One of the many undeniable facts of the 21st century is that we live in a time of ever-expanding globalization. People everywhere are connected. Events that occur at opposite ends of the earth can make ripples in various places across the entire world. So, when a document from the “Commission de Surveillance du Secteur Financier” in Luxembourg entitled “Circular CSSF 13/554” (CSSF for short) came across our desks last week, we dove right into it. Finding the translation of the legal jargon in the memo a tedious task, we decided to help make some sense of it all with a nice, easy-to-read overview. So, whether you’re someone with an affinity for financial compliance standards in other countries or a member of a Luxembourg institution itself (Bonjour!), read on for some CSSF knowledge.
From the start of the document, the message that the CSSF is trying to convey to the various financial organizations in Luxembourg is very clear: “Professionals of the financial sector must always have full control over the resources under their responsibility and the corresponding access to these resources, primarily for compliance and governance reasons and secondly in order to protect confidential data subject to professional secrecy.” Simple enough. Now, reading the various requirements that must be met in order to adhere to that goal is where my eyes began to glaze over. Split up below into bullet points are some of the most important requirements for compliance along with their corresponding sections, simplified. For reference, the original document can be found here.
Phrases To Know:
Approved AT Policy
An access tools policy written in a way that is easy to understand by people who are not IT specialists. It must be approved by the management of the financial institution.
Implemented AT Policy
The technical implementation of the “Approved AT Policy” on access tools systems.
Tool Internal Policy
The digital copy of the “Approved AT Policy” located within the tool used to perform the preventative controls. It is the baseline used to compare an AT policy change request to the “Approved AT Policy” and decide whether to authorize or implement said change.
“Annex: Technical note – Evolution of the usage and control of the resource access tools”
- All of the identities and resources that are located within the Luxembourg environment have to be contained in their own, separate OU.
- The financial institution (FI) itself is responsible for creating and reviewing its access tools (AT) policy for the Luxembourg segment. It is also the only entity that can change or manipulate it.
- The FI must be able to prove that the approved AT policy has been implemented and is in effect. This can be done by comparing the “approved” policy to the “implemented” policy and ensuring that they are the same. All modifications must be communicated to the appropriate parties prior to taking effect.
“Considerations on preventive versus corrective controls/usage of specific tools”
- For policies that are created and “pushed” to the appropriate systems, FIs must implement a tool that allows them to control the policies, not just measure adherence to them.
- The tool used to prevent the push of a non-approved policy must be able to create/map controls exactly to the “approved” and “implemented” AT policy for the proper segment of the environment. The ability to prevent unauthorized modification of the policy is mandatory. Additionally, corrective controls are no longer sufficient safeguards on their own and should only be used as a contingency plan in the case of preventative control failure (server failure, agent breakdown, etc.).
“Conditions for preventative control effectiveness”
- The only people who can control the tool are members of the FI or the company that they outsourced to. Within those organizations, only the appropriate people may have access. The people must be located in Luxembourg.
- All policies created in the tool must be documented.
- A process must be executed that proves the “approved,” “tool internal,” and “implemented” policies are all in alignment with each other.
- An audit of the above process must be conducted on a yearly basis. There must also be complete audit trails of all activity conducted inside the tool.
- All authentication and/or policy changes in the tool must be logged for audit purposes. These logs must be protected and secured.
- Users of the tool must be trained in how to properly operate it.
- The FI must prove that the tool is always functioning properly by monitoring it. If anything happens, alerts must be sent in real time regarding the nature of the issue.
- If the preventative control tool becomes unavailable, logs from the access provisioning solutions (e.g., Active Directory security logs) can be used in conjunction with audit and gap analysis tools as an interim solution. (Authorization must be granted by the CSSF.)
- Logging must be enabled to provide the greatest detail possible, including admin activity logging and events corresponding to the actions performed by users outside of Luxembourg relating to data confidentiality.
- FIs must also be able to prove that the logs have been protected from deletion or other manipulation, and have been safely stored.
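As an added example (not from the original post and not STEALTHbits code), here is a small Python check of the three-way alignment the circular asks for: the “approved” AT policy is treated as the baseline, and both the “tool internal” copy and the “implemented” state are compared against it, with any drift reported per OU, principal and right. The OU path, group names and rights are constructed sample values.

```python
from typing import Dict, List, Set

# A policy is modelled as: OU -> principal -> set of rights.
# All three policies below are constructed sample data for this example.
Policy = Dict[str, Dict[str, Set[str]]]
LU_OU = "OU=Luxembourg,DC=example,DC=com"  # hypothetical OU path

APPROVED_POLICY: Policy = {
    LU_OU: {"LU-Admins": {"read", "write"}, "LU-Auditors": {"read"}},
}
# The tool-internal copy matches the approved baseline exactly.
TOOL_INTERNAL_POLICY: Policy = {
    LU_OU: {"LU-Admins": {"read", "write"}, "LU-Auditors": {"read"}},
}
# The implemented state has drifted: a non-Luxembourg group gained write
# access and the auditors' approved read right was dropped.
IMPLEMENTED_POLICY: Policy = {
    LU_OU: {"LU-Admins": {"read", "write"}, "Global-Helpdesk": {"write"}},
}

def diff_policies(expected: Policy, actual: Policy) -> List[str]:
    """Return drift findings relative to 'expected'; an empty list means aligned."""
    findings: List[str] = []
    for ou in sorted(set(expected) | set(actual)):
        exp_ou, act_ou = expected.get(ou, {}), actual.get(ou, {})
        for principal in sorted(set(exp_ou) | set(act_ou)):
            exp_rights = exp_ou.get(principal, set())
            act_rights = act_ou.get(principal, set())
            for right in sorted(act_rights - exp_rights):
                findings.append(f"{ou}: {principal} has unapproved right '{right}'")
            for right in sorted(exp_rights - act_rights):
                findings.append(f"{ou}: {principal} is missing approved right '{right}'")
    return findings

def check_alignment(approved: Policy, tool_internal: Policy,
                    implemented: Policy) -> Dict[str, List[str]]:
    """Three-way check: the approved policy is the reference for both copies."""
    return {
        "approved_vs_tool_internal": diff_policies(approved, tool_internal),
        "approved_vs_implemented": diff_policies(approved, implemented),
    }

def is_aligned(report: Dict[str, List[str]]) -> bool:
    """True only when every comparison produced no findings."""
    return not any(report.values())

if __name__ == "__main__":
    print(check_alignment(APPROVED_POLICY, TOOL_INTERNAL_POLICY, IMPLEMENTED_POLICY))
```

Running the check on the sample data reports no drift between the approved and tool-internal policies, but two findings against the implemented state, which is exactly the evidence the yearly alignment audit would need to record.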
“Use of corrective controls as contingency solutions”
- If the tool being used for preventative control is not operational, the FI must have the ability to manually push, implement, and control the “approved AT policy.”
“Particular Case of Policy Import”
- If an FI has a separate directory structure or implementation, but copies directory data from a disk or other source, a procedure must be put in place to ensure access is limited only to members of the FI or the company they have outsourced to. Again, only admins located in Luxembourg may interact with the dataset.
Although brief, this summary gives a good overview of what financial companies are up against in Luxembourg. Hopefully, you were able to stick with it to the end, as it is very important for companies located in Luxembourg to adhere to these provisions as quickly as possible (the original circular was distributed on January 7th and is active immediately).
That said, you’re probably scratching your head wondering where you can find a company/product to work with that will help you satisfy all of these complicated compliance requirements. Look no further!
StealthINTERCEPT® – produces a complete audit trail of all change and access activities, providing a more complete and accurate record of events than native logging can provide alone. Granular policy definition also provides the ability to prevent undesired and unauthorized changes, mitigating the threat of downtime, security breach, and compliance failure.
Nate is a Marketing Manager at STEALTHbits and has worked in the IT Security industry for 5 years.