There are several areas we need to consider when we design and set up our infrastructure:
(a) Information security policy
-> We need to have this policy either within the IT policy or as a separate policy document. The document needs to fit regulatory requirements, market best practice and international security standards, in both its design and its controls.
(b) Access control
-> User access control, identity and record management
-> Password policy and control
-> Network and system access control
-> Onboarding, change and off-boarding
(c) Encryption
-> Network transmission, e.g. TLS (SSL), SSH…
-> Laptop disk encryption (e.g. BitLocker)
(d) Change management
-> Change management policy/procedure, preferably with a Change Advisory Board (CAB)
(e) User activities monitoring
-> System logging and audit log management
(f) System and data backup, and continuity planning
-> Backup policy
-> DR site, offsite data…
-> Regular restore tests…
(g) Operation
-> All operations should be documented and recorded to provide an audit trail
-> Vendor management (Outsourcing)
(h) Cyber Security
-> Two-tier firewall
-> 2FA
-> Patch Management
-> Encryption
-> Endpoint protection
-> Two-tier anti-malware solution
-> Zero-trust network
-> Security Operations Centre (SOC) for logging, event management…
-> Incident management
-> Access control
-> Physical security
-> System and data backup, and business continuity planning (BCP)
-> Least privilege for users (principle of least privilege)
-> DNS security
-> Password policy
-> Data encryption
-> Security Policy with management roles and responsibilities
-> Cybersecurity awareness training for internal system users
-> Cybersecurity alerts and reminders to clients
-> Vendor management
(i) Internet-facing services (e.g. Internet trading)
-> 2FA
-> Anti-DDoS
Please check the following information for your reference:
Insurance Authority (IA)
Guidelines (GL) – previously called Guidance Notes (GN)
https://www.ia.org.hk/en/legislative_framework/guidelines.html
For IT-related matters, focus on GL8, GL10 and GL14
https://www.ia.org.hk/en/legislative_framework/files/GL8.pdf
https://www.ia.org.hk/en/legislative_framework/files/GL10.pdf
https://www.ia.org.hk/en/legislative_framework/files/GL14.pdf
Security:
Cyber Intelligence Sharing Platform
https://www.ia.org.hk/en/legislative_framework/circulars/reg_matters/files/cir_20170517.pdf
Also, Insurtech applications:
https://www.ia.org.hk/en/aboutus/insurtech_corner.html
Securities and Futures Commission (SFC)
Information Technology Management Issues to be considered by licensed corporations
https://www.sfc.hk/edistributionWeb/gateway/EN/circular/openFile?refNo=H569
Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading:
Cybersecurity:
https://www.sfc.hk/web/EN/faqs/intermediaries/supervision/cybersecurity/cybersecurity.html
Circular to All Licensed Corporations Alert for Ransomware Threats
https://www.sfc.hk/edistributionWeb/gateway/EN/circular/doc?refNo=17EC26
Circular to Licensed Corporations Engaged in Internet Trading: Good Industry Practices for IT Risk Management and Cybersecurity
https://www.sfc.hk/edistributionWeb/gateway/EN/circular/doc?refNo=17EC74
Privacy Commissioner for Personal Data (PCPD)
Guidance on Collection and Use of Biometric Data
https://www.pcpd.org.hk//english/resources_centre/publications/files/GN_biometric_e.pdf
Data Breach Notification
https://www.pcpd.org.hk//english/resources_centre/publications/files/DataBreachHandling2015_e.pdf
Guidance on the Proper Handling of Customers’ Personal Data for the Insurance Industry
https://www.pcpd.org.hk//english/resources_centre/publications/files/GN_insurance_e.pdf
Guidance on CCTV Surveillance and Use of Drones (Revised in March 2017)
https://www.pcpd.org.hk//english/resources_centre/publications/files/GN_CCTV_Drones_e.pdf
Privacy Guidelines: Monitoring and Personal Data Privacy at work
https://www.pcpd.org.hk/english/publications/files/monguide_e.pdf
Guidance on CCTV Surveillance Practices
https://www.pcpd.org.hk/english/resources_centre/publications/guidance/files/CCTVpractices_e.pdf
Hong Kong Police Requirements For Digital CCTV Systems
https://www.police.gov.hk/info/doc/cpa/CCTV%20English.pdf
Collection and Use of Personal Data through the Internet – Points to Note for Data Users Targeting at Children (December 2015)
https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_children_e.pdf
Best Practice Guide for Mobile App Development (Revised in October 2015)
Guidance on the Use of Portable Storage Devices (Revised in July 2014)
https://www.pcpd.org.hk//english/resources_centre/publications/files/portable_storage_e.pdf
Guidance for Data Users on the Collection and Use of Personal Data through the Internet (Revised in April 2014)
https://www.pcpd.org.hk//english/resources_centre/publications/files/guidance_internet_e.pdf
Guidance on Personal Data Erasure and Anonymisation (Revised in April 2014)
https://www.pcpd.org.hk//english/resources_centre/publications/files/erasure_e.pdf
EU General Data Protection Regulation (GDPR)
https://www.pcpd.org.hk/english/data_privacy_law/eu/eu.html
PCPD - Information Technology
https://www.pcpd.org.hk/english/resources_centre/industry_specific/information_technology.html
PCPD – Banking & Finance
https://www.pcpd.org.hk/english/resources_centre/industry_specific/banking_finance.html
PCPD – Insurance
https://www.pcpd.org.hk/english/resources_centre/industry_specific/banking_finance.html
Hong Kong Monetary Authority (HKMA)
Reference control from HKMA:
General Principles for Technology Risk Management:
Cyber Security Risk Management:
https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2015/20150915e1.pdf
Enhanced Competency Framework on Cybersecurity:
https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2016/20161219e1.pdf
Cybersecurity Fortification Initiative
https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2016/20161221e1.pdf
Cyber Resilience Assessment Framework (C-RAF)
https://www.hkma.gov.hk/media/eng/doc/key-information/speeches/s20160518e2.pdf
Implementation of Cyber Resilience Assessment Framework
https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2018/20180612e1.pdf
Security controls for Internet trading services:
https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2017/20171027e1.pdf
Risk Management of E-banking:
HKMA Open API Framework:
https://www.hkma.gov.hk/media/eng/doc/key-information/press-release/2018/20180718e5a2.pdf
https://www.hkma.gov.hk/media/eng/doc/key-information/press-release/2018/20180718e5a1.pdf
Fintech Facilitation Office (FFO)
Mandatory Provident Fund Schemes Authority (MPFA)
List of MPF Guidelines:
Controls Relating to Security of Data
Guidelines on Notification of Events of Significant Nature (e.g. major (core) system change/upgrade, move to cloud…)
Cybersecurity
With growing concern over cybersecurity issues, we shared views with Hong Kong Monetary Authority (“HKMA”) and briefed trustees on the importance of cybersecurity risk management. We discussed with trustees international principles and guidelines on cybersecurity and the steps they should take to protect their technological assets and customer information against cybersecurity threats. We also reminded trustees to set cybersecurity strategies and urged them to conduct regular self-assessment and testing on cyber-resilience for withstanding and recovering from disruption caused by cyber attacks.
The MPFA references the HKMA's technology risk controls.
Good whitepapers for your reference:
IT Security Guidance:
AWS FSI Whitepapers – Good for cloud computing:
https://aws.amazon.com/events/fsi-hk-whitepapers/
PCI DSS if you need to handle credit card data:
https://www.pcisecuritystandards.org/
https://www.pcicomplianceguide.org/faq/
SFC strengthens internet trading regulatory controls
A Guide to Strong Risk Culture and Risk Management in the MPF Industry
https://www.pwchk.com/en/asset-management/strong-risk-culture-and-risk-management-in-the-mpf-industry.pdf