supervisory policy manual - hkma.gov.hk · supervisory policy manual tm-g-1 general principles for...

Supervisory Policy ManualTM-G-1 General Principles for Technology

Risk ManagementV.1 – 24.06.03

1

This module should be read in conjunction with the Introduction and with theGlossary, which contains an explanation of abbreviations and other termsused in this Manual. If reading on-line, click on blue underlined headings toactivate hyperlinks to the relevant module.

—————————

PurposeTo provide AIs with guidance on general principles which AIs areexpected to consider in managing technology-related risks

ClassificationA non-statutory guideline issued by the MA as a guidance note

Previous guidelines supersededThis is a new guideline.

ApplicationTo all AIs

Structure1. Introduction

1.1 Terminology1.2 Legal obligations under the Seventh Schedule1.3 General framework of technology risk management

2. IT governance2.1 IT control policies2.2 Oversight and organisation of IT functions2.3 Technology risk management function2.4 Technology audits2.5 Staff competence and training2.6 IT support provided by overseas offices

3. Security management



2

3.1 Information classification and protection3.2 Authentication and access control3.3 Security administration and monitoring3.4 System security3.5 End-user and mobile computing3.6 Physical and personnel security

4. System development and change management4.1 Project management4.2 Project life cycle4.3 Change management

5. Information processing5.1 IT operations management and support5.2 Performance monitoring and capacity planning5.3 IT facilities and equipment maintenance5.4 Disaster recovery planning

6. Communications networks6.1 Network management6.2 Network security and certification6.3 Wireless local area network

7. Management of technology service providers7.1 Management of technology outsourcing7.2 Management of other technology service providers

—————————

1. Introduction

1.1 Terminology1.1.1 In this module terms are used with the following

meanings:

• “Information technology” (IT) or “technology”encompasses automated means of originating,



3

processing, storing and communicatinginformation, and covers recording devices,communications networks, computer systems(including hardware and software components anddata) and other electronic devices;

• “IT controls” refers to internal controls over securitymanagement, system development and changemanagement, information processing,communications networks and management oftechnology service providers;

• “IT governance” refers to the organisationalstructures and processes that align the IT missionwith the institution’s strategies and businessobjectives, and ensure that IT resources are usedeffectively and technology-related risks aremanaged properly; and

• “Technology risk management” refers to riskmanagement systems that enable AIs to identify,measure, monitor and control their technology-related risks.

1.2 Legal obligations under the Seventh Schedule

1.2.1 AIs should be aware of their legal obligations to meet theminimum authorization criteria stipulated under theSeventh Schedule to the Banking Ordinance in relation totheir computer systems.

1.2.2 Specially, para. 10 of the Schedule requires AIs to haveadequate accounting systems and systems of control andpara. 121 requires them to conduct their business withintegrity, competence and in a manner not detrimental tothe interests of depositors and potential depositors. Inthis connection, the MA expects AIs to have in place aneffective framework of technology risk management toensure the adequacy of IT controls and quality of theircomputer systems.

1 As set out in the “Guide to Authorization”, the MA will take account of the quality of an

institution’s computer systems, among other factors, in considering whether the institutionis conducting its business prudently and with competence.



4

1.2.3 The HKMA will, in the course of its on-site examinations,off-site reviews and prudential meetings with AIs,determine as appropriate the adequacy of theirtechnology risk management, having regard to theprinciples set out in this module.

1.3 General framework of technology risk management1.3.1 This module is intended to supplement IC-1 “General Risk

Management Controls” by setting out general principlesthat the MA expects AIs to consider in their technologyrisk management. Further detailed guidance onmanaging technology-related risks of electronic bankingwill be covered separately in another module TM-E-1“Supervision of E-banking”.

1.3.2 As AIs increase their dependency on technology to deliverbanking services, inappropriate usage of AIs’ technologyresources may have significant risk implications. Theseinclude for example:

• the strategic risk resulted from poor decisions ontechnology-related investments;

• the operational risk caused by unauthorized accessor disruptions to technology resources that supportmission-critical banking services; and

• the reputation risk and the legal risk due to materialsecurity breaches or unavailability of computersystems which process customer information ortransactions.

1.3.3 As set out in IC-1 “General Risk Management Controls”,the Board of Directors is ultimately responsible forunderstanding the risks run by an AI and ensuring thatthey are properly managed, whereas the seniormanagement is accountable for designing andimplementing the risk management system approved bythe Board2 or its designated committee. To this end, thesenior management should establish an effective

2 For the purpose of this module, the responsibility of Board oversight of technology risk

management for overseas incorporated AIs in respect of the Hong Kong operation shouldrest with the local senior management.



5

technology risk management framework3. This normallycomprises IT governance, a continuous technology riskmanagement process, and implementation of soundpractices in respect of IT controls.

1.3.4 The general principle is that AIs are expected toimplement the relevant technology risk managementframework that is “fit for purpose”, i.e. commensurate withthe risks associated with the types of business andoperations, the technologies adopted and the overall riskmanagement systems of individual AIs. An overview of asound framework of technology risk management isillustrated below.

3 AIs may find it useful to draw other references from additional resources on technology

risk management or IT controls, e.g., ISO/IEC 17799:2000 Information Technology – Codeof Practice for Information Security Management (www.iso.ch), Information Systems Auditand Control Association (www.isaca.org), IT Governance Institute (www.itgovernance.org)and Information Security Forum (www.securityforum.org).

http://www.iso.ch

http://www.isaca.org

http://www.itgovernance.org

http://www.securityforum.org



6

Staff competence and training

Board and senior management oversight

IT governance

To set out the ground rules for key IT controls

IT control policies

To delivertechnology

services andimplementIT controls

IT functions

To performindependent

assessment oftechnology riskmanagement

process &IT controls

Technologyaudit

To performcertain IT

services orcontrols to

support localoperations

Overseasoffices (if any)

To managetechnology riskmanagement

process amongbusiness units& IT functions

Technology riskmanagement

function

Technology risk management process

MeasureMeasure

To measurethe impact,

likelihood anddirection oftechnology-related risks

To measurethe impact,

likelihood anddirection oftechnology-related risks

IdentifyIdentify

To identify emerging orexisting technology-

related risks

To identify emerging orexisting technology-

related risks

ControlControl

To control the risks through preventive,

compensating and contingency

measures

To control the risks through preventive,

compensating and contingency

measures

System development & change management

Security management

Information processing

Communications networks

Management of technology service providers

Sound practices for IT controls

MonitorMonitor

To regularly monitor anytechnology-related issues

or incidents

To regularly monitor anytechnology-related issues

or incidents



7

2. IT governance

2.1 IT control policies2.1.1 Achieving a consistent standard of sound practices for IT

controls across an AI requires clear direction andcommitment from the Board and senior management. Inthis connection, senior management, who may beassisted by a delegated sub-committee, is responsible fordeveloping a set of IT control policies which establish theground rules for IT controls. These policies should beformally approved by the Board or its designatedcommittee and properly implemented among IT functionsand business units.

2.1.2 IT control policies normally cover, at a minimum, the fiveaspects of IT controls mentioned in sections 3 to 7 of thismodule. They should be reviewed regularly, and wherenecessary updated to accommodate changing operatingenvironments and technologies.

2.1.3 Senior management should ensure that processes usedto verify compliance with IT control policies and theprocess for seeking appropriate approval for dispensationfrom IT control policies are specified clearly. Seniormanagement should also define the consequencesassociated with any failure to adhere to this process. Ingeneral, the responsibility for ensuring compliance with ITcontrol policies and the process for seeking dispensationrests with individual business units and IT functions, withthe assistance of the technology risk managementfunction (see subsection 2.3 below).

2.1.4 Senior management may put in place mechanisms (e.g.periodic reminders for relevant staff and policy orientationfor new recruits) to promote awareness of IT controlpolicies among relevant personnel on a regular basis.

2.2 Oversight and organisation of IT functions2.2.1 Senior management should establish an effective

organisation of IT functions to deliver technology servicesand to provide day-to-day technology support to businessunits. A clear IT organisation structure and related jobdescriptions of individual IT functions should bedocumented and approved by senior management.



8

2.2.2 Proper segregation of duties4 within and among variousIT functions is crucial for ensuring an effective IT controlenvironment. In the event that an AI finds it difficult tosegregate certain IT control responsibilities, it should putin place adequate compensating controls (e.g. peerreviews) to mitigate the associated risk.

2.2.3 It is recommended that AIs establish an IT planning orsteering committee which oversees whether IT resourcesare used effectively to support business strategies. Thiscommittee should normally consist of representatives ofsenior management, key business units and IT functions.It should meet regularly and report to senior management,and where appropriate to the Board or its designatedcommittee on the status of major technology-relatedinitiatives and any material IT-related issues.

2.2.4 In general, the IT planning or steering committee shouldalso be responsible for developing an IT strategy to coverlonger and short-term technology-related initiatives, takinginto account new business initiatives, organisationalchanges, technological evolution, regulatoryrequirements, staffing and control related issues. The ITstrategy should be formally documented, endorsed by theBoard or its designated committee and seniormanagement, as well as reviewed and updated at leaston an annual basis.

2.3 Technology risk management function2.3.1 IC-1 “General Risk Management Controls” specifies that

AIs should have in place effective risk managementsystems and that new products and services should besubject to careful evaluation (including a detailed riskassessment) as well as a post-launch review. The samerisk management controls apply to the technology riskmanagement of AIs.

2.3.2 Senior management should establish clearly whichfunction in the AI is responsible for implementing andmanaging the technology risk management process (theTRM function). Depending on the business and

4 For example, system development personnel should be prohibited from having access to

production systems. The security management function should not be assigned otherconflicting duties such as system development, computer operations or technical support.



9

operational needs of individual AIs, the TRM function mayrefer to a dedicated department of an AI, or a group ofdepartments or support units collectively performing theroles defined for this function.

2.3.3 The TRM function has a role to assist business units andIT functions in performing the technology riskmanagement process which identifies, measures,monitors and controls technology-related risks. Inaddition, this function helps to ensure awareness of, andcompliance with, the AI’s IT control policies, and toprovide support for investigation of any technology-relatedfrauds and incidents.

2.3.4 The TRM function should formulate a formal technologyrisk acknowledgement and acceptance process forreviewing, evaluating and approving any major incidentsof non-compliance with IT control policies. Typicalreasons for such non-compliance are technologylimitations (e.g. certain proprietary operating systems areonly able to provide primitive password controls),business constraints (e.g. undesirable impact oncustomer services) and the costs outweighing theassociated benefits. The process includes:

• a description of the risk being considered foracknowledgement by the owner of the risk and anassessment of the risk that is being accepted;

• identification of mitigating controls;

• formulation of a remedial plan to reduce the risk;and

• approval of the risk acknowledgement from theowner of the risk and senior management.

2.4 Technology audits2.4.1 IC-1 “General Risk Management Controls” sets out the

general objective and the importance of independenceand expertise of AIs’ internal audit function. As regardstechnology audits, AIs are expected to assess periodicallytheir technology risk management process and ITcontrols. To ensure adequate coverage of the IT controlenvironment and critical computer systems, an annualtechnology audit plan should be developed. AIs should



10

also ensure that audit issues are properly tracked and, inparticular, completely recorded, adequately followed upand satisfactorily rectified.

2.4.2 It is recognised that the internal audit function of some AIsmay find it difficult to build up in-house technology auditexpertise. In these circumstances, technology auditsupport may be supplemented by external specialists orinternal technology auditors of other offices of the samebanking group.

2.5 Staff competence and training2.5.1 Given the rapid pace of technological development, senior

management needs to ensure that staff of IT functions,the TRM function and internal technology auditors arecompetent and able to meet required levels of expertiseand experience on an ongoing basis. It is also importantto ensure that staffing levels are sufficient to handlepresent and expected work demands, and to caterreasonably for staff turnover.

2.5.2 To ensure that an adequate training programme is inplace for IT personnel, it is essential to establish aprocess to identify any material skill gaps5 of staff oftechnology-related functions. AIs may encourage and,where appropriate, facilitate their staff to acquire relevantprofessional qualifications, such as for those who areresponsible for security management, technology riskmanagement and technology audits.

2.6 IT support provided by overseas offices2.6.1 Some AIs may rely upon or work with their overseas

offices (e.g. parent banks, subsidiaries, head offices orother regional offices of the same banking group) withregard to certain IT controls or support activities. Seniormanagement should ensure that the respectiveresponsibilities of the local and overseas offices in theseareas are clearly set out in the relevant documents (e.g.policies, procedures or service agreements).

5 Skill gaps can be identified by evaluating the skill set of personnel against a pre-defined

skill matrix which defines the required knowledge, qualifications and experience for aparticular job or position.



11

3. Security management

3.1 Information classification and protection3.1.1 For each application system, AIs should preferably assign

an individual as the information owner6. The informationowner normally needs to work with the TRM and ITfunctions to ensure confidentiality and integrity ofinformation, and to protect the information in accordancewith the level of risk present and envisaged.

3.1.2 Information can be classified into different categoriesaccording to the degree of sensitivity (e.g. highlysensitive, sensitive, internal and public) to indicate theextent of protection required. To aid the classificationprocess, AIs should ideally develop guidelines anddefinitions for each classification and define anappropriate set of procedures for information protection inaccordance with the classification scheme. The level ofdetail of the information classification scheme adoptedshould be practicable and appropriate to AIs’circumstances.

3.1.3 Protection of information confidentiality should be in placeregardless of the media (including paper and electronicmedia) in which the information is maintained. AIs shouldensure that all media are adequately protected, andestablish secure processes for disposal and destruction ofsensitive information in both paper and electronic media.

3.1.4 If cryptographic technology is used to protect theconfidentiality and integrity of AIs’ information, AIs shouldadopt industry-accepted cryptographic solutions andimplement sound key management practices to safeguardthe associated cryptographic keys. Sound practices ofkey management generally include:

• provision of a secure control environment forgeneration, distribution, storage, entry, use andarchiving of cryptographic keys to safeguardagainst modification and unauthorized disclosure.In particular, the use of tamper-resistant storage is

6 An information owner refers to an individual who has been assigned as the business

owner of an application system and is accountable for the protection of informationprocessed by, and stored in, this application system.



12

recommended to prevent the disclosure of thecryptographic keys; and

• adequate off-site back-up and contingencyarrangements for cryptographic keys which aresubject to the same security controls as theproduction cryptographic keys.

3.2 Authentication and access control3.2.1 Access to the information and application systems should

be restricted by an adequate authentication mechanismassociated with access control rules. Access control rulesdetermine what application functions, system resourcesand data a user can access. For each application system,all users should be identified by unique user-identificationcodes (e.g. user IDs) with appropriate method ofauthentication (e.g. passwords) to ensure accountabilityfor their activities.

3.2.2 AIs should implement effective password rules to ensurethat easy-to-guess passwords are avoided andpasswords are changed on a periodic basis. Strongerauthentication methods should be adopted fortransactions/activities of higher risk (e.g. paymenttransactions, financial messages and mobile computing7).These usually entail multiple factors for userauthentication which combine something one knows (e.g.passwords) and something one has (e.g. a smart card orhardware security tokens).

3.2.3 Extra care should be exercised when controlling the useof and access to privileged and emergency IDs8. Thenecessary control procedures include:

• granting of authorities that are strictly necessary toprivileged and emergency IDs;

7 Mobile computing includes access to AIs’ computing resources from a remote location

outside office premises (e.g. using notebook computers and other mobile devices).

8 Privileged and emergency IDs are system accounts which are created with specialauthorities and extended access to system resources. These IDs are normally establishedfor system administration (i.e. system administration IDs) or for introducing emergencysolutions to system problems of the production environment.



13

• formal approval by appropriate personnel prior tobeing released for usage;

• monitoring of the activities performed by privilegedand emergency IDs (e.g. peer reviews of activitylogs);

• proper safeguard of privileged and emergency IDsand passwords (e.g. kept in a sealed envelope andlocked up inside the data centre); and

• change of privileged and emergency IDs’passwords immediately upon return by therequesters.

3.3 Security administration and monitoring3.3.1 A security administration function and a set of formal

procedures should be established for administering theallocation of access rights to system resources andapplication systems, and monitoring the use of systemresources to detect any unusual or unauthorizedactivities. In particular, the function should cover thefollowing areas:

• granting, changing and removing user accessrights subject to proper approval of the informationowners. In particular, proper procedures should bein place to ensure that a user’s relevant accessrights are removed when he leaves the AI or whenhis job responsibilities no longer require suchrights;

• ensuring the performance of periodic user accessre-certification (e.g. on an annual basis) thatconfirms whether user access rights remainappropriate and obsolete user accounts have beenremoved from the systems;

• reviewing security logs and violation reports in atimely manner; and

• performing incident analysis, reporting andinvestigation.

3.3.2 Proper segregation of duties within the securityadministration function or other compensating controls(e.g. peer reviews) should be in place to mitigate the risk



14

of unauthorized activities being performed by the securityadministration function.

3.3.3 AIs should establish incident response and reportingprocedures to handle information security-relatedincidents during or outside office hours. The incidentresponse and reporting procedures should include timelyreporting to the HKMA of any confirmed IT-related fraudcases or major security breaches.

3.4 System security3.4.1 Control procedures and baseline security requirements

should be developed to safeguard application programs,operating systems, system software and databases. Forexample:

• access to data and programs should be controlledby appropriate methods of identification andauthentication of users together with properauthorization;

• integrity of static data (e.g. system parameters)should be periodically checked to detectunauthorized changes;

• operating systems, system software, databasesand servers should be securely configured to meetthe intended uses with all unnecessary servicesand programs disabled or removed. Use ofsecurity tools should be considered to strengthenthe security of critical systems and servers;

• clear responsibilities should be established toensure that the necessary patches and securityupdates developed from time to time by relevantvendors are identified, assessed, tested andapplied to the systems in a timely manner;

• all configurations and settings of operatingsystems, system software, databases and serversshould be adequately documented. Periodiccertifications of the security settings should beperformed (e.g. by the TRM function or thetechnology audit function); and



15

• adequate logging and monitoring of system anduser activities should be in place to detectanomalies, and the logs should be securelyprotected from manipulation.

3.5 End-user and mobile computing3.5.1 While end-user computing9 may offer advantages (e.g.

higher productivity) to an AI, it may also increase thedifficulty in controlling the quality of, and access to, thesystem. AIs should where necessary, therefore, establishcontrol practices and responsibilities with respect to end-user computing to cover areas such as data security,documentation, data/file storage and back-up, systemrecovery, audit responsibilities and training.

3.5.2 Controls over mobile computing are required to managethe risks of working in an unprotected environment. Inprotecting AIs’ information, AIs should establish controlprocedures covering:

• an approval process for user requests for mobilecomputing;

• authentication controls for remote access tonetworks, host data and/or systems;

• protection (e.g. against theft and malicioussoftware) of equipment and devices for mobilecomputing;

• use of data encryption software to protect sensitiveinformation and business transactions in the mobileenvironment and when being transmitted; and

• back-up of data and/or systems in the mobilecomputing devices.

3.5.3 Software and information processing facilities arevulnerable to attacks by computer viruses and othermalicious software. Procedures and responsibilitiesshould be established to detect and prevent attacks. AIsshould put in place adequate controls such as:

9 End-user computing is the transfer of information processing and system development

capabilities from centralised data centres onto the user’s desktop.



16

• prohibiting the download and use of unauthorizedfiles and software, and the access to doubtful websites;

• installation and timely update of anti-virus softwareprovided by reputable vendors;

• disallowing the download of executable files, andmobile codes10, especially those with knownvulnerabilities (e.g. through the use of corporatefirewalls and proper configuration of the browsersoftware); and

• prompt and regular virus scanning of all computingdevices and mobile users’ computers, andprocedures for recovering from virus infections.

3.6 Physical and personnel security3.6.1 Physical security measures should be in place to protect

computer facilities and equipment from damage orunauthorized access. Critical information processingfacilities should be housed in secure areas such as datacentres and network equipment rooms with appropriatesecurity barriers and entry controls. Access to theseareas should be restricted to authorized personnel onlyand the access rights should be reviewed and updatedregularly. Buildings should give minimum indication oftheir purpose, with no obvious signs identifying thepresence of information processing facilities.

3.6.2 AIs should consider fully the environmental threats (e.g.proximity to dangerous factories) when selecting thelocations of their data centres. Moreover, physical andenvironmental controls should be implemented to monitorenvironmental conditions which could affect adversely theoperation of information processing facilities (e.g. fire,explosives, smoke, temperature, water and dust).Equipment and facilities should be protected from powerfailures and electrical supply interference by, for example,installing uninterruptible power supply (UPS) and a back-up generator.

10 Mobile codes refer to small programs automatically downloaded from web sites by

browsers for execution.



17

3.6.3 In controlling access by third-party personnel (e.g. serviceproviders) to secure areas, proper approval of accessshould be required and their activities should be closelymonitored. It is also important that proper screeningprocedures including verification and background checks,especially for sensitive technology-related jobs, aredeveloped for recruitment of permanent and temporarytechnology staff, and contractors.

4. System development and change management

4.1 Project management4.1.1 AIs should establish a general framework for

management of major technology-related projects. Thisframework should, among other things, specify the projectmanagement methodology to be adopted and applied tothese projects. The methodology should cover, at aminimum, allocation of responsibilities, activitybreakdown, budgeting of time and resources, milestones,check points, key dependencies, quality assurance, riskassessment and approvals.

4.2 Project life cycle4.2.1 AIs should adopt and implement a full project life cycle

methodology governing the process of developing,implementing and maintaining major computer systems.In general, this should involve phases of project initiation,feasibility study, requirement definition, system design,program development, system and acceptance testing,training, implementation, operation and maintenance.

4.2.2 The project life cycle methodology should define clearlythe roles and responsibilities for the project team and thedeliverables from each phase. It also needs to contain aprocess to ensure that appropriate security requirementsare identified when formulating business requirements,built during program development, tested andimplemented.

4.2.3 An independent party (e.g. the quality assurance function,the TRM function or the technology audit team), which isnot involved in the project development, should conduct aquality assurance review of major technology-related



18

projects, with the assistance of the legal and compliancefunctions if necessary. This review is to ensurecompliance with the project life cycle methodology, otherinternal policies, control requirements, regulations andapplicable laws.

4.2.4 A formal acceptance process should be established toensure that only properly tested and approved systemsare promoted to the production environment. System anduser acceptance testing should be carried out in anenvironment separated from the production environment.Production data should not be used in development oracceptance testing unless the data has been de-sensitised (i.e. not disclosing personal or sensitiveinformation) and prior approval from the informationowner has been obtained. Performance testing shouldalso be performed before newly developed systems arepromoted to the production environment.

4.2.5 Software package acquisition is an alternative to in-housesystems development and should be subject to broadlysimilar controls as the project life cycle. As inappropriatehandling of software licences may expose AIs to asignificant risk of patent infringement, and financial andreputation losses, AIs should establish a formal softwarepackage acquisition process. In particular, the processshould involve detailed evaluation of the softwarepackage (e.g. in terms of software licence, functionality,system performance and security requirements) and itssupplier (e.g. its financial condition, reputation andtechnical capabilities).

4.2.6 AIs should ensure that on-going maintenance andadequate support of software packages are provided bythe software vendors and are specified in formalcontracts. For mission-critical software packages, AIsmay consider including in the contracts an escrowagreement, which allows them to obtain access to thesource code of the software packages under certaincircumstances, such as when the software vendors ceasetheir business.



19

4.3 Change management4.3.1 Change management is the process of planning,

scheduling, applying, distributing and tracking changes toapplication systems, system software (e.g. operatingsystems and utilities), hardware, network systems, andother IT facilities and equipment. An effective changemanagement process helps to ensure the integrity andreliability of the production environment. AIs shoulddevelop a formal change management process thatincludes:

• classification and prioritisation of changes anddetermination of the impact of changes;

• roles and responsibilities of each relevant party,including IT functions and end-user departments,with adequate segregation of duties. This is toensure that no single person can effect changes tothe production environment without the review andapproval of other authorized personnel;

• program version controls and audit trails;

• scheduling, tracking, monitoring andimplementation of changes to minimise businessdisruption;

• a process for rolling-back changes to re-instate theoriginal programs, system configuration or data inthe event of production release problems; and

• a post implementation verification of the changesmade (e.g. by checking the versions of majoramendments).

4.3.2 To enable unforeseen problems to be addressed in atimely and controlled manner, AIs should establish formalprocedures to manage emergency changes. Emergencychanges should be approved by the information owner(for application system or production data relatedchanges) and other relevant parties at the time of change.If the change needs to be introduced as a matter ofurgency and it is impracticable to seek the approval of theinformation owner, endorsement should be sought fromthe information owner after the implementation as soon aspracticable (e.g. on the following business day).



20

4.3.3 Emergency changes should be logged and backed up(including the previous and changed program versionsand data) so that recovery of previous program versionsand data files is possible if necessary. Emergencychanges need to be reviewed by independent personnelto ensure that the changes are proper and do not have anundesirable impact on the production environment. Theyshould be subsequently replaced by proper fixes throughthe normal acceptance testing and change managementprocedures.

5. Information processing5.1 IT operations management and support

5.1.1 Management of IT functions should ideally formulate aservice level agreement with business units to coversystem availability and performance requirements,capacity for growth, and the level of support provided tousers. The responsible IT functions should ensure thatadequate procedures are in place for managing thedelivery of the agreed technology support and services.

5.1.2 Detailed operational instructions such as computeroperator tasks, and job scheduling and execution (e.g.instructions for processing information, schedulingrequirements and system housekeeping activities) shouldbe documented in an IT operations manual. The IToperations manual should also cover the procedures andrequirements for on-site and off-site back-up of data andsoftware in both the production and developmentenvironments (e.g. the frequency, scope and retentionperiods of back-up).

5.1.3 AIs should have in place a problem management systemto respond promptly to IT operational incidents, toescalate reported incidents to relevant IT managementstaff and to record, analyse and keep track of all theseincidents until rectification of the incidents. A helpdeskfunction can be set up to provide front-line support tousers on all technology-related problems and to relay theproblems to relevant IT functions for investigation andresolution.



21

5.2 Performance monitoring and capacity planning5.2.1 AIs should implement a process to ensure that the

performance of application systems is continuouslymonitored and exceptions are reported in a timely andcomprehensive manner. The performance monitoringprocess should include forecasting capability to enableproblems to be identified and corrected before they affectsystem performance. This process should help thepreparation of workload forecasts to identify trends and toprovide information needed for the capacity plan, takinginto account planned business initiatives.

5.2.2 Capacity planning should be extended to cover back-upsystems and related facilities in addition to the productionenvironment.

5.3 IT facilities and equipment maintenance5.3.1 To ensure the continued availability of AIs’ technology-

related services, AIs should maintain and service ITfacilities and equipment (e.g. computer hardware, networkdevices, electrical power distribution, UPS and air-conditioning units) in accordance with the industrypractice, and suppliers’ recommended service intervalsand specifications. Proper record keeping (includingsuspected or actual faults, and preventive and correctivemaintenance records) is necessary for effective facilityand equipment maintenance. A hardware and facilityinventory should be kept to control and track all hardwareand software purchased and leased. These records canalso be used for regular inventory taking.

5.4 Disaster recovery planning5.4.1 AIs should develop an IT disaster recovery plan to ensure

that critical application systems and technology servicescan be resumed in accordance with the business recoveryrequirements. Please refer to TM-G-2 “BusinessContinuity Planning” on how to develop detailed recoveryprocedures of application systems and technologyservices, and ensure adequate insurance coverage of ITresources.



22

6. Communications networks6.1 Network management

6.1.1 Communications networks convey information andprovide a channel of access to application systems andsystems resources. Given their technical complexity,communications networks can be highly vulnerable todisruption and abuse. Safeguarding communicationsnetworks requires robust network design, well-definednetwork services and sound discipline to be observed inmanaging networks.

6.1.2 Overall responsibility for network management should beclearly assigned to individuals who are equipped with theknow-how, skills and resources to fulfil their duties.Network standards, design, diagrams and operatingprocedures should be formally documented, kept up-to-date, communicated to all relevant network staff andreviewed periodically.

6.1.3 Communications facilities that are critical to continuity ofnetwork services should be identified. Single points offailure should be minimised by automatic re-routing ofcommunications through alternate routes should criticalnodes or links fail (e.g. routing critical links to more thanone external exchange or switching centre, and pre-arranging services with alternate telecommunicationsservice providers).

6.1.4 The network should be monitored on a continuous basis.This would reduce the likelihood of network trafficoverload and detect network intrusions. Monitoringactivities include:

• monitoring network services and performanceagainst pre-defined targets;

• reviewing volumes of network traffic, utilisation ofnetwork facilities and any potential bottlenecks oroverloads; and

• detection of unusual network activities based oncommon attack characteristics.

6.1.5 Powerful network analysis and monitoring tools, such asprotocol analysers, network scanning and sniffer tools,are normally used for monitoring network performance



23

and detecting potential or actual intrusions. Thesepowerful network tools should be protected fromunauthorized usage (e.g. viewing of unencrypted sensitiveinformation). The use of network tools should also betightly restricted to authorized staff only and be subject tostringent approval and review procedures.

6.2 Network security and certification6.2.1 To prevent insecure connections to an AI’s network,

procedures concerning the use of networks and networkservices need to be established and enforced. Theseshould cover:

• the available networks and network services;

• authorization procedures for determining who isallowed to access particular networks and networkservices; and

• controls and procedures to protect access tonetwork access points, network connections andnetwork services.

6.2.2 AIs should consider segregating internal networks intodifferent segments having regard to the access controlneeded for the data stored in, or systems connected to,each segment. For instance, the production systemsshould be located in dedicated network segmentsseparated from other segments so that productionnetwork traffic is segregated from other traffic (e.g.connections to the internet, extranet connections toexternal parties and market data feeds). Sensitive datatraffic between different network segments should beproperly controlled and protected from being tamperedwith.

6.2.3 Regular reviews of the security parameter settings ofnetwork devices such as routers, firewalls and networkservers are required to ensure that they remain current.Audit trails of daily activities in critical network devicesshould be maintained and reviewed regularly. Networkoperational personnel should be alerted on a real-timebasis to potential security breaches.



24

6.2.4 Network certification11 should be conducted whenrequesting local area network (LAN)/wide area network(WAN) additions or changes to AIs’ corporate network.The additions or changes cover dial-in/out ports, switches,terminal servers, gateways/servers, routers, extranets andthe public internet. The network certification processincludes gathering data about the network environment,analysing any points of vulnerability and associatedcontrols, and documenting whether approval is given orwhat additional controls are required for approval ofconnectivity.

6.3 Wireless local area network6.3.1 If wireless local area networks (WLANs) are to be

deployed, AIs should develop policies and procedures forapproval, installation, operation and administration ofWLANs. A risk assessment process for evaluating thesensitivity of information to be accessible via a WLANshould be formulated before a WLAN can beimplemented. AIs should also develop a standardsecurity configuration for WLAN products and follow thenetwork certification process to ensure that WLANs areimplemented in a secure manner so that they do notexpose the corporate network to unmanaged risks.

6.3.2 Additional security measures may be needed between thewireless workstations and the wired network to providestronger encryption and mutual authentication. WLANsshould be segregated from the corporate network (e.g. byfirewalls) to prevent any unauthorized access to thecorporate network via WLANs.

7. Management of technology service providers

7.1 Management of technology outsourcing7.1.1 While AIs are expected to take into account the general

guidance specified in SA-2 “Outsourcing” when managing

11 Network certification refers to an assessment process which aims to ensure that additions

or changes to network devices and infrastructure do not impose points of vulnerability toother parts of the corporate network. Network certification may form part of the networkchange management process.



25

technology outsourcing12, they should also have regard tothe following controls:

• technology service providers should have sufficientresources and expertise to comply with thesubstance of the AIs’ IT control policies;

• in case of outsourcing of critical technologyservices (e.g. data centre operations), AIs areexpected to commission a detailed assessment ofthe technology service provider’s IT controlenvironment. The assessment should ideally beconducted by a party independent of the serviceprovider. The independent assessment reportshould set out clearly the objectives, scope andresults of the assessment and should be providedto the HKMA for reference;

• the outsourcing agreement should specify clearly,among other things, the performance standardsand other obligations13 of the technology serviceprovider, and the issue of software and hardwareownership. As technology service providers mayfurther sub-contract their services to other parties,AIs should consider including a notification or anapproval requirement for significant sub-contractingof services and a provision that the originaltechnology service provider is still responsible forits sub-contracted services;

• further to the regular monitoring activities set out inSA-2 “Outsourcing”, AIs should conduct an annualassessment to confirm the adequacy of the ITcontrol environment of the provider of criticaltechnology services;

12 In line with SA-2 “Outsourcing”, “technology outsourcing” refers to an arrangement under

which another party undertakes to provide to an AI a technology service previously carriedout by the AI itself or a new technology service to be launched by the AI. Technologyoutsourcing can be to a service provider in Hong Kong or overseas and the serviceprovider may be a unit of the same AI (e.g. the head office or an overseas branch), anaffiliated company of the AI’s group or an independent third party.

13 These may include the obligations of the technology service provider in ensuringconfidentiality of the AI’s information obtained by the provider’s staff or agents andcomplying with the AI’s relevant IT control policies and procedures.



26

• AIs should try to avoid placing excessive relianceon a single outside service provider in providingcritical technology services; and

• AIs should develop a contingency plan for criticaloutsourced technology services to protect themfrom unavailability of services due to unexpectedproblems of the technology service provider14. Thismay include an exit management plan andidentification of additional or alternate technologyservice providers for such support and services.

7.2 Management of other technology service providers7.2.1 Apart from technology outsourcing, AIs may rely on some

outside technology service providers in the provision oftechnology-related support and services (e.g.telecommunications and network operators). AIs shouldhave in place guidelines on how to manage different kindsof major outside technology service providers. Similar tothe general principles set out in SA-2 “Outsourcing” andsubsection 7.1 above, the guidelines may need to coverthe selection process of service providers, the process forapproving material exceptions, and the need to avoidover-reliance upon a single technology service provider incritical technology services.

—————————

Contents Glossary Home Introduction

14 The service provider may become insolvent or have other difficulty to continue provision of

the services and support.

supervisory policy manual - hkma.gov.hk · supervisory policy manual tm-g-1 general principles for...

Documents