
Recommended Standards of Bring Your Own Devices for Work by Bank Staff in Hong Kong by the Hong Kong Association of Banks (October 2014)

1. BACKGROUND

In view of the advances in mobile computing technologies and the emerging need for
bank employees to access corporate data safely and remotely for work-related purposes
(e.g. to manage and handle operational incidents in a timely manner, or for business
continuity purposes), HKAB supports Bring Your Own Device (BYOD) in the Hong
Kong banking industry. The implementation of BYOD must have sufficient
security controls, close to the protection implemented for computing
devices owned by banks, especially for access to Consumer & Personal Data.

2. PURPOSE OF THE DOCUMENT

HKAB, in consultation with the Hong Kong Monetary Authority (HKMA), has
developed this document to set out the minimum controls for BYOD implementation.
These minimum control standards may be updated by HKAB from time to time in the
light of technological change, and such updates should be supported by the HKMA.
Member banks are expected to adopt all the control requirements stipulated in section
5 of this paper if they implement a BYOD program.

The control requirements aim at addressing the key risks of BYOD, including
malicious applications or software installed on the devices, loss of devices, leakage of
information while stored on the devices or transmitted between the devices and the bank’s
systems, and unauthorized access to the bank’s systems via the devices. This standard
adopts a two-tier approach to protecting customer data, commensurate with the risk
of loss or leakage of customer data via BYOD.

3. TYPE OF BYOD IMPLEMENTATION

In order to apply the most practical control measures, it is proposed that BYOD
implementation can be categorised into TWO types based on the sensitivity of data
access:

CATEGORY 1 (CAT1): BYOD for staff whose job duties do not involve accessing
Consumer or Personal Data

CATEGORY 2 (CAT2): BYOD for staff whose job duties involve accessing Consumer
or Personal Data

Control requirements for these BYOD implementations are differentiated and are
defined in section 5B below. Because of the importance of data protection, especially
for Consumer or Personal Data, the control requirements for CAT1 can be viewed as a
subset of those defined for CAT2.

Page 1 of 11
It is possible that a member bank will offer BYOD implementation for CAT1 or CAT2
only, or a combination of both. The relevant member bank would need to demonstrate
that its controls are implemented to meet the requirements for the respective category.

In principle, the control requirements in section 5 of this paper should be implemented
by member banks’ service providers (including third-party outsourcing operators and
overseas offices of the banking group) that have access to member banks’ customer data,
especially for CAT2.

4. GLOSSARY

App: An application that is developed specifically for mobile devices. ‘3rd party Apps’ refer to those Apps developed by a party outside of the bank.

App Store: An online store for purchasing and/or downloading mobile Apps.

BYOD: Bring Your Own Device to work. It refers to the use of computing devices (e.g. personal computers, tablets or smart phones) personally owned by staff members for work.

BYOD with Data Storage: This refers to BYOD that will store sensitive data, such as corporate or Consumer or Personal Data, in the local device storage area even after the connection to the member bank’s corporate network is terminated.

BYOD with Read Only Access: This refers to BYOD that will only access the member bank’s corporate network in read-only mode, i.e. no sensitive data, such as corporate or Consumer or Personal Data, will be stored in the local device storage area after the connection to the member bank’s corporate network is terminated. For example, BYOD equipped with a Virtual Desktop Infrastructure (VDI) solution, such as Citrix, is considered a Read Only Solution.

Consumer or Personal Data: Consumer or personal data include (i) sensitive information about the accounts or transactions of personal banking customers (e.g. private banking or retail banking customers), and/or (ii) personal information such as names, personal phone numbers, residential addresses and HKID / passport information of personal banking customers, or Human Resource (HR) records of the member bank’s employees. For instance, data about account numbers together with the associated account balances / transaction details are generally regarded as sensitive information about the accounts or transactions. Another example is information about the account numbers of private or retail banking customers together with the names of the account holders.

OS: A technical term referring to the Operating System (OS) of the Personal Computing and Mobile Device.

Personally-owned Computing and Mobile Device: A device owned by an individual employee that has a micro-processor(s) and can be used to remotely access the member bank’s internal network via communication media such as the Internet. For ease of understanding, some examples are: Personal Computer (PC) in various footprints such as Desktop, Laptop, Notebook; Mobile Computing Device such as smart phone and tablet.

Registered Device: In general, this refers to BYOD that requires pre-registration with the bank before it is allowed to connect to the bank’s corporate network. For example, BYOD loaded with a Digital Certificate is also considered to be an acceptable form of pre-registration.

Sandboxing: Sandboxing is a security environment whereby an App is protected from unauthorised access by malicious software (malware), intruders, system resources and/or other Apps.

Secure Container: The latest approach in mobile security whereby sensitive data, such as corporate or Consumer or Personal Data, is put into a container which is separated from other data residing on the same device. The Secure Container is protected by proper encryption and authentication methods. Access to data in the Secure Container is strictly controlled and allowed for authorised Apps only. Usually the Secure Container has its own application-specific Virtual Private Network (VPN) and/or SSL encryption which is used to securely connect to the bank’s internal network. Also, the bank may exercise the right to selectively wipe the data in the Secure Container.
5. CONTROL REQUIREMENTS

A. The following table contains controls that are required for all BYOD implementations and are applicable to all device types:

A.1 Data classification
1. Corporate data should be properly classified into different confidentiality levels and protected with appropriate measures. Although some of the controls in section 5B are optional for CAT1, member banks should consider implementing more stringent controls in accordance with the member bank’s data classification and risk assessment results, especially when accessing business customers’ data or internal sensitive data (e.g. network diagram, firewall rules).
2. Proper risk assessment of the data being accessed should be performed before allowing systems to be accessed via BYOD. In principle, highly sensitive customer data (e.g. passwords etc.) should not be accessed via BYOD.

A.2 Policies, and terms and conditions
1. Proper policies should be established to govern the security of BYOD as well as restrictions on member banks’ access to staff’s data on their devices used for BYOD.
2. Proper terms and conditions in relation to BYOD should be clearly established and signed off between the member bank and its staff. Such terms and conditions should be fair and balanced to both the member banks and their staff. Staff should be given the option of whether to use their devices for BYOD after being informed of the implications for their devices.
3. Member banks should provide sufficient guidance to staff on the proper usage of BYOD, related security precautions and ways of complying with the terms and conditions related to BYOD. Member banks should also remind staff of the possible disciplinary actions for any violations of the terms and conditions.

A.3 Regular risk assessment on the supportable OS & devices
Regular risk assessment should be conducted (at least once a year or when there is a major release of a new OS version) to select and review the appropriate device types (for mobile devices only) and OS for BYOD implementation. The assessment should cover the control requirements set out in section 5 of this paper. System controls should be in place to ensure that only those devices fulfilling all the control requirements stipulated in this paper are allowed for BYOD.

A.4 Regular independent certification / audit
An independent party with sufficient expertise should be engaged to certify the control requirements before any new BYOD initiative is implemented and thereafter at least once annually. If significant issues (e.g. data leakage incidents, etc.) or material risks of data leakage are found, the relevant member bank is required to take appropriate actions to mitigate any potential risks promptly and perform appropriate certification/audit to validate the adequacy of the actions taken. The certification or audit should be performed by the internal audit function or an equivalent independent unit with sufficient technical expertise that is considered to be an independent party.

A.5 Violations of policies and consequences
Effective control mechanisms should be in place to ensure staff compliance with the BYOD policies. Where a staff member is found to have violated the established policies, the member bank concerned should take appropriate remedial actions.

B. The following table contains controls that are required for different types of BYOD implementation and different categories of data access. Each control is followed by its applicability for BYOD with Read Only Access (CAT1, CAT2) and BYOD with Data Storage (CAT1, CAT2): ‘O’ for an optional control, ‘✓’ for a mandatory control and ‘N/A’ for not applicable; superscript numbers refer to the footnotes given after each block of controls.

B.1 Access Controls
Effective system controls should be implemented to enforce the following measures:

1. Only authorized users should be allowed to access the member bank’s corporate network and systems.
   Read Only Access: CAT1 ✓, CAT2 ✓ | Data Storage: CAT1 ✓, CAT2 ✓

2(a). Only registered devices should be allowed to access the member bank’s corporate network and systems.
   Read Only Access: CAT1 2(a) or 2(b)¹, CAT2 2(a) or 2(b)¹ | Data Storage: CAT1 2(a) or 2(b)¹, CAT2 ✓²

2(b). Strong and effective two-factor authentication (2FA) (such as a static login password plus one-time passwords generated by a separate security token, a static login password plus a non-duplicable digital certificate, or, for BYOD with Data Storage, pre-registration, etc.) should be in place for authenticating and establishing a connection to the member bank’s internal network.
   Read Only Access: CAT1 2(a) or 2(b)¹, CAT2 2(a) or 2(b)¹ | Data Storage: CAT1 2(a) or 2(b)¹, CAT2 ✓²

3. Strong password and account lockout controls in line with the corporate policy at application level should be in place.
   Read Only Access: CAT1 ✓, CAT2 ✓ | Data Storage: CAT1 ✓, CAT2 ✓

¹ B.1.2(a) and B.1.2(b) denote a pair of substitution controls where at least one of them should be implemented.
² As an example, a unique non-duplicable digital certificate installed on a device together with a static login password can fulfil both control requirements B.1.2(a) and B.1.2(b). If B.1.2(a) is not implemented, there could be cases where Consumer or Personal Data can be accessed from and stored at public devices (e.g. in coffee shops) using 2FA.

4. Effective and proper session timeout controls should be in place for applications connecting to the member bank’s corporate network.
   Read Only Access: CAT1 ✓, CAT2 ✓ | Data Storage: CAT1 ✓, CAT2 ✓

5. Transmission of data should be protected by secure and strong encryption that makes use of internationally recognised strong cryptographic algorithms and mechanisms (such as SSL) when establishing a connection to the member bank’s internal network.
   Read Only Access: CAT1 ✓, CAT2 ✓ | Data Storage: CAT1 ✓, CAT2 ✓

6. Access rights to the bank’s applications and data should be granted on a need-to-have basis.
   Read Only Access: CAT1 ✓, CAT2 ✓ | Data Storage: CAT1 ✓, CAT2 ✓

7. Audit trails should be in place for BYOD online access to the member bank’s corporate network.
   Read Only Access: CAT1 ✓, CAT2 ✓ | Data Storage: CAT1 ✓, CAT2 ✓

8. Staff should be specifically required (e.g. in the terms and conditions) and reminded that passcode controls such as alphanumeric passcodes, minimum passcode length and complexity, and lockout controls (where appropriate), in line with corporate policy, should be in place at device level. Where the device’s passcode is related to the strength of the encryption in control B.4, complex passcode and lockout controls at device level should be enforced by effective system controls. In general, a stronger passcode helps reduce the risk that the device will be jailbroken/rooted or that the encrypted data will be compromised.
   Data Storage: CAT1 O, CAT2 ✓

B.2 Application Vetting (for mobile devices only)

1. A reasonable process should be in place to establish and promptly update a blacklist of well-known malicious apps (e.g. update the blacklist based on the security alerts provided by third-party security vendors, etc.).
   Read Only Access: CAT1 ✓, CAT2 ✓ | Data Storage: CAT1 ✓, CAT2 ✓

2. Staff should be specifically required (e.g. in the terms and conditions) and reminded not to install apps on the blacklist.
   Read Only Access: CAT1 ✓, CAT2 ✓ | Data Storage: CAT1 ✓, CAT2 ✓

3. The risk assessment mentioned in control A.3 should cover whether the device effectively restricts users to downloading apps only from an App Store with an effective and proper vetting process. If such control is not enforced effectively by the device or is optional to users, effective system controls should be in place to enforce download of apps only from an App Store with an effective and proper vetting process or other reliable sources.
   Read Only Access: CAT1 O, CAT2 O | Data Storage: CAT1 O, CAT2 ✓

B.3 Protection against malicious apps/virus

1. Effective sandbox architecture and controls should be enforced at OS level.
   Read Only Access: CAT1 1 or 2(a)³, CAT2 1 or 2(a&b)⁴ | Data Storage: CAT1 1 or 2(a&b)⁴, CAT2 ✓

For devices not supporting sandbox architecture:

2(a). Staff should be specifically required (e.g. in the terms and conditions) and reminded to install anti-virus software and the latest virus definitions.
   Read Only Access: CAT1 1 or 2(a)³, CAT2 1 or 2(a&b)⁴ | Data Storage: CAT1 1 or 2(a&b)⁴, CAT2 N/A⁵

2(b). Effective measures (e.g. member banks to provide anti-virus software to relevant staff) or system controls should be in place to ensure that only BYOD devices with the latest version of anti-virus software and the latest virus definitions are allowed to connect to the member bank’s network and systems.
   Read Only Access: CAT1 O, CAT2 1 or 2(a&b)⁴ | Data Storage: CAT1 1 or 2(a&b)⁴, CAT2 N/A⁵

B.4 Encryption of Data stored in Devices (i.e. encrypt the member bank’s and customers’ data)
Read Only Access: Not applicable.

1. Effective system controls should be implemented to ensure that corporate data can only be stored in the secure container, which should prohibit such data from being copied, sent via non-corporate e-mails, synchronized to other devices/cloud/other storage media, etc.
   Data Storage: CAT1 ✓, CAT2 ✓

³ For devices not supporting sandbox architecture, control B.3.2(a) should be implemented as a substitute for control B.3.1.
⁴ For devices not supporting sandbox architecture, controls B.3.2(a) and B.3.2(b) should be implemented as substitutes for control B.3.1.
⁵ For the avoidance of doubt, only devices supporting sandbox architecture at OS level can be used for CAT2 with data storage. As such, this control is not applicable.

2. The secure container should be encrypted by internationally recognized strong cryptographic algorithms.
   Data Storage: CAT1 ✓, CAT2 ✓

3. Sound key management practices and mechanisms, with internationally recognized strong cryptographic module certification, should be implemented to safeguard the cryptographic keys used for data encryption.
   Data Storage: CAT1 ✓, CAT2 ✓

4. If the ultimate encryption keys are stored in the BYOD device, such encryption keys should be protected by secure hardware chips. (Note: mobile devices should only be selected if they can fulfil this requirement.)
   Data Storage: CAT1 O, CAT2 ✓⁶

B.5 Data Protection

1. Staff should be specifically required (e.g. in the terms and conditions) and reminded not to jailbreak/root the mobile devices.
   Read Only Access: CAT1 ✓, CAT2 ✓ | Data Storage: CAT1 ✓, CAT2 ✓

Effective system controls should be implemented to enforce the following:

2. Effective and timely detection of jailbreak/rooting (including, among others, immediate local detection upon jailbreak/rooting, etc.) should be in place. For BYOD with Read Only Access this control applies to mobile devices.
   Read Only Access: CAT1 O, CAT2 ✓ | Data Storage: CAT1 ✓, CAT2 ✓

⁶ For the avoidance of doubt, this control is not applicable if the encryption key of the deployed technologies is robustly derived on the fly and there is no static master key being stored and protected by the device.

3. Prevention of data leakage should be in place.
   Read Only Access (including, among others, prohibiting copy & paste and disallowing local printing, etc.): CAT1 ✓, CAT2 ✓
   Data Storage (including, among others, prohibiting copy & paste, disallowing local printing, disallowing the storage of corporate data on removable SD cards and all other devices/storage media, and disallowing synchronization of the member bank’s data and customer data to other devices/cloud/other storage media, etc.): CAT1 ✓, CAT2 ✓

4. For BYOD with Read Only Access: data stored in memory and/or temporary files should be deleted immediately upon normal termination of the session.
   Read Only Access: CAT1 ✓, CAT2 ✓
   For BYOD with Data Storage: the member bank’s data and customer data should be wiped immediately after detection of violations (including, among others, the password retry count exceeding the maximum number of retry attempts, jailbreak, loss of device, etc.).
   Data Storage: CAT1 ✓, CAT2 ✓

5. Member banks should have a proper process in place to handle and report in a timely manner lost devices and devices to be disposed of (including transfer of ownership). Member banks should take all necessary actions to prevent unauthorized access to the data stored in the Secure Container.
   Data Storage: CAT1 ✓, CAT2 ✓

B.6 Security Patching / Operating System (OS) Updates

1. Staff should be specifically required (e.g. in the terms and conditions) and reminded to install security patches and OS updates according to the company policy.
   Read Only Access: CAT1 ✓, CAT2 ✓ | Data Storage: CAT1 ✓, CAT2 ✓

2. Member banks should promptly inform staff of important security patches or OS updates and, where appropriate, require staff to confirm the installation of the patches or OS updates.
   Read Only Access: CAT1 ✓, CAT2 ✓ | Data Storage: CAT1 ✓, CAT2 ✓

3. Effective system controls should be implemented to ensure that only BYOD devices with the required security patches (only applicable to PC) and/or OS updates which align with corporate policies/standards are allowed to connect to the member bank’s network and systems.
   Read Only Access: CAT1 O, CAT2 O | Data Storage: CAT1 ✓, CAT2 ✓

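The section 5B matrix mixes plain mandatory/optional cells with substitution pairs (B.1.2(a)/(b), B.3.1 versus B.3.2(a)/(b)) and footnote conditions (only sandboxed devices for CAT2 with Data Storage; B.4.4 not applicable without a static master key on the device). The following Python example, added here and not part of the HKAB standard, encodes a subset of that matrix as data and evaluates a constructed device-posture record against it, separating blocking gaps (mandatory controls not met) from advisory ones (optional controls not met). The DevicePosture field names and the sample postures are assumptions made for illustration, not terms defined by the standard; a bank would populate such a record from its own device registration and compliance checks.

```python
"""Evaluate a BYOD device posture against part of the HKAB section 5B matrix.

Added example, not part of the HKAB standard. The DevicePosture fields and
the sample postures below are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

READ_ONLY, DATA_STORAGE = "read_only", "data_storage"   # BYOD implementation types
CAT1, CAT2 = "CAT1", "CAT2"                              # data access categories


@dataclass
class DevicePosture:
    """What the bank's registration/compliance checks know about a device (assumed fields)."""
    implementation: str                        # READ_ONLY or DATA_STORAGE
    category: str                              # CAT1 or CAT2
    mobile: bool                               # B.2 and jailbreak controls concern mobile devices
    registered: bool = False                   # B.1.2(a): device pre-registered with the bank
    two_factor: bool = False                   # B.1.2(b): 2FA when connecting
    app_store_restricted: bool = False         # B.2.3: downloads limited to a vetted App Store
    os_sandbox: bool = False                   # B.3.1: OS-level sandbox architecture
    antivirus_installed: bool = False          # B.3.2(a): anti-virus with latest definitions
    antivirus_current_enforced: bool = False   # B.3.2(b): AV currency enforced at connection
    static_key_on_device: bool = False         # footnote 6: a static master key is stored on the device
    key_in_secure_hardware: bool = False       # B.4.4: that key is protected by secure hardware
    jailbreak_detection: bool = False          # B.5.2: timely jailbreak/rooting detection
    patch_level_enforced: bool = False         # B.6.3: patch/OS level enforced at connection


@dataclass
class Result:
    allowed: bool
    blocking: list[str] = field(default_factory=list)   # mandatory controls not met
    advisory: list[str] = field(default_factory=list)   # optional controls not met


# Single-cell rows of the matrix: (label, posture field, applicability, applies-to predicate).
# A (implementation, category) key absent from the applicability dict means "not applicable".
SIMPLE_ROWS = [
    ("B.2.3 app-store download restriction", "app_store_restricted",
     {(READ_ONLY, CAT1): "optional", (READ_ONLY, CAT2): "optional",
      (DATA_STORAGE, CAT1): "optional", (DATA_STORAGE, CAT2): "mandatory"},
     lambda p: p.mobile),                      # B.2 is for mobile devices only
    ("B.4.4 encryption key protected by secure hardware", "key_in_secure_hardware",
     {(DATA_STORAGE, CAT1): "optional", (DATA_STORAGE, CAT2): "mandatory"},
     lambda p: p.static_key_on_device),        # footnote 6: N/A without a static master key
    ("B.5.2 jailbreak/rooting detection", "jailbreak_detection",
     {(READ_ONLY, CAT1): "optional", (READ_ONLY, CAT2): "mandatory",
      (DATA_STORAGE, CAT1): "mandatory", (DATA_STORAGE, CAT2): "mandatory"},
     lambda p: p.mobile),
    ("B.6.3 patch/OS level enforced at connection", "patch_level_enforced",
     {(READ_ONLY, CAT1): "optional", (READ_ONLY, CAT2): "optional",
      (DATA_STORAGE, CAT1): "mandatory", (DATA_STORAGE, CAT2): "mandatory"},
     lambda p: True),
]


def evaluate(p: DevicePosture) -> Result:
    """Return blocking and advisory gaps for the device; allowed only if nothing blocks."""
    key = (p.implementation, p.category)
    result = Result(allowed=True)

    def check(label: str, level: str | None, met: bool) -> None:
        if level is None or met:          # not applicable, or satisfied
            return
        (result.blocking if level == "mandatory" else result.advisory).append(label)

    # B.1.2(a)/(b): substitution pair (footnote 1); both required for CAT2 with Data Storage (footnote 2).
    if key == (DATA_STORAGE, CAT2):
        check("B.1.2(a) registered device", "mandatory", p.registered)
        check("B.1.2(b) two-factor authentication", "mandatory", p.two_factor)
    else:
        check("B.1.2(a) or B.1.2(b)", "mandatory", p.registered or p.two_factor)

    # B.3: OS sandbox, or the anti-virus substitutes on devices without one (footnotes 3 to 5).
    av_both = p.antivirus_installed and p.antivirus_current_enforced
    if key == (DATA_STORAGE, CAT2):
        check("B.3.1 OS-level sandbox (only sandboxed devices permitted)", "mandatory", p.os_sandbox)
    elif key == (READ_ONLY, CAT1):
        check("B.3.1 or B.3.2(a)", "mandatory", p.os_sandbox or p.antivirus_installed)
        check("B.3.2(b) anti-virus currency enforced", "optional",
              p.os_sandbox or p.antivirus_current_enforced)
    else:
        check("B.3.1 or B.3.2(a&b)", "mandatory", p.os_sandbox or av_both)

    for label, attr, matrix, applies in SIMPLE_ROWS:
        if applies(p):
            check(label, matrix.get(key), getattr(p, attr))

    result.allowed = not result.blocking
    return result


if __name__ == "__main__":
    # Constructed sample postures, not real device data.
    samples = [
        DevicePosture(READ_ONLY, CAT1, mobile=True, two_factor=True, antivirus_installed=True),
        DevicePosture(DATA_STORAGE, CAT2, mobile=False, registered=True, two_factor=True,
                      os_sandbox=True, static_key_on_device=True, patch_level_enforced=True),
    ]
    for s in samples:
        r = evaluate(s)
        print(f"{s.implementation}/{s.category}: allowed={r.allowed} "
              f"blocking={r.blocking} advisory={r.advisory}")
```

The point of keeping the matrix as data and the substitution pairs as explicit branches is that the access-control and anti-virus rows cannot be expressed as one cell each: a device that meets B.1.2(b) but not B.1.2(a) passes for every combination except CAT2 with Data Storage, and a device without an OS sandbox is refused outright for CAT2 with Data Storage regardless of its anti-virus state. Running the second sample shows a laptop that satisfies every other control still being blocked because its static master key is not protected by secure hardware (B.4.4); clearing static_key_on_device makes B.4.4 not applicable, as footnote 6 provides.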
