CSSF-13/554 Compliance

THE CHALLENGE

On January 7th 2013, the CSSF (COMMISSION de SURVEILLANCE du SECTEUR FINANCIER) of Luxembourg launched circular 13/554. The circular introduces challenging, unique requirements for the management of the IT infrastructure of international financial institutions that maintain a Luxembourgish branch. The main purpose of circular 13/554 is to separate the Luxembourg branch domain from the international group domain.

CSSF circular 13/554 requires that a non-Luxembourgish system administrator of the financial institution cannot bypass existing security mechanisms and gain access to confidential resources via centralized administration tools. Circular 13/554 also requires several safeguards to be implemented by any financial institution wishing to rely on a group-level Active Directory.

According to the circular, the compliant approach to mitigating the risk posed by foreign administrators is to prevent non-Luxembourg administrators from being able to edit the overall configuration of the Luxembourg branch Active Directory domain. CSSF 13/554 also demands that Luxembourg financial institutions be able to centrally manage user access privileges and deploy baseline security policies which ensure that the right people have access to the right information at all times. As specified in circular 13/554, any financial institution wishing to use a group-level Active Directory is required to:

  • Introduce a formal and detailed authorization request to the CSSF. This document needs to demonstrate that the obligation of permanent full control by the financial institution over the resources under its responsibility, and over the corresponding accesses to these resources, is always fulfilled.
  • Set up, configure and maintain a tool which will prevent the push of non-approved domain policy / configuration changes before their implementation.
  • Set up, configure and maintain corrective controls in case the preventive control is down. The financial institution has to explain the technical feasibility of the chosen corrective controls in its authorization request. These controls can correspond to log reviews and/or audit tools or gap analysis tools.

To perform these operations and achieve compliance, CSSF 13/554 recommends implementing a "preventive tool" that provides the following functions:

  • The tool must have its own internal AT (access tool) policy. The internal policy configured must be the exact digital transposition of the approved AT policy.
  • The tool locally controls the local branch AT policy by systematically comparing each local branch AT policy change request (push) to the tool's internal policy.
  • If a pushed policy contains a change that is not in line with the tool's internal policy, the push must be blocked.
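As an added illustration (not CHS code and not part of the circular), the two control types described above can be modelled as a preventive gate that compares every pushed setting with the tool's internal approved policy and blocks deviations, plus a corrective review that replays an audit log of applied changes when the preventive tool is unavailable. Policy names, values, administrator names and log entries are constructed for this example.

```python
import logging
from dataclasses import dataclass, field

log = logging.getLogger("cssf-13-554-gate")

# Constructed approved branch AT policy: the tool's internal "digital
# transposition" of the policy approved by the Luxembourg branch.
# Setting names and values are hypothetical.
APPROVED_POLICY = {
    "PasswordMinLength": 12,
    "LockoutThreshold": 5,
    "DomainAdminsMembers": {"lu-admin-01", "lu-admin-02"},
}

@dataclass
class Decision:
    allowed: bool
    deviations: list = field(default_factory=list)

def find_deviations(pushed_policy: dict) -> list:
    """Compare a pushed policy (setting -> value) with the approved policy."""
    deviations = []
    for setting, approved in APPROVED_POLICY.items():
        if setting in pushed_policy and pushed_policy[setting] != approved:
            deviations.append(f"{setting}: pushed={pushed_policy[setting]!r} approved={approved!r}")
    # Settings the approved policy does not know are not authorised either.
    for setting in sorted(pushed_policy.keys() - APPROVED_POLICY.keys()):
        deviations.append(f"{setting}: not in approved policy")
    return deviations

def evaluate_push(pushed_policy: dict, actor: str) -> Decision:
    """Preventive control: block the push if any setting is not in line,
    and log every attempt (allowed or blocked) with the acting administrator."""
    deviations = find_deviations(pushed_policy)
    decision = Decision(allowed=not deviations, deviations=deviations)
    log.warning("push by %s %s %s", actor,
                "ALLOWED" if decision.allowed else "BLOCKED", deviations)
    return decision

def review_applied_changes(audit_log: list) -> list:
    """Corrective control: replay changes that reached the domain while the
    preventive tool was down and report those deviating from the policy."""
    findings = []
    for entry in audit_log:
        deviations = find_deviations({entry["setting"]: entry["value"]})
        if deviations:
            findings.append((entry["actor"], entry["setting"], deviations))
    return findings

# Constructed audit log: one compliant change and one that should be flagged.
CONSTRUCTED_AUDIT_LOG = [
    {"actor": "lu-admin-01", "setting": "PasswordMinLength", "value": 12},
    {"actor": "group-admin", "setting": "LockoutThreshold", "value": 50},
]
```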

THE SOLUTION

  • The CHS internal policy is managed and changed only by an authorized administrator (a Luxembourg admin).
  • CHS enforces the policy over AD and other areas of the organization in "real time": the policy is continuously enforced.
  • The CHS "keys" are given only to the special administrator who is authorized to manage the FI security policy (any access is logged).
  • CHS provides "real time" prevention of any attempt to push unapproved policies by unauthorized administrators; every such attempt is logged.