Supervised Entities: IT Security Conditions Recommended by CSSF for Remote Access
On 18 March 2020, CSSF updated its COVID-19 FAQ page regarding minimum IT security conditions recommended for remote access.
Given the exponential development of the disease, and the call by the Luxembourg and EU governments to limit circulation of people to the extent possible, the CSSF is urging financial institutions under its prudential supervision to favour working from home as part of their business continuity plans. As already mentioned in the communication of 2 March, satisfactory IT security conditions (see below) should be guaranteed and no prior authorisation is needed for such work arrangements.
This recommendation applies to all supervised entities and, thus, also to support PFS, including in the context of the services they provide to the financial sector, subject to satisfactory IT security conditions. To ensure rapid and effective implementation of these measures, prior authorisation by the CSSF is not required. As regards the services provided to clients, a support PFS must, however, obtain its client's authorisation for any service provided from home by the employees of the PFS that involves access to the client's IT environment, including for the security measures implemented. As with its responsibility for authorised access from home by its own employees, each supervised entity is responsible for defining the conditions, including the IT security conditions, under which it authorises remote access to its IT environment by the employees of external providers, in proportion to the risks to which it is exposed. These risks depend, in particular, on the role and the access rights of the provider's employees concerned, the duration of this remote access and the sensitivity of the systems and data involved.
The CSSF reminds supervised entities that each of them is responsible for defining the conditions, including those relating to IT security, under which it authorises one or more of its employees to work from home, in proportion to the risks to which it is exposed. These risks depend, in particular, on the role and the access rights of the relevant employees, the duration of this remote access and the sensitivity of the systems and data involved.
The CSSF issued the following minimum recommendations:
- High privileged access: Professionals should identify the user profiles with the highest risks (such as IT administrators, employees in charge of transactions/payments, etc.). At least for these higher risk profiles and, where possible, more broadly, proper security measures should be implemented: strong authentication, access from a secure laptop which is managed by the professional, logging and ex post review of the sensitive actions carried out.
- Securing communication: Connections should be secured by encrypting the communication channel (e.g. use of VPN solution with AES-256, RSA-2048 encryption).
- Connection monitoring: Professionals should have controls in place which ensure, at least, that the remote connections are consistent with the use of teleworking. Thus, remote access should be disabled outside office hours, and the originating IP address of the remote connection should be located in Luxembourg or a neighbouring country (geofencing).
- Exceptional situation and limited time period: This remote access is an answer to the exceptional situation arising from the Covid-19 virus and should be considered as a temporary and time-limited measure. Professionals should define activation/triggering conditions (trigger event) to authorise the remote access and they should ensure that it is disabled once this exceptional situation is over.
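The "high privileged access", "connection monitoring" and "limited time period" recommendations above can be turned into an ex post review of remote-access logs. The script below is an added example written for this page, not CSSF code or a CSSF specification: the log line format, the office-hours window, the set of allowed countries, the high-privilege profile names, the activation window dates and the IP-to-country table (built from RFC 5737 documentation prefixes) are all assumptions or constructed sample values. It flags connections outside office hours, connections whose originating address is not in an allowed country, high-privilege profiles connecting without strong authentication, and connections outside the period for which remote access was activated.

```python
"""Ex post review of remote-access (VPN) log lines against assumed policy parameters.

Added example: the log format, policy values and geolocation table below are
assumptions and constructed sample data, not CSSF-mandated values.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, datetime, time
from ipaddress import ip_address, ip_network

# --- Assumed policy parameters (placeholders chosen for the example) ---
ALLOWED_COUNTRIES = {"LU", "BE", "DE", "FR"}            # Luxembourg and neighbours (geofencing)
OFFICE_HOURS = (time(7, 0), time(20, 0))                 # weekdays only; remote access disabled otherwise
HIGH_PRIVILEGE_PROFILES = {"admin", "payments"}          # highest-risk user profiles
ACTIVATION_WINDOW = (date(2020, 3, 16), date(2020, 6, 30))  # trigger event .. end of the exceptional measure

# Constructed geolocation table using RFC 5737 documentation prefixes.
# A real deployment would query a GeoIP database instead.
GEO_TABLE = [
    (ip_network("192.0.2.0/24"), "LU"),
    (ip_network("198.51.100.0/24"), "DE"),
    (ip_network("203.0.113.0/24"), "US"),
]

# Assumed log line shape: "<ISO timestamp> user=<id> src=<ip> profile=<name> mfa=yes|no"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"profile=(?P<profile>\S+) mfa=(?P<mfa>yes|no)$"
)

# Constructed sample log (2020-03-23 is a Monday, 2020-03-28 a Saturday).
SAMPLE_LOG = [
    "2020-03-23T09:15:02 user=alice src=192.0.2.10 profile=admin mfa=yes",
    "2020-03-23T22:40:11 user=bob src=192.0.2.11 profile=payments mfa=no",
    "2020-03-24T10:05:00 user=carol src=203.0.113.7 profile=staff mfa=yes",
    "2020-03-28T11:00:00 user=dave src=198.51.100.5 profile=staff mfa=yes",
    "2020-07-02T09:00:00 user=alice src=192.0.2.10 profile=admin mfa=yes",
]


@dataclass
class Connection:
    ts: datetime
    user: str
    src: str
    profile: str
    mfa: bool


def parse_line(line: str) -> Connection:
    """Parse one log line; reject anything that does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return Connection(
        ts=datetime.fromisoformat(m["ts"]),
        user=m["user"],
        src=m["src"],
        profile=m["profile"],
        mfa=(m["mfa"] == "yes"),
    )


def country_of(src: str) -> str | None:
    """Longest-prefix lookup is unnecessary here: the constructed prefixes do not overlap."""
    addr = ip_address(src)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return None  # unknown origin fails the geofence check below


def check(conn: Connection) -> list[str]:
    """Return the policy findings for one connection, in a fixed order."""
    findings: list[str] = []
    if not (ACTIVATION_WINDOW[0] <= conn.ts.date() <= ACTIVATION_WINDOW[1]):
        findings.append("outside-activation-window")
    in_hours = OFFICE_HOURS[0] <= conn.ts.time() < OFFICE_HOURS[1]
    if conn.ts.weekday() >= 5 or not in_hours:
        findings.append("outside-office-hours")
    if country_of(conn.src) not in ALLOWED_COUNTRIES:
        findings.append("geofence")
    if conn.profile in HIGH_PRIVILEGE_PROFILES and not conn.mfa:
        findings.append("privileged-without-mfa")
    return findings


def review(lines) -> dict[str, list[str]]:
    """Map 'user@timestamp' to findings for every non-compliant connection; clean ones are omitted."""
    report: dict[str, list[str]] = {}
    for line in lines:
        conn = parse_line(line)
        findings = check(conn)
        if findings:
            report[f"{conn.user}@{conn.ts.isoformat()}"] = findings
    return report


if __name__ == "__main__":
    for key, findings in review(SAMPLE_LOG).items():
        print(f"{key}: {', '.join(findings)}")
```

The checks are deliberately independent so that one log line can carry several findings (the `bob` line is both outside office hours and a high-privilege connection without strong authentication); a reviewer can then prioritise by profile and by finding type. Rather than merely reporting, the same logic can gate access at connection time, which is the preventive form of the "disabled outside office hours" and "disabled once this exceptional situation is over" recommendations.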