HKMA Supervisory Policy Manual TM-E-1: Technology Risk Management — SP 800-53 Coverage
How well do NIST SP 800-53 Rev 5 controls address each HKMA TM-E-1 requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.
Clause-by-Clause Analysis
TME1.2.1 Board and Senior Management Oversight of IT
Rationale
PM-01 information security program plan establishes the organisational security programme. PM-02 assigns a senior information security leadership role. PM-03 addresses resource allocation for security. PM-09 risk management strategy provides the strategic risk framework. PM-29 (new in Rev 5) risk management program leadership roles formalises senior leadership accountability for risk management. PS-09 (new in Rev 5) position descriptions defines security responsibilities in organisational roles. PL-09 (new in Rev 5) central management enables unified governance of security controls.
Gaps
HKMA TM-E-1 requires specific board-level oversight of IT including board approval of IT strategy, regular board reporting on technology risk posture, and personal accountability of senior management for technology risk. The HKMA three lines of defence model requires distinct first-line (business units), second-line (risk management/compliance), and third-line (internal audit) responsibilities for technology risk. SP 800-53 establishes programme governance but lacks Hong Kong-specific board committee structures, CIO/CTO accountability to the board, and HKMA-mandated reporting frequency to the board.
TME1.2.2 IT Strategy and Planning
Rationale
PM-07 enterprise architecture provides the strategic IT architecture framework. PM-08 critical infrastructure plan addresses planning for critical systems. PM-11 mission and business process definition links IT to business objectives. PL-07 concept of operations and PL-08 security and privacy architectures provide architectural planning. SA-02 allocation of resources addresses IT investment and resource planning.
Gaps
HKMA requires authorised institutions to develop a comprehensive IT strategy approved by the board that is aligned with business strategy and covers a three-to-five year horizon. TM-E-1 mandates specific IT strategic planning elements including technology roadmaps, innovation assessment, and alignment with the HKMA's Smart Banking initiatives and Fintech supervisory expectations. SP 800-53 addresses architecture and planning but not the Hong Kong regulatory expectation for board-approved IT strategic plans with defined horizons.
TME1.2.3 IT Risk Management Framework
Rationale
PM-01 and PM-09 establish the security programme and risk management strategy. PM-28 risk framing provides the organisational context for risk decisions. RA-01 risk assessment policy, RA-03 risk assessment, and RA-04 risk assessment update create a comprehensive risk assessment lifecycle. RA-07 (new in Rev 5) risk response adds explicit risk treatment actions. RA-09 (new in Rev 5) criticality analysis identifies critical components for risk-based prioritisation. PL-09 (new in Rev 5) central management, PL-10 (new in Rev 5) baseline selection, and PL-11 (new in Rev 5) baseline tailoring enable systematic risk-based framework establishment.
Gaps
HKMA requires the IT risk management framework to be integrated with the institution's overall risk management framework and aligned with the HKMA risk-based supervisory approach. TM-E-1 mandates specific risk appetite statements for technology risk approved by the board, regular risk reporting to the HKMA, and alignment with the C-RAF (Cyber Resilience Assessment Framework) maturity model. SP 800-53 provides strong risk management foundations but does not address C-RAF maturity levels or HKMA-specific risk reporting obligations.
TME1.2.4 IT Steering Committee and Organisational Structure
Rationale
PM-02 assigns senior information security leadership. PM-29 (new in Rev 5) risk management program leadership roles formalises leadership accountability. PS-09 (new in Rev 5) position descriptions defines security responsibilities within organisational roles. PL-09 (new in Rev 5) central management enables unified control governance across the organisation.
Gaps
HKMA TM-E-1 mandates specific governance structures including an IT Steering Committee with board/senior management representation, a Chief Information Officer role with appropriate seniority, and clear organisational reporting lines for IT and information security functions. The requirement for separation between IT development and IT operations is a specific HKMA expectation. SP 800-53 addresses leadership roles but does not prescribe specific committee structures, the CIO role, or organisational separation of IT functions as HKMA requires.
TME1.2.5 IT Policies and Standards
Rationale
SP 800-53 mandates comprehensive policies and procedures across all 20 control families through the -01 controls (AC-01 through SR-01). Each family requires documented policies consistent with applicable laws, regulations, and standards, along with procedures to facilitate implementation. PM-01 provides the overarching information security programme plan. PT-01 (new in Rev 5) adds privacy-specific policies. SR-01 (new in Rev 5) adds supply chain risk management policies. This provides thorough coverage of TM-E-1's requirement for a comprehensive IT policy framework.
Gaps
Minor gap. HKMA requires IT policies to be reviewed at least annually and approved by senior management. TM-E-1 also requires policies to specifically address Hong Kong regulatory requirements including PDPO (Personal Data Privacy Ordinance) compliance and HKMA circular requirements. SP 800-53 policy controls are comprehensive but do not reference Hong Kong-specific regulatory requirements or the HKMA's expectation for policy alignment with local banking ordinances.
TME1.2.6 IT Audit
Rationale
CA-02 security assessments provides the assessment framework. CA-05 plan of action and milestones tracks remediation. CA-07 continuous monitoring enables ongoing audit capability. AU-01 audit policy and AU-06 audit monitoring, analysis, and reporting support the audit function. PM-14 testing, training, and monitoring provides organisational-level testing and audit coordination.
Gaps
HKMA TM-E-1 requires an independent IT audit function as part of the three lines of defence model. The internal audit function must have sufficient IT audit expertise, report directly to the Audit Committee of the board, and follow a risk-based IT audit plan. TM-E-1 mandates specific audit coverage of IT governance, cybersecurity, and outsourcing arrangements. SP 800-53 provides assessment and monitoring controls but does not address the HKMA-specific internal audit independence requirements, Audit Committee reporting, or the three lines of defence IT audit expectations.
TME1.3.1 Project Governance and Methodology
Rationale
SA-03 life cycle support establishes development lifecycle requirements. SA-04 acquisitions and SA-08 security engineering principles ensure security is embedded in project methodology. SA-15 development process, standards, and tools defines development governance. PM-07 enterprise architecture and PL-07 concept of operations support project planning alignment with enterprise strategy.
Gaps
HKMA TM-E-1 requires a formal IT project management methodology with board/senior management oversight of major IT projects, defined project governance structures (project sponsor, steering committee, project manager), and mandatory security risk assessments at each project phase gate. SP 800-53 addresses security in the development lifecycle but does not cover the broader IT project management governance, project phase gates, budget oversight, or the HKMA expectation for escalation of material project risks to the IT Steering Committee.
TME1.3.2 System Development and Testing
Rationale
The SA family provides the core coverage: SA-03 life cycle support; SA-08 security engineering principles; SA-10 developer configuration management; SA-11 developer security testing; SA-15 development process, standards, and tools; SA-16 developer-provided training; and SA-17 developer security and privacy architecture. SA-20 (new in Rev 5) customized development of critical components addresses bespoke development for high-assurance banking systems. SA-21 (new in Rev 5) developer screening adds vetting for development personnel. CM-04 monitoring configuration changes and CM-14 (new in Rev 5) signed components ensure software integrity. SI-10 information accuracy validates input handling.
Gaps
Minor gap. HKMA requires separation of development, testing, and production environments with formal promotion procedures between environments. TM-E-1 mandates use of sanitised test data (not production customer data) in development and testing environments. SP 800-53 SA family provides comprehensive development security but does not explicitly mandate the HKMA-specific data sanitisation requirements for test environments or the prohibition on using live customer data in non-production environments.
TME1.3.3 Implementation and Post-Implementation Review
Rationale
CM-03 configuration change control governs implementation changes. CM-04 monitoring configuration changes tracks implementation impact. CM-05 access restrictions for change controls who can implement. SA-11 developer security testing covers pre-implementation testing. CA-02 security assessments and PM-06 measures of performance support post-implementation review.
Gaps
HKMA TM-E-1 requires a formal post-implementation review (PIR) for all significant IT projects to assess whether objectives were met, security requirements were satisfied, and lessons learned were captured. The PIR results must be reported to the IT Steering Committee. SP 800-53 addresses change control and assessment but does not mandate the specific post-implementation review process, PIR reporting to governance committees, or the formal lessons learned cycle that HKMA requires.
TME1.3.4 Package Software and Vendor Management
Rationale
SA-04 acquisitions establishes vendor selection and evaluation criteria. SA-05 information system documentation ensures adequate vendor documentation. SA-09 external information system services governs vendor-provided services. SA-22 unsupported system components addresses end-of-life vendor software management. SR-04 provenance and SR-05 acquisition strategies strengthen vendor evaluation. SR-06 supplier assessments and reviews enables ongoing vendor monitoring. SR-11 component authenticity verifies software integrity.
Gaps
HKMA requires specific vendor management practices for package software including evaluation of vendor financial stability, ongoing support commitments, and escrow arrangements for source code of critical applications. TM-E-1 mandates that AIs assess vendor concentration risk and maintain contingency plans for vendor failure. SP 800-53 supply chain controls are strong but do not address source code escrow, vendor financial viability assessment, or the HKMA-specific vendor concentration risk requirements.
TME1.4.1 Change Control Process
Rationale
CM-01 configuration management policy establishes the change control framework. CM-02 baseline configuration defines the controlled baseline. CM-03 configuration change control provides formal change control procedures including approval, testing, and documentation. CM-04 monitoring configuration changes enables detection of unauthorised changes. CM-05 access restrictions for change limits who can make changes. CM-06 configuration settings maintains secure configurations. CM-09 configuration management plan provides the overarching governance. CM-14 (new in Rev 5) signed components verifies integrity of changed components through cryptographic signatures.
Gaps
Minor gap. HKMA requires a Change Advisory Board (CAB) or equivalent committee to review and approve significant changes. TM-E-1 mandates change impact assessment covering business impact, security impact, and rollback planning. SP 800-53 CM family provides comprehensive change control but does not prescribe the specific CAB governance structure or the HKMA-mandated change categorisation scheme (standard, normal, emergency).
TME1.4.2 Emergency Change Procedures
Rationale
CM-03 configuration change control includes provisions for urgent changes with post-implementation review. CM-05 access restrictions for change controls emergency change authorisation. AU-02 auditable events and AU-12 audit record generation ensure emergency changes are fully logged for subsequent review and accountability.
Gaps
HKMA TM-E-1 requires specific emergency change procedures including retrospective authorisation by appropriate management, mandatory post-implementation review within a defined timeframe, and documented justification for bypassing normal change control. SP 800-53 CM-03 accommodates emergency changes but does not prescribe the specific retrospective approval process, management escalation requirements, or the HKMA expectation for trend analysis of emergency changes to identify systemic issues.
TME1.4.3 Release and Deployment Management
Rationale
CM-02 baseline configuration defines the target state for releases. CM-03 configuration change control governs the release approval process. CM-04 monitoring configuration changes validates deployment integrity. CM-14 (new in Rev 5) signed components ensures cryptographic verification of release packages. SA-10 developer configuration management covers version control and build management. SI-07 software and information integrity verifies that deployed software matches approved releases.
Gaps
HKMA requires formal release management procedures including release packaging, version control, deployment scheduling to minimise customer impact, and rollback capability testing. TM-E-1 expects release deployment windows to avoid peak banking hours and critical processing periods (e.g., month-end, CHATS settlement windows). SP 800-53 provides software integrity and change controls but does not address banking-specific deployment scheduling or the HKMA requirement for deployment impact assessment on banking services.
TME1.5.1 Data Centre Operations
Rationale
The PE family provides comprehensive data centre physical and environmental protection. PE-01 policy; PE-02 and PE-03 physical access authorisation and control; PE-04 transmission medium protection; PE-06 through PE-08 monitoring, visitor control, and access records; PE-09 through PE-15 environmental controls covering power, lighting, fire, HVAC, and water damage. PE-17 alternate work site addresses secondary facilities. PE-18 component location addresses secure placement. PE-23 (new in Rev 5) facility location adds site selection criteria for environmental and man-made threats.
Gaps
Minor gap. HKMA requires data centres supporting critical banking infrastructure to meet specific resilience standards including geographic separation from primary sites, resistance to natural disasters common in Hong Kong (typhoons, flooding), and compliance with Hong Kong building and fire safety regulations. SP 800-53 PE family is comprehensive but does not address Hong Kong-specific environmental hazards, local building codes, or the HKMA expectation for data centre tier classification aligned with banking criticality.
TME1.5.2 System Monitoring and Job Scheduling
Rationale
AU-02 auditable events and AU-03 content of audit records define what is monitored. AU-04 audit storage capacity ensures monitoring data retention. AU-06 audit monitoring, analysis, and reporting enables operational monitoring review. AU-12 audit record generation creates the monitoring data. CA-07 continuous monitoring provides the overarching monitoring framework. SI-04 information system monitoring enables real-time system observation. SI-13 (new in Rev 5) predictable failure prevention supports proactive monitoring of system health. SC-45 (new in Rev 5) system time synchronization ensures accurate timestamps for job scheduling and monitoring correlation.
Gaps
HKMA requires specific operational monitoring of batch processing schedules, end-of-day processing for CHATS (Clearing House Automated Transfer System) and FPS (Faster Payment System) settlement, and automated alerting for job failures. TM-E-1 mandates monitoring of service availability metrics against defined SLAs. SP 800-53 provides strong monitoring capabilities but does not address banking-specific batch processing schedules, payment system settlement monitoring, or the HKMA expectation for monitoring of RTGS (Real-Time Gross Settlement) system connectivity.
TME1.5.3 Capacity and Performance Management
Rationale
AU-04 audit storage capacity addresses storage capacity planning. SA-02 allocation of resources covers resource planning. SC-06 resource priority enables prioritisation of critical system resources. SI-13 (new in Rev 5) predictable failure prevention enables proactive capacity monitoring by predicting component failures based on utilisation trends. PM-07 enterprise architecture provides the strategic capacity planning framework.
Gaps
HKMA TM-E-1 requires formal capacity planning processes including demand forecasting, capacity modelling, and proactive capacity augmentation before thresholds are breached. TM-E-1 mandates performance benchmarking against defined service levels and capacity planning to accommodate peak transaction volumes (e.g., IPO settlement surges, year-end processing). SP 800-53 addresses resource allocation and predictive maintenance but does not cover the HKMA-specific capacity planning methodology, performance benchmarking requirements, or capacity planning for Hong Kong market-driven transaction spikes.
TME1.5.4 Problem and Incident Management
Rationale
IR-01 incident response policy establishes the incident management framework. IR-04 incident handling provides incident management procedures. IR-05 incident monitoring enables ongoing incident tracking. IR-06 incident reporting covers reporting processes. IR-07 incident response assistance provides support mechanisms. IR-08 incident response plan defines the response approach. IR-09 (new in Rev 5) information spillage response adds specific handling for data breach incidents. SI-02 flaw remediation addresses problem resolution through patching.
Gaps
HKMA TM-E-1 requires separate but linked problem management and incident management processes. Problem management must include root cause analysis, trend analysis, and proactive problem identification. TM-E-1 mandates specific incident reporting to the HKMA for material technology incidents within stipulated timeframes (typically 1 hour for critical incidents affecting banking services). SP 800-53 IR family covers incident handling well but does not differentiate between incident management and problem management, and does not address the specific HKMA incident notification obligations or the timeframes for reporting to the Hong Kong regulator.
TME1.6.1 Business Continuity Planning
Rationale
CP-01 contingency planning policy establishes the BCP framework. CP-02 contingency plan provides the detailed continuity plan. CP-03 contingency training ensures staff are prepared. PM-08 critical infrastructure plan identifies critical services requiring continuity coverage. PM-11 mission and business process definition links BCP to business functions. RA-09 (new in Rev 5) criticality analysis identifies critical system components supporting essential banking services, enabling prioritised BCP coverage.
Gaps
HKMA TM-E-1 requires business continuity planning to cover all critical banking services with specific attention to payment and settlement systems (CHATS, FPS, SWIFT), regulatory reporting capabilities, and customer-facing channels. The BCP must be aligned with the HKMA Operational Resilience circular (OR-2) and address important business services. SP 800-53 CP family provides strong contingency planning but does not address the specific Hong Kong banking services that must be covered, HKMA OR-2 alignment, or the regulatory expectation for BCP to maintain the institution's ability to meet HKMA reporting obligations during disruption.
TME1.6.2 Disaster Recovery Planning and RTO/RPO
Rationale
CP-02 contingency plan includes disaster recovery provisions. CP-06 alternate storage site and CP-07 alternate processing site provide DR infrastructure. CP-08 telecommunications services ensures communications recovery. CP-10 information system recovery and reconstitution defines recovery procedures. RA-09 (new in Rev 5) criticality analysis supports prioritised recovery by identifying critical components. SC-24 (new in Rev 5) fail in known state ensures systems fail to a secure, predictable state facilitating faster recovery. SI-17 (new in Rev 5) fail-safe procedures provide additional failure handling for critical banking systems.
Gaps
HKMA mandates specific RTO and RPO requirements for critical banking services: payment and settlement systems typically require RTO of 2 hours and RPO near-zero. TM-E-1 requires DR planning to account for Hong Kong-specific disaster scenarios including severe typhoons (Signal 10), major flooding, and pandemic situations. The HKMA also requires DR sites to be geographically separated but within Hong Kong or a location that does not introduce additional cross-border data transfer complications. SP 800-53 covers recovery comprehensively but does not prescribe the specific RTO/RPO targets HKMA expects for banking services or the Hong Kong-specific disaster scenarios.
TME1.6.3 BCP/DR Testing and Maintenance
Rationale
CP-03 contingency training ensures staff readiness. CP-04 contingency plan testing and exercises provides the testing framework including tabletop, functional, and full-scale exercises. CP-05 contingency plan update ensures plans are maintained current. PM-14 testing, training, and monitoring coordinates organisational testing activities. IR-03 incident response testing validates response procedures.
Gaps
HKMA TM-E-1 requires annual BCP/DR testing at minimum, with more frequent testing for critical systems. The HKMA expects industry-wide DR testing exercises coordinated across Hong Kong's banking sector, particularly for payment and settlement infrastructure. TM-E-1 mandates that DR test results are reported to the board and the HKMA. SP 800-53 provides comprehensive testing controls but does not address the HKMA requirements for industry-wide coordinated testing, regulatory reporting of DR test results, or the specific test scenarios HKMA expects (including simultaneous failure of primary and secondary sites).
TME1.6.4 Alternate Processing Sites
Rationale
CP-06 alternate storage site provides geographically separated data storage. CP-07 alternate processing site establishes recovery processing capability with defined readiness levels. CP-08 telecommunications services ensures communications to alternate sites. PE-17 alternate work site addresses staff relocation. PE-23 (new in Rev 5) facility location adds site selection criteria considering environmental threats and proximity to major infrastructure.
Gaps
HKMA requires alternate processing sites to be sufficiently separated from primary sites to avoid common-cause failures, while remaining accessible to staff. TM-E-1 addresses the specific Hong Kong geographic constraint — limited land area means DR sites may need to be located outside Hong Kong (typically in Guangdong Province or Singapore), raising cross-border data transfer considerations under the PDPO and Mainland China data protection regulations. SP 800-53 covers alternate sites comprehensively but does not address the HK-specific geographic constraints or the cross-border data implications of DR site location.
TME1.6.5 Data Backup and Recovery
Rationale
CP-09 information system backup provides comprehensive backup policy including frequency, retention, and testing. CP-10 information system recovery and reconstitution defines recovery procedures. MP-04 media storage and MP-05 media transport govern backup media handling. SI-12 information output handling and retention addresses data retention requirements.
Gaps
Minor gap. HKMA requires backup strategies to ensure data integrity and availability for critical banking records with retention periods aligned with Hong Kong banking ordinance requirements (typically 7 years for transaction records). TM-E-1 mandates backup encryption and secure offsite storage with access controls. SP 800-53 provides strong backup controls but does not specify the Hong Kong-specific data retention periods mandated by the Banking Ordinance and Companies Ordinance.
TME1.7.1 Information Security Policy and Framework
Rationale
PL-01 security planning policy establishes the security policy framework. PL-02 system security plan documents security controls for each system. PL-08 security and privacy architectures provides the architectural security framework. PL-09 (new in Rev 5) central management enables unified governance. PM-01 information security programme plan provides the comprehensive security programme. PM-02 assigns senior security leadership. PM-09 risk management strategy links security to risk. PM-13 security and privacy workforce ensures adequate security staffing. PM-28 risk framing contextualises security within organisational risk.
Gaps
Minor gap. HKMA TM-E-1 requires the information security framework to be aligned with the C-RAF (Cyber Resilience Assessment Framework) maturity model covering inherent risk assessment and maturity assessment across governance, identification, protection, detection, and response/recovery domains. SP 800-53 provides a comprehensive security framework but does not map to the specific C-RAF maturity levels or the HKMA's supervisory expectations for minimum maturity ratings based on the institution's inherent risk profile.
TME1.7.2 Information Classification and Handling
Rationale
AC-15 automated marking and AC-16 automated labeling enable systematic classification. MP-01 through MP-06 and MP-08 provide comprehensive media protection including labelling, storage, transport, and sanitisation. RA-02 security categorisation defines the classification scheme. SI-12 information output handling and retention governs data throughout its lifecycle. CM-12 (new in Rev 5) information location identifies where classified data resides across the infrastructure, enabling effective classification enforcement.
Gaps
Minor gap. HKMA requires classification aligned with the sensitivity of banking data including customer personal data (governed by PDPO), transaction data, and market-sensitive information. TM-E-1 mandates specific handling procedures for customer data including the PDPO Data Protection Principles. SP 800-53 provides strong classification and handling controls but does not address the Hong Kong PDPO-specific classification requirements or the handling rules for banking-specific data categories.
TME1.7.3 Security Architecture and Controls
Rationale
PL-08 security and privacy architectures provides the architectural framework. SA-08 security engineering principles and SA-17 developer security architecture ensure security-by-design. SC-02 application partitioning, SC-03 security function isolation, SC-07 boundary protection, SC-32 system partitioning, and SC-39 process isolation provide defence-in-depth architecture. SC-46 (new in Rev 5) cross-domain policy enforcement strengthens boundary controls. SC-49 and SC-50 (new in Rev 5) hardware and software-enforced separation add layered isolation. SI-03 malicious code protection, SI-04 monitoring, SI-07 software integrity, and SI-16 (new in Rev 5) memory protection provide comprehensive technical security controls.
Gaps
Minimal gap. HKMA requires security architecture to follow defence-in-depth principles with specific attention to network segmentation between internet-facing, internal, and critical banking zones. SP 800-53 provides excellent security architecture coverage. The remaining gap is the HKMA-specific requirement for security architecture to be reviewed by the C-RAF assessment process and aligned with the institution's cyber resilience maturity target.
TME1.7.4 Vulnerability Assessment and Penetration Testing
Rationale
CA-02 security assessments provides the assessment framework. CA-08 penetration testing covers external and internal penetration testing. RA-05 vulnerability scanning enables regular vulnerability identification. RA-10 (new in Rev 5) threat hunting adds proactive threat detection capability. PM-14 testing, training, and monitoring coordinates assessment activities. PM-16 threat awareness program provides threat intelligence context. SI-02 flaw remediation drives vulnerability remediation. SI-05 security alerts and advisories keeps the institution informed of new vulnerabilities.
Gaps
HKMA requires vulnerability assessments and penetration testing at least annually and after significant changes. Beyond standard penetration testing, the HKMA Cyber Fortification Initiative mandates iCAST (intelligence-led Cyber Attack Simulation Testing) for selected institutions, which is a threat intelligence-led red team exercise similar to TIBER-EU and CBEST. iCAST requires certified threat intelligence providers and red team operators approved by the HKMA. SP 800-53 CA-08 covers penetration testing but does not address the iCAST methodology, HKMA-approved tester requirements, or the intelligence-led testing approach mandated under the Cyber Fortification Initiative.
TME1.7.5 Security Incident Management
Rationale
IR-01 through IR-09 provide comprehensive incident response capability including policy, training, testing, handling, monitoring, reporting, assistance, planning, and spillage response. AU-06 audit monitoring, analysis, and reporting supports incident detection. SI-04 information system monitoring enables real-time threat detection. PM-16 threat awareness program provides contextual threat intelligence for incident classification.
Gaps
HKMA TM-E-1 mandates specific incident reporting to the HKMA for major technology incidents including cyber attacks, significant service disruptions, and data breaches. The HKMA expects notification within stipulated timeframes (typically within 1 hour for incidents affecting critical banking services) using prescribed reporting templates. TM-E-1 also requires coordination with the Hong Kong Police Cyber Security and Technology Crime Bureau for criminal incidents and with the Hong Kong Computer Emergency Response Team (HKCERT). SP 800-53 IR family provides strong incident management but does not address the HKMA-specific reporting obligations, timeframes, prescribed templates, or the coordination requirements with Hong Kong law enforcement and HKCERT.
TME1.8.1 User Access Management
Rationale
AC-01 access control policy establishes the access management framework. AC-02 account management covers user provisioning, modification, and de-provisioning. AC-03 access enforcement ensures access decisions are enforced. AC-05 separation of duties prevents conflicting access. AC-06 least privilege minimises access rights. AC-13 supervision and review enables access reviews. AC-24 access control decisions provides dynamic access determination. IA-04 identifier management governs user identifiers. PS-04 personnel termination and PS-05 personnel transfer ensure timely access revocation.
Gaps
Minor gap. HKMA requires regular user access reviews (at least annually for all users, quarterly for privileged users) with formal recertification by data/system owners. TM-E-1 mandates that user access requests follow a maker-checker approval process. SP 800-53 provides comprehensive access management controls including AC-13 for review, but does not prescribe the specific HKMA access review frequencies or the maker-checker approval workflow requirement.
TME1.8.2 Privilege Access Management
Rationale
AC-02 account management includes specific provisions for privileged accounts. AC-05 separation of duties prevents privilege conflicts. AC-06 least privilege restricts privileged access to the minimum necessary. AC-13 supervision and review enables privileged access monitoring. AU-02, AU-03, and AU-12 ensure comprehensive audit logging of privileged activities. AU-14 session audit enables recording of privileged user sessions. IA-02 user identification and authentication requires multi-factor authentication for privileged users. IA-05 authenticator management governs privileged credentials.
Gaps
HKMA requires specific controls for privileged access including mandatory multi-factor authentication, time-limited privileged access (just-in-time provisioning), session recording for database administrator and system administrator activities, and dual-control (four-eyes) for critical operations such as database changes and firewall rule modifications. SP 800-53 provides strong privilege controls but does not prescribe the HKMA-specific four-eyes principle for critical operations or the requirement for privileged access to be automatically revoked after a defined period.
TME1.8.3 Authentication Mechanisms
Rationale
IA-01 identification and authentication policy establishes the authentication framework. IA-02 user identification and authentication covers multi-factor authentication. IA-03 device identification and authentication verifies devices. IA-05 authenticator management governs credential lifecycle. IA-06 authenticator feedback protects authentication information. IA-07 cryptographic module authentication ensures module integrity. IA-08 identification of non-organisational users covers external authentication. IA-10 adaptive authentication supports risk-based authentication. IA-11 re-authentication enforces periodic re-verification. IA-12 identity proofing validates user identity before credential issuance.
Gaps
Minimal gap. HKMA requires strong authentication mechanisms aligned with Hong Kong banking standards. For internet banking, TM-E-1 mandates two-factor authentication (2FA) using separate channels or devices. SP 800-53 IA family provides comprehensive authentication controls including adaptive and multi-factor authentication. The remaining gap is the HKMA-specific 2FA requirements for internet banking transactions and the requirement for authentication mechanisms to be assessed under the C-RAF maturity model.
TME1.8.4 Session Management and Timeout
Rationale
AC-10 concurrent session control limits simultaneous sessions. AC-11 session lock provides automated session locking after inactivity. AC-12 session termination automatically ends sessions based on defined conditions. SC-10 network disconnect terminates network connections after inactivity periods. SC-23 session authenticity protects against session hijacking and replay attacks.
Gaps
Minimal gap. HKMA requires specific session timeout values for internet banking (typically 5-10 minutes of inactivity) and internal systems. TM-E-1 mandates that session management prevents session fixation and session hijacking attacks. SP 800-53 provides comprehensive session management controls. The only remaining gap is the HKMA-prescribed timeout values for banking application sessions.
TME1.8.5 Remote Access Security
Rationale
AC-17 remote access controls remote connectivity with encryption and authentication requirements. AC-18 wireless access governs wireless connectivity restrictions. AC-19 access control for portable and mobile devices manages mobile endpoints. AC-20 use of external information systems controls access from external environments. IA-02 user identification and authentication requires multi-factor authentication for remote access. SC-08 and SC-09 transmission integrity and confidentiality protect data in transit. SC-12 and SC-13 cryptographic key management and use of cryptography ensure encrypted remote connections. SC-40 (new in Rev 5) wireless link protection adds cryptographic protection for wireless communications. PE-17 alternate work site addresses remote working environments.
Gaps
Minor gap. HKMA requires remote access controls to specifically address work-from-home arrangements with endpoint security requirements, split-tunnelling restrictions, and data leakage prevention for remote banking operations. TM-E-1 mandates that remote access to critical banking systems requires enhanced authentication and is subject to additional monitoring. SP 800-53 provides comprehensive remote access controls but does not address the HKMA-specific requirements for remote access to banking production systems or the enhanced controls for home-based working arrangements.
TME1.9.1 Cryptographic Policy and Standards
Rationale
SC-12 cryptographic key establishment and management provides comprehensive key management policy. SC-13 use of cryptography defines cryptographic algorithm and strength requirements. SC-17 public key infrastructure certificates governs PKI usage. SC-08 transmission integrity ensures cryptographic protection of data in transit. SC-28 protection of information at rest covers encryption at rest. IA-07 cryptographic module authentication ensures cryptographic modules meet validation standards (FIPS 140-2/3).
Gaps
Minor gap. HKMA requires cryptographic standards to be aligned with international standards and regularly reviewed to ensure they remain adequate against evolving threats including quantum computing risks. TM-E-1 mandates specific cryptographic requirements for internet banking and payment systems including compliance with the Payment Card Industry PIN Security Requirements and EMV standards. SP 800-53 provides strong cryptographic controls but does not address HKMA-specific cryptographic requirements for Hong Kong payment systems or the quantum readiness expectations.
TME1.9.2 Key Management
Rationale
SC-12 cryptographic key establishment and management provides comprehensive key lifecycle management including generation, distribution, storage, rotation, revocation, and destruction. SC-17 public key infrastructure certificates governs digital certificate management. SC-28 protection of information at rest includes encryption key protection. MP-04 media storage and MP-05 media transport govern secure handling of key material on physical media.
Gaps
Minor gap. HKMA requires key management procedures to include dual-control and split-knowledge for critical cryptographic keys, particularly for HSM (Hardware Security Module) master keys and payment system keys. TM-E-1 mandates key ceremony procedures for critical key generation events. SP 800-53 SC-12 covers key management comprehensively but does not prescribe the specific dual-control, split-knowledge, and key ceremony procedures that HKMA expects for banking-grade cryptographic operations.
TME1.9.3 Digital Signatures and Certificates
Rationale
SC-17 public key infrastructure certificates provides comprehensive PKI and certificate management. SC-13 use of cryptography covers digital signature algorithms. AU-10 non-repudiation ensures, through digital signatures, that transactions cannot later be denied. IA-09 service identification and authentication enables service-level certificate-based authentication. SC-16 transmission of security parameters governs the secure exchange of certificates and security parameters.
Gaps
Minor gap. HKMA requires digital signatures and certificates to comply with the Hong Kong Electronic Transactions Ordinance (ETO) for legally binding electronic signatures. TM-E-1 mandates use of recognised certification authorities and specific certificate validation procedures for internet banking. SP 800-53 provides strong PKI and digital signature controls but does not address the Hong Kong ETO requirements or the HKMA-specific certification authority recognition standards.
TME1.10.1 Online Banking Security Controls
Rationale
SC-07 boundary protection provides network segmentation for internet banking infrastructure. SC-08 transmission integrity and SC-13 use of cryptography ensure encrypted communications. SC-23 session authenticity protects banking sessions. SC-11 trusted path provides secure communication channels. AC-04 information flow enforcement controls data flows between internet-facing and internal banking zones. AC-17 remote access governs customer remote connectivity. SI-03 malicious code protection, SI-04 monitoring, SI-10 information accuracy, and SI-11 error handling provide application security controls.
Gaps
HKMA TM-E-1 has specific internet banking security requirements that extend beyond general IT security controls. These include: mandatory two-factor authentication for high-risk transactions (transfers, payee additions), transaction signing for high-value payments, customer notification of login and transaction activity (SMS/push alerts), anti-phishing measures (personalised security images), fraud detection systems with real-time transaction monitoring, and specific requirements for protecting against man-in-the-browser attacks. SP 800-53 provides strong foundational controls but does not address these banking-specific security measures or the HKMA's e-banking security expectations.
TME1.10.2 Mobile Banking Security
Rationale
AC-19 access control for portable and mobile devices provides mobile device management policy. SC-08 transmission integrity and SC-13 use of cryptography ensure secure mobile communications. SC-28 protection of information at rest secures data stored on mobile devices. SC-18 mobile code governs mobile application security. IA-02 user identification and authentication covers mobile authentication. IA-03 device identification and authentication enables device binding. SI-07 software and information integrity verifies mobile application integrity.
Gaps
HKMA requires specific mobile banking security controls including: mobile application hardening (anti-tampering, jailbreak/root detection, code obfuscation), secure local data storage with application-level encryption, certificate pinning to prevent man-in-the-middle attacks, device binding to link mobile banking to authorised devices, and biometric authentication integration. TM-E-1 mandates mobile banking apps be subject to security assessment before release and regularly thereafter. SP 800-53 provides mobile device controls but does not address these banking-specific mobile application security requirements or the HKMA expectations for mobile banking app security testing.
TME1.10.3 Electronic Payment Security
Rationale
SC-07 boundary protection segments payment processing infrastructure. SC-08 transmission integrity and SC-13 use of cryptography protect payment data in transit. SC-12 key management and SC-28 protection at rest secure payment credentials. AU-02 auditable events and AU-10 non-repudiation provide transaction audit trails. AC-03 access enforcement and AC-04 information flow enforcement control payment system access.
Gaps
HKMA TM-E-1 has extensive electronic payment security requirements covering FPS (Faster Payment System), CHATS (Clearing House Automated Transfer System), SWIFT connectivity, and card payment processing. Specific gaps include: FPS real-time fraud monitoring requirements, SWIFT Customer Security Programme (CSP) compliance, payment message integrity verification (SWIFT message authentication codes), transaction limits and velocity checks, and compliance with the Hong Kong Stored Value Facility (SVF) licensing requirements. SP 800-53 provides foundational security controls but does not address Hong Kong payment system-specific requirements, FPS/CHATS security standards, or the HKMA's expectations for payment fraud prevention.
TME1.10.4 Two-Factor Authentication for Online Services
Rationale
IA-02 user identification and authentication covers multi-factor authentication requirements. IA-05 authenticator management governs the lifecycle of authentication tokens and devices. IA-10 adaptive authentication enables risk-based step-up authentication for high-risk transactions. IA-11 re-authentication enforces periodic re-verification during sessions. SC-37 out-of-band channels provides the framework for out-of-band authentication delivery (SMS OTP, push notification) used in two-factor authentication.
Gaps
HKMA mandates two-factor authentication (2FA) for internet banking with specific requirements: 2FA must use separate channels or devices (not just two factors on the same device), high-risk transactions (fund transfers to unregistered payees, limit changes) require transaction signing, and the HKMA expects progressive migration from SMS OTP to more secure methods (hardware tokens, push authentication, biometrics). SP 800-53 covers multi-factor authentication comprehensively but does not address the HKMA-specific 2FA channel separation requirements, transaction signing mandates, or the progression pathway away from SMS-based OTP.
TME1.11.1 ATM Physical Security
Rationale
PE-01 physical and environmental protection policy provides the physical security framework. PE-02 and PE-03 physical access authorisation and control govern access to ATM locations. PE-06 monitoring physical access enables surveillance of ATM sites. PE-20 (new in Rev 5) asset monitoring and tracking supports ATM asset management and location tracking. SC-41 (new in Rev 5) port and I/O device access restriction controls physical ports on ATM hardware to prevent skimming device attachment.
Gaps
HKMA TM-E-1 has specific ATM physical security requirements that go well beyond general physical access control. These include: anti-skimming device installation on card readers, PIN shield/privacy guard requirements, CCTV monitoring of ATM locations with defined retention periods, physical tamper detection on ATM cabinets and card slots, cash cassette security with dual-control access, and specific requirements for off-premises ATM locations (convenience stores, shopping centres). SP 800-53 PE family provides general physical security but does not address ATM-specific physical security measures, anti-skimming technology requirements, or the HKMA standards for ATM site security.
TME1.11.2 ATM Transaction Security
Rationale
SC-08 transmission integrity protects ATM-to-host communications. SC-12 key management and SC-13 use of cryptography cover PIN encryption and key management. SC-28 protection of information at rest secures data stored in ATM hardware. AU-02 auditable events creates transaction audit trails. AU-10 non-repudiation ensures transaction accountability. AC-03 access enforcement controls ATM administrative access.
Gaps
HKMA requires specific ATM transaction security measures including: point-to-point encryption (P2PE) for PIN data from keypad to HSM, EMV chip transaction processing with fallback restrictions, dynamic currency conversion security, transaction velocity monitoring and geographic anomaly detection, and compliance with card scheme security requirements (Visa, Mastercard, UnionPay, JCB). TM-E-1 mandates ATM software to run on supported operating systems with hardened configurations and application whitelisting. SP 800-53 provides general cryptographic and access controls but does not address ATM-specific transaction security, PIN block encryption standards, EMV processing requirements, or the multi-scheme compliance requirements relevant to Hong Kong's ATM network.
TME1.11.3 Anti-Skimming and Fraud Prevention
Rationale
PE-03 physical access control and PE-06 monitoring physical access support surveillance of ATM locations. PE-20 (new in Rev 5) asset monitoring and tracking enables detection of unauthorised modifications to ATM hardware. SI-04 information system monitoring supports detection of unusual ATM transaction patterns. SC-41 (new in Rev 5) port and I/O device access restriction helps prevent attachment of skimming devices to USB or serial ports. IR-04 incident handling covers response to detected skimming or fraud incidents.
Gaps
HKMA has specific anti-skimming and ATM fraud prevention requirements that are largely outside SP 800-53 scope. These include: mandatory anti-skimming technology (jitter mechanisms, card reader guards, detection sensors), real-time transaction fraud monitoring with neural network/machine learning models, geographic velocity checks for card transactions, coordination with the Joint Financial Intelligence Unit (JFIU) for suspicious transaction reporting, customer fraud notification and card blocking procedures, and liability frameworks for ATM fraud. SP 800-53 provides general monitoring and physical security but does not address the banking-specific ATM fraud prevention technology, Hong Kong law enforcement coordination, or the HKMA's expectations for ATM fraud prevention programmes.
TME1.12.1 Outsourcing Risk Assessment and Due Diligence
Rationale
SA-04 acquisitions establishes vendor evaluation criteria. SA-09 external information system services governs outsourced services. SA-21 (new in Rev 5) developer screening adds personnel vetting for outsourced providers. SR-01 through SR-05 and SR-07 provide comprehensive supply chain risk management including policy, planning, controls, provenance, and acquisition strategies. RA-03 risk assessment and RA-09 (new in Rev 5) criticality analysis support risk-based evaluation of outsourcing arrangements, identifying which outsourced functions are critical to banking operations.
Gaps
HKMA TM-E-1 and the HKMA outsourcing circular require specific due diligence for outsourcing including: assessment of the service provider's financial stability, business reputation, and regulatory standing; evaluation of political and country risk for offshore outsourcing; specific assessment of data protection implications under the PDPO for cross-border data transfers; HKMA notification before outsourcing critical banking functions; and assessment of the provider's business continuity and disaster recovery capabilities. SP 800-53 provides strong supply chain controls but does not address the HKMA-specific pre-outsourcing notification requirement, the PDPO cross-border data transfer assessment, or the Hong Kong-specific country risk evaluation for offshore outsourcing.
TME1.12.2 Contractual and SLA Requirements
Rationale
SA-04 acquisitions includes contractual security requirements. SA-09 external information system services defines service-level expectations. SR-03 supply chain controls and processes establishes contractual control requirements. SR-06 supplier assessments and reviews enables performance monitoring against SLAs. SR-08 notification agreements covers incident notification between parties. PS-07 third-party personnel security governs personnel requirements in contracts.
Gaps
HKMA requires specific contractual provisions for outsourcing arrangements including: HKMA right of access to inspect the service provider's operations and records; data ownership and return provisions; mandatory inclusion of HKMA audit rights in outsourcing contracts; performance penalties and service credit mechanisms; security incident notification to the AI (authorized institution) and the HKMA within specified timeframes; provisions for regulatory changes in Hong Kong affecting the outsourced service; and termination and transition provisions including data migration and knowledge transfer. SP 800-53 covers contractual security but does not address the HKMA-mandated regulatory access rights, HKMA audit provisions in contracts, or the Hong Kong-specific contractual requirements.
TME1.12.3 Ongoing Monitoring and Oversight
Rationale
SR-06 supplier assessments and reviews provides the ongoing vendor monitoring framework. SR-10 inspection of systems or components enables periodic assessment of outsourced environments. CA-07 continuous monitoring extends monitoring capability to outsourced services. SA-09 external information system services maintains oversight of service delivery. PM-06 measures of performance tracks vendor performance metrics. AU-16 cross-organizational audit logging enables audit trail visibility across organisational boundaries with outsourced providers.
Gaps
HKMA requires ongoing oversight of outsourcing arrangements including: regular on-site assessments of service providers, independent audit reports (SOC 2 Type II or equivalent), performance reporting against SLAs with escalation procedures, annual review of outsourcing risk assessments, and specific oversight of sub-contractors performing critical functions. TM-E-1 mandates that AIs maintain in-house expertise to oversee outsourced functions and avoid over-reliance on service providers. SP 800-53 provides monitoring and assessment controls but does not address the HKMA-specific requirements for maintaining in-house capability or the oversight expectations for sub-contractors.
TME1.12.4 Cloud Computing Governance
Rationale
SA-09 external information system services governs cloud service provider relationships. AC-20 use of external information systems controls access from cloud environments. CM-12 (new in Rev 5) information location identifies where data resides across cloud deployments, critical for data residency compliance. CM-13 (new in Rev 5) data action mapping documents data processing in cloud environments. SC-07 boundary protection and SC-28 protection at rest secure cloud connectivity and storage. SR-01 and SR-03 provide supply chain governance for cloud providers.
Gaps
HKMA has specific cloud computing requirements including: data residency considerations (customer data of Hong Kong residents should ideally be stored in Hong Kong or jurisdictions with adequate data protection laws); encryption key management where the AI retains control of encryption keys (not the cloud provider); multi-cloud and vendor lock-in risk assessment; cloud provider exit strategy and data portability provisions; specific HKMA notification requirements before adopting cloud services for critical banking functions; and assessment against the HKMA Cloud Computing circular. SP 800-53 provides foundational controls for external services but does not address the HKMA-specific cloud governance requirements, data residency expectations, or the regulatory notification process for cloud adoption.
TME1.12.5 Sub-outsourcing and Concentration Risk
Rationale
SR-01 supply chain policy and SR-02 supply chain risk management plan provide the sub-outsourcing governance framework. SR-03 supply chain controls and processes establishes controls for the extended supply chain. SR-06 supplier assessments and reviews extends monitoring to sub-contractors. RA-09 (new in Rev 5) criticality analysis identifies where critical functions create concentration risk through shared service providers.
Gaps
HKMA requires specific controls for sub-outsourcing including: contractual right to approve or reject sub-outsourcing of critical functions; visibility into the full outsourcing chain; assessment of concentration risk where multiple AIs use the same service provider for critical functions; HKMA notification of material sub-outsourcing arrangements; and specific controls for fourth-party and nth-party risk. The HKMA also monitors systemic concentration risk across the Hong Kong banking sector where multiple institutions depend on the same cloud or technology providers. SP 800-53 provides supply chain controls but does not address the HKMA-specific sub-outsourcing approval requirements, sector-wide concentration risk assessment, or the regulatory notification obligations for sub-outsourcing.
Methodology and Disclaimer
This coverage analysis maps from HKMA TM-E-1 clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.
Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.
This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.