On January 7th 2013, the CSSF (Commission de Surveillance du Secteur Financier) of Luxembourg issued circular 13/554. The circular introduces some challenging, unique requirements regarding the management of IT infrastructures of international financial institutions that maintain a Luxembourg branch. The main purpose of circular 13/554 is to separate the Luxembourg branch domain from the international group domain.
CSSF circular 13/554 requires that a system administrator of a non-Luxembourg entity of the financial institution cannot bypass existing security mechanisms and gain access to confidential resources via centralized administration tools. Circular 13/554 also requires several safeguards to be implemented by any financial institution wishing to rely on a group-level Active Directory.
According to the circular, the compliant approach to mitigating the risk posed by foreign administrators is to prevent non-Luxembourg administrators from being able to edit the overall configuration of the Luxembourg branch Active Directory domain. CSSF 13/554 also demands that Luxembourg financial institutions be able to centrally manage user access privileges and deploy baseline security policies that ensure the right people have access to the right information at all times. As specified in circular 13/554, any financial institution wishing to use a group-level Active Directory is required to: