Understanding Luxembourg CSSF IT Requirements

How to bring your network and data into compliance with the Luxembourg Commission de Surveillance du Secteur Financier

Background

The Commission de Surveillance du Secteur Financier (“CSSF”) is Luxembourg’s financial regulator, in charge of supervising banks, credit institutions, insurance companies, and other financial companies. In 2013, the CSSF released new rules – known as “circulars” – regarding controls over Access Tools (e.g., Active Directory, Oracle Access Manager). In Circular 13/554, the CSSF specifically called for financial institutions (FIs) to “always have permanent full control over the [IT] resources under their responsibility and the corresponding accesses to these resources”. In effect, this means that FIs must have a means to control the underlying Access Tools.

The context around 13/554 is that the CSSF was concerned that international groups with Luxembourg offices would be able, from outside Luxembourg, to change or control access to the IT resources – files, user accounts, printers, servers – of the Luxembourg financial sector professional (FSP, or PSF in French), even though the Financial Sector Act of 1993 requires that such access be approved by the Luxembourg-based FSP.

Circular 13/554 says that a Luxembourg FSP must first make a formal request to the CSSF proving that it has control over its local IT resources. In addition:

  • The Luxembourg FSP must be isolated as a user of any Access Tools.
  • The company must have a formal Access Tools policy under which only the FSP can approve and control access to its resources and can perform its own technical implementation.
  • Any change to the Access Tools policy must be approved by the FSP before it is implemented – a “preventive control”.
  • The FSP must be able to detect and undo any non-approved Access Tools policy change – a “corrective control”.

Who Needs To Comply

The full list of FIs can be found in the Financial Sector Act of 1993, including:

  • Investment firms (investment advisers, securities brokers, portfolio managers, market makers, underwriters)
  • Financial professionals (registrars, currency exchange dealers, professional depositories, mutual savings fund administrators)
  • Support professionals (client communications agents, IT system operators)

Access Tool Control Requirements

FSPs must prove that they have permanent full control over IT resources under their responsibility and the corresponding access to these resources. In practical terms, they must implement processes and systems – a controlling tool – to oversee the Access Tools, document policies of the controlling tool, audit any changes to the policies, and monitor the Access Tools themselves.

Key IT Requirements

13/554 Requirement: Varonis pre-requirement – establish who owns the relevant IT resources
Description: Identify and assign business owners for the resource groups so that they can feed the approval workflow.
Varonis Product/Feature: Varonis DatAdvantage recommends the revocation of permissions to data for those users who do not have a business need for the data – this ensures that user access to data is always warranted and driven by least privilege. DatAdvantage generates reports showing the history of permission revocations and the percentage by which overly permissive access was reduced.

13/554 Requirement: Preventive control
Description: An FI must ensure that every AT policy change is authorised before its implementation. Such a preventive control prevents the push of a non-approved policy.
Varonis Product/Feature: Varonis DataPrivilege helps organizations not only define the policies that govern who can access, and who can grant access to, unstructured data, but also enforces the workflow and the desired action to be taken (i.e. allow, deny, allow for a certain time period). This has a two-fold effect on the consistent and broad communication of the access policy: 1) it unites all of the responsible parties, including data owners, auditors, data users and IT, around the same set of information, and 2) it allows organizations to continually monitor the access framework in order to make changes and optimize both for compliance and for continuous enforcement of warranted access.

13/554 Requirement: Corrective controls
Description: Corrective controls must be used to identify unauthorised access or AT policy changes which may have occurred during the shutdown window and to perform the relevant corrections. Access to the tool and changes to the internal tool policy should be logged. Access to those logs needs to be adequately protected (for instance, no modification or deletion by the tool administrators).
Varonis Product/Feature: Varonis DatAlert provides real-time alerting based on file activity, Active Directory changes, permission changes, and other events. Alert criteria and output are easily configurable so that the right people and systems can be notified about the right things, at the right times, in the right ways. DatAlert improves your ability to detect possible security breaches and misconfigurations, and can be configured to alert on changes made outside a particular time window. Varonis DatAdvantage provides a complete audit trail of all file system, SharePoint, Directory Services, and Exchange activity. DataPrivilege, as a control for ATs, captures all change activity.
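The corrective control described above boils down to a reconciliation: every access-policy change in the audit trail must map to a change the FSP approved, must touch only the objects that approval covered, and must have happened inside the approved change window; anything else gets reversed. The following is an added illustration of that logic in Python, written for this page rather than taken from Varonis or the CSSF. The audit events, the approval register, the approver identities and every field name are constructed assumptions; a real deployment would read the events from the Access Tool’s audit log and the approvals from the FSP’s change-management system. It assumes the audit log itself is written to storage the tool administrators cannot alter, as the circular requires; the reconciliation is only as trustworthy as that log.

```python
"""Corrective control for Access Tool (AT) policy changes.

Reconciles an audit trail of access-policy changes against the approval
register kept by the Luxembourg FSP and emits the inverse operation for every
change that was not properly approved. Added illustration, not Varonis code;
all identities, field names and sample records below are assumptions.
"""
import json
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Identities allowed to approve AT policy changes (the Luxembourg FSP). Assumed.
FSP_APPROVERS = {"a.weber@lu.example", "c.schmit@lu.example"}

# Approval register: change_id -> approver, objects the change may touch, and
# the window (UTC, ISO-8601) in which it may be implemented. Assumed format.
APPROVALS = {
    "CHG-1041": {
        "approver": "a.weber@lu.example",
        "objects": {"CN=Fund-Accounting-RW,OU=Groups,DC=lu,DC=example"},
        "window": ("2024-03-02T22:00:00Z", "2024-03-03T02:00:00Z"),
    },
    "CHG-1042": {  # approved by group IT outside Luxembourg, not by the FSP
        "approver": "it.ops@hq.example",
        "objects": {"smb://fs01/Transfer-Agency"},
        "window": ("2024-03-02T22:00:00Z", "2024-03-03T02:00:00Z"),
    },
}

# Constructed sample audit trail (JSON lines) as an AD / file-server collector
# might record it. One compliant change, then four kinds of violation.
AUDIT_LOG = r"""
{"ts": "2024-03-02T23:10:05Z", "actor": "a.weber@lu.example", "action": "ADD_MEMBER", "object": "CN=Fund-Accounting-RW,OU=Groups,DC=lu,DC=example", "target": "m.muller@lu.example", "change_id": "CHG-1041"}
{"ts": "2024-03-03T03:15:22Z", "actor": "a.weber@lu.example", "action": "ADD_MEMBER", "object": "CN=Fund-Accounting-RW,OU=Groups,DC=lu,DC=example", "target": "p.lang@lu.example", "change_id": "CHG-1041"}
{"ts": "2024-03-02T23:40:00Z", "actor": "it.ops@hq.example", "action": "GRANT_ACL", "object": "smb://fs01/Transfer-Agency", "target": "svc-backup@hq.example", "change_id": "CHG-1042"}
{"ts": "2024-03-02T23:50:00Z", "actor": "a.weber@lu.example", "action": "ADD_MEMBER", "object": "CN=Domain Admins,CN=Users,DC=lu,DC=example", "target": "p.lang@lu.example", "change_id": "CHG-1041"}
{"ts": "2024-03-02T23:55:30Z", "actor": "it.ops@hq.example", "action": "ADD_MEMBER", "object": "CN=Domain Admins,CN=Users,DC=lu,DC=example", "target": "hq-admin@hq.example", "change_id": null}
"""

# Inverse operation used to restore the approved state.
INVERSE = {"ADD_MEMBER": "REMOVE_MEMBER", "GRANT_ACL": "REVOKE_ACL"}


@dataclass
class Finding:
    verdict: str                  # OK, UNAPPROVED, NOT_FSP_APPROVED, OUT_OF_SCOPE, OUTSIDE_WINDOW
    event: dict
    corrective: Optional[dict]    # inverse operation, None when the change was legitimate


def _parse_ts(s: str) -> datetime:
    # Older Python versions reject a trailing "Z"; normalise to an explicit offset.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def check_event(event: dict) -> Finding:
    """Apply the FSP's approval rules to one audit event, most severe check first."""
    approval = APPROVALS.get(event.get("change_id") or "")
    if approval is None:
        verdict = "UNAPPROVED"                    # no approved change ticket at all
    elif approval["approver"] not in FSP_APPROVERS:
        verdict = "NOT_FSP_APPROVED"              # approved, but not by the Luxembourg FSP
    elif event["object"] not in approval["objects"]:
        verdict = "OUT_OF_SCOPE"                  # ticket does not cover this object
    else:
        start, end = (_parse_ts(t) for t in approval["window"])
        verdict = "OK" if start <= _parse_ts(event["ts"]) <= end else "OUTSIDE_WINDOW"
    corrective = None
    if verdict != "OK":
        corrective = {"action": INVERSE[event["action"]],
                      "object": event["object"], "target": event["target"]}
    return Finding(verdict, event, corrective)


def reconcile(audit_log: str) -> list:
    """Check every JSON-lines event in the audit trail; blank lines are skipped."""
    events = [json.loads(line) for line in audit_log.splitlines() if line.strip()]
    return [check_event(e) for e in events]


if __name__ == "__main__":
    for f in reconcile(AUDIT_LOG):
        print(f"{f.verdict:17} {f.event['ts']} {f.event['actor']:22} "
              f"{f.event['action']} {f.event['object']}")
        if f.corrective:
            print(f"    -> corrective: {json.dumps(f.corrective)}")
```

The ordering of the checks matters: a change with no ticket is reported as unapproved even if it happened inside a window, and a ticket signed off outside Luxembourg is reported as such before scope or timing are considered, because that is the specific failure 13/554 is aimed at. The corrective actions are emitted as data rather than executed so that they can themselves go through the FSP’s approval before anything is pushed back to the Access Tool.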

Request a demo

Interested in finding out how Varonis can help with your compliance initiatives? Request a demo, or contact sales at 877-292-8767.