
CSSF Circular 13/554 for banks and PSFs - 11/01/2013



Updated rules on the usage and control of certain IT tools

On 7 January 2013, the CSSF issued Circular 13/554 entitled "Evolution of the usage and control of the resources access tools". IT tools in scope of the circular are those allowing companies to manage access rights to the IT resources connected to their network and/or to centrally register and administer most of those resources (user accounts, printers, computers, services, etc.).

The circular applies immediately to credit institutions and other professionals of the financial sector (PSFs). Its objectives are:

  • To recognise that certain international financial institutions consolidate IT resources access tools at a Group level (e.g. shared Windows Active Directory), and
  • To reiterate that banks and PSFs in Luxembourg must have full and permanent control over the IT resources under their responsibility.

Thus, Circular 13/554 describes in detail the requirements to be observed when banks and PSFs use the global resources access tools of their Parent Group. In this case, banks and PSFs in Luxembourg must:

  1. Introduce a formal and detailed authorisation request to CSSF,
  2. Implement certain organisational and technical controls, and
  3. Conduct yearly audits to ensure controls operating effectiveness.

Those high-level requirements are further detailed below.

Common questions and concerns

  • Which controls are required to ensure CSSF compliance?
  • Are we sufficiently isolated as a segment of our parent group resources access tool?
  • Is our “Approved AT policy” documentation sufficiently detailed?
  • What set-up can we use to ensure the configuration of our IT resources remains aligned with locally approved policy?
  • Do we have the right safeguards to meet current compliance regulations?

How can Deloitte help?

Deloitte assists organisations in addressing the compliance of existing (or projected) global “resources access tools” implementations through in-depth analysis of IT regulatory issues and by proposing pragmatic technical and organisational solutions:

  • Compliance analysis: gap analysis of existing (or projected) global “resources access tools” implementations against regulatory requirements
  • Practical recommendations to achieve and sustain IT compliance
  • Assistance in communications with the Regulator: preparation or quality review of CSSF application files and participation in meetings with the Regulator
  • Yearly audits to ensure the preventive controls associated with the implementation operate effectively (i.e. at technical and organisational levels, including all documentation)

Summary of the requirements introduced by Circular 13/554

High-level requirements and summary of requirements

1. Introduce a formal and detailed authorisation request to CSSF

The authorisation request document needs to demonstrate that the obligation of permanent and full control by the entity over the resources under its responsibility, and over the corresponding accesses to these resources, is always fulfilled.
2. Implement certain organisational and technical controls

In order to achieve full and permanent control over the IT resources under their responsibility, banks and PSFs are required to:

  • Isolate the Luxembourg entity as a “segment” of the access tool (e.g. dedicated Active Directory domain for the Luxembourg entity)
  • Enforce a policy management procedure whereby the bank or PSF approves and continuously controls the access tool policy enforced in the bank or PSF’s “segment” of the access tool
  • Implement a software tool that automates preventive controls over policy changes
  • Plan for corrective controls that identify unauthorised access or policy changes that may have occurred while the solution enforcing preventive controls was unavailable
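The corrective control in the last bullet can be illustrated with a policy-drift review. The following Python is an added example, not code from the page, from Deloitte or from the circular: it compares a snapshot of the policy enforced in the Luxembourg “segment” against the locally approved baseline and flags the logged changes that landed while the preventive-control tool was down. The domain name, policy fields, change log and outage window are all constructed sample data.

```python
from datetime import datetime

# Constructed locally approved policy for the Luxembourg "segment" (hypothetical
# domain name and values, not taken from the circular or the page).
APPROVED_POLICY = {
    "domain": "lux.example.local",
    "min_password_length": 12,
    "lockout_threshold": 5,
    "domain_admins": frozenset({"lux-admin-1", "lux-admin-2"}),
}

# Constructed snapshot of the policy as currently enforced in the segment.
OBSERVED_POLICY = {
    "domain": "lux.example.local",
    "min_password_length": 8,
    "lockout_threshold": 5,
    "domain_admins": frozenset({"lux-admin-1", "lux-admin-2", "grp-global-admin"}),
}

# Constructed change log of the access tool (ISO timestamps, single time zone assumed).
CHANGE_LOG = [
    {"time": "2013-02-03T09:15:00", "actor": "lux-admin-1", "change": "reset user password"},
    {"time": "2013-02-03T22:40:00", "actor": "grp-global-admin", "change": "min_password_length 12 -> 8"},
    {"time": "2013-02-03T22:41:00", "actor": "grp-global-admin", "change": "added grp-global-admin to domain_admins"},
]

# Constructed window during which the tool enforcing preventive controls was unavailable.
OUTAGES = [(datetime(2013, 2, 3, 22, 0), datetime(2013, 2, 4, 1, 0))]


def policy_drift(approved, observed):
    """Fields whose observed value differs from the locally approved baseline."""
    return {k: (v, observed.get(k)) for k, v in approved.items() if v != observed.get(k)}


def changes_during_outage(change_log, outages):
    """Log entries timestamped inside an outage window of the preventive control."""
    return [e for e in change_log
            if any(start <= datetime.fromisoformat(e["time"]) <= end for start, end in outages)]


def review_segment(approved, observed, change_log, outages):
    """Corrective review: report drift plus the unprotected changes that may explain it."""
    return {"drift": policy_drift(approved, observed),
            "unprotected_changes": changes_during_outage(change_log, outages)}


if __name__ == "__main__":
    report = review_segment(APPROVED_POLICY, OBSERVED_POLICY, CHANGE_LOG, OUTAGES)
    for field, (want, got) in report["drift"].items():
        print(f"DRIFT {field}: approved={want} observed={got}")
    for entry in report["unprotected_changes"]:
        print(f"UNPROTECTED {entry['time']} {entry['actor']}: {entry['change']}")
```

In practice the observed snapshot and change log would be exported from the access tool itself; the review only supports the yearly audit and does not replace the preventive control.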
3. Conduct yearly audits to ensure controls operating effectiveness

The solution enforcing preventive controls must be audited yearly at a technical and an organisational level, including all documentation, e.g.:

  • Suitability of access to the software tool
  • Documentation of the solution
  • Suitability of the policy management procedure
  • Logging of access and changes
  • Monitoring of the proper functioning of the tool
  • Etc.

Download our flyer on CSSF Circular 13/554.


Contacts

Name:
Roland Bastin
Company:
Deloitte Luxembourg
Job Title:
Partner - Information & Technology Risk
Phone:
+352 451 452 213
Email
rbastin@deloitte.lu
Name:
Laurent de la Vaissière
Company:
Deloitte Luxembourg
Job Title:
Directeur - Information & Technology Risk
Phone:
+352 451 452 010
Email
ldelavaissiere@deloitte.lu
