← Frameworks / Regulatory

HKMA Supervisory Policy Manual TM-E-1: Technology Risk Management

Hong Kong Monetary Authority's comprehensive technology risk management guideline for all authorised institutions. Covers IT governance, project management, change management, operations, IT resilience, information security, access control, cryptography, internet and mobile banking, ATM security, and outsourcing of technology services. Complemented by the Cyber Fortification Initiative (CFI) including iCAST intelligence-led penetration testing and the Cyber Resilience Assessment Framework (C-RAF).

Clauses: 47

Avg Coverage: 75.4%

Publisher: Hong Kong Monetary Authority (HKMA) Version: 2020

HKMA TM-E-1 → SP 800-53 SP 800-53 → HKMA TM-E-1 Coverage Analysis

Clause	Title	SP 800-53 Controls
TME1.2.1	Board and Senior Management Oversight of IT	PM-01 PM-02 PM-03 PM-09 PM-29 PS-09 PL-09
TME1.2.2	IT Strategy and Planning	PM-07 PM-08 PM-11 PL-07 PL-08 SA-02
TME1.2.3	IT Risk Management Framework	PM-01 PM-09 PM-28 RA-01 RA-03 RA-04 RA-07 RA-09 PL-09 PL-10 PL-11
TME1.2.4	IT Steering Committee and Organisational Structure	PM-02 PM-29 PS-09 PL-09
TME1.2.5	IT Policies and Standards	AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PM-01 PS-01 PT-01 RA-01 SA-01 SC-01 SI-01 SR-01
TME1.2.6	IT Audit	CA-02 CA-05 CA-07 AU-01 AU-06 PM-14
TME1.3.1	Project Governance and Methodology	SA-03 SA-04 SA-08 SA-15 PM-07 PL-07
TME1.3.2	System Development and Testing	SA-03 SA-08 SA-10 SA-11 SA-15 SA-16 SA-17 SA-20 SA-21 CM-04 CM-14 SI-10
TME1.3.3	Implementation and Post-Implementation Review	CM-03 CM-04 CM-05 SA-11 CA-02 PM-06
TME1.3.4	Package Software and Vendor Management	SA-04 SA-05 SA-09 SA-22 SR-04 SR-05 SR-06 SR-11
TME1.4.1	Change Control Process	CM-01 CM-02 CM-03 CM-04 CM-05 CM-06 CM-09 CM-14
TME1.4.2	Emergency Change Procedures	CM-03 CM-05 AU-02 AU-12
TME1.4.3	Release and Deployment Management	CM-02 CM-03 CM-04 CM-14 SA-10 SI-07
TME1.5.1	Data Centre Operations	PE-01 PE-02 PE-03 PE-04 PE-06 PE-07 PE-08 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-17 PE-18 PE-23
TME1.5.2	System Monitoring and Job Scheduling	AU-02 AU-03 AU-04 AU-06 AU-12 CA-07 SI-04 SI-13 SC-45
TME1.5.3	Capacity and Performance Management	AU-04 SA-02 SC-06 SI-13 PM-07
TME1.5.4	Problem and Incident Management	IR-01 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09 SI-02
TME1.6.1	Business Continuity Planning	CP-01 CP-02 CP-03 PM-08 PM-11 RA-09
TME1.6.2	Disaster Recovery Planning and RTO/RPO	CP-02 CP-06 CP-07 CP-08 CP-10 RA-09 SC-24 SI-17
TME1.6.3	BCP/DR Testing and Maintenance	CP-03 CP-04 CP-05 PM-14 IR-03
TME1.6.4	Alternate Processing Sites	CP-06 CP-07 CP-08 PE-17 PE-23
TME1.6.5	Data Backup and Recovery	CP-09 CP-10 MP-04 MP-05 SI-12
TME1.7.1	Information Security Policy and Framework	PL-01 PL-02 PL-08 PL-09 PM-01 PM-02 PM-09 PM-13 PM-28
TME1.7.2	Information Classification and Handling	AC-15 AC-16 MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 MP-08 RA-02 SI-12 CM-12
TME1.7.3	Security Architecture and Controls	PL-08 SA-08 SA-17 SC-02 SC-03 SC-07 SC-32 SC-39 SC-46 SC-49 SC-50 SI-03 SI-04 SI-07 SI-16
TME1.7.4	Vulnerability Assessment and Penetration Testing	CA-02 CA-08 RA-05 RA-10 PM-14 PM-16 SI-02 SI-05
TME1.7.5	Security Incident Management	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09 AU-06 SI-04 PM-16
TME1.8.1	User Access Management	AC-01 AC-02 AC-03 AC-05 AC-06 AC-13 AC-24 IA-04 PS-04 PS-05
TME1.8.2	Privilege Access Management	AC-02 AC-05 AC-06 AC-13 AU-02 AU-03 AU-12 AU-14 IA-02 IA-05
TME1.8.3	Authentication Mechanisms	IA-01 IA-02 IA-03 IA-05 IA-06 IA-07 IA-08 IA-10 IA-11 IA-12
TME1.8.4	Session Management and Timeout	AC-10 AC-11 AC-12 SC-10 SC-23
TME1.8.5	Remote Access Security	AC-17 AC-18 AC-19 AC-20 IA-02 SC-08 SC-09 SC-12 SC-13 SC-40 PE-17
TME1.9.1	Cryptographic Policy and Standards	SC-12 SC-13 SC-17 SC-08 SC-28 IA-07
TME1.9.2	Key Management	SC-12 SC-17 SC-28 MP-04 MP-05
TME1.9.3	Digital Signatures and Certificates	SC-17 SC-13 AU-10 IA-09 SC-16
TME1.10.1	Online Banking Security Controls	SC-07 SC-08 SC-13 SC-23 SC-11 AC-04 AC-17 SI-03 SI-04 SI-10 SI-11
TME1.10.2	Mobile Banking Security	AC-19 SC-08 SC-13 SC-28 SC-18 IA-02 IA-03 SI-07
TME1.10.3	Electronic Payment Security	SC-07 SC-08 SC-12 SC-13 SC-28 AU-02 AU-10 AC-03 AC-04
TME1.10.4	Two-Factor Authentication for Online Services	IA-02 IA-05 IA-10 IA-11 SC-37
TME1.11.1	ATM Physical Security	PE-01 PE-02 PE-03 PE-06 PE-20 SC-41
TME1.11.2	ATM Transaction Security	SC-08 SC-12 SC-13 SC-28 AU-02 AU-10 AC-03
TME1.11.3	Anti-Skimming and Fraud Prevention	PE-03 PE-06 PE-20 SI-04 SC-41 IR-04
TME1.12.1	Outsourcing Risk Assessment and Due Diligence	SA-04 SA-09 SA-21 SR-01 SR-02 SR-03 SR-04 SR-05 SR-07 RA-03 RA-09
TME1.12.2	Contractual and SLA Requirements	SA-04 SA-09 SR-03 SR-06 SR-08 PS-07
TME1.12.3	Ongoing Monitoring and Oversight	SR-06 SR-10 CA-07 SA-09 PM-06 AU-16
TME1.12.4	Cloud Computing Governance	SA-09 AC-20 CM-12 CM-13 SC-07 SC-28 SR-01 SR-03
TME1.12.5	Sub-outsourcing and Concentration Risk	SR-01 SR-02 SR-03 SR-06 RA-09