<iframe src="//www.googletagmanager.com/ns.html?id=GTM-TR8PWW" height="0" width="0" style="display:none;visibility:hidden">

Do You Fulfill Hong Kong Monetary Authority’s General Principles for Technology Risk Management?


Subscribe to Email Updates

We promise to send you awesome stuff you'll want to read more than once.

The commencement of Shanghai-Hong Kong Stock Connect represents not only increasing cross-border trading, but also continuously growing data exchange between financial institutions such as stock exchange authorities, banks, and brokerage firms.

The machine-to-machine (M2M) transactions that power the automation of critical business operations and data transfers are typically protected with some form of data-in-transit encryption.

The Secure Shell protocol is a commonly used encryption method in M2M processes within financial sectors – and has been for nearly two decades. The protocol is an IETF standard, has been subject to extensive scrutiny over the years, and is widely deployed and accepted as a recommended security technology for critical and sensitive data transfers. However, the lack of effective management and carefully controlled deployment, provisioning, access control, monitoring and auditing of encrypted networks can lead to compliance violations with industry and government mandates – as well as to costly breaches.

Hong Kong Monetary Authority (HKMA) published General Principles for Technology Risk Management [TM-G-1] (version V.1 – 24.06.03) to guide financial institutions in managing technology-related risks. While the guidelines are quite high-level and technology-agnostic, they contain several sections which have impact on the way that access controls, privileged users and SSH keys are managed.

As an example, TM-G-1 section 2.2.2 states: “Proper segregation of duties within and among various IT functions is crucial for ensuring an effective IT control environment.” A single individual (e.g. systems administrator) should not have the authority to execute all security functions of an IT system. Administration of access control to servers, and the auditing of operations performed on the servers, should be segregated from the privileges of the administrators who perform administration duties on the same servers. In practice, administrators should not have the capability to deploy access-granting Secure Shell public keys to servers they operate on, without oversight. Similarly, the administrator should not have access to the audit logs or recordings that enforce the accountability of administrator actions.

SSH Communications Security offers two solutions that help to enforce this principle:

(1) Universal SSH Key Manager provides the platform for centralized governance of Secure Shell key-based access.

(2) CryptoAuditor provides independent and transparent auditing and control of encrypted channels, such as Secure Shell and Windows RDP – that is fully segregated from the administrators and hosts that are being monitored.

It’s highly recommended for CISOs, IT security, compliance and audit experts to read our white paper and attend our webinar to understand more about the guidelines and the best practices on securing the encrypted connections.

Read the White Paper: Achieving Effective Compliance – Hong Kong Monetary Authority’s General Principles for Technology Risk Management

Register for the Webinar: How to Comply with HKMA’s General Principles for Technology Risk Management (Tuesday, December 9, 2014 4:00PM – 4:30PM HKT)
Book the demo

AuthorTommi Lampila

Vice President, APACTommi serves as Vice President, APAC and is responsible for sales, business development and channel operations for the region. During his 15 years at the company, Tommi has worked as a product manager for multiple network encryption, authentication, and security management solutions.

Prior to SSH Communications Security, Tommi was an Information Management Engineer at Rautaruukki, a large Finnish steel corporation. He has an masters degree in engineering from the Tampere University of Technology, Finland and carries a CISSP certification.

OPT IN for our newsletter

To be honest, we don’t do much outbound marketing. So if you give us your email, we’re unlikely to spam you.

Subscribe to Email Updates

Want to know more about SSH.COM solutions?

We design best-of-breed commercial solutions for secure access that help our customers win in the global data economy.

Read more about our solutions

Related posts from the SSH.COM blog