1. BACKGROUND
In view of the advances in mobile computing technologies and the emerging need for bank employees to access corporate data safely and remotely for work-related purposes (e.g. to manage and handle operational incidents in a timely manner, for business continuity purposes), HKAB supports Bring Your Own Device (BYOD) in the Hong Kong banking industry. The implementation of BYOD must have sufficient security controls that are close to the protection implemented for computing devices owned by banks, especially for access to Consumer & Personal Data.

HKAB, in consultation with the Hong Kong Monetary Authority (HKMA), has developed this document to set out the minimum controls for BYOD implementation. Such minimum control standards may be updated by HKAB from time to time in the light of technological change, and such updates should be supported by the HKMA. Member banks are expected to adopt all the control requirements stipulated in section 5 of this paper if they are to implement a BYOD program.

The control requirements aim at addressing the key risks of BYOD, including the risks of malicious applications or software installed on the devices, loss of devices, leakage of information when it is stored on or transmitted between the devices and the bank’s systems, and unauthorized access to the bank’s systems via the devices. This standard adopts a two-tier approach to protecting customer data which is commensurate with the risk of loss or leakage of customer data via BYOD.

In order to apply the most practical control measures, it is proposed that BYOD implementation can be categorised into TWO types based on the sensitivity of data access:

CATEGORY 1 (CAT1): BYOD for staff whose job duties do not involve accessing Consumer or Personal Data

CATEGORY 2 (CAT2): BYOD for staff whose job duties involve accessing Consumer or Personal Data

Control requirements for these BYOD implementations are differentiated and are defined in section 5B below. Because of the importance of data protection, especially for Consumer or Personal Data, the control requirements for CAT1 can be viewed as a sub-set of those defined for CAT2.
Page 1 of 11
It is possible that a member bank will offer BYOD implementation for CAT1 or CAT2 only, or a combination of both. The relevant member bank would need to demonstrate that its controls are implemented to meet the requirements for the respective category.
4. GLOSSARY
BYOD with Data Storage: This refers to BYOD that will store sensitive data, such as corporate or Consumer or Personal Data, in the local device storage area even after the connection to the member bank’s corporate network is terminated.

BYOD with Read Only Access: This refers to BYOD that will only access the member bank’s corporate network in read only mode, i.e. no sensitive data, such as corporate or Consumer or Personal Data, will be stored in the local device storage area after the connection to the member bank’s corporate network is terminated.
Another example is information about the account numbers of private or retail banking customers together with the names of the account holders.
5. CONTROL REQUIREMENTS
A. The following table contains controls that are required for all BYOD implementations and are applicable to all device types:

A.1 Data classification
  1. Corporate data should be properly classified into different confidentiality levels and protected with appropriate measures. Although some of the controls in section 5B are optional for CAT1, member banks should consider implementing more stringent controls in accordance with the member bank’s data classification and risk assessment results, especially when accessing business customers’ data or internal sensitive data (e.g. network diagrams, firewall rules).
  2. Proper risk assessment of the data being accessed should be performed before allowing systems to be accessed via BYOD. In principle, highly sensitive customer data (e.g. passwords) should not be accessed via BYOD.

A.2 Policies, and terms and conditions
  1. Proper policies should be established to govern the security of BYOD as well as restrictions on member banks’ access to staff’s data on their devices used for BYOD.
  2. Proper terms and conditions in relation to BYOD should be clearly established and signed off between the member bank and its staff. Such terms and conditions should be fair and balanced to both the member banks and their staff. Staff should be given an option on whether to use their devices for BYOD after being informed of the implications for their devices.
  3. Member banks should provide sufficient guidance to staff on the proper usage of BYOD, related security precautions and ways of complying with the terms and conditions related to BYOD. Member banks should also remind staff of the possible disciplinary actions for any violations of the terms and conditions.

A.3 Regular risk assessment on the supportable OS & devices
  Regular risk assessment should be conducted (at least once a year or when there is a major release of a new OS version) to select and review the appropriate device types (for mobile devices only) and OS for BYOD implementation. The assessment should cover the control requirements set out in section 5 of this paper. System controls should be in place to ensure that only those devices fulfilling all the control requirements stipulated in this paper are allowed for BYOD.

A.4 Regular independent certification / audit
  An independent party with sufficient expertise should be engaged to certify the control requirements before any new BYOD initiative is implemented and thereafter at least once annually. If significant issues (e.g. data leakage incidents) or material risks of data leakage are found, the relevant member bank is required to take appropriate actions to mitigate any potential risks promptly and to perform appropriate certification/audit to validate the adequacy of the actions taken. The certification or audit should be performed by the internal audit function or an equivalent independent unit with sufficient technical expertise that is considered to be an independent party.

A.5 Violations of policies and consequences
  Effective control mechanisms should be in place to ensure compliance with the BYOD policies by staff. Where a staff member is found to violate the established policies, the member bank concerned should take appropriate remedial actions.
B. The following table contains controls that are required for different types of BYOD implementation and different categories of data access
(‘O’ for optional control and ‘’ for mandatory control):
B.1
  Read Only Access:
    2(a). Only registered devices should be allowed to access the member bank’s corporate network and systems.
          CAT 1: 2(a) or 2(b)¹; CAT 2: 2(a) or 2(b)¹
    2(b). Strong and effective two-factor authentication (2FA) (such as static login password plus one-time passwords generated by a separate security token, static login password plus non-duplicable digital certificate, etc.) should be in place for authenticating and establishing connection to the member bank’s internal network.
          CAT 1: 2(a) or 2(b)¹; CAT 2: 2(a) or 2(b)¹
    3. Strong password and account lockout controls in line with the corporate policy at application level should be in place.
  Data Storage:
    2(a). Only registered devices should be allowed to access the member bank’s corporate network and systems.
          CAT 1: 2(a) or 2(b)¹; CAT 2: mandatory²
    2(b). Strong and effective two-factor authentication (2FA) (such as static login password plus one-time passwords generated by a separate security token, or static login password plus non-duplicable digital certificate, or pre-registration, etc.) should be in place for authenticating and establishing connection to the member bank’s internal network.
          CAT 1: 2(a) or 2(b)¹; CAT 2: mandatory²
    3. Strong password and account lockout controls in line with the corporate policy at application levels should be in place.
¹ B.1.2(a) and B.1.2(b) denote a pair of substitution controls where at least one of them should be implemented.

² As an example, a unique non-duplicable digital certificate installed on a device together with a static login password can fulfil both control requirements B.1.2(a) and B.1.2(b). If B.1.2(a) is not implemented, there could be cases where Consumer or Personal Data can be accessed from and stored at public devices (e.g. in coffee shops) using 2FA.
Expected Controls | BYOD with Read Only Access (CAT 1, CAT 2) | BYOD with Data Storage (CAT 1, CAT 2)

  Read Only Access and Data Storage:
    4. Effective and proper session timeout controls should be in place for applications connecting to the member bank’s corporate network.
B.2 Application Vetting
  Read Only Access and Data Storage (for mobile devices only):
    1. A reasonable process should be in place to establish and promptly update a blacklist of well-known malicious apps (e.g. update the blacklist based on the security alerts provided by third-party security vendors, etc.).
B.3 Protection against malicious apps/virus
  Read Only Access:
    1. Effective sandbox architecture and controls should be enforced at OS level.
       CAT 1: 1 or 2(a)³; CAT 2: 1 or 2(a&b)⁴
    For devices not supporting sandbox architecture:
    2(a) Staff should be specifically required (e.g. in the terms and conditions) and reminded to install anti-virus software and the latest virus definitions.
       CAT 1: 1 or 2(a)³; CAT 2: 1 or 2(a&b)⁴
    2(b) Effective measures (e.g. member banks to provide anti-virus software to relevant staff) or system controls should be in place to ensure that only BYOD devices with the latest version of anti-virus software and the latest virus definitions are allowed to connect to the member bank’s network and systems.
       CAT 1: O; CAT 2: 1 or 2(a&b)⁴
  Data Storage:
    1. Effective sandbox architecture and controls should be enforced at OS level.
       CAT 1: 1 or 2(a&b)⁴; CAT 2: mandatory (see footnote 5)
    For devices not supporting sandbox architecture:
    2(a) Staff should be specifically required (e.g. in the terms and conditions) and reminded to install anti-virus software and the latest virus definitions.
       CAT 1: 1 or 2(a&b)⁴; CAT 2: N/A⁵
    2(b) Effective measures (e.g. member banks to provide anti-virus software to relevant staff) or system controls should be in place to ensure that only BYOD devices with the latest version of anti-virus software and the latest virus definitions are allowed to connect to the member bank’s network and systems.
       CAT 1: 1 or 2(a&b)⁴; CAT 2: N/A⁵
³ For devices not supporting sandbox architecture, control B.3.2(a) should be implemented to substitute control B.3.1.

⁴ For devices not supporting sandbox architecture, controls B.3.2(a) and B.3.2(b) should be implemented to substitute control B.3.1.

⁵ For the avoidance of doubt, only devices supporting sandbox architecture at OS level can be used for CAT2 with data storage. As such, this control is not applicable.
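As an added example that is not part of the HKAB paper, the following Python evaluator encodes the substitution rules of controls B.1.2 and B.3 above, including footnotes 1 to 5, so a bank's enrolment gateway could state exactly which control a device fails to meet. The Device fields and function names are assumptions; the Data Storage CAT 2 reading of B.1.2 (both 2(a) and 2(b) required) follows footnote 2.

```python
# Added example, not from the HKAB paper: policy evaluator for B.1.2 and B.3.
# Device attributes and function names are assumptions for illustration.
from dataclasses import dataclass


@dataclass
class Device:
    registered: bool    # B.1.2(a): device enrolled with the bank
    two_factor: bool    # B.1.2(b): 2FA used to establish the connection
    os_sandbox: bool    # B.3.1: OS-level sandbox architecture available
    av_installed: bool  # B.3.2(a): AV software and latest definitions present
    av_enforced: bool   # B.3.2(b): system control verifies AV state on connect


def check_b1(d: Device, data_storage: bool, cat: int) -> list[str]:
    """Return the unmet B.1.2 controls (empty list means pass)."""
    if data_storage and cat == 2:
        # Both mandatory; a non-duplicable certificate plus static password
        # can satisfy both at once (footnote 2).
        return [name for ok, name in ((d.registered, "B.1.2(a)"),
                                      (d.two_factor, "B.1.2(b)")) if not ok]
    # Every other column: 2(a) and 2(b) are substitution controls (footnote 1).
    return [] if (d.registered or d.two_factor) else ["B.1.2(a) or B.1.2(b)"]


def check_b3(d: Device, data_storage: bool, cat: int) -> list[str]:
    """Return the unmet B.3 controls (empty list means pass)."""
    if d.os_sandbox:
        return []                       # B.3.1 is met in every column
    if data_storage and cat == 2:
        return ["B.3.1"]                # footnote 5: no substitute permitted
    if not data_storage and cat == 1:   # footnote 3: 2(a) alone substitutes
        return [] if d.av_installed else ["B.3.1 or B.3.2(a)"]
    if d.av_installed and d.av_enforced:
        return []                       # footnote 4: 2(a) and 2(b) substitute
    return ["B.3.1 or B.3.2(a&b)"]


def admit(d: Device, data_storage: bool, cat: int) -> list[str]:
    """Combined B.1.2 and B.3 verdict: the list of unmet controls."""
    return check_b1(d, data_storage, cat) + check_b3(d, data_storage, cat)


if __name__ == "__main__":
    # Constructed sample: a registered, unsandboxed phone with staff-installed
    # AV only.  It is admissible for Read Only CAT 1 and nothing else.
    phone = Device(registered=True, two_factor=False, os_sandbox=False,
                   av_installed=True, av_enforced=False)
    for storage in (False, True):
        for cat in (1, 2):
            label = ("Data Storage" if storage else "Read Only") + f" CAT {cat}"
            print(label, admit(phone, storage, cat) or "admitted")
```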
    2. The secure container should be encrypted by internationally recognized strong cryptographic algorithms.
    3. Sound key management practices and mechanisms with internationally recognized strong cryptographic modules certification should be implemented to safeguard the cryptographic keys for data encryption.
⁶ For the avoidance of doubt, this control is not applicable if the encryption key of the deployed technologies is robustly derived on the fly and there is no static master key being stored and protected by the device.
  Read Only Access:
    3. Prevention of data leakage (including, among others, prohibiting copy & paste, disallowing local printing, etc.).
    4. Data stored in memory and/or temporary files should be deleted immediately upon normal termination of the session.
  Data Storage:
    3. Prevention of data leakage (including, among others, prohibiting copy & paste, disallowing local printing, disallowing the storage of corporate data on removable SD cards and all other devices/storage media, and disallowing synchronization of member bank’s data and customer data to other devices/cloud/other storage media, etc.).
B.6 Security Patching / Operating System (OS) Updates
  Read Only Access and Data Storage:
    1. Staff should be specifically required (e.g. in the terms and conditions) and reminded to install security patches and OS updates according to the company policy.