The Enhanced Competency Framework on Cybersecurity (ECF-C) is a non-statutory framework which sets out the common core competences required of cybersecurity practitioners in the Hong Kong banking industry.
Please refer to HKMA circular on “Enhanced Competency Framework on Cybersecurity” for details.
To support and facilitate the talent development in the cybersecurity related sector specifically in banking, The Hong Kong Institute of Bankers (HKIB) has developed a learning programme – the “ECF on Cybersecurity (Core Level)” to help individuals attain the Core Level of the competency standards set by the ECF on Cybersecurity. Upon the completion of the programme and fulfilled the corresponding requirements, the candidates would be eligible to apply for Associate Cybersecurity Professional (ACsP) and this Professional Qualification is recognised by HKMA.
The objectives of the ECF-C are twofold:
(a) to develop a sustainable talent pool of cybersecurity practitioners for the workforce demand in this sector; and
(b) to raise and maintain the professional competence of cybersecurity practitioners in the banking industry.
Although the ECF-C is not a mandatory licensing regime, authorised institutions (“AIs”) are encouraged to adopt the ECF-C for the following reasons:
(a) to serve as a benchmark to determine the level of competence required and to assess the ongoing competence of individual employees;
(b) to support relevant employees to attend training programmes and examinations that meets the ECF-C benchmark;
(c) to support the continuing professional development (CPD) of individual employees; and
(d) to specify the ECF-C as one of the criteria for recruitment purposes.
The ECF-C is aimed at persons (referred as ‘Relevant Practitioners’) engaged by AIs undertaking cybersecurity roles. Under the ECF-C, a ‘Relevant Practitioner’ is defined as:
“a new entrant or an existing practitioner engaged by an authorised institution to perform in roles ensuring operational cyber resilience”.
The following categories of staff are excluded from the definition of ‘Relevant Practitioners’:
(a) Those who are not required to perform the three key roles specified under the ECF-C (i.e. IT Security Operations and Delivery, IT Risk Management and Control, and IT Audit); and
(b) Those who performing key roles solely in the information technology operating function of an AI, such as system developers, system operators, helpdesk operators, and IT support.
The qualification structure of the ECF-C comprises the following two levels based on the year of work experience of Relevant Practitioners in performing the tasks:
(a) Core Level - This level is applicable for entry-level staff with less than 5 years of relevant work experience in the cybersecurity function.
(b) Professional Level - This level is applicable for staff with 5 and above years of relevant work experience in the cybersecurity function.
The qualification structure is driven by the key roles based upon the three lines of defence concept under cyber risk governance:
(i) first line of defence: IT Security Operations and Delivery
(ii) second line of defence: IT Risk Management and Control
(iii) third line of defence: IT Audit
Grandfathering arrangement is not applicable for the ECF on Cybersecurity.
To support and facilitate the talent development in the cybersecurity related sector specifically in banking, The Hong Kong Institute of Bankers (HKIB) has developed a learning programme – the “ECF on Cybersecurity (Core Level)” to help individuals attain the Core Level of the competency standards set by the ECF on Cybersecurity. It will facilitate the building of professional competencies and capabilities for relevant practitioners in cybersecurity related sector in banking through attaining a professional qualification by achieving the required competency level.
Programme Intended Learning Outcomes
Upon completion of the programme, participants should be able to
The chapter outline of the training programme is as follows:
|1||Technical Foundation of Cybersecurity
- Foundation of a Network
- IT Security Principles
- Foundation of Access Control
- Overview of Cryptography
- Foundation of Cloud Computing
- Open Banking with the API Framework
|2||Bank IT Security Controls
- International Standards and Regulatory Requirements
- Network Security Administration
- System Security Administration
- Threats, Malware and Malicious Activities
- Malware Infection Vectors
- Network and System Monitoring
- Network Attack Pattern Analysis
|4||Security Incident Response
- Security Incident Response Process
- Digital Evidence
- Security Incident Communication
|5||IT Risk Management and Control
- Risk Management Process
- Risk Monitoring and Compliance Checking
- Risk Acceptance
- Security and Risk Awareness Training
- Principles of IT Audit
- Security and Compliance Control Testing
- Audit Reports and Follow Up
- Penetration Test Process
- Red Team Approach
The Programme is open to members and non-members of the HKIB. Candidates must fulfil the stipulated minimum entry requirements:
- A Bachelor’s Degree awarded by a recognised university or equivalent; OR
- An Associate Degree (AD) / Higher Diploma (HD) in a banking and finance, computer studies/science, information systems/technology discipline or equivalent; OR
- Relevant professional qualifications; OR
- Mature applicants with either
Note: The recommended staff member should have the knowledge and skills to complete the training activities and achieve the intended learning outcomes. The employer should make the recommendation based on the competency of the potential learner. For example, in addition to 2 years of banking and finance experience, the recommended staff member also possesses other relevant traits and skills such as exhibiting a strong work ethic or transferable skills that the employer finds desirable. The recommendation may also include comments on the career advancement prospects of the staff member.
|Training Hours||15 Hours|
|Notional Learning Hours||200 Notional Learning Hours
(training + self-study + examination)
|HKIB CPD hours||20|
|Programme Fee||HKD3,750 (Study guide inclusive)|
|Examination Mode||Paper-based Examination|
|Examination Duration||2.5 Hours|
|Question Type||Multiple-choice Type Questions (MCQ)|
|No. of Questions||80|
Applicant should complete and sign the Application Form, together with the appropriate programme and/or examination fee, and return by email or by hand to HKIB Office on or before the corresponding enrolment deadline.
Late entries for training programmes will be accepted up to 7 days after the stipulated application deadlines. An additional late entry fee of HKD200 will apply.
Late entries examinations will be accepted up to 14 days after the stipulated application deadlines. An additional late entry fee of HKD200 will apply.
A relevant practitioner who performs the relevant tasks in cybersecurity function, completed the "ECF on Cybersecurity (Core Level)" training and passed the corresponding examination is eligible to apply for the certification of ACsP which is issued by HKIB and recognised by HKMA.
You may download the Guidelines of Certification and Certification Application Form for reference.
To ensure the Relevant Practitioners maintain their competency levels by updating their existing knowledge and skill set, they are required to fulfill the CPD requirements as stated by HKMA.
As a general guideline, Relevant Practitioners are expected to maintain a minimum of 20 CPD hours each year and a minimum of 120 CPD hours over every 3 years period.
No CPD is required in the year when the ACsP Professional Qualifications is granted. The CPD requirement starts in the following calendar year and pay for annual certification fee is also required.
Individuals who completed the training and passed at the relevant examinations are eligible to apply exemption to the relevant module under another HKIB programme, namely the Advanced Diploma Programme for Certified Banker (QF Level 4). Upon the completion of the programme and satisfaction of the required years of work experience, they may also be awarded the Certified Banker (Stage I) Professional Qualifications. Advanced Diploma Programme for Certified Banker (QF Level 4) is a CB professional banking qualification programmes developed and offered by HKIB. It is intended to raise the professional competency of banking and financial practitioners in Hong Kong to meet modern demands, while providing a transparent standard with international recognition.
|General enquiry||(852) 2153 email@example.com|
|Training and Examination||(852) 2153 firstname.lastname@example.org|
|Programme and Certification Details||(852) 2153 email@example.com|