The CSSF (Commission de Surveillance du Secteur Financier) of Luxembourg issued Circular 13/554. The circular introduces some challenging and unusual requirements for the management of the IT infrastructure of international financial institutions that maintain a Luxembourg branch. The main purpose of Circular 13/554 is to separate the Luxembourg branch's domain from the international group domain.
Under CSSF Circular 13/554, a system administrator of a non-Luxembourg entity must not be able to bypass the existing security mechanisms and gain access to confidential resources through centralized administration tools. Circular 13/554 also requires several safeguards to be implemented by any financial institution that intends to rely on a group-level Active Directory. According to the circular, the compliant approach to mitigating the risk posed by foreign administrators is to prevent non-Luxembourg administrative staff from being able to change the overall configuration of the Luxembourg branch's Active Directory domain. CSSF 13/554 further requires Luxembourg financial institutions to be able to centrally manage user access privileges and to deploy baseline security policies that ensure the right people have access to the right information at all times. As specified in Circular 13/554, any financial institution wishing to use a group-level Active Directory is required to: