CSSF 13/554 Compliance

THE CHALLENGE

On January 7th 2013, the CSSF (Commission de Surveillance du Secteur Financier) of Luxembourg issued Circular 13/554. The circular introduces some challenging and unique requirements regarding the management of the IT infrastructure of international financial institutions that maintain a Luxembourg branch. The main purpose of Circular 13/554 is to separate the Luxembourg branch’s domain from the domain of its international group.

As per CSSF Circular 13/554, a system administrator of the non-Luxembourg part of the group must not be able to bypass the existing security mechanisms and gain access to confidential resources via centralized administration tools. Circular 13/554 also requires several safeguards to be implemented by any financial institution that wishes to rely on a group-level Active Directory.

According to the circular, the compliant approach to mitigating the risk posed by foreign administrators is to prevent non-Luxembourg administrators from being able to edit the overall configuration of the Luxembourg branch’s Active Directory domain. CSSF 13/554 also requires Luxembourg financial institutions to be able to centrally manage user access privileges and deploy baseline security policies which ensure that the right people have access to the right information at all times. As specified in Circular 13/554, any financial institution wishing to use a group-level Active Directory is required to:

  • Submit a formal and detailed authorization request to the CSSF. This document needs to demonstrate that the obligation of permanent, full control by the financial institution over the resources under its responsibility, and over the corresponding accesses to these resources, is always fulfilled.
  • Set up, configure and maintain a tool which will prevent the push of non-approved domain policy / configuration changes before they are implemented.
  • Set up, configure and maintain corrective controls in case the preventive controls are down. The financial institution has to explain the technical feasibility of the chosen corrective controls in its authorization request. These controls can correspond to log reviews and/or audit tools or gap analysis tools.

To perform this operation and achieve compliance, CSSF 13/554 recommends implementing a “preventive tool” that provides the following functions:

  • The tool must have its own internal AT (Access Tool) policy. The configured internal policy must be the exact digital transposition of the approved AT policy.
  • The tool locally controls the AT policy of the local branch by systematically comparing each local branch AT policy change request (push) to the tool’s internal policy.
  • If a pushed policy contains a change that is not in line with the tool’s internal policy, the push must be blocked.
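To make the three functions above (and the corrective control of the previous list) concrete, here is an added example, not CalCom CHS code or anything from the circular: a toy preventive tool with an internal approved policy, a push check that blocks any deviating change, a guarded policy-change function restricted to authorized administrators, and a gap-analysis routine for detecting drift. All setting names, values and administrator names are constructed for illustration.

```python
"""Toy CSSF 13/554-style preventive and corrective controls (added example).
The policy settings, values and administrator names below are constructed."""
from dataclasses import dataclass, field

# Internal AT policy of the tool: the digital transposition of the approved policy (constructed values).
APPROVED_POLICY = {
    "MinimumPasswordLength": 14,
    "LockoutThreshold": 5,
    "AuditLogonEvents": "Success,Failure",
    "RemoteAdminGroups": ("LU-Domain-Admins",),
}
# Only these (Luxembourg) administrators may change the internal policy (constructed).
AUTHORIZED_ADMINS = {"lu-admin"}
# Every push and every policy-change attempt is recorded here for later log review.
AUDIT_LOG = []

@dataclass
class PushRequest:
    requester: str   # administrator pushing the change
    settings: dict   # setting name -> value being pushed

@dataclass
class Decision:
    allowed: bool
    deviations: list = field(default_factory=list)

def evaluate_push(push, approved=APPROVED_POLICY):
    """Preventive control: a pushed setting deviates if it is unknown to the
    approved policy or its value differs; any deviation blocks the whole push."""
    deviations = [
        f"{k}: pushed {v!r}, approved {approved.get(k, '<not in policy>')!r}"
        for k, v in push.settings.items()
        if k not in approved or approved[k] != v
    ]
    decision = Decision(allowed=not deviations, deviations=deviations)
    AUDIT_LOG.append(f"{'ALLOWED' if decision.allowed else 'BLOCKED'} push by "
                     f"{push.requester}: {deviations or 'no deviations'}")
    return decision

def update_internal_policy(admin, changes, policy=APPROVED_POLICY):
    """Only an authorized administrator may change the internal policy; the attempt is
    logged either way. Returns the new policy, or None when the change is refused."""
    if admin not in AUTHORIZED_ADMINS:
        AUDIT_LOG.append(f"DENIED policy change by {admin}: {sorted(changes)}")
        return None
    AUDIT_LOG.append(f"APPLIED policy change by {admin}: {sorted(changes)}")
    return {**policy, **changes}

def gap_analysis(live_config, approved=APPROVED_POLICY):
    """Corrective control: report each approved setting whose live value drifted
    (missing settings show up as None), as {name: (live, approved)}."""
    return {k: (live_config.get(k), v) for k, v in approved.items() if live_config.get(k) != v}
```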

THE SOLUTIONS

How can we help? CalCom CHS offers a “one-stop-shop” preventive tool to comply with the CSSF 13/554 requirements:

  • The CHS internal policy is managed and changed only by an authorized administrator (a Luxembourg admin).
  • CHS enforces the policy over AD and other areas of the organization in “real time”: the policy is continuously enforced.
  • The CHS “keys” are given only to the special administrator who is authorized to manage the FI security policy; any access is logged.
  • CHS provides “real time” prevention of any attempt to push unapproved policies by unauthorized administrators. Every such attempt is logged.


Looking for an easy and cost-effective way to achieve compliance?

Contact us today to discuss your CSSF 13/554 compliance!
