AgentSure
Tier 2A · guideline · MAS · v2021.01 · 2021-01-18

MAS Technology Risk Management Guidelines

Aliases: TRM Guidelines · MAS TRM · TRM 2021

Purpose

Sets out MAS's expectations on technology risk governance, IT operations, system reliability, cybersecurity, and IT audit for all FIs.

Atomic clauses: 360
AI-specific: 0
Cross-document links: 61
Pages: 56 pp

Atomic clauses (360)

should · §1.3

Each FI should seek to understand their exposure to technology risks and put in place a robust risk management framework to ensure IT and cyber resilience.

governance.policy

should · §1.4(a)

The board of directors and senior management should cultivate a strong risk culture, and ensure the establishment of a sound and robust technology risk management framework.

governance.board-oversight · governance.accountability

should · §1.4(b)

It is also important that FIs establish and continuously improve their IT processes and controls to preserve confidentiality, integrity and availability of data and IT systems.

cyber.access-control · data.lineage

should · §1.4(b)

FIs should adopt a defence-in-depth approach to strengthening cyber resilience.

cyber.access-control · cyber.malware · cyber.patching

should · §10.1.2

The FI should also select an appropriate algorithm and encryption key length that meet its security objectives and requirements.

cyber.access-control

should · §10.1.2

The FI should adopt cryptographic algorithms from well-established international standards.

cyber.access-control

should · §10.1.3

Where the security of the cryptographic algorithm depends on the unpredictability of a random seed or number, the FI should ensure the seed or random number is of sufficient length and randomness.

cyber.access-control

should · §10.1.4

The FI should ensure all cryptographic algorithms used have been subject to rigorous testing or vetting to meet the identified security objectives and requirements.

cyber.access-control

should · §10.1.5

The FI should monitor developments in the area of cryptanalysis and, where necessary, update or change the cryptographic algorithms or increase the key lengths to ensure they remain resilient against evolving threats.

cyber.patching

should · §10.2.1

Cryptographic key management policy, standards and procedures covering key generation, distribution, installation, renewal, revocation, recovery and expiry should be established.

cyber.access-control

should · §10.2.10

The FI should maintain backups of cryptographic keys for recovery purposes and accord them a high level of protection.

cyber.access-control

should · §10.2.2

The FI should ensure cryptographic keys are securely generated and protected from unauthorised disclosure.

cyber.access-control

should · §10.2.2

Any cryptographic key or sensitive data used to generate or derive the keys should also be protected or securely destroyed after the key is generated.

cyber.access-control

should · §10.2.3

The cryptographic key should be securely replaced before it expires at the end of its lifespan.

cyber.access-control

should · §10.2.3

The FI should determine the appropriate lifespan of each cryptographic key based on factors, such as the sensitivity of the data, the criticality of the system to be protected, and the threats and risks that the data or system may be exposed to.

cyber.access-control

should · §10.2.4

To protect sensitive cryptographic keys, the FI should manage, process and store such keys in hardened and tamper resistant systems, e.g. by using a hardware security module.

cyber.access-control

should · §10.2.5

Where sensitive cryptographic keys need to be transmitted, the FI should ensure these keys are not exposed during transmission. The keys should be distributed to the intended recipient via an out-of-band channel or other secure means to minimise the risk of interception.

cyber.access-control

should · §10.2.6

Cryptographic keys should be used for a single purpose. For instance, the cryptographic key for data encryption should be different from the one that is used to generate cryptographic digital signatures.

cyber.access-control

should · §10.2.7

If a cryptographic key is found to be compromised, the FI should revoke and replace the key and all other keys whose security could also be compromised as a result of the exposed key.

cyber.access-control

should · §10.2.8

When cryptographic keys have expired or have been revoked, the FI should use a secure key destruction method to ensure the keys are not recoverable.

cyber.access-control

should · §10.2.9

When replacing or renewing a compromised or expiring cryptographic key, the FI should generate the new key in a manner such that any adversary who has knowledge of part or whole of the previous key will not be able to derive the new key from it.

cyber.access-control

should · §11.1.1

The FI should develop comprehensive data loss prevention policies and adopt measures to detect and prevent unauthorised access, modification, copying, or transmission of its confidential data, taking into consideration data in motion, data at rest, and data in use.

data.lineage · cyber.access-control · governance.policy

should · §11.1.2

The FI should ensure systems managed by the FI’s service providers are accorded the same level of protection and subject to the same security standards.

third-party.due-diligence · cyber.access-control

should · §11.1.2

The FI should implement appropriate measures to prevent and detect data theft, as well as unauthorised modification in systems and endpoint devices.

cyber.access-control · cyber.malware

should · §11.1.3

Confidential data stored in systems and endpoint devices should be encrypted and protected by strong access controls.

cyber.access-control · data.lineage

should · §11.1.4

The FI should ensure only authorised data storage media, systems and endpoint devices are used to communicate, transfer, or store confidential data.

cyber.access-control · data.lineage

should · §11.1.5

Security measures should be implemented to prevent and detect the use of unauthorised internet services which allow users to communicate or store confidential data.

cyber.access-control · data.lineage

should · §11.1.6

The FI should ensure appropriate controls are implemented in non-production environments to manage the access and removal of such data to prevent data leakage. Where possible, such data should be masked in the non-production environments.

data.lineage · cyber.access-control

should · §11.1.6

The use of sensitive production data in non-production environments should be restricted. In exceptional situations where such data needs to be used in non-production environments, proper approval has to be obtained from senior management.

data.lineage · data.quality · governance.accountability

should · §11.1.7

The FI should ensure confidential data is irrevocably deleted from storage media, systems and endpoint devices before they are disposed of or redeployed.

data.lineage · cyber.access-control

should · §11.2.1

The FI should install network security devices such as firewalls to secure the network between the FI and the Internet, as well as connections with third parties.

cyber.access-control · third-party.due-diligence

should · §11.2.2

To minimise the risk of cyber threats, such as lateral movement and insider threat, the FI should deploy effective security mechanisms to protect information assets. Information assets could be grouped into network segments based on the criticality of systems, the system’s functional role (e.g. database and application) or the sensitivity of the data.

cyber.access-control · cyber.malware

should · §11.2.3

Network intrusion prevention systems should be deployed in the FI’s network to detect and block malicious network traffic.

cyber.access-control · cyber.malware

should · §11.2.4

The FI should implement network access controls to detect and prevent unauthorised devices from connecting to its network.

cyber.access-control

should · §11.2.5

Obsolete rules and insecure network protocols should be removed promptly as these can be exploited to gain unauthorised access to the FI’s network and systems.

cyber.access-control · cyber.patching

should · §11.2.5

Network access control rules in network devices such as firewalls, routers, switches and access points should be reviewed on a regular basis to ensure they are kept up-to-date.

cyber.access-control · cyber.patching

consider · §11.2.6

The FI should consider isolating internet web browsing activities from its endpoint devices through the use of physical or logical controls, or implement equivalent controls, so as to reduce exposure of its IT systems to cyber attacks.

cyber.access-control · cyber.malware

may · §11.2.7

The FI could engage DoS mitigation service providers to filter potential DoS traffic before it reaches the FI’s network infrastructure.

cyber.access-control · third-party.due-diligence

should · §11.2.7

Effective DoS protection should be implemented to detect and respond to various types of DoS attacks.

cyber.access-control

should · §11.2.8

A review of the FI’s network architecture, including the network security design, as well as system and network interconnections, should be conducted on a periodic basis to identify potential cyber security vulnerabilities.

cyber.pentest · cyber.access-control

should · §11.3.1

The standards should be reviewed periodically for relevance and effectiveness.

governance.policy

should · §11.3.1

The security standards for the FI’s hardware and software (e.g. operating systems, databases, network devices and endpoint devices) should outline the configurations that will minimise their exposure to cyber threats.

cyber.access-control

should · §11.3.2

Risks arising from deviations should be addressed in a timely manner.

governance.policy

should · §11.3.2

The FI should establish a process to verify that the standards are applied uniformly on systems and to identify deviations from the standards.

cyber.access-control

should · §11.3.3

Endpoint protection, which includes but is not limited to behavioural-based and signature-based solutions, should be implemented to protect the FI from malware infection and address common delivery channels of malware, such as malicious links, websites, email attachments or infected removable storage media.

cyber.malware

should · §11.3.4

The FI should ensure that anti-malware signatures are kept up-to-date and the systems are regularly scanned for malicious files or anomalous activities.

cyber.malware

should · §11.3.5

The FI should implement detection and response mechanisms to perform scanning of indicators of compromise (IOCs) in a timely manner, and proactively monitor the processes of its systems, including endpoint systems, for anomalies and suspicious activities.

cyber.incident-reporting

should · §11.3.6

Security measures, such as application white-listing, should be implemented to ensure only authorised software is allowed to be installed on the FI’s systems.

cyber.access-control · cyber.malware

should · §11.3.7

When implementing Bring Your Own Device (BYOD), the FI should conduct a comprehensive risk assessment and implement appropriate measures to secure its BYOD environment before allowing staff to use their personal devices to access the corporate network.

cyber.access-control · third-party.due-diligence

should · §11.4.1

The FI should ensure security standards are established for all components of a virtualisation solution.

cyber.access-control · governance.policy

should · §11.4.2

Strong access controls should be implemented to restrict administrative access to the hypervisor and host operating system as both control the guest operating systems and other components in the virtual environment.

cyber.access-control

should · §11.4.3

The FI should establish policies and standards to manage virtual images and snapshots. The standards should include details that govern the security, creation, distribution, storage, use, retirement and destruction of virtual images and snapshots so as to protect these assets against unauthorised access or modification.

cyber.access-control · governance.policy

should · §11.5.1

The FI should maintain an inventory of all its IoT devices, including information such as the networks which they are connected to and their physical locations.

cyber.access-control

should · §11.5.2

The FI should assess and implement processes and controls to mitigate risks arising from IoT.

cyber.access-control

should · §11.5.3

The network that hosts IoT devices should be secured.

cyber.access-control

should · §11.5.3

The FI should host IoT devices in a separate network segment from the network that hosts the FI's systems and confidential data.

cyber.access-control

should · §11.5.4

The FI should implement controls to prevent unauthorised access to IoT devices.

cyber.access-control

should · §11.5.5

The FI should monitor IoT devices for suspicious or anomalous system activities so that prompt actions can be taken to isolate compromised devices.

cyber.access-control

should · §12.1.1

The FI should establish a process to collect, process and analyse cyber-related information for its relevance and potential impact to the FI’s business and IT environment.

cyber.incident-reporting

should · §12.1.2

The FI should procure cyber intelligence monitoring services.

cyber.incident-reporting

should · §12.1.2

The FI should actively participate in cyber threat information-sharing arrangements with trusted parties to share and receive timely and actionable cyber threat information.

cyber.incident-reporting

consider · §12.1.3

The FI should consider engaging external media monitoring services to facilitate the evaluation and identification of online misinformation.

cyber.incident-reporting

should · §12.1.3

The FI should establish a process to detect and respond to misinformation related to the FI that is propagated via the Internet.

cyber.incident-reporting

should · §12.2.1

The processes, roles and responsibilities for security operations should be defined.

governance.raci

should · §12.2.1

The FI should establish a security operations centre or acquire managed security services.

cyber.incident-reporting

should · §12.2.2

A process to collect, process, review and retain system logs should be established to facilitate the FI’s security monitoring operations.

cyber.incident-reporting

should · §12.2.2

These logs should be protected against unauthorised access.

cyber.access-control

should · §12.2.3

To facilitate identification of anomalies, the FI should establish a baseline profile of each IT system’s routine activities and analyse the system activities against the baseline profiles.

cyber.access-control · model-risk.monitoring

should · §12.2.3

The profiles should be regularly reviewed and updated.

model-risk.monitoring

should · §12.2.4

The FI should consider applying user behavioural analytics to enhance the effectiveness of security monitoring.

cyber.access-control · model-risk.monitoring

should · §12.2.5

Correlation of multiple events registered on system logs should be performed to identify suspicious or anomalous system activity patterns.

cyber.access-control · model-risk.monitoring

should · §12.2.6

A process should be established to ensure timely escalation to relevant stakeholders regarding suspicious or anomalous system activities or user behaviour.

cyber.incident-reporting

should · §12.3.1

The FI should establish a cyber incident response and management plan to swiftly isolate and neutralise a cyber threat and to securely resume affected services.

cyber.incident-reporting

should · §12.3.1

The plan should describe communication, coordination and response procedures to address plausible cyber threat scenarios.

cyber.incident-reporting

should · §12.3.2

The investigation should also evaluate the full extent of the impact to the FI.

cyber.incident-reporting

should · §12.3.2

As part of the plan, the FI should establish a process to investigate and identify the security or control deficiencies that resulted in the security breach.

cyber.incident-reporting

should · §12.3.3

Information from cyber intelligence and lessons learnt from cyber incidents should be used to enhance the existing controls or improve the cyber incident management plan.

cyber.incident-reporting

should · §13.1.1

The frequency of VA should be commensurate with the criticality of the IT system and the security risk to which it is exposed.

cyber.patching · cyber.pentest

should · §13.1.1

The FI should establish a process to conduct regular vulnerability assessment (VA) on its IT systems to identify security vulnerabilities and ensure risks arising from these gaps are addressed in a timely manner.

cyber.patching · cyber.pentest

should · §13.1.2

For web-based systems, the scope of VA should include checks on common web-based vulnerabilities.

cyber.pentest

should · §13.1.2

When performing VA, the scope should minimally include vulnerability discovery, identification of weak security configurations, and open network ports, as well as application vulnerabilities.

cyber.pentest · cyber.patching

should · §13.2.1

A combination of blackbox and greybox testing should be conducted for online financial services.

cyber.pentest

should · §13.2.1

The FI should carry out penetration testing (PT) to obtain an in-depth evaluation of its cyber security defences.

cyber.pentest

may · §13.2.2

The FI may consider conducting a bug bounty programme to test the security of its IT infrastructure to complement its PT.

cyber.pentest

should · §13.2.3

PT should be conducted on the production environment.

cyber.pentest

should · §13.2.3

Proper safeguards should be implemented when PT is conducted on the production environment.

cyber.pentest · cyber.access-control

is-expected · §13.2.4

For systems that are directly accessible from the Internet, the FI is expected to conduct PT to validate the adequacy of the security controls at least once annually or whenever these systems undergo major changes or updates.

cyber.pentest

should · §13.3.1

The FI should carry out regular scenario-based cyber exercises to validate its response and recovery, as well as communication plans against cyber threats.

cyber.incident-reporting

should · §13.3.2

Depending on the exercise objectives, the FI should involve relevant stakeholders, including senior management, business functions, corporate communications, crisis management team, service providers, and technical staff responsible for cyber threat detection, response and recovery.

governance.raci

should · §13.4.1

The FI should perform an adversarial attack simulation exercise to test and validate the effectiveness of its cyber defence and response plan against prevalent cyber threats.

cyber.pentest · cyber.incident-reporting

should · §13.4.2

The objectives, scope and rules of engagement should be defined before the commencement of the exercise, and the exercise should be conducted in a controlled manner under close supervision to ensure the activities carried out by the red team do not disrupt the FI’s production systems.

cyber.pentest · cyber.access-control

should · §13.5.1

The threat scenario should be designed and based on challenging but plausible cyber threats.

cyber.pentest

may · §13.5.2

The FI could also design the exercise scenario by using threat intelligence that is relevant to their IT environment to identify threat actors who are most likely to pose a threat to the FI; and identify the tactics, techniques and procedures most likely to be used in such attacks.

cyber.pentest · cyber.incident-reporting

should · §13.6.1

A comprehensive remediation process should be established to track and resolve issues identified from the cyber security assessments or exercises.

cyber.incident-reporting

should · §13.6.1(a)

The process should minimally include severity assessment and classification of an issue.

cyber.incident-reporting

should · §13.6.1(b)

The process should minimally include timeframes to remediate issues of different severity.

cyber.incident-reporting

should · §13.6.1(c)

The process should minimally include risk assessment and mitigation strategies to manage deviations from the framework.

cyber.incident-reporting

should · §14.1.1

In delivering online financial services, the FI should implement security and control measures which are commensurate with the risk involved to ensure the security of data and online services.

cyber.access-control

should · §14.1.2

The FI should secure its communications channels to protect customer data. This can be achieved through data encryption and digital signatures.

cyber.access-control · data.lineage

should · §14.1.3

Adequate measures should also be taken to minimise exposure of the FI’s online financial services to common attack vectors such as code injection attack, cross-site scripting, man-in-the-middle attack (MITMA), domain name system (DNS) hijacking, distributed denial of service (DDoS), malware and spoofing attacks.

cyber.malware · cyber.patching · cyber.pentest

Source

https://www.mas.gov.sg/-/media/mas/regulations-and-financial-stability/regulatory-and-supervisory-framework/risk-management/trm-guidelines-18-jan-2021.pdf

Statutory basis: MAS supervisory guideline (comply-or-explain)