HKMA Supervisory Policy Manual TM-E-1: Technology Risk Management
Hong Kong Monetary Authority's comprehensive technology risk management guideline for all authorised institutions. Covers IT governance, project management, change management, operations, IT resilience, information security, access control, cryptography, internet and mobile banking, ATM security, and outsourcing of technology services. Complemented by the Cyber Fortification Initiative (CFI) including iCAST intelligence-led penetration testing and the Cyber Resilience Assessment Framework (C-RAF).
Controls mapped per family: AC (17), AT (1), AU (9), CA (5), CM (10), CP (10), IA (12), IR (9), MA (1), MP (7), PE (18), PL (7), PM (13), PS (5), RA (8), SA (15), SC (26), SI (12)
AC Access Control
| Control | Name | HKMA TM-E-1 References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | TME1.2.5, TME1.8.1 |
| AC-02 | Account Management | TME1.8.1, TME1.8.2 |
| AC-03 | Access Enforcement | TME1.10.3, TME1.11.2, TME1.8.1 |
| AC-04 | Information Flow Enforcement | TME1.10.1, TME1.10.3 |
| AC-05 | Separation Of Duties | TME1.8.1, TME1.8.2 |
| AC-06 | Least Privilege | TME1.8.1, TME1.8.2 |
| AC-10 | Concurrent Session Control | TME1.8.4 |
| AC-11 | Session Lock | TME1.8.4 |
| AC-12 | Session Termination | TME1.8.4 |
| AC-13 | Supervision And Review -- Access Control | TME1.8.1, TME1.8.2 |
| AC-15 | Automated Marking | TME1.7.2 |
| AC-16 | Automated Labeling | TME1.7.2 |
| AC-17 | Remote Access | TME1.10.1, TME1.8.5 |
| AC-18 | Wireless Access Restrictions | TME1.8.5 |
| AC-19 | Access Control For Portable And Mobile Devices | TME1.10.2, TME1.8.5 |
| AC-20 | Use Of External Information Systems | TME1.12.4, TME1.8.5 |
| AC-24 | Access Control Decisions | TME1.8.1 |
AT Awareness and Training
| Control | Name | HKMA TM-E-1 References |
|---|---|---|
| AT-01 | Security Awareness And Training Policy And Procedures | TME1.2.5 |
AU Audit and Accountability
| Control | Name | HKMA TM-E-1 References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | TME1.2.5, TME1.2.6 |
| AU-02 | Auditable Events | TME1.10.3, TME1.11.2, TME1.4.2, TME1.5.2, TME1.8.2 |
| AU-03 | Content Of Audit Records | TME1.5.2, TME1.8.2 |
| AU-04 | Audit Storage Capacity | TME1.5.2, TME1.5.3 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | TME1.2.6, TME1.5.2, TME1.7.5 |
| AU-10 | Non-Repudiation | TME1.10.3, TME1.11.2, TME1.9.3 |
| AU-12 | Audit Record Generation | TME1.4.2, TME1.5.2, TME1.8.2 |
| AU-14 | Session Audit | TME1.8.2 |
| AU-16 | Cross-Organizational Audit Logging | TME1.12.3 |
CA Security Assessment and Authorization
| Control | Name | HKMA TM-E-1 References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | TME1.2.5 |
| CA-02 | Security Assessments | TME1.2.6, TME1.3.3, TME1.7.4 |
| CA-05 | Plan Of Action And Milestones | TME1.2.6 |
| CA-07 | Continuous Monitoring | TME1.12.3, TME1.2.6, TME1.5.2 |
| CA-08 | Penetration Testing | TME1.7.4 |
CM Configuration Management
| Control | Name | HKMA TM-E-1 References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | TME1.2.5, TME1.4.1 |
| CM-02 | Baseline Configuration | TME1.4.1, TME1.4.3 |
| CM-03 | Configuration Change Control | TME1.3.3, TME1.4.1, TME1.4.2, TME1.4.3 |
| CM-04 | Monitoring Configuration Changes | TME1.3.2, TME1.3.3, TME1.4.1, TME1.4.3 |
| CM-05 | Access Restrictions For Change | TME1.3.3, TME1.4.1, TME1.4.2 |
| CM-06 | Configuration Settings | TME1.4.1 |
| CM-09 | Configuration Management Plan | TME1.4.1 |
| CM-12 | Information Location | TME1.12.4, TME1.7.2 |
| CM-13 | Data Action Mapping | TME1.12.4 |
| CM-14 | Signed Components | TME1.3.2, TME1.4.1, TME1.4.3 |
CP Contingency Planning
| Control | Name | HKMA TM-E-1 References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | TME1.2.5, TME1.6.1 |
| CP-02 | Contingency Plan | TME1.6.1, TME1.6.2 |
| CP-03 | Contingency Training | TME1.6.1, TME1.6.3 |
| CP-04 | Contingency Plan Testing And Exercises | TME1.6.3 |
| CP-05 | Contingency Plan Update | TME1.6.3 |
| CP-06 | Alternate Storage Site | TME1.6.2, TME1.6.4 |
| CP-07 | Alternate Processing Site | TME1.6.2, TME1.6.4 |
| CP-08 | Telecommunications Services | TME1.6.2, TME1.6.4 |
| CP-09 | Information System Backup | TME1.6.5 |
| CP-10 | Information System Recovery And Reconstitution | TME1.6.2, TME1.6.5 |
IA Identification and Authentication
| Control | Name | HKMA TM-E-1 References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | TME1.2.5, TME1.8.3 |
| IA-02 | User Identification And Authentication | TME1.10.2, TME1.10.4, TME1.8.2, TME1.8.3, TME1.8.5 |
| IA-03 | Device Identification And Authentication | TME1.10.2, TME1.8.3 |
| IA-04 | Identifier Management | TME1.8.1 |
| IA-05 | Authenticator Management | TME1.10.4, TME1.8.2, TME1.8.3 |
| IA-06 | Authenticator Feedback | TME1.8.3 |
| IA-07 | Cryptographic Module Authentication | TME1.8.3, TME1.9.1 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | TME1.8.3 |
| IA-09 | Service Identification and Authentication | TME1.9.3 |
| IA-10 | Adaptive Authentication | TME1.10.4, TME1.8.3 |
| IA-11 | Re-authentication | TME1.10.4, TME1.8.3 |
| IA-12 | Identity Proofing | TME1.8.3 |
IR Incident Response
| Control | Name | HKMA TM-E-1 References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | TME1.2.5, TME1.5.4, TME1.7.5 |
| IR-02 | Incident Response Training | TME1.7.5 |
| IR-03 | Incident Response Testing And Exercises | TME1.6.3, TME1.7.5 |
| IR-04 | Incident Handling | TME1.11.3, TME1.5.4, TME1.7.5 |
| IR-05 | Incident Monitoring | TME1.5.4, TME1.7.5 |
| IR-06 | Incident Reporting | TME1.5.4, TME1.7.5 |
| IR-07 | Incident Response Assistance | TME1.5.4, TME1.7.5 |
| IR-08 | Incident Response Plan | TME1.5.4, TME1.7.5 |
| IR-09 | Information Spillage Response | TME1.5.4, TME1.7.5 |
MA Maintenance
| Control | Name | HKMA TM-E-1 References |
|---|---|---|
| MA-01 | System Maintenance Policy And Procedures | TME1.2.5 |
MP Media Protection
| Control | Name | HKMA TM-E-1 References |
|---|---|---|
| MP-01 | Media Protection Policy And Procedures | TME1.2.5, TME1.7.2 |
| MP-02 | Media Access | TME1.7.2 |
| MP-03 | Media Labeling | TME1.7.2 |
| MP-04 | Media Storage | TME1.6.5, TME1.7.2, TME1.9.2 |
| MP-05 | Media Transport | TME1.6.5, TME1.7.2, TME1.9.2 |
| MP-06 | Media Sanitization And Disposal | TME1.7.2 |
| MP-08 | Media Downgrading | TME1.7.2 |
PE Physical and Environmental Protection
| Control | Name | HKMA TM-E-1 References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | TME1.11.1, TME1.2.5, TME1.5.1 |
| PE-02 | Physical Access Authorizations | TME1.11.1, TME1.5.1 |
| PE-03 | Physical Access Control | TME1.11.1, TME1.11.3, TME1.5.1 |
| PE-04 | Access Control For Transmission Medium | TME1.5.1 |
| PE-06 | Monitoring Physical Access | TME1.11.1, TME1.11.3, TME1.5.1 |
| PE-07 | Visitor Control | TME1.5.1 |
| PE-08 | Access Records | TME1.5.1 |
| PE-09 | Power Equipment And Power Cabling | TME1.5.1 |
| PE-10 | Emergency Shutoff | TME1.5.1 |
| PE-11 | Emergency Power | TME1.5.1 |
| PE-12 | Emergency Lighting | TME1.5.1 |
| PE-13 | Fire Protection | TME1.5.1 |
| PE-14 | Temperature And Humidity Controls | TME1.5.1 |
| PE-15 | Water Damage Protection | TME1.5.1 |
| PE-17 | Alternate Work Site | TME1.5.1, TME1.6.4, TME1.8.5 |
| PE-18 | Location Of Information System Components | TME1.5.1 |
| PE-20 | Asset Monitoring and Tracking | TME1.11.1, TME1.11.3 |
| PE-23 | Facility Location | TME1.5.1, TME1.6.4 |
PL Planning
| Control | Name | HKMA TM-E-1 References |
|---|---|---|
| PL-01 | Security Planning Policy And Procedures | TME1.2.5, TME1.7.1 |
| PL-02 | System Security Plan | TME1.7.1 |
| PL-07 | Concept of Operations | TME1.2.2, TME1.3.1 |
| PL-08 | Security and Privacy Architectures | TME1.2.2, TME1.7.1, TME1.7.3 |
| PL-09 | Central Management | TME1.2.1, TME1.2.3, TME1.2.4, TME1.7.1 |
| PL-10 | Baseline Selection | TME1.2.3 |
| PL-11 | Baseline Tailoring | TME1.2.3 |
PM Program Management
| Control | Name | HKMA TM-E-1 References |
|---|---|---|
| PM-01 | Information Security Program Plan | TME1.2.1, TME1.2.3, TME1.2.5, TME1.7.1 |
| PM-02 | Information Security Program Leadership Role | TME1.2.1, TME1.2.4, TME1.7.1 |
| PM-03 | Information Security and Privacy Resources | TME1.2.1 |
| PM-06 | Measures of Performance | TME1.12.3, TME1.3.3 |
| PM-07 | Enterprise Architecture | TME1.2.2, TME1.3.1, TME1.5.3 |
| PM-08 | Critical Infrastructure Plan | TME1.2.2, TME1.6.1 |
| PM-09 | Risk Management Strategy | TME1.2.1, TME1.2.3, TME1.7.1 |
| PM-11 | Mission and Business Process Definition | TME1.2.2, TME1.6.1 |
| PM-13 | Security and Privacy Workforce | TME1.7.1 |
| PM-14 | Testing, Training, and Monitoring | TME1.2.6, TME1.6.3, TME1.7.4 |
| PM-16 | Threat Awareness Program | TME1.7.4, TME1.7.5 |
| PM-28 | Risk Framing | TME1.2.3, TME1.7.1 |
| PM-29 | Risk Management Program Leadership Roles | TME1.2.1, TME1.2.4 |
PS Personnel Security
RA Risk Assessment
| Control | Name | HKMA TM-E-1 References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | TME1.2.3, TME1.2.5 |
| RA-02 | Security Categorization | TME1.7.2 |
| RA-03 | Risk Assessment | TME1.12.1, TME1.2.3 |
| RA-04 | Risk Assessment Update | TME1.2.3 |
| RA-05 | Vulnerability Scanning | TME1.7.4 |
| RA-07 | Risk Response | TME1.2.3 |
| RA-09 | Criticality Analysis | TME1.12.1, TME1.12.5, TME1.2.3, TME1.6.1, TME1.6.2 |
| RA-10 | Threat Hunting | TME1.7.4 |
SA System and Services Acquisition
| Control | Name | HKMA TM-E-1 References |
|---|---|---|
| SA-01 | System And Services Acquisition Policy And Procedures | TME1.2.5 |
| SA-02 | Allocation Of Resources | TME1.2.2, TME1.5.3 |
| SA-03 | Life Cycle Support | TME1.3.1, TME1.3.2 |
| SA-04 | Acquisitions | TME1.12.1, TME1.12.2, TME1.3.1, TME1.3.4 |
| SA-05 | Information System Documentation | TME1.3.4 |
| SA-08 | Security Engineering Principles | TME1.3.1, TME1.3.2, TME1.7.3 |
| SA-09 | External Information System Services | TME1.12.1, TME1.12.2, TME1.12.3, TME1.12.4, TME1.3.4 |
| SA-10 | Developer Configuration Management | TME1.3.2, TME1.4.3 |
| SA-11 | Developer Security Testing | TME1.3.2, TME1.3.3 |
| SA-15 | Development Process, Standards, and Tools | TME1.3.1, TME1.3.2 |
| SA-16 | Developer-Provided Training | TME1.3.2 |
| SA-17 | Developer Security and Privacy Architecture and Design | TME1.3.2, TME1.7.3 |
| SA-20 | Customized Development of Critical Components | TME1.3.2 |
| SA-21 | Developer Screening | TME1.12.1, TME1.3.2 |
| SA-22 | Unsupported System Components | TME1.3.4 |
SC System and Communications Protection
| Control | Name | HKMA TM-E-1 References |
|---|---|---|
| SC-01 | System And Communications Protection Policy And Procedures | TME1.2.5 |
| SC-02 | Application Partitioning | TME1.7.3 |
| SC-03 | Security Function Isolation | TME1.7.3 |
| SC-06 | Resource Priority | TME1.5.3 |
| SC-07 | Boundary Protection | TME1.10.1, TME1.10.3, TME1.12.4, TME1.7.3 |
| SC-08 | Transmission Integrity | TME1.10.1, TME1.10.2, TME1.10.3, TME1.11.2, TME1.8.5, TME1.9.1 |
| SC-09 | Transmission Confidentiality | TME1.8.5 |
| SC-10 | Network Disconnect | TME1.8.4 |
| SC-11 | Trusted Path | TME1.10.1 |
| SC-12 | Cryptographic Key Establishment And Management | TME1.10.3, TME1.11.2, TME1.8.5, TME1.9.1, TME1.9.2 |
| SC-13 | Use Of Cryptography | TME1.10.1, TME1.10.2, TME1.10.3, TME1.11.2, TME1.8.5, TME1.9.1, TME1.9.3 |
| SC-16 | Transmission Of Security Parameters | TME1.9.3 |
| SC-17 | Public Key Infrastructure Certificates | TME1.9.1, TME1.9.2, TME1.9.3 |
| SC-18 | Mobile Code | TME1.10.2 |
| SC-23 | Session Authenticity | TME1.10.1, TME1.8.4 |
| SC-24 | Fail in Known State | TME1.6.2 |
| SC-28 | Protection of Information at Rest | TME1.10.2, TME1.10.3, TME1.11.2, TME1.12.4, TME1.9.1, TME1.9.2 |
| SC-32 | System Partitioning | TME1.7.3 |
| SC-37 | Out-of-band Channels | TME1.10.4 |
| SC-39 | Process Isolation | TME1.7.3 |
| SC-40 | Wireless Link Protection | TME1.8.5 |
| SC-41 | Port and I/O Device Access | TME1.11.1, TME1.11.3 |
| SC-45 | System Time Synchronization | TME1.5.2 |
| SC-46 | Cross Domain Policy Enforcement | TME1.7.3 |
| SC-49 | Hardware-enforced Separation and Policy Enforcement | TME1.7.3 |
| SC-50 | Software-enforced Separation and Policy Enforcement | TME1.7.3 |
SI System and Information Integrity
| Control | Name | HKMA TM-E-1 References |
|---|---|---|
| SI-01 | System And Information Integrity Policy And Procedures | TME1.2.5 |
| SI-02 | Flaw Remediation | TME1.5.4, TME1.7.4 |
| SI-03 | Malicious Code Protection | TME1.10.1, TME1.7.3 |
| SI-04 | Information System Monitoring Tools And Techniques | TME1.10.1, TME1.11.3, TME1.5.2, TME1.7.3, TME1.7.5 |
| SI-05 | Security Alerts And Advisories | TME1.7.4 |
| SI-07 | Software And Information Integrity | TME1.10.2, TME1.4.3, TME1.7.3 |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | TME1.10.1, TME1.3.2 |
| SI-11 | Error Handling | TME1.10.1 |
| SI-12 | Information Output Handling And Retention | TME1.6.5, TME1.7.2 |
| SI-13 | Predictable Failure Prevention | TME1.5.2, TME1.5.3 |
| SI-16 | Memory Protection | TME1.7.3 |
| SI-17 | Fail-safe Procedures | TME1.6.2 |