Investment funds and financial institutions: CSSF FAQ on minimum IT security requirements for remote access

On 17 March 2020, the CSSF issued an FAQ clarifying the recommended minimum IT security requirements for remote access implemented to meet the demands of the exceptional situation created by Covid-19 and issuing minimum recommendations with respect to:

high-privileged access: identification of user profiles with the highest risk levels (IT administrators, employees in charge of transactions/payments, etc.) and the implementation of proper security measures (strong authentication, access from a secure laptop, logging and review of sensitive actions);
secure communication: encryption of communication channels (e.g. use of VPN with AES-256, RSA-2048 encryption);
connection monitoring: controls to ensure, at least, that remote connections are consistent with recourse to teleworking (i.e. access during office hours, geofencing); 
the duration of remote access: remote access introduced due to the exceptional Covid-19 situation should be temporary and disabled once the exceptional circumstances have passed.

The CSSF is further “urging financial institutions under its prudential supervision to favour working from home as part of their business continuity plans. As already mentioned in the communication of 2 March, satisfactory IT security conditions should be guaranteed and no prior authorisation is needed for such work arrangements.