HKMA has recently completed an onsite examination of certain banks' controls over customer data protection and published a list of common controls issues identified:
Compliance with PDPO and Regulatory Requirements:
- Keeping personal data longer than the data retention period stated in customer agreements
- Not performing more stringent background checks on potential employees and contractors who need access to sensitive customer data
- Conduct of compliance reviews of statutory and regulatory requirements and internal security policies on a regular basis
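The first finding above (personal data kept past the retention period in the customer agreement) is the kind of thing a periodic retention sweep catches. The script below is an added illustration, not code from the HKMA or any bank; the record layout, the per-agreement retention periods and the sample records are all constructed for this example.

```python
"""Retention sweep: flag personal-data records held beyond the retention
period stated in the customer agreement. Added illustration, not HKMA or
bank code; record layout and retention periods are assumptions."""
from datetime import date, timedelta

# Assumed retention periods in days per agreement type (constructed values;
# a real sweep would read these from the governing customer agreements).
RETENTION_DAYS = {
    "savings": 7 * 365,
    "credit_card": 5 * 365,
    "marketing_consent": 2 * 365,
}

# Constructed sample records: (record_id, agreement_type, relationship_end_date)
SAMPLE_RECORDS = [
    ("R1", "savings", date(2015, 1, 10)),
    ("R2", "credit_card", date(2020, 6, 1)),
    ("R3", "marketing_consent", date(2023, 3, 15)),
    ("R4", "credit_card", date(2010, 9, 30)),
    ("R5", "loan", date(2012, 2, 1)),        # no retention period defined
]


def overdue_records(records, today, retention=RETENTION_DAYS):
    """Return (record_id, days_overdue) for records past their retention period.

    Records whose agreement type has no defined retention period are skipped
    here and surfaced by unknown_types(), so they are reviewed rather than
    silently kept or deleted."""
    result = []
    for rec_id, agreement, end_date in records:
        if agreement not in retention:
            continue
        expiry = end_date + timedelta(days=retention[agreement])
        if today > expiry:
            result.append((rec_id, (today - expiry).days))
    return result


def unknown_types(records, retention=RETENTION_DAYS):
    """Agreement types present in the data but missing from the retention table."""
    return sorted({agreement for _, agreement, _ in records if agreement not in retention})


if __name__ == "__main__":
    today = date(2024, 1, 1)  # fixed date so the run is reproducible
    for rec_id, days in overdue_records(SAMPLE_RECORDS, today):
        print(f"{rec_id}: {days} days past retention; schedule deletion or anonymisation")
    for agreement in unknown_types(SAMPLE_RECORDS):
        print(f"no retention period defined for agreement type {agreement!r}; escalate")
```

Overdue records are reported rather than deleted in place: a real sweep would hand the list to a deletion job that runs under change control and writes its own audit trail.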
Security Controls over Electronic Data:
- Lack of controls to protect sensitive customer data stored in portable computing devices and removable storage devices
- Not adopting data encryption for computer tapes transported between premises
- Not preventing users from copying customer data from workstations to removable storage devices
- Audit logs of customer data access activities for regular reviews
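The last item (audit logs of customer data access kept for regular review) is only useful if someone actually reviews them against a few concrete criteria. The following is an added example of such a review pass, not code from the page or any bank; the log line format, the business-hours window, the bulk-access threshold and the sample log lines are all constructed for this illustration.

```python
"""Periodic review of customer-data access logs. Added example, not code
from the page or any bank; log format and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log line format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"customer=(?P<customer>\S+) src=(?P<src>\S+)$"
)

# Constructed sample audit log: one export, one out-of-hours burst by a
# contractor account, and one malformed line.
SAMPLE_LOG = """\
2024-03-04T09:12:01 user=teller01 action=VIEW customer=C1001 src=10.1.2.10
2024-03-04T09:15:44 user=teller01 action=VIEW customer=C1002 src=10.1.2.10
2024-03-04T10:02:13 user=ops07 action=EXPORT customer=C2001 src=10.1.9.4
2024-03-04T23:41:05 user=contractor3 action=VIEW customer=C3001 src=10.1.5.7
2024-03-04T23:41:09 user=contractor3 action=VIEW customer=C3002 src=10.1.5.7
2024-03-04T23:41:12 user=contractor3 action=VIEW customer=C3003 src=10.1.5.7
2024-03-04T23:41:15 user=contractor3 action=VIEW customer=C3004 src=10.1.5.7
garbled line that should be reported, not silently dropped
"""

BUSINESS_HOURS = range(8, 19)        # 08:00-18:59 local time, assumed
BULK_THRESHOLD = 3                   # distinct customers per user per day, assumed
SENSITIVE_ACTIONS = {"EXPORT", "PRINT"}


def parse(log_text):
    """Return (events, unparsed_lines); unparsed lines are kept for reporting."""
    events, bad = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            bad.append(line)
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, bad


def review(log_text):
    """Produce review findings as a list of (category, user, detail) tuples."""
    events, bad = parse(log_text)
    # Lines the parser could not read are findings in their own right:
    # a log that cannot be read cannot be reviewed.
    findings = [("unparsed", "-", line) for line in bad]
    per_user_day = defaultdict(set)
    for ev in events:
        if ev["action"] in SENSITIVE_ACTIONS:
            findings.append(("sensitive_action", ev["user"],
                             f'{ev["action"]} {ev["customer"]}'))
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("out_of_hours", ev["user"], ev["ts"].isoformat()))
        per_user_day[(ev["user"], ev["ts"].date())].add(ev["customer"])
    # Bulk access: one account touching many distinct customers in a day.
    for (user, day), customers in sorted(per_user_day.items()):
        if len(customers) >= BULK_THRESHOLD:
            findings.append(("bulk_access", user, f"{len(customers)} customers on {day}"))
    return findings


if __name__ == "__main__":
    for category, user, detail in review(SAMPLE_LOG):
        print(f"{category:16} {user:12} {detail}")
```

The review returns findings rather than printing them so the same function can feed a ticketing system or a monthly report; the thresholds are deliberately simple so that the reviewer, not the script, decides whether a flagged access was legitimate.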
Security Controls over Hardcopy Documents:
- Not providing staff and service providers with guidance on handling sensitive hardcopy documents outside bank premises
- Insufficient surveillance controls (e.g. CCTV) in certain highly sensitive areas (e.g. computer tape rooms)
- Confidential waste bags are left unattended after office hours in public office areas
Other Areas for Improvement:
- Not fully setting out the contractual liabilities and obligations of service providers in outsourced service contracts
- Regular security training arranged for all relevant employees of outside service providers
- Adequate incident management procedures for loss or unauthorized access of customer data