (SA-2): Set out the HKMA's supervisory
approach to outsourcing and the major points which the HKMA recommends AIs to
address when outsourcing their activities.
• Supervisory Policy Manual on Business Continuity Planning (TM-G-2): Set out the
HKMA's supervisory approach to business continuity planning and the sound practices
which the HKMA expects AIs to take into consideration in this regard.
• Guideline on Authorization of Virtual Banks: Set out the principles which the HKMA
will take into account in deciding whether to authorize virtual banks applying to conduct
banking business in Hong Kong.
Note:
AIs: The HKMA is responsible for the supervision and authorization of banks, restricted
license banks and deposit-taking companies in Hong Kong. The three types of institutions
mentioned above are collectively referred to as authorized institutions.
Regulatory circulars:
• Customer Data Protection: Remind AIs of the importance of protecting the
confidentiality of customer data and some key control measures for customer data
protection.
• Incident Response and Management Procedures: Remind AIs that effective incident
response and management capabilities and procedures must be in place to deal with
significant incidents and set out the principles to be followed by AIs in any public
communication regarding such incidents.
2. HUAWEI CLOUD Security and Privacy Compliance
HUAWEI CLOUD inherits Huawei's comprehensive management system and leverages its
experience in IT system construction and operation, actively managing and continuously
improving the development, operation and maintenance of cloud services. To date, HUAWEI
CLOUD has received a number of international and industry security compliance certifications [1],
ensuring the security and compliance of businesses deployed by cloud service customers.
HUAWEI CLOUD has attained the following certifications:
ISO 27001:2013
ISO 27001 is a widely used international standard that specifies requirements for information security management systems. This standard provides a method of periodic risk evaluation for assessing systems that manage company and customer information.

Classified Cybersecurity Protection of China's Ministry of Public Security
Classified Cybersecurity Protection issued by China's Ministry of Public Security is used to guide organizations in China through cybersecurity development. Today, it has become the general security standard widely adopted by various industries throughout China. HUAWEI CLOUD has passed the registration and assessment of Classified Cybersecurity Protection Class 3. In addition, key HUAWEI CLOUD regions and nodes have passed the registration and assessment of Classified Cybersecurity Protection Class 4.

ISO 27017:2015
ISO 27017 is an international certification for cloud computing information security. The adoption of ISO 27017 indicates that HUAWEI CLOUD has achieved internationally recognized best practices in information security management.

Singapore MTCS Level 3 Certification
The Multi-Tier Cloud Security (MTCS) specification is a standard developed by the Singapore Information Technology Standards Committee. This standard requires cloud service providers (CSPs) to adopt sound risk management and security practices in cloud computing. HUAWEI CLOUD Singapore has obtained the highest level of MTCS security rating (Level 3).

ISO 20000-1:2011
ISO 20000 is an internationally recognized information technology service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS to make sure CSPs can provide effective IT services that meet the requirements of customers and businesses.

SOC audit
The SOC audit report is an independent audit report issued by a third-party auditor based on the relevant guidelines developed by the American Institute of Certified Public Accountants (AICPA) for the system and internal control of outsourced service providers. At present, HUAWEI CLOUD has passed the SOC2 Type 1 Privacy Principle audit, which proves that HUAWEI CLOUD has reasonable control measures in terms of cloud management and technology.

PCI DSS Certification
The Payment Card Industry Data Security Standard (PCI DSS) is the global card industry security standard, jointly established by five major international payment brands: JCB, American Express, Discover, MasterCard and Visa. It is the most authoritative and strict financial institution certification in the world.

ISO 22301:2012
ISO 22301 is an internationally recognized business continuity management system standard that helps organizations avoid potential incidents by identifying, analyzing, and alerting on risks, and develop a comprehensive Business Continuity Plan (BCP) to respond effectively to disruptions so that entities can recover rapidly, keep core business running, and minimize loss and recovery costs.

CSA STAR Gold Certification
CSA STAR certification was developed by the Cloud Security Alliance (CSA) and the British Standards Institution (BSI), an authoritative standard development and preparation body as well as a worldwide certification service provider. This certification aims to increase trust and transparency in the cloud computing industry and enables cloud computing service providers to demonstrate their service maturity.

Gold O&M (TRUCS)
The Gold O&M certification is designed to assess the O&M capability of cloud service providers who have passed TRUCS certification. This certification confirms that HUAWEI CLOUD services operate a sound O&M management system that satisfies the cloud service O&M assurance requirements specified in Chinese certification standards.

Certification for the Capability of Protecting Cloud Service User Data (TRUCS)
This certification evaluates a CSP's ability to protect cloud data. Evaluation covers pre-event prevention, in-event protection, and post-event tracking.

ITSS Cloud Computing Service Capability Evaluation by the Ministry of Industry and Information Technology (MIIT)
ITSS cloud computing service capability evaluation is based on Chinese standards such as the General Requirements for Cloud Computing and Cloud Service Operations. It is the first hierarchical evaluation mechanism in China's cloud service/cloud computing domain. Huawei private and public clouds have obtained cloud computing service capability level-1 (top level) compliance certificates.

TRUCS
Trusted Cloud Service (TRUCS) is one of the most authoritative public domain assessments in China. This assessment confirms that HUAWEI CLOUD complies with the most detailed standard for cloud service data and service assurance in China.

Cloud Service Security Certification - Cyberspace Administration of China (CAC)
This certification is a third-party security review conducted by the Cyberspace Administration of China according to the Security Capability Requirements of Cloud Computing Service. The HUAWEI CLOUD e-Government Cloud Service Platform has passed the security review (enhanced level), indicating that the Huawei e-Government cloud platform was recognized for its security and controllability by China's top cybersecurity management organization.

International Common Criteria EAL 3+ Certification
Common Criteria (CC) certification is a highly recognized international standard for information technology products and system security. HUAWEI CLOUD FusionSphere passed CC EAL 3+ certification, indicating that the HUAWEI CLOUD software platform is highly recognized worldwide.

ISO 27018:2014
ISO 27018 is an international code of conduct that focuses on the protection of personal data in the cloud. The adoption of ISO 27018 indicates that HUAWEI CLOUD has met the requirements of an internationally complete personal data protection and management system.

ISO 29151:2017
ISO 29151 is an international practical guide to the protection of personally identifiable information. The adoption of ISO 29151 confirms HUAWEI CLOUD's implementation of internationally recognized management measures for the entire lifecycle of personal data processing.

ISO 27701:2019
ISO 27701 specifies requirements for the establishment, implementation, maintenance and continuous improvement of a privacy-specific management system. The adoption of ISO 27701 demonstrates that HUAWEI CLOUD operates a sound system for personal data protection.

BS 10012:2017
BS 10012 is the personal information data management system standard issued by BSI. The BS 10012 certification indicates that HUAWEI CLOUD offers a complete personal data protection system to ensure personal data security.

[1] https://intl.huaweicloud.com/en-us/securecenter/safetycompliance.html
3. HUAWEI CLOUD Security Responsibility Sharing Model
The primary responsibilities of HUAWEI CLOUD are developing and operating the physical
infrastructure of HUAWEI CLOUD data centers; the IaaS, PaaS, and SaaS services provided by
HUAWEI CLOUD; and the built-in security functions of a variety of services. Furthermore,
HUAWEI CLOUD is also responsible for the secure design, implementation, and O&M of the
multi-layered defense-in-depth, which spans the physical, infrastructure, platform, application, and
data layers, in addition to the identity and access management (IAM) cross-layer function.
The primary responsibilities of the tenant are customizing the configuration and operating the
virtual network, platform, application, data, management, security, and other cloud services to
which a tenant subscribes on HUAWEI CLOUD, including its customization of HUAWEI
CLOUD services according to its needs as well as the O&M of any platform, application, and IAM
services that the tenant deploys on HUAWEI CLOUD. At the same time, the tenant is also
responsible for the customization of the security settings at the virtual network layer, the platform
layer, the application layer, the data layer, and the cross-layer IAM function, as well as the tenant's
own in-cloud O&M security and the effective management of its users and identities.
Figure 1: Responsibility Sharing Model
For details on the security responsibilities of both tenants and HUAWEI CLOUD, please refer to
the HUAWEI CLOUD Security White Paper [2] released by HUAWEI CLOUD.
4. HUAWEI CLOUD Global Infrastructure
HUAWEI CLOUD operates services in many countries and regions around the world. The HUAWEI CLOUD infrastructure is built around Regions and Availability Zones (AZs). Compute instances and data stored in HUAWEI CLOUD can be flexibly exchanged among multiple regions or multiple AZs within the same region. Each AZ is an independent, physically isolated fault maintenance domain. Users can and should take full advantage of all these regions and AZs in their planning for application deployment and operations in HUAWEI CLOUD. Distributed deployment of an application across a number of AZs provides a high degree of assurance for normal application operations and business continuity in most outage scenarios (including natural disasters and system failures). For current information on HUAWEI CLOUD Regions and Availability Zones, please refer to the "Worldwide Infrastructure" page of the official HUAWEI CLOUD website [3].
[2] https://intl.huaweicloud.com/content/dam/cloudbu-site/archive/hk/en-us/securecenter/security_doc/SecurityWhitepaper_en.pdf
[3] https://intl.huaweicloud.com/en-us/global/
5. How HUAWEI CLOUD Meets the Requirements of HKMA Supervisory
Policy Manual on General Principles for Technology Risk Management
(TM-G-1)
The HKMA Supervisory Policy Manual on General Principles for Technology Risk Management (TM-G-1) [4] provides common principles and best practice guidelines for AIs to conduct technology risk management in six domains: IT governance, security management, system development and change management, information processing, communication networks, and management of technology service providers.
The following summarizes the control requirements associated with cloud service providers in
TM-G-1 and details how HUAWEI CLOUD, as a cloud service provider, can help AIs meet these
control requirements.
5.1 Security Management
In Chapter 3 "Security Management" of TM-G-1, AIs are required to establish appropriate security
management mechanisms covering information classification and protection, authentication and
access control, security administration and monitoring, system security, physical and personnel
security. The relevant control requirements and HUAWEI CLOUD's response are as follows:
3.1 Information classification and protection
Specific Control Requirements: AIs should ensure that all media are adequately protected, and establish secure processes for disposal and destruction of sensitive information in both paper and electronic media.
HUAWEI CLOUD Response: Customers should consider protecting all media that store information, both paper and electronic. HUAWEI CLOUD has developed a sound media management process for storage media that hold customer content data in the financial industry, to ensure the security of the data stored on the media. When a customer initiates a data deletion operation, or if the data needs to be deleted because the service has expired, HUAWEI CLOUD strictly follows the data destruction standard agreed with the customer to erase the stored customer data. Specifically, once the customer confirms the deletion, HUAWEI CLOUD deletes the index relationship between the customer and the data and clears the storage space, such as memory and block storage, before reallocation, to ensure that the related data and information cannot be restored. If a physical storage medium is to be disposed of, HUAWEI CLOUD clears the data by degaussing, bending, or breaking the storage medium to ensure that data on the medium cannot be restored.
[4] https://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisory-policy-manual/TM-G-1.pdf
3.1 Information classification and protection
Specific Control Requirements: AIs should adopt industry-accepted cryptographic solutions and implement sound key management practices to safeguard the associated cryptographic keys.
HUAWEI CLOUD Response: When customers use encryption to protect data, they should consider using industry-approved encryption algorithms and key management mechanisms. Currently, services including EVS, OBS, IMS and RDS provide data encryption or server-side encryption functions and encrypt data using high-strength algorithms.
The server-side encryption function integrates the Key Management Service (KMS) of HUAWEI CLOUD Data Encryption Workshop (DEW) [5], which provides full-lifecycle key management. Without authorization, others cannot obtain keys to decrypt data, which ensures data security on the cloud. DEW adopts a layered key management mechanism. Specifically, after the association is configured on the DEW console or through APIs, the customer's master key stored in DEW encrypts the encryption keys of each storage service, while the master key itself is encrypted by the root key stored in an HSM. In this way, a complete, secure and reliable key chain is formed. The HSM is certified by international security organizations and can prevent intrusion and tampering. Even Huawei O&M personnel cannot obtain the root key. DEW also allows customers to import their own keys as master keys for unified management, facilitating seamless integration with customers' services.
[5] https://intl.huaweicloud.com/en-us/product/dew.html
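The key chain described for DEW can be seen end to end in the following Go model, added here as an illustration rather than Huawei's code: a root key that never leaves the HSM wraps the customer master key, the master key wraps a per-object data key, and a caller without a grant on the master key is refused before anything is unwrapped; it also covers the bring-your-own-key import the text mentions. KMS, its method names, the principal names and the sample record are assumptions, and the HSM is modelled as a private field rather than a hardware device.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Runnable model of the DEW key chain: a root key held by the HSM wraps the
// customer master key (CMK), the CMK wraps each service's data encryption key
// (DEK), and only the DEK touches data. KMS and its methods are hypothetical.
type KMS struct {
	rootKey []byte                     // lives in the HSM; no method ever returns it
	wrapped map[string][]byte          // key ID -> CMK wrapped by the root key
	grants  map[string]map[string]bool // key ID -> principals allowed to use it
}

func NewKMS() *KMS {
	return &KMS{random(32), map[string][]byte{}, map[string]map[string]bool{}}
}

// ImportMasterKey keeps a CMK in wrapped form only; KMS-generated and customer-supplied (BYOK) material are treated alike.
func (k *KMS) ImportMasterKey(id string, cmk []byte) error {
	if len(cmk) != 32 {
		return fmt.Errorf("master key must be 32 bytes (AES-256), got %d", len(cmk))
	}
	k.wrapped[id] = seal(k.rootKey, cmk) // the plaintext CMK is dropped here
	k.grants[id] = map[string]bool{}
	return nil
}

func (k *KMS) Grant(id, principal string) { k.grants[id][principal] = true }

// masterKey unwraps a CMK for one operation, and only for a granted principal.
func (k *KMS) masterKey(id, principal string) ([]byte, error) {
	if !k.grants[id][principal] {
		return nil, fmt.Errorf("principal %q is not authorized for key %q", principal, id)
	}
	return open(k.rootKey, k.wrapped[id])
}

// EncryptObject: fresh DEK per object; a storage service persists only the wrapped DEK and ciphertext.
func (k *KMS) EncryptObject(id, principal string, data []byte) (wrappedDEK, ct []byte, err error) {
	cmk, err := k.masterKey(id, principal)
	if err != nil {
		return nil, nil, err
	}
	dek := random(32)
	return seal(cmk, dek), seal(dek, data), nil
}

// DecryptObject walks the chain back: grant check, CMK under the root key,
// DEK under the CMK, data under the DEK. A tampered link fails authentication.
func (k *KMS) DecryptObject(id, principal string, wrappedDEK, ct []byte) ([]byte, error) {
	cmk, err := k.masterKey(id, principal)
	if err != nil {
		return nil, err
	}
	dek, err := open(cmk, wrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("wrapped data key rejected: %w", err)
	}
	return open(dek, ct)
}

// seal/open: AES-256-GCM with a random 12-byte nonce prefixed to the output.
func seal(key, plaintext []byte) []byte {
	nonce := random(12)
	return gcm(key).Seal(nonce, nonce, plaintext, nil)
}

func open(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], nil)
}

func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys here are always 32 bytes, so no error
	g, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	return g
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy is not a state to continue from
	}
	return b
}

func main() {
	kms := NewKMS()
	_ = kms.ImportMasterKey("cmk-obs", random(32))
	kms.Grant("cmk-obs", "obs-service")
	wdek, ct, _ := kms.EncryptObject("cmk-obs", "obs-service", []byte("constructed sample record"))
	fmt.Println(kms.DecryptObject("cmk-obs", "ops-engineer", wdek, ct)) // denied before any key is unwrapped
}
```

Flipping a byte of either the wrapped data key or the ciphertext makes the corresponding GCM open fail, so a corrupted link cannot yield plaintext.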
3.2 Authentication and access control
Specific Control Requirements: Access to the information and application systems should be restricted by an adequate authentication mechanism associated with access control rules. Access control rules determine what application functions, system resources and data a user can access. For each application system, all users should be identified by unique user identification codes (e.g. user IDs) with an appropriate method of authentication (e.g. passwords) to ensure accountability for their activities.
AIs should implement effective password rules to ensure that easy-to-guess passwords are avoided and passwords are changed on a periodic basis.
Stronger authentication methods should be adopted for transactions/activities of higher risk (e.g. payment transactions, financial messages and mobile computing).
HUAWEI CLOUD Response: HUAWEI CLOUD provides customers with user account management and identity authentication suited to an enterprise-level organizational structure through Identity and Access Management (IAM) [6]. Each HUAWEI CLOUD customer has a unique user ID in HUAWEI CLOUD, and IAM provides a variety of user authentication mechanisms.
IAM allows customers' security administrators to set up different password policies and change cycles according to their needs, to prevent users from using simple passwords or keeping the same password for a long time and thereby exposing the account. In addition, IAM allows customers' security administrators to set up login policies that protect users' passwords against brute-force attacks and prevent account information from being leaked through phishing pages.
IAM also supports a multi-factor authentication (MFA) mechanism. MFA is an optional security measure that enhances account security. If MFA is enabled, users who have completed password authentication receive a one-time SMS authentication code that they must use for secondary authentication. MFA is used by default for changing important or sensitive account information such as passwords or mobile phone numbers.
At the same time, when HUAWEI CLOUD O&M personnel access the HUAWEI CLOUD Management Network for centralized management of the system, they must use individually identifiable employee accounts. These accounts are subject to strong password security policies, and passwords are changed regularly to resist brute-force attacks. In addition, two-factor authentication, such as a USB key or smart card, is used to authenticate cloud personnel. The employee account is used to log on to the VPN and the access gateway, enabling in-depth auditing of user logins.
[6] https://intl.huaweicloud.com/en-us/product/iam.html
3.2 Authentication and access control
Specific Control Requirements: Extra care should be exercised when controlling the use of and access to privileged and emergency IDs. The necessary control procedures include:
• granting of authorities that are strictly necessary to privileged and emergency IDs;
• formal approval by appropriate personnel prior to being released for usage;
• monitoring of the activities performed by privileged and emergency IDs (e.g. peer reviews of activity logs);
• proper safeguard of privileged and emergency IDs and passwords (e.g. kept in a sealed envelope and locked up inside the data center); and
• change of privileged and emergency IDs' passwords immediately upon return by the requesters.
HUAWEI CLOUD Response: HUAWEI CLOUD's unified Identity and Access Management (IAM) provides cloud resource access control for customers. With IAM, the customer administrator can manage user accounts and control the operation permissions of these accounts on the resources under the customer's name. When resources in a customer enterprise are operated cooperatively by multiple users, IAM avoids sharing account keys with other users, assigns users the minimum privileges they need on demand, and secures user accounts through login authentication policies, password policies and access control lists. Through these means, privileged and emergency accounts can be controlled effectively.
At the same time, to meet the compliance requirements, HUAWEI CLOUD has also accomplished the following:
• For operation and maintenance personnel, role-based access control is implemented. Personnel with different duties in different positions can only perform specific operations on the authorized operation and maintenance targets. Privileged or emergency accounts are granted to employees only when their duties require them.
• Applications for all privileged or emergency accounts require multi-level review and approval.
• The Privileged Account Management System binds the functional or technical accounts used for daily or emergency operations to operation and maintenance teams or individuals. O&M personnel first access the O&M environment through two-factor authentication, and then jump from the access gateway to the target PC to operate. The access gateway supports strong log auditing, so that O&M activity on the target PC can be traced to individuals.
• The password of the target PC is managed by the access gateway and updated regularly, so that operators do not need, and cannot obtain, the password.
3.3 Security administration and monitoring
Specific Control Requirements: A security administration function and a set of formal procedures should be established for administering the allocation of access rights to system resources and application systems, and monitoring the use of system resources to detect any unusual or unauthorized activities.
Proper segregation of duties within the security administration function or other compensating controls (e.g. peer reviews) should be in place to mitigate the risk of unauthorized activities being performed by the security administration function.
AIs should establish incident response and reporting procedures to handle information security-related incidents during or outside office hours.
HUAWEI CLOUD Response: HUAWEI CLOUD's unified Identity and Access Management (IAM) service allows customers' tenant administrators to flexibly manage user rights and control the rights to create, delete, modify and configure cloud resources. In addition, HUAWEI CLOUD provides operation records of cloud service resources that users can query, audit and trace back through Cloud Trace Service (CTS) [7].
To meet the requirement on rights allocation, the creation, alteration and revocation of authorizations for HUAWEI CLOUD insiders must be formally approved by designated personnel. All operation and maintenance accounts and all equipment and application accounts are managed in a unified way, monitored centrally through the unified audit platform, and audited automatically, so that the whole process from user creation, authorization and authentication to revocation of rights is managed. Account administrators regularly review user rights according to HUAWEI CLOUD's internal mechanism for standard account rights management.
HUAWEI CLOUD complies with the requirements of laws and regulations and has a centralized and complete log audit system. Operation and maintenance activities of internal personnel are collected and recorded by the log platform. HUAWEI CLOUD's log audit system has powerful data preservation and query capabilities to ensure that all log content is stored for more than six months. HUAWEI CLOUD has set up an independent internal audit department, which regularly audits the various activities of the operation and maintenance process and promptly discovers and corrects violations.
In addition, HUAWEI CLOUD has a sound security event grading and handling process, which responds to security incidents according to their importance level, based on their impact on the whole network and on customers. At the same time, HUAWEI CLOUD has set up a 24/7 professional security incident response team and expert resource pool for timely disclosure of related security incidents, timely notification of customers, and implementation of emergency plans and recovery processes to reduce the impact on business.
[7] https://intl.huaweicloud.com/en-us/product/cts.html
3.4 System security

Specific Control Requirements: Control procedures and baseline security requirements should be developed to safeguard application programs, operating systems, system software and databases. For example:
• Access control of data and programs through identity authentication and authorization;
• Periodically check the integrity of static data, such as system parameters;
• Secure configuration of operating systems, system software, databases and servers, and disable or delete all unnecessary services and programs. Consideration should be given to using security tools to enhance the security of critical systems and servers;
• Clear division of responsibilities to ensure that organizations can identify, evaluate and test the necessary patches and security updates developed by suppliers in a timely manner and apply them to relevant systems;
• Record all configurations of operating systems, system software, databases and servers, and regularly review security configurations;
• For the activities of the system and users, adequate records should be kept, and sufficient monitoring should be carried out to identify abnormal behavior. The relevant recorded data should be safely kept to avoid tampering.

HUAWEI CLOUD Response: To meet customer compliance requirements, HUAWEI CLOUD service products and components comply with Huawei's security design principles, specifications and baselines, providing multi-level security protection:
• HUAWEI CLOUD Identity and Access Management (IAM) provides identity authentication and cloud resource access control for customers.
• An integrity checking mechanism is adopted to ensure the integrity of system parameters. For example, at the level of the virtual machine operating system, HUAWEI CLOUD Image Service supports image integrity checking. When a virtual machine is created from an image, the system automatically checks the image integrity to ensure that the created virtual machine contains the complete image content. Additionally, HUAWEI CLOUD O&M personnel prevent unauthorized changes to system configuration parameters through sound change management procedures.
• HUAWEI CLOUD strengthens the security configuration of host operating systems, virtual machines, databases and web application components, and supports customers in choosing their own security configuration according to their business needs. For example, in terms of host security, the host operating system uses Huawei Unified Virtualization Platform (UVP) to manage CPU, memory and I/O resources in isolation, and the host operating system has been tailored to a minimal footprint and hardened to strengthen its services. In terms of virtual machine security, HUAWEI CLOUD provides security configurations such as image hardening, network and platform isolation, IP/MAC spoofing control, security groups, etc.
• HUAWEI CLOUD has formulated clear security requirements and a complete process control scheme for introduced open source and third-party software. Strict control is implemented at stages such as selection analysis, security testing, code security, risk scanning, forensic audit, software application and software retirement. In the case of open source vulnerabilities, HUAWEI CLOUD discovers and fixes the vulnerabilities promptly. When responding to vulnerabilities, open source and third-party software is tested as part of services and solutions to verify that known vulnerabilities of open source and third-party software have been repaired, and the list of vulnerability fixes for open source and third-party software is reflected in the Release Notes of services.
HUAWEI CLOUD Response (continued): HUAWEI CLOUD collects management behavior logs of all physical devices, networks, platforms, applications, databases and security systems, as well as threat detection and warning logs of security products and components, through a centralized big data log analysis system. The logs are kept for more than 180 days, and security measures are taken to prevent log tampering, enabling compliance and the backtracking of network security events. In addition, CTS provides operation records of cloud service resources for tenants, and many products and services also have their own logging functions. Tenants can independently select the log retention time according to their own needs to effectively support analysis of abnormal activities.
3.6 Physical and personnel security

Specific Control Requirements: Physical security measures should be in place to protect computer facilities and equipment from damage or unauthorized access.

AIs should fully consider the environmental threats (e.g. proximity to dangerous factories) when selecting the locations of their data centers.

Moreover, physical and environmental controls should be implemented to monitor environmental conditions which could adversely affect the operation of information processing facilities.

HUAWEI CLOUD Response: To meet customers' compliance requirements, HUAWEI CLOUD has established comprehensive physical security and environmental safety protection measures, strategies and procedures that comply with the Class A standard of GB 50174 Code for Design of Electronic Information System Room and the T3+ standard of TIA-942 Telecommunications Infrastructure Standard for Data Centers. HUAWEI CLOUD data centers are located on suitable physical sites, as determined from solid site surveys. During the design, construction and operation stages, the data centers have proper physical zoning and well-organized placement of information systems and components, which helps prevent potential physical and environmental risk scenarios (for example, fire or electromagnetic leakage) as well as unauthorized access. Furthermore, sufficient data center space and adequate electrical, networking and cooling capacities are reserved in order to meet not only today's infrastructure requirements but also the demands of tomorrow's rapid infrastructure expansion. The HUAWEI CLOUD O&M team enforces stringent access control, safety measures, regular monitoring and auditing, and emergency response measures to ensure the physical security and environmental safety of HUAWEI CLOUD data centers. Refer to the released HUAWEI CLOUD Security White Paper.
3.6 Physical and personnel security

Specific Control Requirements: It is also important that proper screening procedures, including verification and background checks, especially for sensitive technology-related jobs, are developed for the recruitment of permanent and temporary technology staff and contractors.

HUAWEI CLOUD Response: HUAWEI CLOUD follows Huawei's overall human resources management framework. When hiring HUAWEI CLOUD permanent staff or outsourced staff, HUAWEI CLOUD carries out strict background checks to ensure that the background and qualifications of employees are suitable for HUAWEI CLOUD's security business requirements, and special management is applied to key positions.
5.2 System Development and Change Management
In Chapter 4 "System Development and Change Management" of TM-G-1, AIs are required to
develop project management methods and processes for the life cycle of system development, and
to establish standardized change management procedures. The relevant control requirements and
HUAWEI CLOUD's response are as follows:
4.2 Project life cycle

Specific Control Requirements: AIs should adopt and implement a full project life cycle methodology governing the process of developing, implementing and maintaining major computer systems.

An independent party (e.g. the quality assurance function, the TRM function or the technology audit team), which is not involved in the project development, should conduct a quality assurance review of major technology-related projects, with the assistance of the legal and compliance functions if necessary.

A formal acceptance process should be established to ensure that only properly tested and approved systems are promoted to the production environment. System and user acceptance testing should be carried out in an environment separated from the production environment.

Production data should not be used in development or acceptance testing unless the data has been desensitised and prior approval from the information owner has been obtained.

HUAWEI CLOUD Response: To meet customer compliance requirements, HUAWEI CLOUD manages the end-to-end software and hardware life cycle through complete systems and processes, as well as automated platforms and tools. The life cycle includes security requirements analysis, security design, security coding and testing, security acceptance and release, and vulnerability management.

HUAWEI CLOUD and related cloud services comply with the security and privacy design principles and norms, laws and regulations. In the security requirements analysis and design phase, threats are analyzed according to business scenarios, data flow diagrams and networking models. When a threat is identified, the design engineer formulates mitigation measures according to the mitigation library and the security design library and completes the corresponding security design. All threat mitigation measures are eventually converted into security requirements and security functions, which, together with the company's test case library, are used to design security test cases, to ensure successful implementation and ultimately the security of products and services.

HUAWEI CLOUD strictly complies with the secure coding specifications for the various programming languages issued by Huawei. Static code analysis tools are used for routine checks, and the resulting data is entered into the cloud service tool chain to evaluate coding quality. Before any cloud service is released, static code analysis alarms must be cleared to effectively reduce coding-related security issues once the service is online.

HUAWEI CLOUD takes the security requirements identified in the security design stage, penetration test cases from the attacker's perspective, and industry standards, develops corresponding security testing tools, and conducts multiple rounds of security testing before the release of cloud services to ensure that the released cloud services meet the security requirements. Testing is conducted in a test environment isolated from the production environment, and the use of production data for testing is avoided. If production data is used for testing, it must be desensitized, and data cleaning is required after use. In addition, before a new version of the HUAWEI CLOUD platform and cloud services goes online, the compliance of the security and privacy requirements in the service area must be analyzed and judged through strict review by Huawei's Global Network Security and User Privacy Protection Officer and Chief Justice Officer, to ensure that the cloud services developed for HUAWEI CLOUD and Huawei meet the requirements of laws, regulations and customer security in all regions.
4.3 Change management

Specific Control Requirements: AIs shall establish formal change management procedures covering impact assessment, change planning, tracking, monitoring, implementation and rollback of changes.

AIs should formulate formal emergency change management procedures, stipulating the examination and implementation criteria and the approval mechanism for emergency changes.

HUAWEI CLOUD Response: Customers should consider managing changes through formal procedures. To meet customer compliance requirements, HUAWEI CLOUD has formulated a standardized change management process. Changes to environments include, but are not limited to, data center equipment, networks, system hardware and software, and applications, whether those are changes in the equipment used, architectural changes, system software updates (including network device software, OS images and application container software), or changes in configuration. All changes must be performed in an organized and priority-driven fashion. After change requests are generated, they are submitted to the HUAWEI CLOUD Change Committee by the change manager team with a change classification assigned. After the committee has reviewed and approved the requests, the planned changes can be implemented on the production network. Before a change request is submitted, the change must undergo a testing process that includes production-like environment testing, pilot release, and/or blue/green deployment. This ensures that the change committee clearly understands the change activities involved, the duration, the failure rollback procedure, and all potential impacts.

HUAWEI CLOUD has also developed a standardized emergency change management process. If emergency changes affect users, HUAWEI CLOUD communicates with users in advance by announcement, mail, telephone, conference or other means within the prescribed time limit. If an emergency change cannot meet the prescribed notice time limit, the change is escalated to HUAWEI CLOUD senior leadership, and users are notified promptly after the change is implemented. Emergency changes are recorded. The old version of the program and its data are retained before the change is executed. Changes are carried out under two-person operation to ensure they proceed smoothly and to minimize the impact on the production environment. After implementation, a designated person verifies the change to ensure that it achieves its desired purpose.
5.3 Information Processing
In Chapter 5 "Information Processing" of TM-G-1, AIs are required to develop appropriate
procedures to regulate operational activities related to information processing facilities. Control
requirements cover four domains: IT operations management and support, performance
monitoring and capacity planning, IT facilities and equipment maintenance, and disaster recovery
planning. The relevant control requirements and HUAWEI CLOUD's response are as follows:
5.1 IT operations management and support

Specific Control Requirements: AIs should have in place a problem management system to respond promptly to IT operational incidents, to escalate reported incidents to relevant IT management staff, and to record, analyse and keep track of all these incidents until rectification of the incidents.

A helpdesk function can be set up to provide front-line support to users on all technology-related problems and to relay the problems to relevant IT functions for investigation and resolution.

HUAWEI CLOUD Response: Customers should consider responding promptly to IT operation incidents through an event management system. In order to meet the compliance requirements of customers, HUAWEI CLOUD has developed a comprehensive event management process that adheres to the "four fast" principle (fast discovery, fast demarcation, fast isolation and fast recovery). Events are responded to systematically according to the impact of the event on customers and on the network as a whole. The event is recorded and tracked in the work order system to ensure that it is resolved as root cause analysis is carried out.

In addition, HUAWEI CLOUD provides an after-sales service guarantee for customers. The HUAWEI CLOUD professional service engineer team provides 24/7 service support, so customers can seek help through channels such as work orders, intelligent customer service, self-service and telephone. In addition to basic support, customers with complex systems can choose from the tiered support plans to obtain exclusive support from personnel such as the IM enterprise group, the Technical Service Manager (TAM) and the service manager.
5.2 Performance monitoring and capacity planning

Specific Control Requirements: AIs should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner. The performance monitoring process should include forecasting capability to enable problems to be identified and corrected before they affect system performance. This process should help the preparation of workload forecasts to identify trends and to provide information needed for the capacity plan, taking into account planned business initiatives.

HUAWEI CLOUD Response: Customers should consider managing capacity through formal procedures. In order to meet customer compliance requirements, HUAWEI CLOUD has formulated a standard capacity management and resource forecasting procedure to manage HUAWEI CLOUD's capacity as a whole and improve the availability of HUAWEI CLOUD resources. HUAWEI CLOUD resource utilization is monitored daily. Input from all parties provides ongoing predictions of future resource requirements, and resource expansion schemes are formulated to meet these requirements. Business capacity and performance bottlenecks are analyzed and evaluated. When resources reach a preset threshold, a warning is issued and further measures are adopted to avoid any impact on the performance of the tenant's cloud services.

Cloud Eye Service (CES)8 provides users with a robust monitoring platform for elastic cloud servers, bandwidth and other resources. CES provides real-time monitoring alarms, notifications and personalized report views so that users can accurately grasp the status of their business resources. Users can set their own alarm rules and notification policies to quickly see the running status and performance of the instance resources of each service.
5.3 IT facilities and equipment maintenance

Specific Control Requirements: AIs should regularly maintain and service IT facilities and equipment. Records should be maintained properly. A hardware and facility inventory should be kept to control and track all hardware and software purchased and leased, and be used for regular inventory taking.

HUAWEI CLOUD Response: In order to meet customer compliance requirements, HUAWEI CLOUD routinely monitors the data center, regularly inspects the controlled area (including distribution boxes, PDU cabinets, fire protection facilities, air conditioning systems and drainage systems in the facility area), and requires the inspection results to be registered, to ensure that potential safety hazards can be promptly detected and repaired and that the equipment operates stably.

In addition, HUAWEI CLOUD maintains a detailed list of hardware and facilities through the asset management system. These are checked and updated regularly.
5.4 Disaster recovery planning

Specific Control Requirements: AIs should develop disaster recovery plans for information technology to ensure that critical application systems and services can be resumed in accordance with business recovery needs.

HUAWEI CLOUD Response: To meet customers' disaster tolerance needs, in addition to the high availability infrastructure, data redundancy and backup, and DR among AZs, HUAWEI CLOUD also has a formal business continuity plan (BCP) and conducts BCP drills periodically. This plan, which applies to major disasters such as earthquakes or public health crises, ensures the continued operation of HUAWEI CLOUD services and safeguards customers' service and data security.

HUAWEI CLOUD has a DR plan (DRP) as well, and conducts DRP tests periodically. For example, first, the cloud platform infrastructure and cloud services in a certain geographic location or region are taken offline to simulate a disaster; then, system operations and migration are performed as specified in the DRP; and lastly, the service and business operation functions in the presumably disaster-impacted region are verified. Test results are then annotated and archived for continuous improvement of the DRP.

8 https://intl.huaweicloud.com/en-us/product/ces.html
5.4 Communications Networks
In Chapter 6 "Communications Networks" of TM-G-1, AIs are required to implement control
measures to protect network communication facilities and information in the network and prevent
unauthorized access to the connected network services. The relevant control requirements and
HUAWEI CLOUD's response are as follows:
6.1 Network management

Specific Control Requirements: Network design should ensure the robustness of network services and have complete network management standards. Network topology, design criteria and operating procedures should be documented, periodically reviewed and updated as required, and then communicated to employees.

AIs should identify key communication facilities that support the continuous operation of network services and set up standby paths to reduce single points of failure. In addition, the network should be continuously monitored to reduce network overload and detect network intrusion.

Finally, network analysis and monitoring tools should be protected from unauthorized use. Network tools should also be strictly limited to authorized employees and follow strict approval and inspection procedures.

HUAWEI CLOUD Response: HUAWEI CLOUD can help customers build a network security protection system to ensure the security of customer cloud services: at the Internet border, customers can detect and clean abnormal and excessive traffic attacks by deploying the Anti-DDoS9 service; key network partitions are partitioned and isolated with Virtual Private Cloud (VPC)10; and Web Application Firewall (WAF)11 is deployed to deal with web attacks and protect web application services and systems deployed in the DMZ area and facing the external network.

HUAWEI CLOUD has formulated complete network management standards and relevant operating procedures to ensure that all relevant personnel comply with the requirements of the management standards and operating procedures in the daily operation and maintenance process, and regularly reviews and updates the relevant documents before releasing them within the company.

The HUAWEI CLOUD communication infrastructure has high availability, minimizing the impact of system failures on customers. HUAWEI CLOUD has deployed a multi-region and multi-availability zone (AZ) architecture in its data center clusters to realize redundancy between multiple availability zones and further eliminate the risk of single points of failure.

HUAWEI CLOUD has deployed a full-network alarm system to continuously monitor the utilization of network equipment resources, covering all network equipment. When resource utilization reaches a preset threshold, the alarm system issues a warning, and O&M personnel take prompt measures to ensure the continuous operation of customer cloud services to the greatest extent.

HUAWEI CLOUD implements role-based access control for internal personnel. This limits personnel permissions to only the operations required for their individual role. By minimizing permission allocation and implementing strict behavioral auditing, it ensures that employees cannot make unauthorized use of network analysis and monitoring tools.

9 https://intl.huaweicloud.com/en-us/product/antiddos.html
10 https://intl.huaweicloud.com/en-us/product/vpc.html
11 https://intl.huaweicloud.com/en-us/product/waf.html
6.2 Network security and certification

Specific Control Requirements: Procedures concerning the use of networks and network services need to be established and enforced to prevent insecure connections to an AI's network.

In addition, AIs should divide the internal network into different areas. Sensitive data interaction between different network areas should be controlled and guaranteed against data tampering.

Finally, AIs should ensure that the security parameters of all network equipment are regularly checked, and that audit records of daily activities on key network equipment are maintained and regularly reviewed. Network operators should receive immediate warnings about potential security issues.

HUAWEI CLOUD Response: The Virtual Private Cloud (VPC) service provided by HUAWEI CLOUD for customers can create a private network environment for tenants and realize complete isolation between different tenants at the Layer 3 network. Tenants have full control over the construction and configuration of their own virtual network, and can configure network ACL and security group rules to strictly control the network traffic coming in and out of subnets and virtual machines, meeting customers' needs for finer-grained network isolation.

In connection with business functions and network security risks, HUAWEI CLOUD uses physical and logical controls and isolation to divide the data center into multiple security areas. To achieve regional isolation, we do not just use firewalls, but also use innovative technologies such as a software defined perimeter (SDP). This not only defines regional boundaries at the network layer, but also divides and isolates multi-layer boundaries, including the network layer, the platform layer, the application layer and the user identity layer. These boundaries operate using a trust-based system with corresponding access control.

The HUAWEI CLOUD O&M team regularly checks and updates network equipment security parameters according to internal security baseline management specifications. The management behavior logs of all network devices and the threat detection and alarm logs of security products and components are collected by the big data log analysis system to ensure the compliance of network security events and provide backtracking. HUAWEI CLOUD's linkage analysis of the warning information from various security devices can quickly identify potential or current security incidents and respond promptly.
5.5 Management of Technology Service Providers
In Chapter 7 "Management of Technology Service Providers" of TM-G-1, AIs are required to
properly manage the technical service providers to reduce the risks brought to the organization by
outsourcing services. The relevant control requirements and HUAWEI CLOUD's response are as
follows:
7.1 Management of technology outsourcing

Specific Control Requirements: The following control measures should also be considered in the management of technology outsourcing by AIs:
• Technology service providers should have sufficient resources and expertise to comply with the substance of the AIs' IT control policies;
• Outsourcing agreements should specify the service level and other responsibilities of technical service providers, as well as the ownership of software and hardware. At the same time, the agreement should require the service provider to inform the AI or obtain its approval when hiring a subcontractor, and to be responsible for the subcontracted services;
• AIs should also conduct annual audits to ensure that key technical service providers have adequate IT management and control environments.

HUAWEI CLOUD Response: HUAWEI CLOUD cooperates with customers to exercise supervision over technology outsourcing. The online HUAWEI CLOUD Customer Agreement12 defines the security responsibilities of cloud service customers and Huawei, while the HUAWEI CLOUD Service Level Agreement13 stipulates the level of service provided. HUAWEI CLOUD has also formulated an offline contract template, which stipulates that HUAWEI CLOUD should notify AIs of, and be responsible for, any subcontracted services.

In addition, HUAWEI CLOUD's services and platforms have obtained many international and industry security compliance certifications, covering information security, privacy protection, business continuity management, IT service management and other fields. HUAWEI CLOUD is committed to creating secure and credible cloud services for customers in all walks of life and providing empowerment and escort services for customers. HUAWEI CLOUD undergoes regular audits by professional third-party auditing institutions every year and provides professional assistance to actively respond to and cooperate with audit activities initiated by customers.

12 https://intl.huaweicloud.com/en-us/declaration/sa_cua.html
13 https://intl.huaweicloud.com/en-us/declaration/sla.html
6. How HUAWEI CLOUD Meets the Requirements of HKMA Supervisory Policy Manual on Outsourcing (SA-2)
The HKMA Supervisory Policy Manual on Outsourcing (SA-2)14 provides guidelines for the implementation of outsourcing by AIs by explaining the main issues requiring attention when outsourcing. It requires AIs to exercise control over the ability of service providers, outsourcing agreements, customer data confidentiality, control over outsourced activities, contingency planning, access to outsourced data and other fields.
The following will summarize the requirements for control relevant to cloud service providers in
SA-2, and elaborate on how HUAWEI CLOUD, as an authorized cloud service provider, can help
AIs meet these requirements.
6.1 Ability of Service Providers
In Chapter 2.3 "Ability of Service Providers", AIs are required to conduct inspection and due diligence before selecting a service provider to ensure that it is qualified, and to continuously monitor its performance during the service period. The relevant control requirements and HUAWEI CLOUD's response are as follows:

2.3 Ability of service providers
Specific Control Requirements:
Before selecting a service provider, AIs should perform appropriate due diligence and assess a provider from the following aspects:
a. Financial soundness;
b. Reputation;
c. Managerial skills;
d. Technical capabilities;
e. Operational capability and capacity;
f. Compatibility with the AI's corporate culture and future development strategies;
g. Familiarity with the banking industry;
h. Capacity to keep pace with innovation in the market.
HUAWEI CLOUD Response:
a. Financial soundness: HUAWEI CLOUD is Huawei's cloud service brand. Since its launch in 2017, HUAWEI CLOUD has developed rapidly and its revenue has maintained strong growth. According to the Q1 China Public Cloud Service Market Tracking Report 2019 released by IDC, a global authoritative consultancy, Huawei's cloud revenue grew by more than 300% in terms of the overall market share of IaaS and PaaS, and Huawei's cloud PaaS market share grew by nearly 700%, ranking first in growth rate among the top 5 providers in China's public cloud service business.
b. Reputation: As always, HUAWEI CLOUD adheres to the customer-centric principle, which has led more and more customers to choose HUAWEI CLOUD. HUAWEI CLOUD has made breakthroughs in different Chinese industries such as the internet, live on demand, video surveillance, genetics, automobile manufacturing and other industries. Outside the Chinese mainland, HUAWEI CLOUD has been launched in Hong Kong (China), Russia, Thailand, South Africa and Singapore in succession.
c. Managerial skills: HUAWEI CLOUD inherits Huawei's risk management capability and has established a complete risk management system. Through the continuous operation of this system, HUAWEI CLOUD can effectively control risks in a complex internal and external environment with large market uncertainties, strive for the optimal balance between performance growth and risk, continuously manage internal and external risks, and ensure the sustainable and healthy development of the company.
d. Technical capabilities: HUAWEI CLOUD provides cloud services online, opening up to customers Huawei's more than 30 years of technology accumulation and product solutions in ICT infrastructure. HUAWEI CLOUD has five core technological advantages: full-stack, all-scenario AI, multi-architecture, extreme performance, security and reliability, and open innovation. For example, in the field of artificial intelligence (AI), HUAWEI CLOUD AI has landed over 300 projects in 10 major industries, such as city, manufacturing, logistics, internet, medical treatment and campus. In terms of multi-architecture, HUAWEI CLOUD has created a new multi-computing cloud service architecture based on "x86 + Kunpeng + Ascend", which enables various applications to run at the optimal computing power to maximize customer value.
e. Operational capability and capacity: HUAWEI CLOUD follows ISO 27001, ISO 20000, ISO 22301 and other international standards to establish a sound information security management system, IT service management system and business continuity management system, and operates these systems daily in line with the applicable requirements. HUAWEI CLOUD regularly carries out risk assessment, management review and other activities every year to identify problems in the operation of the systems and rectify them, so as to continuously improve the management system.
f. Compatibility with AIs' corporate culture and future development strategies: In the product and service planning and design phases, HUAWEI CLOUD defines product security and functional requirements according to customer business scenarios, laws and regulations, and regulatory requirements, and implements them in the R&D phase to meet customer needs.
g. Familiarity with the banking industry: HUAWEI CLOUD has released financial industry solutions that provide end-to-end cloud solutions for banks, insurance companies and other customers, combining the needs of the industry with Huawei's comprehensive cloud services. HUAWEI CLOUD has commissioned an independent third-party evaluation to compare HUAWEI CLOUD's internal control status with the regulatory guidelines and announcement requirements issued by the Hong Kong Monetary Authority, conduct a gap analysis and ensure that all gaps are rectified.
h. Capacity to keep pace with innovation in the market: Since its launch, HUAWEI CLOUD has insisted on technological innovation and has released a series of leading new products and upgrades covering many fields, such as cloud security, DevOps, cloud container engine and microservice engine, service mesh, computing, cloud storage, network and cloud disaster recovery.

14 https://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisory-policy-manual/SA-2.pdf
6.2 Outsourcing Agreement
Chapter 2.4 "Outsourcing Agreement" requires that the relevant matters be clearly defined in the agreement signed between AIs and their service provider. The relevant control requirements and HUAWEI CLOUD's response are as follows:

2.4 Outsourcing agreement
Specific Control Requirements:
The type and level of services to be provided and the contractual liabilities and obligations of the service provider should be clearly set out in a service agreement between AIs and their service provider.
HUAWEI CLOUD Response:
HUAWEI CLOUD provides the online HUAWEI CLOUD Customer Agreement and HUAWEI CLOUD Service Level Agreement, which specify the content and level of services provided, as well as the responsibilities of HUAWEI CLOUD. HUAWEI CLOUD has also developed an offline contract template, which can be customized according to the needs of different customers.
6.3 Customer Data Confidentiality
Chapter 2.5 "Customer Data Confidentiality" requires AIs to ensure the confidentiality of customer data in the process of outsourcing services. The relevant control requirements and HUAWEI CLOUD's response are as follows:

2.5 Customer data confidentiality
Specific Control Requirements:
AIs should ensure compliance with customer data confidentiality requirements and take preventive measures to protect the integrity and confidentiality of customer data.
HUAWEI CLOUD Response:
HUAWEI CLOUD strictly adheres to the principle of "not accessing customer data without permission" and explicitly states in the user agreement that it will not access or use the user's content unless this is necessary to provide services to the user or to comply with laws and regulations or binding orders of government institutions. HUAWEI CLOUD strictly conforms to the data protection principles described in the Personal Data (Privacy) Ordinance (PDPO); at the same time, in contracts signed with customers in the financial industry, it clearly stipulates the responsibility of HUAWEI CLOUD to customers in the case of a breach of confidentiality clauses.
In addition, HUAWEI CLOUD service products and components have planned and implemented isolation mechanisms from the beginning of their design, preventing intentional or unintentional unauthorized access and tampering between customers and reducing the risk of data leakage. Taking data storage as an example, HUAWEI CLOUD services including block storage, object storage and file storage all treat customer data isolation as an important feature.

2.5 Customer data confidentiality
Specific Control Requirements:
In the event of termination of an outsourcing agreement, AIs should ensure that all customer data is either retrieved from the service provider or destroyed.
HUAWEI CLOUD Response:
When the service agreement terminates, customers can migrate their content data out of HUAWEI CLOUD, for example to a local data center, using the Cloud Data Migration (CDM) service provided by HUAWEI CLOUD.
When destroying customer data, HUAWEI CLOUD clears the specified data and all its copies. Once customers confirm the deletion, HUAWEI CLOUD deletes the index relationship between the customer and the data, and clears the storage space, such as memory and block storage, before reallocation, to ensure that the related data and information cannot be restored. If a physical storage medium is to be disposed of, HUAWEI CLOUD clears the data by degaussing, bending or breaking the storage medium to ensure that data on it cannot be restored.
6.4 Control over Outsourced Activities
Chapter 2.6 "Control over Outsourced Activities" requires AIs to continuously monitor the services of outsourced service providers and to establish reporting mechanisms for outsourcing issues. The relevant control requirements and HUAWEI CLOUD's response are as follows:

2.6 Control over outsourced activities
Specific Control Requirements:
AIs shall monitor the contract performance, material problems encountered, financial condition and risk profile, and the effectiveness of contingency plans of service providers. AIs should establish reporting procedures which can promptly escalate problems relating to the outsourced activity to the attention of the management of the AI and their service providers.
HUAWEI CLOUD Response:
HUAWEI CLOUD is audited regularly by professional third-party auditors every year and can provide the relevant audit reports to customers when they need them. Huawei will also assign a dedicated person to take charge of inspections and due diligence initiated by customers. In addition, HUAWEI CLOUD provides an after-sales service guarantee for customers: the HUAWEI CLOUD professional service engineer team provides 24/7 service support, and customers can seek help through work orders, intelligent customer service, self-service and telephone. In addition to basic support, customers with complex systems can choose from the tiered support plans to obtain exclusive support from personnel such as the IM enterprise group, Technical Service Manager (TAM) and service manager.
6.5 Contingency Planning
Chapter 2.7 "Contingency Planning" requires AIs to prepare contingency plans when outsourcing services to ensure business continuity. The relevant control requirements and HUAWEI CLOUD's response are as follows:

2.7 Contingency planning
Specific Control Requirements:
AIs and service providers should maintain and regularly test contingency plans, which include contingency arrangements for daily operations and system problems.
HUAWEI CLOUD Response:
HUAWEI CLOUD has formulated a complete contingency plan, which specifies in detail the organization, procedures and operational specifications of contingency response, and carries out regular testing to ensure the continuous operation of cloud services and the business and data security of customers.
6.6 Access to Outsourced Data
Chapter 2.8 "Access to Outsourced Data" requires AIs to ensure that outsourced data can be accessed by the HKMA when services are outsourced and that appropriate audits of service providers are conducted. The relevant control requirements and HUAWEI CLOUD's response are as follows:

2.8 Access to outsourced data
Specific Control Requirements:
AIs shall keep appropriate up-to-date records in their premises for inspection by the HKMA and ensure that the data they retrieve from service providers are accurate and readily available for inspection by the HKMA in Hong Kong.
AIs should ensure that agreements with service providers contain provisions allowing the HKMA to review the operation and control of service providers.
HUAWEI CLOUD Response:
HUAWEI CLOUD provides customers with a variety of data backup and migration services, which can help customers migrate data to local data centers and other locations. HUAWEI CLOUD also provides customers with a variety of security mechanisms to ensure the integrity of customer data during storage and transmission.
If customers need to sign offline contracts with HUAWEI CLOUD, HUAWEI CLOUD will include provisions allowing the HKMA to review the operation and management control system of HUAWEI CLOUD, and customize them according to the needs of different customers. When the HKMA inspects HUAWEI CLOUD, HUAWEI CLOUD will provide professional assistance and actively cooperate with the audit according to its internal process.
7. How HUAWEI CLOUD Meets the Requirements of HKMA Supervisory Policy Manual on Business Continuity Planning (TM-G-2)
The HKMA Supervisory Policy Manual on Business Continuity Planning (TM-G-2)15 provides AIs with guidance on implementing effective business continuity management, covering business impact analysis and recovery strategy, development of the business continuity plan, alternate sites for business and technology recovery, implementation of the business continuity plan, and so on.
The following summarizes the control requirements related to cloud service providers in the manual and elaborates on how HUAWEI CLOUD, as an authorized cloud service provider, can help AIs meet these control requirements.
7.1 Business Impact Analysis and Recovery Strategy
Chapter 3 of HKMA Supervisory Policy Manual on Business Continuity Planning (TM-G-2), "Business Impact Analysis and Recovery Strategy", requires AIs to carry out business impact analysis, identify key businesses and recovery objectives, and formulate corresponding recovery strategies. The related control requirements and HUAWEI CLOUD's response are as follows:

3.1 Business impact analysis
Specific Control Requirements:
AIs should carry out business impact analysis to identify critical business activities and determine the recovery deadline for them. Based on the business impact analysis, the business and support functions should be able to define the minimum level of critical services to be delivered in the event of a disaster.
HUAWEI CLOUD Response:
To provide continuous and stable cloud services to customers, HUAWEI CLOUD has established a complete business continuity management system in accordance with ISO 22301, the international standard for business continuity management. Under this framework, HUAWEI CLOUD carries out regular business impact analysis, identifies key businesses, and determines the recovery objectives and minimum recovery level of key businesses. In identifying key businesses, the impact of a business interruption on cloud service customers is treated as an important criterion.

3.2 Recovery strategy formulation
Specific Control Requirements:
Individual critical business and support functions should formulate their own recovery strategies on how to achieve the recovery time-frame and to deliver the minimum level of critical services derived from the business impact analysis. This involves determination of an alternate site, total number of recovery personnel and the related workspace, applications and technology requirements, office facilities and vital records required for the provision of such levels of services.
HUAWEI CLOUD Response:
Customers should consider specifying recovery strategies to address the results of their business impact analysis. In order to meet customer compliance requirements, HUAWEI CLOUD has formulated a sound recovery strategy for the key businesses supporting the continuous operation of cloud services, according to the requirements of its internal business continuity management system. The recovery strategy takes site, equipment, personnel, information systems, third parties and other aspects into consideration.

15 https://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisory-policy-manual/TM-G-2.pdf
7.2 Development of Business Continuity Plan
Chapter 4 of the HKMA Supervisory Policy Manual on Business Continuity Planning (TM-G-2), "Development of Business Continuity Plan", requires AIs to develop detailed procedures and operational guidelines to respond to crisis events and ensure prompt recovery from critical business interruptions. The control requirements cover domains such as the crisis management process, business resumption, technology recovery, business continuity models, vital record management, and public relations and communication strategy.
The relevant control requirements and HUAWEI CLOUD's response are as follows:
4.2 Crisis management process
Specific Control Requirements:
Business continuity plans should include crisis management processes to guide emergency response and containment. Senior management should identify potential crisis scenarios and develop crisis management procedures to deal with them. Crisis management should include procedures such as emergency detection and reporting, crisis management team impact assessment, BCP start-up conditions, and internal and external communications.
HUAWEI CLOUD Response:
To meet customers' compliance requirements, HUAWEI CLOUD regularly conducts risk assessment according to the requirements of its internal business continuity management system, identifies and analyses the potential risks faced by the key resources supporting the continuous operation of cloud services, further considers emergency scenarios and risks, and formulates crisis management procedures to deal with and reduce the impact of various emergencies. The crisis management procedures include early warning and reporting of emergencies, emergency escalation, the conditions for activating emergency plans, notification of event progress, and internal and external communication processes.

4.4 Technology recovery
Specific Control Requirements:
AIs should pay attention to the resilience of critical technology equipment and facilities such as the Uninterruptible Power Supply (UPS) and the cooling systems. Such equipment and facilities should be subject to continuous monitoring and periodic maintenance and testing. Appropriate personnel should be assigned with the responsibility for technology recovery. Alternate personnel need to be identified for key technology recovery personnel.
HUAWEI CLOUD Response:
HUAWEI CLOUD infrastructure has high availability. HUAWEI CLOUD has developed a sound internal process to ensure continuous monitoring, regular maintenance and regular testing of infrastructure operation, to minimize the impact of system failures on customers. HUAWEI CLOUD data centers rely on a "two sites, three centers" structure to realize disaster recovery and backup of the data center itself, with disaster data backup between different availability zones (AZs) in the same region. If a fault occurs in an AZ, the system automatically transfers customer applications and data from the affected area to ensure business continuity while meeting compliance policies. Each AZ has its own UPS and on-site standby power generation equipment, and each AZ connects to a different power grid. All AZs are redundantly connected to multiple primary transmission providers to further eliminate the risk of single points of failure.
HUAWEI CLOUD has set up a multiple-position backup mechanism for the key positions supporting cloud services.
4.5 Business continuity model
Specific Control Requirements:
Various business continuity models can be adopted by AIs to handle prolonged disruptions. For example, the traditional model is an "active/backup" model, which is based on an "active" operating site with a corresponding alternate site (backup site); an emerging split operations model is to operate with two or more widely separated active sites for the same critical operations, providing inherent back-up for each other (e.g. call centres for customer services). Each site has the capacity to take up some or all of the work of another site for an extended period of time.
HUAWEI CLOUD Response:
Customers can rely on the Region and Availability Zone (AZ) architecture of the HUAWEI CLOUD data center cluster for disaster recovery and backup of their business systems. Data centers are deployed around the world according to rules. Customers have disaster data backup centers across two sites. If a failure occurs, the system automatically transfers customer applications and data from the affected areas to ensure business continuity while meeting compliance policies. HUAWEI CLOUD has also deployed a Global Server Load Balance center. Customer applications can achieve N+1 deployment across data centers; even if one data center fails, traffic load can be balanced to the other centers.
4.6 Vital record management
Specific Control Requirements:
Copies of vital records should be stored off-site as soon as possible after creation. Back-up vital records must be readily accessible for emergency retrieval. Access to back-up vital records should be adequately controlled to ensure that they are reliable for business resumption purposes.
For certain critical services, AIs should consider the need for instantaneous data back-up (e.g. adopting real-time data mirroring technology) to ensure prompt system and data recovery.
HUAWEI CLOUD Response:
HUAWEI CLOUD provides multi-granularity data backup and archiving services to meet customers' requirements in specific scenarios. Customers can use the versioning function of OBS, Volume Backup Service (VBS), and Cloud Server Backup Service (CSBS) to back up in-cloud documents, disks, and servers. Benefiting from the on-demand use, scalability and high reliability of cloud services, customers can also use the Backup and Archive Solution, backup and archiving software, and HUAWEI CLOUD infrastructure to back up on-premises data to HUAWEI CLOUD.
With the DEW service, customers can encrypt backup data easily and quickly, thereby ensuring data security.
In addition, to minimize service interruption caused by hardware failures, natural disasters, or other disastrous events, HUAWEI CLOUD has prepared DR plans for all data centers:
• User data can be replicated and stored on multiple nodes in a data center. If a single node fails, user data will not be lost. The system supports automatic failure detection and data recovery.
• Different AZs within a single region are linked by Data Center Interconnection (DCI) over high-speed fiber, supporting the essential requirement of cross-AZ data replication. Users can also leverage the HUAWEI CLOUD DR replication service and solution based on their business needs.
4.7 Public relations and communication strategy
Specific Control Requirements:
AIs should formulate a formal strategy for communication with key external parties. The strategy needs to set out with which parties AIs should communicate in the event of a disaster. Important conversations with external parties should be properly logged for future reference. Important contact numbers and e-mail addresses of key external parties should be kept in a readily accessible manner.
HUAWEI CLOUD Response:
HUAWEI CLOUD, as a service provider of AIs, will actively cooperate with communication initiated by AIs. The HUAWEI CLOUD professional service engineer team provides 24/7 service support, and customers can contact the HUAWEI CLOUD support team through work orders, intelligent customer service, self-service, and hotline.
HUAWEI CLOUD has also formulated crisis communication strategies according to the requirements of its internal business continuity management system, and has defined the people to contact in the case of emergencies, the content of the dialogue, and the method of communication.
7.3 Alternate Sites for Business and Technology Recovery
Chapter 5 of the HKMA Supervisory Policy Manual on Business Continuity Planning (TM-G-2) sets out specific requirements for disaster recovery alternate sites to ensure that they can take on critical business in emergency scenarios. The relevant control requirements and HUAWEI CLOUD's response are as follows:

5.1 Selection criteria for alternate sites
Specific Control Requirements:
Alternate sites should be sufficiently distanced to avoid being affected by the same disaster.
AIs' alternate sites should be readily accessible and available for occupancy within the time requirement specified in their BCPs. Should the BCPs so require, the alternate sites should have pre-installed workstations, power, telephones and ventilation, and sufficient space. Appropriate physical access controls such as access control systems and security guards should be implemented in accordance with AIs' security policy.
HUAWEI CLOUD Response:
Customers have disaster data backup centers across two sites. If a failure occurs, the system automatically transfers customer applications and data from the affected area to ensure business continuity while meeting compliance policies. When HUAWEI CLOUD sites its data centers, it ensures that different data centers are kept far enough apart to avoid being affected by the same threat. At the same time, the site selection ensures the supporting resources necessary for the normal operation of the data center, such as municipal electricity, water, communication lines and so on.
The HUAWEI CLOUD O&M team strictly implements access control, security measures, routine monitoring and audit measures to ensure the physical security of HUAWEI CLOUD data centers. Detailed information on the physical security of data centers can be found in the HUAWEI CLOUD Security White Paper.
5.2 Alternate sites for technology recovery
Specific Control Requirements:
Alternate sites for technology recovery should have sufficient technical equipment (e.g. workstations, servers, printers, etc.) of appropriate model, size and capacity to meet recovery requirements as specified by AIs' BCPs. The sites should also have adequate telecommunication (including bandwidth) facilities and pre-installed network connections.
HUAWEI CLOUD Response:
Compute instances and data stored in HUAWEI CLOUD can be flexibly exchanged among multiple regions or multiple AZs within the same region. Each AZ is an independent, physically isolated fault maintenance domain, has its own UPS and on-site backup power generator, and connects to a power grid different from that of any other AZ. All AZs connect to multiple tier-1 telecom providers for redundancy, eliminating the risk of a single point of failure.
5.3 Alternate sites provided by vendors or other institutions
Specific Control Requirements:
The contractual terms between AIs and vendors should include the lead-time and capacity that vendors are committed to deliver in terms of backup facilities, technical support or hardware. The vendor should be able to demonstrate its own recoverability.
HUAWEI CLOUD Response:
HUAWEI CLOUD infrastructure has high availability. Customers can rely on the Region and Availability Zone (AZ) architecture of the HUAWEI CLOUD data center cluster for disaster recovery and backup of their business systems. Data centers are deployed around the world according to strict rules. Customers have disaster data backup centers in two different physical locations. If one location fails, the system automatically transfers customer applications and data from the affected areas to ensure business continuity and meet compliance policies. If business needs require customers to consider disaster recovery, they need to deploy distributed applications using multiple AZs or choose replicated disaster recovery services; HUAWEI CLOUD can provide relevant assistance. Additionally, the "HUAWEI CLOUD Service Level Agreement" promises a certain level of service for HUAWEI CLOUD products and services, including a service availability commitment, and HUAWEI CLOUD will strictly comply with the requirements of the agreement. HUAWEI CLOUD also provides offline contract templates. If customers have special disaster recovery requirements, HUAWEI CLOUD can add provisions upon agreement by both sides.
7.4 Implementation of Business Continuity Plan
Chapter 6 "Implementation of Business Continuity Plan" requires AIs to regularly test and maintain the business continuity plan to ensure its effectiveness. The relevant control requirements and HUAWEI CLOUD's response are as follows:

6.1 Testing and rehearsal
Specific Control Requirements:
AIs are expected to conduct testing of their BCP at least annually. Both recovery and alternate personnel should participate in plan rehearsals to familiarise themselves with their recovery responsibilities. The scope of testing should be comprehensive to cover the major components of the BCP as well as coordination and interfaces among important parties. Formal testing documentation (including testing plan, testing scenarios, testing procedures and testing results) should be produced, and plans and recovery strategies should be updated to remedy the situation.
HUAWEI CLOUD Response:
As a supplier to cloud service customers, HUAWEI CLOUD will actively cooperate with customer-initiated test requirements and help customers test the effectiveness of their business continuity plans.
HUAWEI CLOUD tests its business continuity plans and disaster recovery plans annually according to the requirements of its internal business continuity management system. All emergency response personnel, including reserve personnel, are required to participate. The tests include desktop exercises, functional exercises and full-scale exercises, in which high-risk scenarios are emphasized. During testing, HUAWEI CLOUD selects test scenarios, develops complete test plans and procedures, and records test results. After the test is completed, the relevant personnel write the test report and summarize any problems found during the test. If the test results show problems with the business continuity plan, recovery strategy or emergency plan, the documents will be updated.
6.2 Periodic
maintenance
Individual business and
support functions should
review their business
impact analysis and
recovery strategy on an
annual basis.
The contact information
for key staff,
counterparties, customers
and service providers
should be updated as soon
as possible.
Copies of the BCP
document should be
stored at locations
separate from the primary
sites. A summary of key
steps to take in an
emergency should be
made available to senior
management and other
key personnel and kept by
them in multiple
locations.
Customers should consider updating
business continuity plans at least once a
year and make sure copies are available.
In order to meet the compliance
requirements of customers, HUAWEI
CLOUD regularly audits and updates all
system documents every year according to
the requirements of the internal business
continuity management system. HUAWEI
CLOUD maintains a list of contacts that
should be contacted in case of an
emergency and updates it promptly when
notified of personnel changes.
Multiple copies of documents such as the
business continuity plan, emergency
response plan and disaster recovery
operation manual are stored both
electronically and in paper form and are
distributed to relevant management and
other key personnel.
8. How HUAWEI CLOUD Meets the Requirements of HKMA Guideline on Authorization of Virtual Banks
The HKMA issued the Guideline on Authorization of Virtual Banks16 on February 6, 2018. After the completion of public consultation, the revised Guideline on Authorization of Virtual Banks was issued on May 30, 2018. In the guideline, the HKMA stated that the development of virtual banks would promote the application and innovation of financial technology in Hong Kong, provide a new customer experience and promote financial inclusion. Therefore, the HKMA invited applicants, including non-financial institutions such as technology companies, to set up virtual banks in Hong Kong.
The guideline sets out the main requirements that companies applying to establish virtual banks should comply with, including ownership structure, ongoing supervision, physical offices, business plans, technology risks, outsourcing arrangements and so on. In terms of technology risks, the guideline emphasizes that companies applying for virtual banking should pay attention to three aspects of technology risk: information security, system resilience and business continuity, and adopt security and technical control measures that meet business needs. In terms of outsourcing arrangements, the guideline indicates that outsourcing arrangements must be approved and comply with the SA-2 Outsourcing Supervisory Policy Manual and other relevant requirements.
16 https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/guideline/guideline_eng_virtual_bank_20180608.pdf
The following table summarizes how HUAWEI CLOUD, as a cloud service provider, will assist virtual banking applicants to meet the technology risk and outsourcing arrangement requirements outlined in the guideline.
Control Domain: Technology risk
Specific Control Requirements: Virtual banking applicants should pay attention to the risks of information security, system resilience and business continuity management, and adopt security and technical control measures that meet business needs.
HUAWEI CLOUD Response:
Information Security: HUAWEI CLOUD not only guarantees the security of the cloud platform, but also provides layer-by-layer protective measures for all stages of the data life cycle in the customer's cloud. Through friendly operation interfaces, HUAWEI CLOUD facilitates customer use and integration, and meets the individualized data security needs of customers in different industries. See the White Paper for HUAWEI CLOUD Data Security17 for more information.
System Resilience: HUAWEI CLOUD infrastructure is highly available and thereby minimizes the impact of system failures on our customers. Disaster data backup centers are deployed across different AZs in the same region. If a fault occurs in an AZ, the system automatically transfers customer applications and data away from the affected area to ensure business continuity while meeting compliance policies. Each AZ has its own UPS and on-site standby power generation equipment. Each AZ is connected to different power grids. All AZs are redundantly connected to multiple primary transmission providers to further eliminate the risk of a single point of failure. See section 8.4 "Business continuity and disaster recovery" of the HUAWEI CLOUD Security White Paper for more information.
Business Continuity Management: HUAWEI CLOUD follows the ISO 22301 international standard for business continuity management and has established a complete business continuity management system. Within this framework, business impact analysis and risk assessment are carried out regularly, and business continuity plans and disaster recovery plans are formulated and tested regularly. Test results are annotated and documented to continuously improve the plans. In addition, HUAWEI CLOUD can assist customers in developing and testing business continuity plans according to their needs.
17 https://intl.huaweicloud.com/content/dam/cloudbu-site/archive/hk/en-us/securecenter/security_doc/DataSecurityWhitepaper_en.pdf

Control Domain: Technology risk
Specific Control Requirements: The applicant shall engage a qualified independent expert to produce an independent assessment report on its computer hardware, systems, security, processes and controls.
HUAWEI CLOUD Response: HUAWEI CLOUD can provide professional assistance with the expert assessment commissioned by the customer, and will actively respond to and cooperate with the audit activities initiated by the customer. HUAWEI CLOUD is also audited by professional third-party auditors every year and receives their audit reports.

Control Domain: Outsourcing arrangement
Specific Control Requirements: Outsourcing arrangements must be effectively approved and must comply with the Supervisory Policy Manual on Outsourcing (SA-2), the Personal Data (Privacy) Ordinance and the client confidentiality provisions under the common law. The confidentiality and integrity of customer data should be protected in outsourcing activities.
HUAWEI CLOUD Response: HUAWEI CLOUD can assist cloud service customers to meet outsourcing requirements:
• Chapter 6 "How HUAWEI CLOUD Meets the Requirements of HKMA Supervisory Policy Manual on Outsourcing (SA-2)" describes in detail how HUAWEI CLOUD helps financial institutions meet the requirements of SA-2.
• Chapter 9 "How HUAWEI CLOUD Meets the Requirements of HKMA Customer Data Protection" elaborates on how HUAWEI CLOUD can assist financial institutions to protect their customer data.
9. How HUAWEI CLOUD Meets the Requirements of HKMA Customer Data Protection
The HKMA circular Customer Data Protection18 explains the importance to AIs of protecting the confidentiality of customer data and provides implementation guidelines on how to protect customer data.
The following summarizes the control requirements in the circular that relate to cloud service providers, and elaborates on how HUAWEI CLOUD, as an authorized cloud service provider, can help AIs meet these control requirements.
No.: B
Control Domain: Data security policies and awareness
Specific Control Requirements: AIs should develop formal policies and procedures on data security to safeguard customer data. Where personal data are involved, the policies and procedures, including those to be followed by the relevant service providers, should also be in line with the PDPO and any relevant codes of practice, rules or guidance issued or approved by the Privacy Commissioner. In addition, AIs should develop awareness training programs to inform employees of the importance of customer data protection.
HUAWEI CLOUD Response: Customers should consider formulating appropriate strategies to protect customer data in their business, especially for the protection of personal information. In order to meet customer compliance requirements, HUAWEI CLOUD has established, and continues to improve, a complete information security and privacy protection management system in accordance with various regulatory requirements and international and industry standards. The management system has detailed policies and procedures in many security fields, such as physical security control, system security, security awareness training and so on. HUAWEI CLOUD continues to implement the management system requirements to ensure the security of customer business and data.
HUAWEI CLOUD has formulated a comprehensive security awareness training plan, which includes security awareness training at recruitment, on the job, on transfer, and at other such points. This ensures that employee behavior complies with all laws, policies, processes and requirements in Huawei's business code of conduct. In addition, HUAWEI CLOUD has established a rigorous security responsibility system, implemented a mechanism of accountability for violations, and made employees aware of possible sanctions for violations through training.
18 https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2014/20141014e1.pdf
No.: C
Control Domain: Logical access control of customer data
Specific Control Requirements: AIs should identify the locations of customer data residing in different parts of AIs' networks and systems, and ensure that adequate logical access controls are in place at different levels (such as the application level, database level, operating system level, and network level) to prevent unauthorized access to customer data and unauthorized/erroneous transmission of customer data to external parties.
HUAWEI CLOUD Response: HUAWEI CLOUD's unified Identity and Access Management (IAM) service provides cloud resource access control for customers. With IAM, the customer administrator can manage user accounts and control the operation rights of those user accounts on the resources under the customer's account. Cloud Audit Service (CTS) provides customers with operation records of cloud service resources for query, audit and retrospective analysis. Three types of operations are recorded: operations performed through the management console after logging in with the cloud account, operations performed through the APIs supported by cloud services, and operations triggered within Huawei's cloud system.
HUAWEI CLOUD follows the principle of "not accessing customer data without permission" and explicitly states in the user agreement that it will not access or use the user's content unless this is necessary to provide services for the user or to comply with laws and regulations or binding orders of government organs. When internal operation and maintenance personnel access the HUAWEI CLOUD management network for centralized management of the system, they must use two-factor authentication for identity authentication, such as a USB key or smart card. Employee accounts are used to log on to the VPN and the bastion host ("Fortress Machine") so that user logins can be audited in depth.
HUAWEI CLOUD provides infrastructure for customers. It considers infrastructure security the core component of its cloud security protection system, which is built as a multi-dimensional full stack. It provides multi-level security protection for the physical environment, network, platform, application programming interfaces, data and so on. For more information, see section 5 "Infrastructure Security" of the HUAWEI CLOUD Security White Paper.
No.: E
Control Domain: Controls over storage of customer data
Specific Control Requirements: AIs should implement effective controls for prompt detection of unusual downloading activities that may involve customer data. For instance, AIs could enable logging of data downloading to those media and perform periodic sample checks on whether customer data have been downloaded without authorization. For all media (including paper and electronic media) where customer data is stored, AIs should establish secure processes for disposal and destruction of customer data stored in such media.
HUAWEI CLOUD Response: Customers own and control their data on the cloud. Without their permission, HUAWEI CLOUD will not access any customer data. To prevent this data from being downloaded wrongfully, customers can use different ways to audit and detect abnormal activities for different products and services. For example, for object storage, file storage and other services, customers can use the cloud audit service to record user operations on data. For relational database services, customers can use database security services for column-level management and to access activity records.
When customers stop using HUAWEI CLOUD services and need to destroy content data, HUAWEI CLOUD clears the specified data and all its copies. Once customers confirm the deletion, HUAWEI CLOUD deletes the index relationship between the customer and the data, and clears the storage space, such as memory and block storage, before reallocation, to ensure that the related data and information cannot be restored. If a physical storage medium is to be disposed of, HUAWEI CLOUD clears the data by degaussing, bending, or breaking the storage medium to ensure that data on it cannot be restored.
No.: G
Control Domain: Physical security controls over office environment related to customer data
Specific Control Requirements: AIs should identify the locations within and outside their premises (including service providers) where their customer data are stored or can be accessed. They should satisfy themselves that adequate physical security (including physical access controls, security guards and surveillance cameras) is in place in those locations in order to safeguard customer data against theft or unauthorized access. When AIs or their service providers (e.g. couriers) need to relocate or transport their systems, facilities, records or other assets that contain customer data, they should arrange adequate physical security controls to protect those assets and data during the relocation or transportation. Adequate reconciliation or inventory checks should be performed as soon as practicable during and after the relocation or transportation to ensure that no customer data are lost in transit. AIs should control places or service providers that process or access large amounts of sensitive customer data.
HUAWEI CLOUD Response: HUAWEI CLOUD enforces stringent data center access control for both personnel and equipment. Security guards, stationed 24/7 at every entrance to each HUAWEI CLOUD data center site as well as at the entrance of each building on site, are responsible for registering and monitoring visitors and staff, managing their access scope on an as-needed basis. Different security strategies are applied to the physical access control systems at different zones of the data center site for optimal physical security. Security guards strictly review and regularly audit user access privileges. Important physical components of a data center are stored in designated safes with crypto-based electronic access code protection in the data center storage warehouses. Only authorized personnel can access and operate the safes. Work orders must be filled out before any physical components within the data center can be carried out of the data center. Personnel removing any data center components must be registered in the warehouse management system (WMS). Designated personnel perform periodic inventories of all physical equipment and warehouse materials. Data center administrators not only perform routine safety checks but also audit data center visitor logs on an as-needed basis to ensure that unauthorized personnel have no access to data centers.
No.: I
Control Domain: Other controls over service providers
Specific Control Requirements: Where there is an operational need for AIs to transmit customer data to their service providers over a public network, strong data encryption should be in place to protect the customer data during transmission.
HUAWEI CLOUD Response: Customers can use the virtual private network (VPN)19, Cloud Direct (DC)20, Cloud Connection (CC)21 and other services provided by HUAWEI CLOUD to achieve secure business interconnection and data transmission between different regions. Among them, the VPN service builds a virtual private network over the Internet based on the IKE and IPsec protocols, using Huawei's professional equipment. It constructs a secure and reliable encrypted transmission channel between a local data center and HUAWEI CLOUD VPCs in different areas.
The cloud dedicated line service is based on the various types of dedicated line networks offered by carriers. It builds exclusive encrypted transmission channels between a local data center and a HUAWEI CLOUD VPC. Physical isolation between customers' dedicated lines meets higher security and stability requirements. The cloud connection service can quickly establish a private communication network between multiple local data centers and multiple cloud VPCs, supports the interconnection of cross-cloud VPCs, and greatly improves the security and speed of the global expansion of customer services.
19 https://intl.huaweicloud.com/en-us/product/vpn.html
20 https://intl.huaweicloud.com/en-us/product/dc.html
21 https://intl.huaweicloud.com/en-us/product/cc.html
10. How HUAWEI CLOUD Meets the Requirements of Incident Response and Management Procedures
The HKMA circular Incident Response and Management Procedures22 reminds AIs that they must have the capability and procedures required to respond to major incidents. It also sets out guiding principles that AIs should follow when communicating with the public regarding major incidents.
The following summarizes the control requirements in the circular that relate to cloud service providers, and elaborates on how HUAWEI CLOUD, as an authorized cloud service provider, can help AIs meet these control requirements.
Control Domain: Immediate incident response
Specific Control Requirements: The AI concerned should immediately analyze the cause of the incident and as soon as practicable rectify or contain the problem. The top priority should be to safeguard the interests of customers who have been or may be affected by the incident.
HUAWEI CLOUD Response: To meet the requirement for fast response, HUAWEI CLOUD has developed a complete incident management process. Incidents are prioritized and different processing time limits are defined according to the impact and scope of each incident. HUAWEI CLOUD will respond to and resolve the incident within the specified time limit according to its priority, to minimize the impact of the incident on cloud service customers.
22 https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2010/20100622e1.pdf
Control Domain: Customer notifications
Specific Control Requirements: The AI concerned should determine as quickly as possible after identifying an incident whether the situation is likely to affect other customers or the customers of other AIs. The AI should proactively notify the customers affected or likely to be affected through the most effective means and advise them of the steps or precautionary measures that they need to take, as well as whether the bank would reimburse any losses incurred by them and, if so, how they can apply for compensation. Where necessary, the AI should also notify other affected AIs (so they can in turn notify their affected customers) as soon as practicable.
HUAWEI CLOUD Response: To meet the requirements for post-incident notification, HUAWEI CLOUD has developed a complete process for incident management and notification. If an incident occurs on the HUAWEI CLOUD base platform, relevant personnel analyze the impact of the incident according to the process. If the incident has or will have an impact on cloud service customers, HUAWEI CLOUD starts notifying customers of the incident. The contents of the notice include, but are not limited to, a description of the incident, its cause and impact, the measures taken by HUAWEI CLOUD, and the measures recommended for customers.
Control Domain: Public announcement
Specific Control Requirements: In addition to notifying customers individually, for serious incidents, AIs should consider issuing a public announcement. The content of the announcement should include the key elements of the incident and the measures to be taken by the affected customers.
HUAWEI CLOUD Response: The internal customer notification process ensures that HUAWEI CLOUD can promptly notify customers with an announcement when serious incidents occur on the underlying infrastructure platform and have or may have a serious impact on multiple customers. The contents of the notification include, but are not limited to, a description of the incident, its cause and impact, the measures taken by HUAWEI CLOUD and the measures recommended for customers.
Control Domain: Reporting incident to the HKMA
Specific Control Requirements: Once an AI has become aware that a significant incident has occurred, the AI concerned should notify the HKMA immediately and provide it with whatever information is available at the time. For the avoidance of doubt, an AI should not wait until it has rectified the problem before reporting the incident to the HKMA. The HKMA may require the AI concerned to provide further information or updates. Depending on the nature and seriousness of the incident and on whether the incident has wider implications for the general public, the HKMA may make a separate public announcement as appropriate.
HUAWEI CLOUD Response: To meet the HKMA's requirements for reporting major incidents, HUAWEI CLOUD has set up a 24/7 professional security incident response team and expert resource pool. According to the requirements of laws and regulations, relevant incidents are disclosed promptly, customers are informed promptly, and emergency plans and recovery processes are implemented to reduce business impact.
Control Domain: Handling of customers' and media's enquiries
Specific Control Requirements: AIs should ensure that their staff members are at all times alert to the importance of detecting significant incidents and reporting such incidents to senior management. AIs are expected to ensure that they have in place the appropriate incident response and management capability and procedures through their ongoing supervisory efforts.
HUAWEI CLOUD Response: In order to meet the requirements for incident response management, the HUAWEI CLOUD incident management program defines the responsibilities and procedures for incident reporting. In addition, HUAWEI CLOUD performs correlation analysis of alerts from security devices, combined with machine learning technology and expert experience to build the corresponding models, which allows detection of previously unknown data security risks and prompt defense and response with effective measures.
11. Conclusion
This user guide describes how HUAWEI CLOUD provides cloud services that meet the regulatory
requirements of the financial industry in Hong Kong and shows that HUAWEI CLOUD complies
with key regulatory requirements issued by the HKMA. This aims to help customers learn more
about HUAWEI CLOUD's compliance with Hong Kong's regulatory requirements of the financial
industry to assure customers that they can store and process customer content data safely through
HUAWEI CLOUD services. To some extent, this document also guides customers on how to
design, build and deploy a secure cloud environment that meets the regulatory requirements of
HKMA on HUAWEI CLOUD, and helps customers better shoulder security responsibilities
together with HUAWEI CLOUD.
This user guide is for reference only and does not have legal effect or constitute legal advice.
Customers should assess their own use of cloud services as appropriate and ensure compliance
with relevant regulatory requirements of the HKMA when using HUAWEI CLOUD.
12. Version History
Date Version Description
November 2019 1.0 First release