HUAWEI TECHNOLOGIES CO., LTD. HUAWEI CLOUD Compliance with Hong Kong Financial Services Regulations & Guidelines Version 1.0 Date November 2019



HUAWEI CLOUD Compliance with Hong Kong Financial Services Regulations & Guidelines, Globally released, Version 1.0, Copyright © Huawei Technologies Co., Ltd.

Copyright © Huawei Technologies Co., Ltd. 2019. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

The Huawei logo and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: HUAWEI – https://www.huawei.com/en/; HUAWEI CLOUD – https://intl.huaweicloud.com/en-us/

Email: [email protected]


Contents

1. Introduction ..... 1
2. HUAWEI CLOUD Security and Privacy Compliance ..... 2
3. HUAWEI CLOUD Security Responsibility Sharing Model ..... 5
4. HUAWEI CLOUD Global Infrastructure ..... 6
5. How HUAWEI CLOUD Meets the Requirements of HKMA Supervisory Policy Manual on General Principles for Technology Risk Management (TM-G-1) ..... 7
5.1 Security Management ..... 7
5.2 System Development and Change Management ..... 17
5.3 Information Processing ..... 19
5.4 Communications Networks ..... 22
5.5 Management of Technology Service Providers ..... 25
6. How HUAWEI CLOUD Meets the Requirements of HKMA Supervisory Policy Manual on Outsourcing (SA-2) ..... 26
6.1 Ability of Service Providers ..... 26
6.2 Outsourcing Agreement ..... 29
6.3 Customer Data Confidentiality ..... 29
6.4 Control over Outsourced Activities ..... 31
6.5 Contingency Planning ..... 31
6.6 Access to Outsourced Data ..... 32
7. How HUAWEI CLOUD Meets the Requirements of HKMA Supervisory Policy Manual on Business Continuity Planning (TM-G-2) ..... 33
7.1 Business Impact Analysis and Recovery Strategy ..... 33
7.2 Development of Business Continuity Plan ..... 34
7.3 Alternate Sites for Business and Technology Recovery ..... 38
7.4 Implementation of Business Continuity Plan ..... 40
8. How HUAWEI CLOUD Meets the Requirements of HKMA Guideline on Authorization of Virtual Banks ..... 41
9. How HUAWEI CLOUD Meets the Requirements of HKMA Customer Data Protection ..... 44
10. How HUAWEI CLOUD Meets the Requirements of Incident Response and Management Procedures ..... 49
11. Conclusion ..... 51
12. Version History ..... 52


1. Introduction

The Hong Kong Monetary Authority (HKMA) has issued a series of guidelines and circulars providing practical guidance to Hong Kong financial institutions on IT risk management. As financial institutions gradually introduce advanced technologies and transform their businesses, for example by deploying their businesses to operate in the cloud, the HKMA expects them to establish an effective technology risk management framework that minimizes risk and meets regulatory requirements while achieving their own business targets.

HUAWEI CLOUD continues to follow the regulatory guidelines and circulars issued by the HKMA and is committed to assisting financial customers in meeting these regulatory guidelines and circulars. This article details how HUAWEI CLOUD will assist banking financial institutions in meeting the regulatory requirements in the following regulatory guidelines and circulars that banking financial institutions typically follow:

Regulatory guidelines:

• Supervisory Policy Manual on General Principles for Technology Risk Management (TM-G-1): Provides authorized institutions (AIs) with guidance on general principles which AIs are expected to consider in managing technology-related risks.

• Supervisory Policy Manual on Outsourcing (SA-2): Sets out the HKMA's supervisory approach to outsourcing and the major points which the HKMA recommends AIs to address when outsourcing their activities.

• Supervisory Policy Manual on Business Continuity Planning (TM-G-2): Sets out the HKMA's supervisory approach to business continuity planning and the sound practices which the HKMA expects AIs to take into consideration in this regard.

• Guideline on Authorization of Virtual Banks: Sets out the principles which the HKMA will take into account in deciding whether to authorize virtual banks applying to conduct banking business in Hong Kong.

Note:

AIs: The HKMA is responsible for the supervision and authorization of banks, restricted license banks and deposit-taking companies in Hong Kong. The three types of institutions mentioned above are collectively referred to as authorized institutions.

Regulatory circulars:

• Customer Data Protection: Reminds AIs of the importance of protecting the confidentiality of customer data and some key control measures for customer data protection.

• Incident Response and Management Procedures: Reminds AIs that effective incident response and management capabilities and procedures must be in place to deal with significant incidents, and sets out the principles to be followed by AIs in any public communication regarding such incidents.


2. HUAWEI CLOUD Security and Privacy Compliance

HUAWEI CLOUD inherits Huawei's comprehensive management system and leverages its experience in IT system construction and operation, actively managing and continuously improving the development, operation and maintenance of cloud services. To date, HUAWEI CLOUD has received a number of international and industry security compliance certifications [1], ensuring the security and compliance of businesses deployed by cloud service customers.

HUAWEI CLOUD has attained the following certifications:

ISO 27001:2013

ISO 27001 is a widely used international standard that specifies requirements for information security management systems. This standard provides a method of periodic risk evaluation for assessing systems that manage company and customer information.

Classified Cybersecurity Protection of China's Ministry of Public Security

Classified Cybersecurity Protection issued by China's Ministry of Public Security is used to guide organizations in China through cybersecurity development. Today, it has become the general security standard widely adopted by various industries throughout China. HUAWEI CLOUD has passed the registration and assessment of Classified Cybersecurity Protection Class 3. In addition, key HUAWEI CLOUD regions and nodes have passed the registration and assessment of Classified Cybersecurity Protection Class 4.

ISO 27017:2015

ISO 27017 is an international certification for cloud computing information security. The adoption of ISO 27017 indicates that HUAWEI CLOUD has achieved internationally recognized best practices in information security management.

Singapore MTCS Level 3 Certification

The Multi-Tier Cloud Security (MTCS) specification is a standard developed by the Singapore Information Technology Standards Committee. This standard requires cloud service providers (CSPs) to adopt sound risk management and security practices in cloud computing. HUAWEI CLOUD Singapore has obtained the highest level of MTCS security rating (Level 3).

[1] https://intl.huaweicloud.com/en-us/securecenter/safetycompliance.html

ISO 20000-1:2011

ISO 20000 is an internationally recognized information technology service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS, to make sure CSPs can provide effective IT services that meet the requirements of customers and businesses.

SOC audit

The SOC audit report is an independent audit report issued by a third-party auditor, based on the relevant guidelines developed by the American Institute of Certified Public Accountants (AICPA), on the system and internal control of outsourced service providers. At present, HUAWEI CLOUD has passed the SOC2 Type 1 Privacy Principle audit in terms of privacy, which proves that HUAWEI CLOUD has reasonable control measures in terms of cloud management and technology.

PCI DSS Certification

The Payment Card Industry Data Security Standard (PCI DSS) is the global card industry security standard, jointly established by five major international payment brands: JCB, American Express, Discover, MasterCard and Visa. It is the most authoritative and strict financial institution certification in the world.

ISO 22301:2012

ISO 22301 is an internationally recognized business continuity management system standard that helps organizations avoid potential incidents by identifying, analyzing, and warning of risks, and develop a comprehensive Business Continuity Plan (BCP) to respond effectively to disruptions so that entities can recover rapidly, keep core business running, and minimize loss and recovery costs.

CSA STAR Gold Certification

CSA STAR certification was developed by the Cloud Security Alliance (CSA) and the British Standards Institution (BSI), an authoritative standard development and preparation body as well as a worldwide certification service provider. This certification aims to increase trust and transparency in the cloud computing industry and enables cloud computing service providers to demonstrate their service maturity.

Gold O&M (TRUCS)

The Gold O&M certification is designed to assess the O&M capability of cloud service providers who have passed TRUCS certification. This certification confirms that HUAWEI CLOUD services operate a sound O&M management system that satisfies the cloud service O&M assurance requirements specified in Chinese certification standards.


Certification for the Capability of Protecting Cloud Service User Data (TRUCS)

This certification evaluates a CSP's ability to protect cloud data. Evaluation covers pre-event prevention, in-event protection, and post-event tracking.

ITSS Cloud Computing Service Capability Evaluation by the Ministry of Industry and Information Technology (MIIT)

ITSS cloud computing service capability evaluation is based on Chinese standards such as the General Requirements for Cloud Computing and Cloud Service Operations. It is the first hierarchical evaluation mechanism in China's cloud service/cloud computing domain. Huawei private and public clouds have obtained cloud computing service capability level-1 (top level) compliance certificates.

TRUCS

Trusted Cloud Service (TRUCS) is one of the most authoritative public domain assessments in China. This assessment confirms that HUAWEI CLOUD complies with the most detailed standard for cloud service data and service assurance in China.

Cloud Service Security Certification - Cyberspace Administration of China (CAC)

This certification is a third-party security review conducted by the Cyberspace Administration of China according to the Security Capability Requirements of Cloud Computing Service. The HUAWEI CLOUD e-Government Cloud Service Platform has passed the security review (enhanced level), indicating that the Huawei e-Government cloud platform was recognized for its security and controllability by China's top cybersecurity management organization.

International Common Criteria EAL 3+ Certification

Common Criteria (CC) certification is a highly recognized international standard for information technology products and system security. HUAWEI CLOUD FusionSphere passed CC EAL 3+ certification, indicating that the HUAWEI CLOUD software platform is highly recognized worldwide.

ISO 27018:2014

ISO 27018 is an international code of conduct that focuses on the protection of personal data in the cloud. The adoption of ISO 27018 indicates that HUAWEI CLOUD has met the requirements of an internationally complete personal data protection and management system.

ISO 29151:2017

ISO 29151 is an international practical guide to the protection of personal identity information. The adoption of ISO 29151 confirms HUAWEI CLOUD's implementation of internationally recognized management measures for the entire lifecycle of personal data processing.


ISO 27701:2019

ISO 27701 specifies requirements for the establishment, implementation, maintenance and continuous improvement of a privacy-specific management system. The adoption of ISO 27701 demonstrates that HUAWEI CLOUD operates a sound system for personal data protection.

BS 10012:2017

BS 10012 is the personal information data management system standard issued by BSI. The BS 10012 certification indicates that HUAWEI CLOUD offers a complete personal data protection system to ensure personal data security.

3. HUAWEI CLOUD Security Responsibility Sharing Model

The primary responsibilities of HUAWEI CLOUD are developing and operating the physical infrastructure of HUAWEI CLOUD data centers; the IaaS, PaaS, and SaaS services provided by HUAWEI CLOUD; and the built-in security functions of a variety of services. Furthermore, HUAWEI CLOUD is also responsible for the secure design, implementation, and O&M of the multi-layered defense-in-depth, which spans the physical, infrastructure, platform, application, and data layers, in addition to the identity and access management (IAM) cross-layer function.

The primary responsibilities of the tenant are customizing the configuration and operating the virtual network, platform, application, data, management, security, and other cloud services to which a tenant subscribes on HUAWEI CLOUD, including its customization of HUAWEI CLOUD services according to its needs as well as the O&M of any platform, application, and IAM services that the tenant deploys on HUAWEI CLOUD. At the same time, the tenant is also responsible for the customization of the security settings at the virtual network layer, the platform layer, the application layer, the data layer, and the cross-layer IAM function, as well as the tenant's own in-cloud O&M security and the effective management of its users and identities.


Figure 1: Responsibility Sharing Model

For details on the security responsibilities of both tenants and HUAWEI CLOUD, please refer to the HUAWEI CLOUD Security White Paper [2] released by HUAWEI CLOUD.

4. HUAWEI CLOUD Global Infrastructure

HUAWEI CLOUD operates services in many countries and regions around the world. The HUAWEI CLOUD infrastructure is built around Regions and Availability Zones (AZs). Compute instances and data stored in HUAWEI CLOUD can be flexibly exchanged among multiple regions or multiple AZs within the same region. Each AZ is an independent, physically isolated fault maintenance domain. Users can and should take full advantage of all these regions and AZs in their planning for application deployment and operations in HUAWEI CLOUD. Distributed deployment of an application across a number of AZs provides a high degree of assurance for normal application operations and business continuity in most outage scenarios (including natural disasters and system failures). For current information on HUAWEI CLOUD Regions and Availability Zones, please refer to the "Worldwide Infrastructure" page of the official HUAWEI CLOUD website [3].

[2] https://intl.huaweicloud.com/content/dam/cloudbu-site/archive/hk/en-us/securecenter/security_doc/SecurityWhitepaper_en.pdf

[3] https://intl.huaweicloud.com/en-us/global/


5. How HUAWEI CLOUD Meets the Requirements of HKMA Supervisory Policy Manual on General Principles for Technology Risk Management (TM-G-1)

The HKMA Supervisory Policy Manual on General Principles for Technology Risk Management (TM-G-1) [4] provides common principles and best practice guidelines for AIs to conduct technology risk management in six domains: IT governance, security management, system development and change management, information processing, communication networks, and management of technology service providers.

The following summarizes the control requirements associated with cloud service providers in TM-G-1 and details how HUAWEI CLOUD, as a cloud service provider, can help AIs meet these control requirements.

5.1 Security Management

In Chapter 3 "Security Management" of TM-G-1, AIs are required to establish appropriate security management mechanisms covering information classification and protection, authentication and access control, security administration and monitoring, system security, and physical and personnel security. The relevant control requirements and HUAWEI CLOUD's response are as follows (each entry gives the TM-G-1 section number and control domain, the specific control requirement, and the HUAWEI CLOUD response):

3.1 Information classification and protection

Requirement: AIs should ensure that all media are adequately protected, and establish secure processes for disposal and destruction of sensitive information in both paper and electronic media.

HUAWEI CLOUD Response: Customers should consider protecting all media that store information, both paper and electronic. HUAWEI CLOUD has developed a sound media management process for storage media that store customer content data in the financial industry, to ensure the security of the data stored in the media. When a customer initiates a data deletion operation, or if the data needs to be deleted due to the expiration of the service, HUAWEI CLOUD will strictly follow the data destruction standard agreed with the customer to erase the stored customer data. The specific practice is: once the customer agrees to the deletion, HUAWEI CLOUD deletes the index relationship between the customer and the data, and clears the storage space, such as memory and block storage, before reallocation, to ensure that the related data and information cannot be restored. If a physical storage medium is to be disposed of, HUAWEI CLOUD clears the data by degaussing, bending, or breaking the storage medium to ensure that data on the storage medium cannot be restored.

[4] https://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisory-policy-manual/TM-G-1.pdf

3.1 Information classification and protection

Requirement: AIs should adopt industry-accepted cryptographic solutions and implement sound key management practices to safeguard the associated cryptographic keys.

HUAWEI CLOUD Response: When customers use encryption to protect data, they should consider using industry-approved encryption algorithms and key management mechanisms. Currently, services including EVS, OBS, IMS and RDS provide data encryption or server-side encryption functions and encrypt data using high-strength algorithms.

The server-side encryption function integrates the Key Management Service (KMS) of HUAWEI CLOUD Data Encryption Workshop (DEW) [5], which provides full-lifecycle key management. Without authorization, others cannot obtain keys to decrypt data, which ensures data security on the cloud. DEW adopts a layered key management mechanism. Specifically, after the association is configured on the DEW console or through APIs, the customer's master key stored in DEW encrypts the encryption keys of each storage service, while the master key is encrypted by the root key stored in the HSM. In this way, a complete, secure and reliable key chain is formed. The HSM is certified by international security organizations and can prevent intrusion and tampering. Even Huawei O&M personnel cannot obtain the root key. DEW also allows customers to import their own keys as master keys for unified management, facilitating seamless integration with customers' services.

[5] https://intl.huaweicloud.com/en-us/product/dew.html
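The layered key chain described above (a root key held in the HSM wraps the customer's master key, which in turn wraps each storage service's data keys, with the option of importing a customer-supplied master key), shown as an added example that is not HUAWEI CLOUD's or DEW's code: the HSM, KMS and storage service are in-process stand-ins, the grant check models the authorization step, and, to stay within the Python standard library, an HMAC-SHA256 keystream with an HMAC tag stands in for the AES key wrapping a real service would use (assumption).

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    # Derive independent encryption and MAC keys from one 32-byte key (assumption: HMAC-based KDF).
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; stands in for AES in this offline example.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a wrong key or any modification raises ValueError."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class Hsm:
    """Stand-in for the HSM: the root key is generated inside and has no export path."""
    def __init__(self):
        self.__root = secrets.token_bytes(32)
    def wrap(self, cmk: bytes) -> bytes:
        return seal(self.__root, cmk)
    def unwrap(self, wrapped_cmk: bytes) -> bytes:
        return open_(self.__root, wrapped_cmk)


class Kms:
    """Stand-in for KMS: customer master keys (CMKs) are stored only wrapped under the HSM root key."""
    def __init__(self, hsm: Hsm):
        self._hsm = hsm
        self._wrapped_cmks = {}   # cmk_id -> CMK wrapped by the HSM
        self._grants = set()      # (principal, cmk_id) pairs authorised to use a CMK
    def create_cmk(self, owner: str, material: bytes = None) -> str:
        # material=None: KMS generates the CMK; otherwise the customer imports its own key material.
        cmk = material if material is not None else secrets.token_bytes(32)
        cmk_id = "cmk-" + secrets.token_hex(4)
        self._wrapped_cmks[cmk_id] = self._hsm.wrap(cmk)   # the plaintext CMK is not retained
        self._grants.add((owner, cmk_id))
        return cmk_id
    def _cmk(self, principal: str, cmk_id: str) -> bytes:
        if (principal, cmk_id) not in self._grants:
            raise PermissionError(f"{principal} is not authorised to use {cmk_id}")
        return self._hsm.unwrap(self._wrapped_cmks[cmk_id])
    def generate_data_key(self, principal: str, cmk_id: str):
        # Returns (plaintext DEK, DEK wrapped by the CMK); the caller keeps only the wrapped form.
        dek = secrets.token_bytes(32)
        return dek, seal(self._cmk(principal, cmk_id), dek)
    def decrypt_data_key(self, principal: str, cmk_id: str, wrapped_dek: bytes) -> bytes:
        return open_(self._cmk(principal, cmk_id), wrapped_dek)


class StorageService:
    """Stand-in for a storage service with server-side encryption: one DEK per object."""
    def __init__(self, kms: Kms):
        self._kms = kms
        self.objects = {}   # name -> (cmk_id, wrapped DEK, sealed content)
    def put(self, principal: str, cmk_id: str, name: str, data: bytes) -> None:
        dek, wrapped_dek = self._kms.generate_data_key(principal, cmk_id)
        self.objects[name] = (cmk_id, wrapped_dek, seal(dek, data))   # plaintext DEK discarded here
    def get(self, principal: str, name: str) -> bytes:
        cmk_id, wrapped_dek, sealed = self.objects[name]
        return open_(self._kms.decrypt_data_key(principal, cmk_id, wrapped_dek), sealed)


if __name__ == "__main__":
    # Constructed walk-through: the bank's administrator stores and reads back one object.
    kms = Kms(Hsm())
    obs = StorageService(kms)
    cmk = kms.create_cmk("bank-admin")
    obs.put("bank-admin", cmk, "ledger.csv", b"acct,balance\n001,1500\n")
    print(obs.get("bank-admin", "ledger.csv"))
```

A read by a principal that holds no grant on the master key fails inside the KMS before any key is unwrapped, and an object modified at rest fails the tag check rather than decrypting to garbage.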

3.2 Authentication and access control

Requirement: Access to the information and application systems should be restricted by an adequate authentication mechanism associated with access control rules. Access control rules determine what application functions, system resources and data a user can access. For each application system, all users should be identified by unique user identification codes (e.g. user IDs) with an appropriate method of authentication (e.g. passwords) to ensure accountability for their activities.

AIs should implement effective password rules to ensure that easy-to-guess passwords are avoided and passwords are changed on a periodic basis.

Stronger authentication methods should be adopted for transactions/activities of higher risk (e.g. payment transactions, financial messages and mobile computing).

HUAWEI CLOUD Response: HUAWEI CLOUD provides customers with user account management and identity authentication suited to enterprise-level organizational structures through Identity and Access Management (IAM) [6]. Each HUAWEI CLOUD customer has a unique user ID in HUAWEI CLOUD, and IAM provides a variety of user authentication mechanisms.

IAM allows customers' security administrators to set up different password policies and change cycles according to their needs, to prevent users from using simple passwords or keeping the same password for a long time, which could lead to account leakage. In addition, IAM also allows customers' security administrators to set up login policies to prevent users' passwords from being brute-forced or account information from being leaked through phishing pages.

IAM also supports a multi-factor authentication (MFA) mechanism. MFA is an optional security measure that enhances account security. If MFA is enabled, users who have completed password authentication will receive a one-time SMS authentication code that they must use for secondary authentication. MFA is used by default for changing important or sensitive account information such as passwords or mobile phone numbers.

At the same time, when HUAWEI CLOUD O&M personnel access the HUAWEI CLOUD Management Network for centralized management of the system, they must use only identifiable employee identity accounts. These user accounts are subject to strong password security policies, and passwords are changed regularly to prevent brute-force attacks. In addition, two-factor authentication, such as a USB key or smart card, is used to authenticate cloud personnel. The employee account is used to log on to the VPN and the access gateway, enabling in-depth auditing of user logins.

[6] https://intl.huaweicloud.com/en-us/product/iam.html

3.2 Authentication and access control

Requirement: Extra care should be exercised when controlling the use of and access to privileged and emergency IDs. The necessary control procedures include:

• granting of authorities that are strictly necessary to privileged and emergency IDs;

• formal approval by appropriate personnel prior to being released for usage;

• monitoring of the activities performed by privileged and emergency IDs (e.g. peer reviews of activity logs);

• proper safeguard of privileged and emergency IDs and passwords (e.g. kept in a sealed envelope and locked up inside the data center); and

• change of privileged and emergency IDs' passwords immediately upon return by the requesters.

HUAWEI CLOUD Response: HUAWEI CLOUD unified Identity and Access Management (IAM) provides cloud resource access control for customers. With IAM, the customer administrator can manage the user accounts and control the operation permissions of these user accounts on the resources under the customer's name. When resources in a customer enterprise are operated cooperatively by multiple users, IAM avoids sharing account keys with other users, assigns users minimum privileges on demand, and secures user accounts through login authentication policies, password policies and access control lists. Through these means, privileged and emergency accounts can be effectively controlled.

At the same time, to meet the compliance requirements, HUAWEI CLOUD has also accomplished the following:

• For operation and maintenance personnel, role-based access control is implemented. Personnel with different obligations in different positions can only perform specific operations on the authorized operation and maintenance targets. Privileged or emergency accounts are granted to employees only when required by their duties.

• Applications for all privileged or emergency accounts require multi-level review and approval.

• The Privileged Account Management System binds functional or technical accounts for daily or emergency operations to operation and maintenance teams or individuals. O&M personnel first access the O&M environment through two-factor authentication, and then jump from the access gateway to the target PC for operation. The access gateway supports strong log auditing to ensure that O&M actions on the target PC can be traced to individuals.

• The password of the target PC is held by the access gateway and rotated regularly, so that operators do not need and cannot obtain the password.

3.3 Security administration and monitoring

Specific Control Requirements: A security administration function and a set of formal procedures should be established for administering the allocation of access rights to system resources and application systems, and monitoring the use of system resources to detect any unusual or unauthorized activities.

Proper segregation of duties within the security administration function or other compensating controls (e.g. peer reviews) should be in place to mitigate the risk of unauthorized activities being performed by the security administration function.

AIs should establish incident response and reporting procedures to handle information security-related incidents during or outside office hours.

HUAWEI CLOUD Response: HUAWEI CLOUD unified Identity Authentication Service (IAM) allows tenant administrators of customers to flexibly manage user rights and control the rights to create, delete, modify and set cloud resources. In addition, HUAWEI CLOUD provides operating records of cloud service resources, which users can query, audit and trace back through Cloud Trace Service (CTS)7.

7 https://intl.huaweicloud.com/en-us/product/cts.html

To meet the requirement of rights allocation, the creation, alteration and revocation of authorizations for HUAWEI CLOUD insiders must be formally approved by designated personnel. All operation and maintenance accounts and all equipment and application accounts are managed in a unified manner, monitored centrally through the unified audit platform, and audited automatically, so that the whole process from user creation, authorization and authentication to revocation of authority is managed. Account administrators regularly review user rights according to HUAWEI CLOUD's internal mechanism for standard account rights management.

HUAWEI CLOUD complies with the requirements of laws and regulations and has a centralized and complete log audit system. Operation and maintenance actions by internal personnel are collected and recorded by the log platform. HUAWEI CLOUD's log audit system has powerful data preservation and query capabilities, ensuring that all log content is stored for more than six months. HUAWEI CLOUD has set up an independent internal audit department, which regularly audits the various activities of the operation and maintenance process and discovers and corrects violations in a timely manner.

In addition, HUAWEI CLOUD has a sound security event grading and disposal process: security incidents are responded to according to their importance level, which is determined by their impact on the whole network and on customers. At the same time, HUAWEI CLOUD has set up a 24/7 professional security incident response team and expert resource pool, discloses related security incidents in a timely manner, notifies customers promptly, and implements emergency plans and recovery processes to reduce the impact on business.

3.4 System security

Specific Control Requirements: Control procedures and baseline security requirements should be developed to safeguard application programs, operating systems, system software and databases. For example:

• Access control of data and programs through identity authentication and authorization;

• Periodically check the integrity of static data, such as system parameters;

• Secure configuration of operating system, system software, database and server, and disable or delete all unnecessary services and programs. Consideration should be given to using security tools to enhance the security of critical systems and servers;

• Clear division of responsibilities to ensure that organizations can identify, evaluate and test the necessary patches and security updates developed by suppliers in a timely manner and apply them to relevant systems;

• Record all configurations of operating system, system software, database and server, and regularly review security configurations;

• For the activities of the system and users, adequate records should be kept, and sufficient monitoring should be carried out to identify abnormal behavior. The relevant recorded data should be safely kept to avoid tampering.

HUAWEI CLOUD Response: To meet customer compliance requirements, HUAWEI CLOUD service products and components comply with Huawei's security design principles, specifications and baselines, providing multi-level security protection:

• HUAWEI CLOUD Identity and Access Management (IAM) provides identity authentication and cloud resource access control for customers.

• An integrity checking mechanism is adopted to ensure the integrity of system parameters. For example, at the level of the virtual machine operating system, HUAWEI CLOUD Image Service supports image integrity checking. When creating a virtual machine based on an image, the system automatically checks the image integrity to ensure that the created virtual machine contains the complete image content. Additionally, HUAWEI CLOUD O&M personnel prevent unauthorized changes in system configuration parameters through improved change management procedures.

• HUAWEI CLOUD strengthens the security configuration of host operating system, virtual machine, database and web application components, and supports customers in choosing their own security configuration according to their business needs. For example, in terms of host security, the host operating system uses Huawei Unified Virtualization Platform (UVP) to manage CPU, memory and I/O resources in isolation, and the host operating system has been tailored to a security-minimized configuration and hardened. In terms of virtual machine security, HUAWEI CLOUD provides security configurations such as image hardening, network and platform isolation, IP/MAC spoofing control, security groups, etc.

• HUAWEI CLOUD has formulated clear security requirements and a complete process control scheme for introduced open source and third-party software. Strict control is implemented at each stage, including selection analysis, security testing, code security, risk scanning, forensic audit, software application and software exit. In the case of open source vulnerabilities, HUAWEI CLOUD discovers and fixes the vulnerabilities at the first opportunity. When responding to vulnerabilities, open source and third-party software should be tested as part of services and solutions to verify that known vulnerabilities of open source and third-party software are repaired, and the list of vulnerability repairs of open source and third-party software should be reflected in the Release Notes of services.

HUAWEI CLOUD collects management behavior logs of all physical devices, networks, platforms, applications, databases and security systems, and threat detection and warning logs of security products and components, through a centralized log big data analysis system. The logs are kept for more than 180 days, and security measures are taken to prevent log tampering, enabling compliance and backtracking of network security events. In addition, CTS provides operational records of cloud service resources for tenants, and many products and services also have log recording functions. Tenants can independently select the log retention time according to their own needs to effectively support analysis of abnormal activities.

3.6 Physical and personnel security

Specific Control Requirements: Physical security measures should be in place to protect computer facilities and equipment from damage or unauthorized access.

AIs should consider fully the environmental threats (e.g. proximity to dangerous factories) when selecting the locations of their data centers.

Moreover, physical and environmental controls should be implemented to monitor environmental conditions which could affect adversely the operation of information processing facilities.

HUAWEI CLOUD Response: To meet customers' compliance requirements, HUAWEI CLOUD has established comprehensive physical security and environmental safety protection measures, strategies, and procedures that comply with the Class A standard of GB 50174 Code for Design of Electronic Information System Room and the T3+ standard of TIA-942 Telecommunications Infrastructure Standard for Data Centers. HUAWEI CLOUD data centers are located on suitable physical sites, as determined from solid site surveys. During the design, construction, and operation stages, the data centers have proper physical zoning and well-organized placement of information systems and components, which helps prevent potential physical and environmental risk scenarios (for example, fire or electro-magnetic leakage) as well as unauthorized access. Furthermore, sufficient data center space and adequate electrical, networking, and cooling capacities are reserved in order to meet not only today's infrastructure requirements but also the demands of tomorrow's rapid infrastructure expansion. The HUAWEI CLOUD O&M team enforces stringent access control, safety measures, regular monitoring and auditing, and emergency response measures to ensure the physical security and environmental safety of HUAWEI CLOUD data centers. Refer to the released HUAWEI CLOUD Security White Paper.

3.6 Physical and personnel security

Specific Control Requirements: It is also important that proper screening procedures including verification and background checks, especially for sensitive technology-related jobs, are developed for recruitment of permanent and temporary technology staff, and contractors.

HUAWEI CLOUD Response: HUAWEI CLOUD follows Huawei's overall human resources management framework. When appointing HUAWEI CLOUD formal staff or outsourcing staff, HUAWEI CLOUD carries out strict background checks to ensure that the background and qualifications of employees are suitable for HUAWEI CLOUD security business requirements, with special management implemented for key positions.

5.2 System Development and Change Management

In Chapter 4 "System Development and Change Management" of TM-G-1, AIs are required to develop project management methods and processes for the life cycle of system development, and to establish standardized change management procedures. The relevant control requirements and HUAWEI CLOUD's response are as follows:

4.2 Project life cycle

Specific Control Requirements: AIs should adopt and implement a full project life cycle methodology governing the process of developing, implementing and maintaining major computer systems.

An independent party (e.g. the quality assurance function, the TRM function or the technology audit team), which is not involved in the project development, should conduct a quality assurance review of major technology-related projects, with the assistance of the legal and compliance functions if necessary.

A formal acceptance process should be established to ensure that only properly tested and approved systems are promoted to the production environment. System and user acceptance testing should be carried out in an environment separated from the production environment.

Production data should not be used in development or acceptance testing unless the data has been desensitised and prior approval from the information owner has been obtained.

HUAWEI CLOUD Response: To meet customer compliance requirements, HUAWEI CLOUD manages the end-to-end software and hardware life cycle through complete systems and processes, as well as automated platforms and tools. The life cycle includes security requirements analysis, security design, security coding and testing, security acceptance and release, and vulnerability management.

HUAWEI CLOUD and related cloud services comply with the security and privacy design principles and norms, laws and regulations. Threats are analyzed according to business scenarios, data flow diagrams and networking models in the security requirements analysis and design phase. When a threat is identified, the design engineer formulates mitigation measures according to the mitigation library and the security design library and completes the corresponding security design. All threat mitigation measures are eventually converted into security requirements and security functions and, together with the company's test case library, are used to design security test cases, to ensure successful implementation and ultimately the security of products and services.

HUAWEI CLOUD strictly complies with the secure coding specifications for the various programming languages issued by Huawei. Static code analysis tools are used for routine checks, and the resulting data is entered into the cloud service tool chain to evaluate the quality of coding. Before any cloud service is released, static code analysis alarms must be cleared to effectively reduce coding-related security issues once the service is online.

HUAWEI CLOUD takes the security requirements identified in the security design stage, penetration test cases from the attacker's perspective, and industry standards, develops corresponding security testing tools, and conducts multiple rounds of security testing before the release of cloud services to ensure that the released cloud services meet security requirements. Testing is conducted in a test environment isolated from the production environment, and the use of production data for testing is avoided. If production data is used for testing, it must be desensitized, and data cleaning is required after use. In addition, before a new version of the HUAWEI CLOUD platform and cloud services goes online, the compliance of security and privacy requirements in the service area must be analyzed and judged through strict review by Huawei's Global Network Security and User Privacy Protection Officer and Chief Justice Officer, to ensure that the cloud services developed for HUAWEI CLOUD and Huawei meet the requirements of laws, regulations and customer security in all regions.

4.3 Change management

Specific Control Requirements: AIs shall establish formal change management procedures covering impact assessment, change planning, tracking, monitoring, implementation and rollback of changes.

AIs should formulate formal emergency change management procedures, stipulating the examination, implementation criteria and approval mechanism of emergency change.

HUAWEI CLOUD Response: Customers should consider managing changes through formal procedures. To meet customer compliance requirements, HUAWEI CLOUD has formulated a standardized change management process. Changes to environments include but are not limited to data center equipment, networks, system hardware and software, and applications, whether those are changes in the equipment used, architectural changes, system software updates (including network device software, OS image, and application container software), or changes in configuration. All changes must be performed in an organized and priority-driven fashion. After all change requests are generated, they are submitted to the HUAWEI CLOUD Change Committee by the change manager team with a change classification assigned. After the committee has reviewed and approved the requests, the planned changes can be implemented on the production network. Before a change request is submitted, the change must undergo a testing process that includes production-like environment testing, pilot release, and/or blue/green deployment. This ensures that the change committee clearly understands the change activities involved, the duration, the failure rollback procedure, and all potential impacts.

HUAWEI CLOUD has also developed a standardized emergency change management process. If emergency changes affect users, HUAWEI CLOUD communicates with users in advance by announcement, mail, telephone, conference, or other means within the prescribed time limit. If an emergency change cannot meet the prescribed notice time limit, it is escalated to HUAWEI CLOUD senior leadership, and users are notified promptly after the change is implemented. Emergency changes are recorded. The old version and data of the program are retained before the changes are executed. Changes are carried out by two-person operation to ensure they proceed smoothly and to minimize the impact on the production environment. After implementation, a designated person verifies the change to ensure that it achieves its desired purpose.

5.3 Information Processing

In Chapter 5 "Information Processing" of TM-G-1, AIs are required to develop appropriate procedures to regulate operational activities related to information processing facilities. Control requirements cover four domains: IT operations management and support, performance monitoring and capacity planning, IT facilities and equipment maintenance, and disaster recovery planning. The relevant control requirements and HUAWEI CLOUD's response are as follows:

5.1 IT operations management and support

Specific Control Requirements: AIs should have in place a problem management system to respond promptly to IT operational incidents, to escalate reported incidents to relevant IT management staff and to record, analyse and keep track of all these incidents until rectification of the incidents.

A helpdesk function can be set up to provide front-line support to users on all technology-related problems and to relay the problems to relevant IT functions for investigation and resolution.

HUAWEI CLOUD Response: Customers should consider responding promptly to IT operation incidents through an event management system. In order to meet the compliance requirements of customers, HUAWEI CLOUD has developed a comprehensive event management process that adheres to the "four fast" principle (fast discovery, fast demarcation, fast isolation, and fast recovery). Events are responded to systematically according to their impact on customers and on the network as a whole. Each event is recorded and tracked in the work order system to ensure that it is resolved and that root cause analysis is carried out.

In addition, HUAWEI CLOUD provides an after-sales service guarantee for customers. The HUAWEI CLOUD professional service engineer team provides 24/7 service support, so customers can seek help through work orders, intelligent customer service, self-service, and telephone. In addition to basic support, customers with complex systems can choose from the tiered support plans to obtain exclusive support from personnel such as the IM enterprise group, Technical Service Manager (TAM), and service manager.

5.2 Performance monitoring and capacity planning

Specific Control Requirements: AIs should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner. The performance monitoring process should include forecasting capability to enable problems to be identified and corrected before they affect system performance. This process should help the preparation of workload forecasts to identify trends and to provide information needed for the capacity plan, taking into account planned business initiatives.

HUAWEI CLOUD Response: Customers should consider managing capacity through formal procedures. In order to meet customer compliance requirements, HUAWEI CLOUD has formulated a standard capacity management and resource forecasting procedure to manage Huawei's cloud capacity as a whole and improve the availability of Huawei's cloud resources. HUAWEI CLOUD resource utilization is monitored daily. Input from all parties provides ongoing predictions for future resource requirements, and resource expansion schemes are formulated to meet these requirements. Business capacity and performance bottlenecks are analyzed and evaluated. When resources reach a preset threshold, a warning is issued, and further solutions are adopted to avoid impact on the system performance of the tenant's cloud services.

Cloud Eye Service (CES)8 provides users with a robust monitoring platform for flexible cloud servers, bandwidth, and other resources. CES provides real-time monitoring alarms, notifications, and personalized report views to accurately grasp the status of business resources. Users can set independent alarm rules and notification strategies to quickly see the running status and performance of the instance resources of each service.

5.3 IT facilities and equipment maintenance

Specific Control Requirements: AIs should regularly maintain and service IT facilities and equipment. Records should be maintained properly. A hardware and facility inventory should be kept to control and track all hardware and software purchased and leased and be used for regular inventory taking.

HUAWEI CLOUD Response: In order to meet customer compliance requirements, HUAWEI CLOUD routinely monitors the data center, regularly inspects the controlled area (including distribution boxes, PDU cabinets, fire protection facilities, air conditioning systems and drainage systems in the facility area), and requires inspection results to be registered, so that potential safety hazards can be promptly detected and repaired and the stable operation of the equipment is ensured.

In addition, HUAWEI CLOUD maintains a detailed list of hardware and facilities through the asset management system. These are checked and updated regularly.

5.4 Disaster recovery planning

Specific Control Requirements: AIs should develop disaster recovery plans for information technology to ensure that critical application systems and services can be resumed in accordance with business recovery needs.

HUAWEI CLOUD Response: To meet customers' disaster tolerance needs, in addition to the high availability infrastructure, data redundancy and backup, and DR among AZs, HUAWEI CLOUD also has a formal business continuity plan (BCP) and conducts BCP drills periodically. This plan, which applies to major disasters such as earthquakes or public health crises, ensures continued operations of HUAWEI CLOUD services and safeguards customers' service and data security.

HUAWEI CLOUD has a DR plan (DRP) as well, and conducts DRP tests periodically. For example, first, the cloud platform infrastructure and cloud services in a certain geographic location or region are brought offline to simulate a disaster; then, system operations and migration are performed as specified in the DRP; and lastly, the service and business operation functions in the presumably disaster-impacted region are verified. Test results are then annotated and archived for continuous improvement of the DRP.

8 https://intl.huaweicloud.com/en-us/product/ces.html

5.4 Communications Networks

In Chapter 6 "Communications Networks" of TM-G-1, AIs are required to implement control measures to protect network communication facilities and information in the network and prevent unauthorized access to the connected network services. The relevant control requirements and HUAWEI CLOUD's response are as follows:

6.1 Network management

Specific Control Requirements: Network design should ensure the robustness of network services and have complete network management standards. Network topology, design criteria and operating procedures should be documented, periodically reviewed and updated as required, and then communicated to employees.

AIs should identify key communication facilities that support the continuous operation of network services and set up standby paths to reduce single point failures. In addition, the network should be continuously monitored to reduce network overload and detect network intrusion.

Finally, network analysis and monitoring tools should be protected from unauthorized use. Network tools should also be strictly limited to authorized employees and follow strict approval and inspection procedures.

HUAWEI CLOUD Response: HUAWEI CLOUD can help customers build a network security protection system to ensure the security of customer cloud services: at the Internet border, customers can detect and scrub abnormal and volumetric traffic attacks by deploying the Anti-DDoS9 service; key network partitions are segmented and isolated by Virtual Private Cloud (VPC)10; and Web Application Firewall (WAF)11 is deployed to deal with web attacks, protecting web application services and systems deployed in the DMZ area and facing the external network.

9 https://intl.huaweicloud.com/en-us/product/antiddos.html

10 https://intl.huaweicloud.com/en-us/product/vpc.html

11 https://intl.huaweicloud.com/en-us/product/waf.html

HUAWEI CLOUD has formulated complete network management standards and relevant operating procedures to ensure that all relevant personnel comply with the requirements of management standards and operating procedures in the daily operation and maintenance process, and regularly reviews and updates the relevant documents before releasing them within the company.

HUAWEI CLOUD communication infrastructure has high availability, minimizing the impact of system failures on customers. HUAWEI CLOUD has deployed a multi-region and multi-availability zone (AZ) architecture across data center clusters to realize redundancy between multiple availability zones and further eliminate the risk of single point failure.

HUAWEI CLOUD has deployed a full network alarm system that continuously monitors the resource utilization of all network equipment. When resource utilization reaches a preset threshold, the alarm system issues a warning, and O&M personnel take prompt measures to ensure the continuous operation of customer cloud services to the greatest extent.

HUAWEI CLOUD implements role-based access control for internal personnel. This limits personnel permissions to only the operations required for their individual role. By minimizing permission allocation and implementing strict behavioral auditing, it ensures that employees cannot use network analysis and monitoring tools without authorization.


No.: 6.2
Control Domain: Network security and certification
Specific Control Requirements: Procedures concerning the use of networks and network services need to be established and enforced to prevent insecure connections to an AI's network. In addition, AIs should divide the internal network into different areas. Sensitive data interaction between different network areas should be controlled and guaranteed against data tampering. Finally, AIs should ensure that the security parameters of all network equipment are regularly checked, and that audit records of daily activities on key network equipment are maintained and regularly reviewed. Network operators should receive immediate warnings about potential security issues.
HUAWEI CLOUD Response: The Virtual Private Cloud (VPC) service provided by HUAWEI CLOUD for customers creates a private network environment for tenants and realizes complete isolation of different tenants in a three-tier network. Tenants have full control over the construction and configuration of their own virtual network, and can configure network ACL and security group rules to strictly control the network traffic coming in and out of subnets and virtual machines, to meet customers' needs for finer-grained network isolation.

In connection with business functions and network security risks, HUAWEI CLOUD uses physical and logical control and isolation to divide the data center into multiple security areas. To achieve regional isolation, we do not just use firewalls, but also innovative technologies such as a software defined perimeter (SDP). This not only defines regional boundaries at the network layer, but also divides and isolates multi-layer boundaries, including the network layer, the platform layer, the application layer, and the user identity layer. These boundaries operate using a trust-based system with corresponding access control.

The HUAWEI CLOUD O&M team regularly checks and updates network equipment security parameters according to internal security baseline management specifications. The management behavior logs of all network devices and the threat detection and alarm logs of security products and components are collected by the big data log analysis system to ensure the compliance of network security events and to support backtracking. HUAWEI CLOUD's linkage analysis of the warning information from various security devices can quickly identify potential or current security incidents and respond promptly.


5.5 Management of Technology Service Providers

In Chapter 7 "Management of Technology Service Providers" of TM-G-1, AIs are required to properly manage technology service providers to reduce the risks brought to the organization by outsourced services. The relevant control requirements and HUAWEI CLOUD's response are as follows:

No.: 7.1
Control Domain: Management of technology outsourcing
Specific Control Requirements: The following control measures should also be considered in the management of technology outsourcing by AIs:
• Technology service providers should have sufficient resources and expertise to comply with the substance of the AIs' IT control policies;
• Outsourcing agreements should specify the service level and other responsibilities of technical service providers, as well as the ownership of software and hardware. At the same time, the agreement should require the service provider to inform or obtain approval from the AI when hiring a subcontractor, and to be responsible for the subcontracted services;
• AIs should also conduct annual audits to ensure that key technical service providers have adequate IT management and control environments.
HUAWEI CLOUD Response: HUAWEI CLOUD cooperates with customers to exercise supervision over technology outsourcing. The online HUAWEI CLOUD Customer Agreement [12] defines the security responsibilities of cloud service customers and Huawei, while the HUAWEI CLOUD Service Level Agreement [13] stipulates the level of service provided. HUAWEI CLOUD has also formulated an offline contract template, which stipulates that HUAWEI CLOUD should notify AIs of, and be responsible for, any subcontracted services.

In addition, HUAWEI CLOUD's services and platforms have obtained many international and industry security compliance certifications, covering information security, privacy protection, business continuity management, IT service management and other fields. HUAWEI CLOUD is committed to creating secure and credible cloud services for customers in all walks of life and to providing empowerment and escorting services for customers. HUAWEI CLOUD receives regular audits from professional third-party auditing institutions every year and provides professional assistance to actively respond to and cooperate with audit activities initiated by customers.

[12] https://intl.huaweicloud.com/en-us/declaration/sa_cua.html
[13] https://intl.huaweicloud.com/en-us/declaration/sla.html


6. How HUAWEI CLOUD Meets the Requirements of HKMA Supervisory Policy Manual on Outsourcing (SA-2)

The HKMA Supervisory Policy Manual on Outsourcing (SA-2) [14] provides guidelines for the implementation of outsourcing by AIs by explaining the main issues that require attention when outsourcing. AIs are required to exercise control over the ability of service providers, outsourcing agreements, customer data confidentiality, control over outsourced activities, contingency planning, access to outsourced data and other fields.

The following summarizes the control requirements relevant to cloud service providers in SA-2 and elaborates on how HUAWEI CLOUD, as an authorized cloud service provider, can help AIs meet these requirements.

6.1 Ability of Service Providers

In Chapter 2.3 "Ability of Service Providers", AIs are required, before selecting a service provider, to conduct inspection and due diligence to ensure the qualification of the service provider, and to continuously monitor its performance during the service process. The relevant control requirements and HUAWEI CLOUD's response are as follows:

No.: 2.3
Control Domain: Ability of service providers
Specific Control Requirements: Before selecting a service provider, AIs should perform appropriate due diligence and assess a provider from the following aspects:
a. Financial soundness;
b. Reputation;
c. Managerial skills;
d. Technical capabilities;
e. Operational capability and capacity;
f. Compatibility with the AI's corporate culture and future development strategies;
g. Familiarity with the banking industry;
h. Capacity to keep pace with innovation in the market.
HUAWEI CLOUD Response:
a. Financial soundness: HUAWEI CLOUD is Huawei's cloud service brand. Since its launch in 2017, HUAWEI CLOUD has been developing rapidly and its revenue has maintained a strong growth trend. According to the Q1 China Public Cloud Service Market Tracking Report 2019 released by IDC, a global authoritative consultancy, Huawei's cloud revenue grew by more than 300% in terms of the overall market share of IaaS and PaaS, and Huawei's cloud PaaS market share grew by nearly 700%, ranking first in growth rate among the top 5 providers and in China's public cloud service business.

b. Reputation: As always, HUAWEI CLOUD adheres to the customer-centric principle, leading more and more customers to choose HUAWEI CLOUD. HUAWEI CLOUD has made breakthroughs in different Chinese industries such as the internet, live on demand, video surveillance, genetics, automobile manufacturing and other industries. Apart from the Chinese mainland, HUAWEI CLOUD has been launched in Hong Kong (China), Russia, Thailand, South Africa and Singapore in succession.

c. Managerial skills: HUAWEI CLOUD inherits Huawei's risk management ability and has established a complete risk management system. Through the continuous operation of the risk management system, HUAWEI CLOUD can effectively control risks in a complex internal and external environment with huge market uncertainties, strive for the optimal balance between performance growth and risk, continuously manage internal and external risks, and ensure the sustainable and healthy development of the company.

d. Technical capabilities: HUAWEI CLOUD provides cloud services online, opening to customers the technology accumulation and product solutions in ICT infrastructure that Huawei has built over more than 30 years. HUAWEI CLOUD has five core technological advantages: full stack scenario AI, multidimensional framework, extreme performance, security and reliability, and open innovation.

For example, in the field of artificial intelligence (AI), HUAWEI CLOUD AI has landed over 300 projects in 10 major industries, such as city, manufacturing, logistics, internet, medical treatment, and campus. In terms of multi-architecture, HUAWEI CLOUD has created a new multi-computing cloud service architecture based on "x86 + Kunpeng + Ascend", which enables various applications to run at the optimal computing power to maximize customer value.

e. Operational capability and capacity: HUAWEI CLOUD follows ISO 27001, ISO 20000, ISO 22301 and other international standards to establish a sound information security management system, IT service management system and business continuity management system, and operates these systems daily in line with the applicable requirements. HUAWEI CLOUD regularly carries out risk assessment, management review and other activities every year to identify problems in the operation of the systems and rectify them, so as to continuously improve the management system.

f. Compatibility with AIs' corporate culture and future development strategies: HUAWEI CLOUD defines product safety and functional requirements according to customer business scenarios, laws and regulations, and regulatory requirements in the product and service planning and design phases. Huawei implements these in the R&D and design phases to meet customer needs.

g. Familiarity with the banking industry: HUAWEI CLOUD has released financial industry solutions that provide end-to-end cloud solutions for banks, insurance companies and other customers, combining the needs of the industry with Huawei's comprehensive cloud services. HUAWEI CLOUD has commissioned an independent evaluation by a third party to compare HUAWEI CLOUD's internal control status with the regulatory guidelines and announcement requirements issued by the Hong Kong Monetary Authority, to conduct gap analysis and ensure that all gaps are rectified.

h. Capacity to keep pace with innovation in the market: Since its launch, HUAWEI CLOUD has insisted on technological innovation. It has released a series of leading new products and upgrades, covering many fields such as cloud security, DevOps, cloud container engine and micro service engine, service grid, computing, cloud storage, network, cloud disaster recovery, and so on.

[14] https://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisory-policy-manual/SA-2.pdf


6.2 Outsourcing Agreement

Chapter 2.4 "Outsourcing Agreement" requires that the relevant matters be clearly defined in the agreement signed between AIs and their service provider. The relevant control requirements and HUAWEI CLOUD's response are as follows:

No.: 2.4
Control Domain: Outsourcing agreement
Specific Control Requirements: The type and level of services to be provided and the contractual liabilities and obligations of the service provider should be clearly set out in a service agreement between AIs and their service provider.
HUAWEI CLOUD Response: HUAWEI CLOUD provides the online HUAWEI CLOUD Customer Agreement and HUAWEI CLOUD Service Level Agreement, which specify the content and level of services provided, as well as the responsibilities of HUAWEI CLOUD. HUAWEI CLOUD has also developed an offline contract template, which can be customized according to the needs of different customers.

6.3 Customer Data Confidentiality

Chapter 2.5 "Customer Data Confidentiality" requires AIs to ensure the confidentiality of customer data in the process of outsourcing services. The relevant control requirements and HUAWEI CLOUD's response are as follows:

No.: 2.5
Control Domain: Customer data confidentiality
Specific Control Requirements: AIs should ensure compliance with customer data confidentiality requirements and take preventive measures to protect the integrity and confidentiality of customer data.
HUAWEI CLOUD Response: HUAWEI CLOUD strictly adheres to the principle of "not accessing customer data without permission" and explicitly states in the user agreement that it will not access or use the user's content unless doing so is necessary to provide services for the user or to comply with laws and regulations or binding orders of government institutions. HUAWEI CLOUD strictly conforms to the data protection principles described in the Personal Data (Privacy) Ordinance (PDPO), and at the same time clearly stipulates the responsibility of HUAWEI CLOUD to customers in the case of a breach of the confidentiality clauses in contracts signed with customers in the financial industry.

In addition, HUAWEI CLOUD service products and components have planned and implemented isolation mechanisms from the beginning of design, avoiding intentional or unintentional unauthorized access and tampering between customers and reducing the risk of data leakage. Using data storage as an example, HUAWEI CLOUD services including block storage, object storage and file storage all regard customer data isolation as an important feature.

No.: 2.5
Control Domain: Customer data confidentiality
Specific Control Requirements: In the event of a termination of the outsourcing agreement, AIs should ensure that all customer data is either retrieved from the service provider or destroyed.
HUAWEI CLOUD Response: When the service agreement terminates, customers can migrate content data from HUAWEI CLOUD through the cloud data migration service (CDM) provided by HUAWEI CLOUD, for example to a local data center.

During the destruction of customer data, HUAWEI CLOUD clears the specified data and all its copies. Once customers agree to the deletion, HUAWEI CLOUD deletes the index relationship between customers and data, and clears the storage space, such as memory and block storage, before reallocation, to ensure that the related data and information cannot be restored. If a physical storage medium is to be disposed of, HUAWEI CLOUD clears the data by degaussing, bending or breaking the storage medium to ensure that data on it cannot be restored.


6.4 Control over Outsourced Activities

Chapter 2.6 "Control over Outsourced Activities" requires AIs to continuously monitor the services of outsourced service providers and to establish reporting mechanisms for outsourcing issues. The relevant control requirements and HUAWEI CLOUD's response are as follows:

No.: 2.6
Control Domain: Control over outsourced activities
Specific Control Requirements: AIs shall monitor the contract performance, material problems encountered, financial condition and risk profile, and the effectiveness of contingency plans of service providers. AIs should establish reporting procedures which can promptly escalate problems relating to the outsourced activity to the attention of the management of the AI and their service providers.
HUAWEI CLOUD Response: HUAWEI CLOUD receives regular audits from professional third-party auditors every year and can provide the relevant audit reports to customers when they need them. Huawei will also arrange a dedicated person to take charge of inspections and due diligence initiated by customers. In addition, HUAWEI CLOUD provides an after-sales service guarantee for customers: the HUAWEI CLOUD professional service engineer team provides 24/7 service support, and customers can seek help through work orders, intelligent customer service, self-service and telephone. In addition to basic support, customers with complex systems can choose from the tiered support plans to obtain exclusive support from personnel such as the IM enterprise group, Technical Service Manager (TAM) and service manager.

6.5 Contingency Planning

Chapter 2.7 "Contingency Planning" requires AIs to prepare contingency plans in the process of outsourcing services to ensure business continuity. The relevant control requirements and HUAWEI CLOUD's response are as follows:


No.: 2.7
Control Domain: Contingency planning
Specific Control Requirements: AIs and service providers should maintain and regularly test contingency plans, which include contingency arrangements for daily operations and system problems.
HUAWEI CLOUD Response: HUAWEI CLOUD has formulated a complete contingency plan, which specifies in detail the organization, procedures and operational specifications of contingency response, and carries out regular testing to ensure the continuous operation of cloud services and the business and data security of customers.

6.6 Access to Outsourced Data

Chapter 2.8 "Access to Outsourced Data" requires AIs to ensure that outsourced data can be made available to the HKMA when services are outsourced, and that appropriate audits of service providers are conducted. The relevant control requirements and HUAWEI CLOUD's response are as follows:

No.: 2.8
Control Domain: Access to outsourced data
Specific Control Requirements: AIs shall keep appropriate up-to-date records in their premises for inspection by the HKMA and ensure that the data they retrieve from service providers are accurate and readily available for inspection by the HKMA in Hong Kong. AIs should ensure that agreements with service providers contain provisions allowing the HKMA to review the operation and control of service providers.
HUAWEI CLOUD Response: HUAWEI CLOUD provides customers with a variety of data backup and migration services, which can help customers migrate data to local data centers and other places. HUAWEI CLOUD also provides customers with a variety of security mechanisms to ensure the integrity of customer data during storage and transmission.

If customers need to sign offline contracts with HUAWEI CLOUD, HUAWEI CLOUD will include provisions allowing the HKMA to review the operation and management control system of HUAWEI CLOUD, and will customize them according to the needs of different customers. When the HKMA inspects HUAWEI CLOUD, HUAWEI CLOUD will provide professional assistance and actively cooperate with the audit according to its internal process.


7. How HUAWEI CLOUD Meets the Requirements of HKMA Supervisory Policy Manual on Business Continuity Planning (TM-G-2)

The HKMA Supervisory Policy Manual on Business Continuity Planning (TM-G-2) [15] provides guidance for AIs on the implementation of effective business continuity management, covering business impact analysis and recovery strategy, development of the business continuity plan, alternate sites for business and technology recovery, implementation of the business continuity plan, and so on. The following summarizes the control requirements related to cloud service providers in the manual and elaborates on how HUAWEI CLOUD, as an authorized cloud service provider, can help AIs meet these control requirements.

7.1 Business Impact Analysis and Recovery Strategy

Chapter 3 of the HKMA Supervisory Policy Manual on Business Continuity Planning (TM-G-2), "Business Impact Analysis and Recovery Strategy", requires AIs to implement business impact analysis, identify key business and recovery objectives, and formulate corresponding recovery strategies. The following are the related control requirements and HUAWEI CLOUD's response:

No.: 3.1
Control Domain: Business impact analysis
Specific Control Requirements: AIs should carry out business impact analysis to identify critical business activities and determine the recovery deadline for them. Based on the business impact analysis, the business and support functions should be able to define the minimum level of critical services to be delivered in the event of a disaster.
HUAWEI CLOUD Response: To provide continuous and stable cloud services to customers, HUAWEI CLOUD has established a complete business continuity management system in accordance with ISO 22301, the international standard for business continuity management. Under the requirements of this framework, HUAWEI CLOUD carries out regular business impact analysis, identifies key business, and determines the recovery target and minimum recovery level of key business. In the process of identifying key business, the impact of business interruption on cloud service customers is regarded as an important criterion.

[15] https://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisory-policy-manual/TM-G-2.pdf


No.: 3.2
Control Domain: Recovery strategy formulation
Specific Control Requirements: Individual critical business and support functions should formulate their own recovery strategies on how to achieve the recovery time-frame and to deliver the minimum level of critical services derived from the business impact analysis. This involves determination of an alternate site, the total number of recovery personnel and the related workspace, applications and technology requirements, office facilities and vital records required for the provision of such levels of services.
HUAWEI CLOUD Response: Customers should consider specifying recovery strategies to address the results of business impact analysis. In order to meet customer compliance requirements, HUAWEI CLOUD has formulated a sound recovery strategy for the key businesses supporting the continuous operation of cloud services, according to the requirements of its internal business continuity management system. The recovery strategy takes site, equipment, personnel, information systems, third parties and other aspects into consideration.

7.2 Development of Business Continuity Plan

Chapter 4 of the HKMA Supervisory Policy Manual on Business Continuity Planning (TM-G-2), "Development of Business Continuity Plan", requires AIs to develop detailed procedures and operational guidelines to respond to crisis events and ensure prompt recovery from critical business interruptions. The control requirements cover domains such as the crisis management process, business resumption, technology recovery, business continuity models, vital record management, and public relations and communication strategy.

The relevant control requirements and HUAWEI CLOUD's response are as follows:


No.: 4.2
Control Domain: Crisis management process
Specific Control Requirements: Business continuity plans should include crisis management processes to guide emergency response and containment. Senior management should identify potential crisis scenarios and develop crisis management procedures to deal with them. Crisis management should include procedures such as emergency detection and reporting, crisis management team impact assessment, BCP start-up conditions, and internal and external communications.
HUAWEI CLOUD Response: To meet customers' requirements for compliance, HUAWEI CLOUD regularly conducts risk assessment according to the requirements of its internal business continuity management system, identifies and analyses the potential risks faced by the key resources supporting the continuous operation of cloud services, further considers emergency scenarios and risks, and formulates crisis management procedures to deal with and reduce the impact of various emergencies. The crisis management procedures include early warning and reporting of emergencies, emergency escalation, the conditions for starting emergency plans, notification of event progress, and internal and external communication processes.

No.: 4.4
Control Domain: Technology recovery
Specific Control Requirements: AIs should pay attention to the resilience of critical technology equipment and facilities such as the Uninterruptible Power Supply (UPS) and the cooling systems. Such equipment and facilities should be subject to continuous monitoring and periodic maintenance and testing. Appropriate personnel should be assigned the responsibility for technology recovery. Alternate personnel need to be identified for key technology recovery personnel.
HUAWEI CLOUD Response: HUAWEI CLOUD infrastructure has high availability. HUAWEI CLOUD has developed a sound internal process to ensure continuous monitoring, regular maintenance and regular testing of infrastructure operation, to minimize the impact of system failures on customers. The HUAWEI CLOUD data center relies on the structure of two places and three centers to realize disaster recovery and backup of the data center itself, with disaster recovery data backup centers set up between different availability zones in the same region. If a fault occurs in an AZ, the system automatically transfers customer applications and data from the affected area to ensure business continuity on the premise of meeting compliance policies. Each AZ has its own UPS and on-site standby power generation equipment, and each AZ connects to different power grids. All AZs are redundantly connected with multiple primary transmission providers to further eliminate the risk of single point failure.

HUAWEI CLOUD has set up a multiple position backup mechanism for key positions supporting cloud services.

No.: 4.5
Control Domain: Business continuity model
Specific Control Requirements: Various business continuity models can be adopted by AIs to handle prolonged disruptions. For example, the traditional model is an "active/backup" model, which is based on an "active" operating site with a corresponding alternate site (backup site); an emerging split operations model is to operate with two or more widely separated active sites for the same critical operations, providing inherent back-up for each other (e.g. call centres for customer services). Each site has the capacity to take up some or all of the work of another site for an extended period of time.
HUAWEI CLOUD Response: Customers can rely on the Region and Availability Zone (AZ) architecture of the HUAWEI CLOUD data center cluster for disaster recovery and backup of their business systems. Data centers are deployed around the world according to rules. Customers have disaster data backup centers across two places. If a failure occurs, the system automatically transfers customer applications and data from the affected areas to ensure business continuity on the premise of meeting compliance policies. HUAWEI CLOUD has also deployed a Global Server Load Balance Center. Customer applications can achieve N+1 deployment in the data center; even if one data center fails, the traffic load can be balanced to other centers.

4.6 Vital record management

Specific Control Requirements: Copies of vital records should be stored off-site as soon as possible after creation. Back-up vital records must be readily accessible for emergency retrieval. Access to back-up vital records should be adequately controlled to ensure that they are reliable for business resumption purposes. For certain critical services, AIs should consider the need for instantaneous data back-up (e.g. adopting real-time data mirroring technology) to ensure prompt system and data recovery.

HUAWEI CLOUD Response: HUAWEI CLOUD provides multi-granularity data backup and archiving services to meet customers' requirements in specific scenarios. Customers can use the versioning function of OBS, Volume Backup Service (VBS), and Cloud Server Backup Service (CSBS) to back up in-cloud objects, disks, and servers. Benefiting from the on-demand use, scalability, and high reliability of cloud services, customers can also use the Backup and Archive Solution, backup and archiving software, and HUAWEI CLOUD infrastructure to back up on-premises data to HUAWEI CLOUD. With the Data Encryption Workshop (DEW) service, customers can encrypt backup data easily and quickly; access to the backup resources themselves is controlled through IAM like any other cloud resource (see section 9, control C).

In addition, to minimize service interruption caused by hardware failures, natural disasters, or other disastrous events, HUAWEI CLOUD has prepared DR plans for all data centers:

• User data can be replicated and stored on multiple nodes in a data center, so that the failure of a single node does not lose user data. The system supports automatic failure detection and data recovery.

• Different AZs within a single region are linked by Data Center Interconnection (DCI) over high-speed fiber, supporting the essential requirement of cross-AZ data replication. Customers can also use the HUAWEI CLOUD DR replication service and solution according to their business needs.

4.7 Public relations and communication strategy

Specific Control Requirements: AIs should formulate a formal strategy for communication with key external parties. The strategy needs to set out which parties AIs should communicate with in the event of a disaster. Important conversations with external parties should be properly logged for future reference. Important contact numbers and e-mail addresses of key external parties should be kept in a readily accessible manner.

HUAWEI CLOUD Response: HUAWEI CLOUD, as a service provider to AIs, will actively cooperate with communication initiated by the AIs. The HUAWEI CLOUD professional service engineer team provides 24/7 support; customers can contact the HUAWEI CLOUD support team through work orders, intelligent customer service, self-service, and the hotline.

HUAWEI CLOUD has also formulated crisis communication strategies according to the requirements of its internal business continuity management system, defining who is to be contacted in an emergency, what is to be communicated, and by which method.

7.3 Alternate Sites for Business and Technology Recovery

Chapter 5 of the HKMA Supervisory Policy Manual on Business Continuity Planning (TM-G-2) sets out specific requirements for alternate sites, to ensure that they can take over critical business in emergency scenarios. The relevant control requirements and HUAWEI CLOUD's response are as follows. Each entry gives the control number and domain, the specific control requirements, and HUAWEI CLOUD's response.

5.1 Selection criteria for alternate sites

Specific Control Requirements: Alternate sites should be sufficiently distanced to avoid being affected by the same disaster. AIs' alternate sites should be readily accessible and available for occupancy within the time requirement specified in their BCPs. Should the BCPs so require, the alternate sites should have pre-installed workstations, power, telephones and ventilation, and sufficient space. Appropriate physical access controls such as access control systems and security guards should be implemented in accordance with AIs' security policy.

HUAWEI CLOUD Response: Customers can keep disaster backup centers in two separate locations. If a failure occurs, the system automatically transfers customer applications and data away from the affected area to ensure business continuity while continuing to meet compliance policies. When HUAWEI CLOUD selects a data center location, it ensures that different data centers are far enough apart not to be affected by the same threat. Site selection also secures the supporting resources needed for normal operation of the data center, such as municipal electricity, water and communication lines.

The HUAWEI CLOUD O&M team strictly implements access control, security measures, routine monitoring and audit measures to ensure the physical security of HUAWEI CLOUD data centers. Detailed information on data center physical security can be found in the HUAWEI CLOUD Security White Paper.

5.2 Alternate sites for technology recovery

Specific Control Requirements: Alternate sites for technology recovery should have sufficient technical equipment (e.g. workstations, servers, printers, etc.) of appropriate model, size and capacity to meet the recovery requirements specified by AIs' BCPs. The sites should also have adequate telecommunication (including bandwidth) facilities and pre-installed network connections.

HUAWEI CLOUD Response: Compute instances and data stored in HUAWEI CLOUD can be moved flexibly among multiple regions, or among multiple AZs within the same region. Each AZ is an independent, physically isolated fault and maintenance domain with its own UPS and on-site backup power generator, and connects to a power grid different from that of any other AZ. All AZs connect to multiple tier-1 telecom providers for redundancy, eliminating the risk of a single point of failure.

5.3 Alternate sites provided by vendors or other institutions

Specific Control Requirements: The contractual terms between AIs and vendors should include the lead time and capacity that vendors are committed to deliver in terms of backup facilities, technical support or hardware. The vendor should be able to demonstrate its own recoverability.

HUAWEI CLOUD Response: HUAWEI CLOUD infrastructure has high availability. Customers can rely on the Region and Availability Zone (AZ) architecture of the HUAWEI CLOUD data center cluster for disaster recovery and backup of their business systems. Data centers are deployed around the world according to strict rules, and customers can keep disaster backup centers in two different physical locations. If one location fails, the system automatically transfers customer applications and data away from the affected area to ensure business continuity while meeting compliance policies. Customers whose business needs call for disaster recovery should deploy distributed applications across multiple AZs or choose a replication-based disaster recovery service; HUAWEI CLOUD can provide assistance with this.

Additionally, the "HUAWEI CLOUD Service Level Agreement" commits to a defined level of service for HUAWEI CLOUD products and services, including a service availability commitment, and HUAWEI CLOUD will strictly comply with the agreement. HUAWEI CLOUD also provides offline contract templates; if customers have special disaster recovery requirements, HUAWEI CLOUD can add provisions upon agreement by both sides.

7.4 Implementation of Business Continuity Plan

Chapter 6 "Implementation of Business Continuity Plan" requires AIs to regularly test and maintain the business continuity plan to ensure its effectiveness. The relevant control requirements and HUAWEI CLOUD's response are as follows. Each entry gives the control number and domain, the specific control requirements, and HUAWEI CLOUD's response.

6.1 Testing and rehearsal

Specific Control Requirements: AIs are expected to conduct testing of their BCP at least annually. Both recovery and alternate personnel should participate in plan rehearsals to familiarise themselves with their recovery responsibilities. The scope of testing should be comprehensive, covering the major components of the BCP as well as coordination and interfaces among important parties. Formal testing documentation (including testing plan, testing scenarios, testing procedures and testing results) should be produced, and plans and recovery strategies should be updated to remedy the situation.

HUAWEI CLOUD Response: As a supplier to cloud service customers, HUAWEI CLOUD will actively cooperate with customer-initiated test requirements and help customers test the effectiveness of their business continuity plans.

HUAWEI CLOUD tests its business continuity plans and disaster recovery plans annually according to the requirements of its internal business continuity management system. All emergency response personnel, including reserve personnel, are required to participate. The tests include desktop exercises, functional exercises and full-scale exercises, with emphasis on high-risk scenarios. During testing, HUAWEI CLOUD selects test scenarios, develops complete test plans and procedures, and records test results. After the test, the relevant personnel write a test report and summarize any problems found. If the test results show problems with the business continuity plan, recovery strategy or emergency plan, the documents are updated.

6.2 Periodic maintenance

Specific Control Requirements: Individual business and support functions should review their business impact analysis and recovery strategy on an annual basis. The contact information for key staff, counterparties, customers and service providers should be updated as soon as possible. Copies of the BCP document should be stored at locations separate from the primary sites. A summary of key steps to take in an emergency should be made available to senior management and other key personnel and kept by them in multiple locations.

HUAWEI CLOUD Response: Customers should consider updating their business continuity plans at least once a year and make sure copies are available. In order to meet the compliance requirements of customers, HUAWEI CLOUD audits and updates all management system documents every year according to the requirements of its internal business continuity management system. HUAWEI CLOUD maintains a list of contacts to be reached in an emergency and updates it promptly when notified of personnel changes.

Multiple copies of documents such as the business continuity plan, emergency response plan and disaster recovery operation manual are stored both electronically and in paper form and are distributed to relevant management and other key personnel.

8. How HUAWEI CLOUD Meets the Requirements of HKMA Guideline on Authorization of Virtual Banks

The HKMA issued the Guideline on Authorization of Virtual Banks16 on February 6, 2018. After public consultation, the revised Guideline on Authorization of Virtual Banks was issued on May 30, 2018. In the guideline, the HKMA states that the development of virtual banks will promote the application of and innovation in financial technology in Hong Kong, provide a new customer experience and promote financial inclusion. The HKMA therefore invited applicants, including non-financial institutions such as technology companies, to set up virtual banks in Hong Kong.

16 https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/guideline/guideline_eng_virtual_bank_20180608.pdf

The guideline sets out the main requirements that companies applying to establish virtual banks should comply with, including ownership structure, ongoing supervision, physical offices, business plans, technology risk, outsourcing arrangements and so on. On technology risk, the guideline emphasizes that virtual bank applicants should pay attention to three aspects: information security, system resilience and business continuity, and should adopt security and technical control measures that meet business needs. On outsourcing arrangements, the guideline indicates that outsourcing arrangements must be approved and must comply with the Supervisory Policy Manual on Outsourcing (SA-2) and other relevant requirements.

The following table summarizes how HUAWEI CLOUD, as a cloud service provider, will assist virtual bank applicants to meet the technology risk and outsourcing arrangement requirements outlined in the guideline. Each entry gives the control domain, the specific control requirements, and HUAWEI CLOUD's response.

Technology risk

Specific Control Requirements: Virtual bank applicants should pay attention to the risks of information security, system resilience and business continuity management, and adopt security and technical control measures that meet business needs.

HUAWEI CLOUD Response:

Information Security: HUAWEI CLOUD not only secures the cloud platform itself, but also provides layered protective measures for every stage of the data life cycle in the customer's cloud environment. Through user-friendly operation interfaces, HUAWEI CLOUD makes these measures easy for customers to use and integrate, and meets the individual data security needs of customers in different industries. See the White Paper for HUAWEI CLOUD Data Security17 for more information.

System Resilience: HUAWEI CLOUD infrastructure is highly available and thereby minimizes the impact of system failures on customers. Disaster backup centers are located in different AZs of the same region. If a failure occurs in one AZ, the system automatically transfers customer applications and data away from the affected area to ensure business continuity while continuing to meet compliance policies. Each AZ has its own UPS and on-site standby power generation equipment, and each AZ connects to a different power grid. All AZs are redundantly connected to multiple primary transmission providers to further eliminate the risk of a single point of failure. See section 8.4 "Business continuity and disaster recovery" of the HUAWEI CLOUD Security White Paper for more information.

Business Continuity Management: HUAWEI CLOUD follows the ISO 22301 international standard for business continuity management and has established a complete business continuity management system. Within this framework, business impact analysis and risk assessment are carried out regularly, and business continuity plans and disaster recovery plans are formulated and tested regularly. Test results are recorded and documented to continuously improve the plans. In addition, HUAWEI CLOUD can assist customers in developing and testing business continuity plans according to their needs.

17 https://intl.huaweicloud.com/content/dam/cloudbu-site/archive/hk/en-us/securecenter/security_doc/DataSecurityWhitepaper_en.pdf

Technology risk

Specific Control Requirements: The applicant should commission a qualified independent expert to produce an independent assessment report on its computer hardware, systems, security, processes and controls.

HUAWEI CLOUD Response: HUAWEI CLOUD can provide professional assistance and will actively respond to and cooperate with audit activities initiated by the customer in support of the independent expert assessment it has commissioned. HUAWEI CLOUD itself also obtains audit reports from professional third-party auditors every year.

Outsourcing arrangement

Specific Control Requirements: Outsourcing arrangements must be properly approved and must comply with the Supervisory Policy Manual on Outsourcing (SA-2), the Personal Data (Privacy) Ordinance and the customer confidentiality provisions under common law. The confidentiality and integrity of customer data should be protected in outsourcing activities.

HUAWEI CLOUD Response: HUAWEI CLOUD can assist cloud service customers to meet the outsourcing requirements:

• Chapter 6 "How HUAWEI CLOUD Meets the Requirements of HKMA Supervisory Policy Manual on Outsourcing (SA-2)" describes in detail how HUAWEI CLOUD helps financial institutions meet the requirements of SA-2.

• Chapter 9 "How HUAWEI CLOUD Meets the Requirements of HKMA Customer Data Protection" elaborates on how HUAWEI CLOUD can assist financial institutions to protect their customer data.


9. How HUAWEI CLOUD Meets the Requirements of HKMA Customer Data Protection

The HKMA circular Customer Data Protection18 explains the importance to AIs of protecting the confidentiality of customer data and provides implementation guidance on how to protect it. The following summarizes the control requirements in the circular that relate to cloud service providers, and explains how HUAWEI CLOUD, as an authorized cloud service provider, can help AIs meet them. Each entry gives the control reference and domain, the specific control requirements, and HUAWEI CLOUD's response.

B. Data security policies and awareness

Specific Control Requirements: AIs should develop formal policies and procedures on data security to safeguard customer data. Where personal data are involved, the policies and procedures, including those to be followed by the relevant service providers, should also be in line with the PDPO and any relevant codes of practice, rules or guidance issued or approved by the Privacy Commissioner. In addition, AIs should develop awareness training programs to inform employees of the importance of customer data protection.

HUAWEI CLOUD Response: Customers should consider formulating appropriate strategies to protect customer data in their business, especially personal information. In order to meet customer compliance requirements, HUAWEI CLOUD has established, and continues to improve, a complete information security and privacy protection management system in accordance with regulatory requirements and international and industry standards. The management system has detailed policies and procedures in many security fields, such as physical security control, system security and security awareness training. HUAWEI CLOUD continues to implement the management system requirements to ensure customer business and data security.

HUAWEI CLOUD has formulated a comprehensive security awareness training plan, covering security awareness training at recruitment, on the job, on transfer and at other such points. This ensures that employee behavior complies with all laws, policies, processes and requirements in Huawei's business code of conduct. In addition, HUAWEI CLOUD has established a rigorous security responsibility system, implemented a mechanism of accountability for violations, and made employees aware through training of the possible sanctions for violations.

18 https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2014/20141014e1.pdf

C. Logical access control of customer data

Specific Control Requirements: AIs should identify the locations of customer data residing in different parts of AIs' networks and systems, and ensure that adequate logical access controls are in place at different levels (such as the application level, database level, operating system level and network level) to prevent unauthorized access to customer data and unauthorized or erroneous transmission of customer data to external parties.

HUAWEI CLOUD Response: The unified HUAWEI CLOUD Identity and Access Management (IAM) service provides cloud resource access control for customers. With IAM, the customer administrator can manage user accounts and control the operation rights those accounts have over the resources under the customer's account. The Cloud Trace Service (CTS) provides customers with records of operations on cloud service resources for querying, auditing and retrospective investigation. Three types of operation are recorded: operations performed through the management console after logging in with the cloud account, operations performed through the APIs supported by cloud services, and operations triggered within the HUAWEI CLOUD system itself.

HUAWEI CLOUD follows the principle of "no access to customer data without permission" and explicitly states in its user agreement that it will not access or use user content except as necessary to provide the services to the user, or to comply with laws, regulations or binding orders of government bodies. Because CTS also records operations triggered inside the HUAWEI CLOUD system, customers can review that record against this commitment. When internal operation and maintenance personnel access the HUAWEI CLOUD management network for centralized management of the system, they must authenticate with two factors, such as a USB key or smart card. Employee accounts are used to log in to the VPN and the bastion host, giving in-depth auditing of user logins.

HUAWEI CLOUD provides infrastructure for customers and treats infrastructure security as the core component of its cloud security protection system, which is built as a multi-dimensional, full-stack architecture. It provides multi-level security protection for the physical environment, network, platform, application programming interfaces, data and so on. For more information, see section 5 "Infrastructure Security" of the HUAWEI CLOUD Security White Paper.

E. Controls over storage of customer data

Specific Control Requirements: AIs should implement effective controls for prompt detection of unusual downloading activities that may involve customer data. For instance, AIs could enable logging of data downloading to those media and perform periodic sample checks on whether customer data have been downloaded without authorization. For all media (including paper and electronic media) where customer data is stored, AIs should establish secure processes for disposal and destruction of the customer data stored in such media.

HUAWEI CLOUD Response: Customers own and control their data on the cloud, and HUAWEI CLOUD will not access any customer data without their permission. To detect wrongful downloading of this data, customers can audit and detect abnormal activity in different ways for different products and services. For example, for object storage, file storage and other services, customers can use the Cloud Trace Service to record user operations on data; for relational database services, customers can use the Database Security Service for column-level management and access activity records. Recording the operations is the prerequisite; the customer still has to define what counts as unusual (for example a per-account volume or time-of-day baseline) and review or alert on the records against it, which is what the control's "periodic sample checks" amount to in practice.

When customers stop using HUAWEI CLOUD services and need to destroy content data, HUAWEI CLOUD clears the specified data and all copies of it. Once the customer confirms the deletion, HUAWEI CLOUD deletes the index relationship between the customer and the data and clears the storage space, such as memory and block storage, before it is reallocated, so that the related data cannot be restored. If a physical storage medium is to be disposed of, HUAWEI CLOUD clears the data by degaussing, bending, or breaking the medium to ensure that data on it cannot be recovered.
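Control E asks for detection of unusual downloading, not merely a log of it. The following Python is an added illustration of the "baseline and alert" step a customer has to build on top of the audit records; it is not HUAWEI CLOUD code, and the record layout (timestamp, user, operation, resource, bytes returned) and the constructed sample records are assumptions for illustration, not the real CTS or OBS log format. It runs three simple rules over the records: a per-user daily volume baseline, data reads outside business hours, and a burst of distinct objects read within a short window.

```python
"""Baseline-and-alert detection of unusual customer-data downloads.

Added example, not HUAWEI CLOUD code. The record layout (timestamp, user,
operation, resource, bytes_returned) is an assumption made for illustration;
real CTS or OBS access-log fields differ and would have to be mapped onto it.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

DATA_READ_OPS = {"GetObject"}      # operations that return customer data to the caller
VOLUME_FACTOR = 3.0                # a day above 3x the user's median prior day is unusual
MIN_HISTORY_DAYS = 2               # judge volume only once this many prior days exist
BUSINESS_HOURS = (8, 20)           # reads at hours in [8, 20) are normal (UTC here)
BURST_OBJECTS = 5                  # this many distinct objects ...
BURST_WINDOW_SECONDS = 300         # ... inside this window looks like a bulk pull

# Constructed sample records (not real log output). Alice reads a couple of
# statements per working day, then pulls a whole folder at 02:00 on 7 Nov.
SAMPLE_RECORDS = [
    ("2019-11-04T09:12:00Z", "alice", "GetObject", "obs://cust-data/stmt-0001.pdf", 120_000),
    ("2019-11-04T10:40:00Z", "alice", "GetObject", "obs://cust-data/stmt-0002.pdf", 110_000),
    ("2019-11-05T09:05:00Z", "alice", "GetObject", "obs://cust-data/stmt-0003.pdf", 130_000),
    ("2019-11-05T14:20:00Z", "alice", "GetObject", "obs://cust-data/stmt-0004.pdf", 115_000),
    ("2019-11-06T09:30:00Z", "alice", "GetObject", "obs://cust-data/stmt-0005.pdf", 125_000),
    ("2019-11-06T11:00:00Z", "alice", "GetObject", "obs://cust-data/stmt-0006.pdf", 118_000),
    ("2019-11-07T02:01:00Z", "alice", "ListObjects", "obs://cust-data/", 0),
    ("2019-11-07T02:01:10Z", "alice", "GetObject", "obs://cust-data/stmt-0007.pdf", 120_000),
    ("2019-11-07T02:01:20Z", "alice", "GetObject", "obs://cust-data/stmt-0008.pdf", 121_000),
    ("2019-11-07T02:01:30Z", "alice", "GetObject", "obs://cust-data/stmt-0009.pdf", 119_000),
    ("2019-11-07T02:01:40Z", "alice", "GetObject", "obs://cust-data/stmt-0010.pdf", 122_000),
    ("2019-11-07T02:01:50Z", "alice", "GetObject", "obs://cust-data/stmt-0011.pdf", 118_000),
    ("2019-11-07T02:02:00Z", "alice", "GetObject", "obs://cust-data/stmt-0012.pdf", 120_000),
    ("2019-11-07T02:02:10Z", "alice", "GetObject", "obs://cust-data/stmt-0013.pdf", 123_000),
    ("2019-11-07T02:02:20Z", "alice", "GetObject", "obs://cust-data/stmt-0014.pdf", 117_000),
    ("2019-11-06T15:00:00Z", "bob", "GetObject", "obs://cust-data/stmt-0100.pdf", 90_000),
    ("2019-11-07T15:10:00Z", "bob", "GetObject", "obs://cust-data/stmt-0101.pdf", 95_000),
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_unusual_downloads(records):
    """Run the three rules over records and return one finding dict per hit."""
    reads = sorted((r for r in records if r[2] in DATA_READ_OPS), key=lambda r: r[0])
    per_day = defaultdict(list)                        # (user, day) -> that day's reads
    for rec in reads:
        per_day[(rec[1], rec[0][:10])].append(rec)

    findings = []
    history = defaultdict(list)                        # user -> bytes read on earlier days
    for (user, day), recs in sorted(per_day.items()):  # per user, oldest day first
        # Rule 1: daily volume against the user's own prior-day median.
        total = sum(r[4] for r in recs)
        prior = history[user]
        if len(prior) >= MIN_HISTORY_DAYS and total > VOLUME_FACTOR * median(prior):
            findings.append({"rule": "volume", "user": user, "day": day,
                             "detail": "%d bytes vs prior median %d" % (total, median(prior))})
        history[user].append(total)

        # Rule 2: any data read outside business hours.
        off = [r for r in recs if not BUSINESS_HOURS[0] <= _ts(r[0]).hour < BUSINESS_HOURS[1]]
        if off:
            findings.append({"rule": "off_hours", "user": user, "day": day,
                             "detail": "%d data reads outside business hours" % len(off)})

        # Rule 3: sliding window counting distinct objects read close together.
        times = [_ts(r[0]) for r in recs]
        peak, start = 0, 0
        for end in range(len(recs)):
            while (times[end] - times[start]).total_seconds() > BURST_WINDOW_SECONDS:
                start += 1
            peak = max(peak, len({r[3] for r in recs[start:end + 1]}))
        if peak >= BURST_OBJECTS:
            findings.append({"rule": "burst", "user": user, "day": day,
                             "detail": "%d distinct objects within %ds" % (peak, BURST_WINDOW_SECONDS)})
    return findings


if __name__ == "__main__":
    for hit in detect_unusual_downloads(SAMPLE_RECORDS):
        print("%-9s %-6s %s  %s" % (hit["rule"], hit["user"], hit["day"], hit["detail"]))
```

On the sample data only alice's 7 November activity trips the rules (all three of them), while bob's steady one-read-a-day pattern produces nothing. The thresholds are deliberately simple; in production they would be tuned per role and the findings routed to the periodic sample review the control calls for, with the volume baseline computed over a longer history than the three days used here.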

G. Physical security controls over office environment related to customer data

Specific Control Requirements: AIs should identify the locations within and outside their premises (including service providers) where their customer data are stored or can be accessed. They should satisfy themselves that adequate physical security (including physical access controls, security guards and surveillance cameras) is in place in those locations in order to safeguard customer data against theft or unauthorized access. When AIs or their service providers (e.g. couriers) need to relocate or transport their systems, facilities, records or other assets that contain customer data, they should arrange adequate physical security controls to protect those assets and data during the relocation or transportation. Adequate reconciliation or inventory checks should be performed as soon as practicable during and after the relocation or transportation to ensure that no customer data are lost in transit. AIs should control places or service providers that process or access large amounts of sensitive customer data.

HUAWEI CLOUD Response: HUAWEI CLOUD enforces stringent data center access control for both personnel and equipment. Security guards, stationed 24/7 at every entrance to each HUAWEI CLOUD data center site and at the entrance of each building on site, are responsible for registering and monitoring visitors and staff and managing their access scope on an as-needed basis. Different security strategies are applied to the physical access control systems in different zones of the data center site. Security guards strictly review and regularly audit access privileges. Important physical components of a data center are stored in designated safes, protected by electronic access codes, in the data center storage warehouses; only authorized personnel can open and operate the safes. Work orders must be filled out before any physical components can be carried out of the data center, and personnel removing any data center components must be registered in the warehouse management system (WMS). Designated personnel perform periodic inventories of all physical equipment and warehouse materials. Data center administrators not only perform routine safety checks but also audit data center visitor logs as needed to ensure that unauthorized personnel have no access to data centers.

I. Other controls over service providers

Specific Control Requirements: Where there is an operational need for AIs to transmit customer data to their service providers over a public network, strong data encryption should be in place to protect the customer data during transmission.

HUAWEI CLOUD Response: Customers can use the Virtual Private Network (VPN)19, Direct Connect (DC)20, Cloud Connect (CC)21 and other services provided by HUAWEI CLOUD to interconnect their business systems and secure data transmission between different regions. The VPN service uses Huawei's professional equipment to build a virtual private network over the Internet based on the IKE and IPsec protocols, forming a secure and reliable encrypted transmission channel between a local data center and HUAWEI CLOUD VPCs in different regions.

The Direct Connect dedicated line service is based on the various dedicated line networks of carriers. It builds dedicated transmission channels between a local data center and a HUAWEI CLOUD VPC, and the physical isolation between customers' dedicated lines meets higher security and stability requirements. Note that a dedicated line provides isolation rather than encryption by itself; where this control's "strong data encryption" applies, run an encrypted protocol over the line, such as the IPsec VPN or TLS at the application layer. The Cloud Connect service can quickly establish a private communication network between multiple local data centers and multiple cloud VPCs, supports the interconnection of VPCs across clouds, and greatly improves the security and speed of global expansion of customer services.

19 https://intl.huaweicloud.com/en-us/product/vpn.html
20 https://intl.huaweicloud.com/en-us/product/dc.html
21 https://intl.huaweicloud.com/en-us/product/cc.html

10. How HUAWEI CLOUD Meets the Requirements of Incident Response and Management Procedures

Incident Response and Management Procedures [22] reminds AIs that they must have the capability and procedures required to respond to major incidents. It also sets out the guiding principles that AIs should follow when communicating with the public regarding major incidents.

The following summarizes the control requirements in the circular that relate to cloud service providers, and elaborates on how HUAWEI CLOUD, as an authorized cloud service provider, can help AIs meet these control requirements.

Control Domain | Specific Control Requirements | HUAWEI CLOUD Response

Control Domain: Immediate incident response

Specific Control Requirements: The AI concerned should immediately analyze the cause of the incident and as soon as practicable rectify or contain the problem. The top priority should be to safeguard the interests of customers who have been or may be affected by the incident.

HUAWEI CLOUD Response: To meet the requirement for fast response, HUAWEI CLOUD has developed a complete event management process. Events are prioritized, and different processing time limits are defined according to the impact and scope of each event. HUAWEI CLOUD will respond to and resolve the event within the time limit specified for its priority, to minimize the impact of the event on cloud service customers.

[22] https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2010/20100622e1.pdf

Control Domain: Customer notifications

Specific Control Requirements: The AI concerned should determine as quickly as possible after identifying an incident whether the situation is likely to affect other customers or the customers of other AIs. The AI should proactively notify the customers affected or likely to be affected through the most effective means and advise them of the steps or precautionary measures that they need to take, as well as whether the bank would reimburse any losses incurred by them and, if so, how they can apply for compensation. Where necessary, the AI should also notify other affected AIs (so they can in turn notify their affected customers) as soon as practicable.

HUAWEI CLOUD Response: To meet the requirements for post-event notification, HUAWEI CLOUD has developed a complete process for event management and notification. If an event occurs on the HUAWEI CLOUD Base Platform, relevant personnel will analyze the impact of the event according to the process. If the event has or will have an impact on cloud service customers, HUAWEI CLOUD will start to notify customers of the event. The contents of the notice include but are not limited to a description of the event, the cause, the impact, the measures taken by HUAWEI CLOUD, and the measures recommended for customers.

Control Domain: Public announcement

Specific Control Requirements: In addition to notifying customers individually, for serious incidents, AIs should consider issuing a public announcement. The content of the announcement should include the key elements of the event and the measures to be taken by the affected customers.

HUAWEI CLOUD Response: The internal customer notification process ensures that HUAWEI CLOUD can promptly notify customers of events with an announcement when serious events occur on the underlying infrastructure platform and have or may have a serious impact on multiple customers. The contents of the notification include but are not limited to a description of the event, the cause, the impact, the measures taken by HUAWEI CLOUD and the measures recommended for customers.

Control Domain: Reporting incident to the HKMA

Specific Control Requirements: Once an AI has become aware that a significant incident has occurred, the AI concerned should notify the HKMA immediately and provide it with whatever information is available at the time. For the avoidance of doubt, an AI should not wait until it has rectified the problem before reporting the incident to the HKMA. The HKMA may require the AI concerned to provide further information or updates. Depending on the nature and seriousness of the incident and on whether the incident has wider implications for the general public, the HKMA may make a separate public announcement as appropriate.

HUAWEI CLOUD Response: To meet the requirements of the HKMA for reporting major events, HUAWEI CLOUD has set up a 24/7 professional security incident response team and expert resource pool. In accordance with the requirements of laws and regulations, relevant events are disclosed promptly, customers are informed promptly, and emergency plans and recovery processes are implemented to reduce business impact.

Control Domain: Handling of customers' and media's enquiry

Specific Control Requirements: AIs should ensure that their staff members are at all times alert to the importance of detecting significant incidents and reporting such incidents to senior management. AIs are expected to ensure that they have in place the appropriate incident response and management capability and procedures through their ongoing supervisory efforts.

HUAWEI CLOUD Response: In order to meet the requirements for event response management, the HUAWEI CLOUD event management program defines the responsibilities and procedures for event reporting. In addition, HUAWEI CLOUD performs linkage (correlation) analysis of alerts from security devices and combines machine learning technology with expert experience to build the corresponding models, allowing previously unknown data security risks to be detected and defended against and responded to promptly with effective measures.

11. Conclusion

This user guide describes how HUAWEI CLOUD provides cloud services that meet the regulatory requirements of the financial industry in Hong Kong and shows that HUAWEI CLOUD complies with the key regulatory requirements issued by the HKMA. It aims to help customers learn more about HUAWEI CLOUD's compliance with Hong Kong's regulatory requirements for the financial industry and to assure customers that they can store and process customer content data safely through HUAWEI CLOUD services. To some extent, this document also guides customers on how to design, build and deploy on HUAWEI CLOUD a secure cloud environment that meets the regulatory requirements of the HKMA, and helps customers better shoulder security responsibilities together with HUAWEI CLOUD.


This user guide is for reference only and does not have legal effect or constitute legal advice. Customers should assess their own use of cloud services as appropriate and ensure compliance with the relevant regulatory requirements of the HKMA when using HUAWEI CLOUD.

12. Version History

Date | Version | Description
November 2019 | 1.0 | First release