The Commission de Surveillance du Secteur Financier (“CSSF”) is Luxembourg’s financial regulator, in charge of supervising banks, credit institutions, insurers and other financial companies. In 2013 the CSSF issued new rules, known as “circulars”, on controls for Access Tools (ATs), such as Active Directory and Oracle Access Manager. In Circular 13/554 the CSSF specifically requires financial institutions (FIs) to “always have permanent full control over the [IT] resources under their responsibility and the corresponding accesses to these resources”. In effect, FIs must have a means of controlling the underlying Access Tools.
The context around 13/554 is that the CSSF was concerned that international groups whose Luxembourg offices are supervised financial sector professionals (FSPs, or PSFs in the French acronym) could change or control access to the FSP’s IT resources (files, user accounts, printers, servers) from outside Luxembourg, whereas the Financial Sector Act of 1993 requires that such control rest with a Luxembourg-based financial sector professional.
Circular 13/554 requires a Luxembourg FSP first to make a formal request to the CSSF demonstrating that it has control over its local IT resources. The full list of FIs concerned is given in the Financial Sector Act of 1993. In addition:
FSPs must prove that they have permanent full control over the IT resources under their responsibility and the corresponding access to those resources. In practical terms, they must implement processes and systems (a controlling tool) to oversee the Access Tools, document the controlling tool’s policies, audit every change to those policies, and monitor the Access Tools themselves.
| 13/554 Requirement | Description | Varonis Product/Feature |
|---|---|---|
| Varonis pre-requisite: establish who owns the relevant IT resources | Identify and assign business owners to the resource groups that feed the approval workflow. | Varonis DatAdvantage recommends revoking data permissions for users who have no business need for the data, so that user access is always warranted and driven by least privilege. DatAdvantage generates reports showing the history of permission revocations and the percentage by which overly permissive access was reduced. |
| Preventive Control | An FI must ensure that every AT policy change is authorised before it is implemented. Such a preventive control stops a non-approved policy from being pushed. | Varonis DataPrivilege helps organisations not only define the policies that govern who can access, and who can grant access to, unstructured data, but also enforces the workflow and the resulting action (allow, deny, or allow for a limited period). This has a two-fold effect on consistent and broad communication of the access policy: 1) it unites all responsible parties, including data owners, auditors, data users and IT, around the same set of information, and 2) it lets the organisation continually monitor the access framework in order to adjust and optimise it, both for compliance and for continuous enforcement of warranted access. |
| Corrective Controls | Corrective controls must identify unauthorised access or AT policy changes that may have occurred during the shutdown window and apply the relevant corrections. Access to the tool and changes to its internal policy should be logged, and access to those logs must be adequately protected (for instance, no modification or deletion by the tool administrators). | Varonis DatAlert provides real-time alerting on file activity, Active Directory changes, permission changes and other events. Alert criteria and output are configurable so that the right people and systems are notified about the right things, at the right time and in the right way; this improves the ability to detect possible security breaches and misconfigurations. DatAlert can be configured to alert on changes made outside a given time window. Varonis DatAdvantage provides a complete audit trail of file system, SharePoint, Directory Services and Exchange activity, and DataPrivilege, as the control for ATs, captures all change activity. |
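The corrective control in the last row is simple to state but easy to implement incompletely, so the following is an added example (not Varonis code and not from the circular) that runs the check over a constructed, simplified AT change log. It flags every policy change that falls outside the approved change window or that has no approved ticket for the account performing it, and it keeps the log itself tamper-evident with a SHA-256 hash chain whose head digest is meant to be stored outside the tool administrators’ reach. The log format, account names, ticket IDs, DNs and the window are all assumptions made for the example.

```python
import hashlib
import re
from datetime import datetime

# Constructed sample of Access Tool (AT) change events; not real AD or Varonis output.
# Assumed format: "<ISO-8601 UTC timestamp> <actor> <change type> <object> [ticket=<id>]"
SAMPLE_LOG = [
    "2024-03-02T01:10:00 svc_iam GroupMemberAdd CN=Domain Admins,DC=corp,DC=lu ticket=CHG-1001",
    "2024-03-02T01:20:00 svc_iam GPOModify CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,DC=corp,DC=lu ticket=CHG-1002",
    "2024-03-02T14:05:00 jdoe GroupMemberAdd CN=Domain Admins,DC=corp,DC=lu ticket=CHG-1001",
    "2024-03-02T01:30:00 jdoe GroupMemberAdd CN=Domain Admins,DC=corp,DC=lu",
]

# Approved change window (the circular's "shutdown window") and the tickets approved for it,
# each mapped to the single account allowed to execute it. Hypothetical values.
WINDOW_START = datetime(2024, 3, 2, 1, 0, 0)
WINDOW_END = datetime(2024, 3, 2, 2, 0, 0)
APPROVED_TICKETS = {"CHG-1001": "svc_iam", "CHG-1002": "svc_iam"}

# The object field may contain spaces (e.g. "CN=Domain Admins"), so it is matched lazily
# and the optional ticket is taken from the end of the line.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+?)(?: ticket=(\S+))?$")


def parse_event(line):
    """Split one log line into its fields; raise on anything that does not match."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, actor, change, obj, ticket = m.groups()
    return {"ts": datetime.fromisoformat(ts), "actor": actor,
            "change": change, "object": obj, "ticket": ticket}


def find_unauthorized(lines, start, end, approved):
    """Return (line number, actor, change type, reasons) for every change that is not
    both inside the approved window and covered by a ticket approved for that actor."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        reasons = []
        if not (start <= ev["ts"] < end):
            reasons.append("outside approved window")
        if ev["ticket"] is None:
            reasons.append("no change ticket")
        elif ev["ticket"] not in approved:
            reasons.append("unknown ticket")
        elif approved[ev["ticket"]] != ev["actor"]:
            reasons.append("actor not approved for ticket")
        if reasons:
            findings.append((n, ev["actor"], ev["change"], reasons))
    return findings


def _sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def chain_log(lines, seed="genesis"):
    """Build a hash chain: each entry's digest covers its line and the previous digest,
    so editing, reordering or deleting an inner entry changes every later digest."""
    entries, prev = [], _sha256(seed)
    for line in lines:
        digest = _sha256(prev + "\n" + line)
        entries.append((line, digest))
        prev = digest
    return entries


def verify_chain(entries, seed="genesis"):
    """Return the index of the first entry whose digest does not match, or -1 if intact.
    Truncation of the tail is only visible by comparing the last digest with a head
    anchor kept outside the AT administrators' control (see the usage note)."""
    prev = _sha256(seed)
    for i, (line, digest) in enumerate(entries):
        if _sha256(prev + "\n" + line) != digest:
            return i
        prev = digest
    return -1


if __name__ == "__main__":
    for n, actor, change, reasons in find_unauthorized(SAMPLE_LOG, WINDOW_START, WINDOW_END, APPROVED_TICKETS):
        print(f"line {n}: {actor} {change}: {', '.join(reasons)}")
    entries = chain_log(SAMPLE_LOG)
    print("chain intact:", verify_chain(entries) == -1, "head:", entries[-1][1][:16])
```

Two points the block is meant to make visible. First, "outside the window" alone is not enough: the third event sits outside the window and also reuses a ticket approved for a different account, and the fourth event is inside the window but has no ticket at all; a check keyed only on time would miss it. Second, a hash chain detects modification or deletion of inner entries, but an administrator who deletes the newest entries leaves a chain that still verifies; the head digest therefore has to be forwarded to a store the tool administrators cannot write to (a separate SIEM or write-once log service) and compared on every check.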