On the 9th of April, 2021, the Commission de Surveillance du Secteur Financier (hereinafter, “CSSF”) published a new Circular dedicated to teleworking (Circular CSSF 21/769), which comes into force on the 30th of September, 2021. This Circular applies to all supervised companies and is a clear example of how the pandemic has upended the world and is slowly giving way to the “new normal”. Where teleworking was once seen as an exception, it is now becoming the rule, or at least an option offered to employees on a much larger scale.
The pandemic took us all by surprise, and companies had to adapt to the situation as best they could. Business continuity measures (including teleworking) were often implemented in a rush, and they are now here to stay. Because they were set up so quickly, security was often overlooked in their design and configuration. This is where the Circular comes into play: it sets out the grounds and expectations in terms of governance and security for teleworking under normal working conditions (not under pandemic situations or other exceptional circumstances with a similar impact).
A deep dive into the requirements laid down by the CSSF
The requirements can be grouped into three main topics. First, substance remains a high priority for the CSSF, and ensuring that substance is kept at each supervised company’s premises is important.
Second, governance requirements ensure the accessibility, integrity, and confidentiality of information regardless of the location from which it is accessed. Finally, the Circular establishes a set of security measures that companies are expected to implement to protect their assets from the threats related to working from home.
The first thing to keep in mind is that teleworking does not mean jeopardizing “the regular operational functioning of a Supervised entity”. Substance is at the core of this text, which means that the decision-making and administrative center must be maintained. Therefore, staff must be able to return to the premises at short notice if needed and handle emergencies rapidly.
In principle, all staff should be allowed to telework, subject to a set of conditions. The company must assess the risks and, on that basis, decide to what extent, and within which limits, employees may telework. Teleworking should in no case hinder the company’s ability to deliver its activities in an effective and secure manner.
Also, the company’s management remains responsible for how telework is organized.
Governance requirements when teleworking
Teleworking implies that employees now access the company and its information from outside its premises. New threats and vulnerabilities that were not necessarily considered in the past must now be taken into account.
A governance framework has to be created to ensure that risks are properly identified and managed. While setting up this framework, companies shall identify the different functions, policies and procedures involved.
Before taking the decision to allow employees to telework, a risk assessment must be performed, and risks must be managed. Several new risks arise from this situation that were not necessarily considered beforehand, such as physical security in a variety of locations outside of the company’s control, or remote access through unsecured networks which do not follow the security standards set up by the company.
In addition, the company must ensure that teleworking does not go against other legal provisions before making the decision to implement it.
Management must define and approve a teleworking policy that sets out the company’s stance with regard to teleworking. This policy must be complied with, and the company must therefore appoint a function in charge of ensuring this compliance. The policy must also be subject to internal control.
Security embedded throughout the teleworking process
Finally, companies must ensure that security is embedded throughout the teleworking process, from the authorization to the implementation. This involves implementing several new security measures or adapting existing measures to the specificities of teleworking:
- adapting policies and procedures to take remote access into account.
- raising awareness among employees of the risks of teleworking and of the best practices derived from the company’s standards.
- reviewing access rights procedures and processes to ensure that remote access rights are also managed according to the criticality of the information systems accessed, and that the security measures implemented are proportional to this criticality assessment (e.g. different access rights and controls will apply to accessing the company’s intranet versus accessing the production servers’ administrator VLAN). Several remote access methods can be used, and each must be managed appropriately.
- setting rules on the devices that may be used for teleworking: for instance, providing configured and secured devices, or protecting personal devices (BYOD) with an adequate level of security, if the company has deemed them acceptable. Such rules can include applying operating system and application updates, disabling unneeded services, and requiring the use of anti-malware software and a personal firewall, among others.
- building a robust infrastructure that ensures a high level of security and availability. The company must define security measures for connecting from outside the physical office, for instance requiring multi-factor authentication for enterprise access, using encryption technologies to protect communications and data stored on employees’ devices, and securing and configuring remote access servers.
In addition, an independent control must be performed to ensure that the security measures in place are properly implemented; new security trends and vulnerabilities, including those affecting the devices used, must be monitored; and logs must be kept and reviewed.
How can Excellium help you?
Excellium, as a well-established cybersecurity company in Luxembourg and Belgium, makes it a priority to stay on top of any new laws or regulations that may apply to its clients. It therefore continually adapts to the information security landscape and ensures that its clients are prepared for every situation.
Excellium proposes a tailored approach where it understands your organization and set-up, your main needs and business objectives, and helps you design and implement a teleworking framework adapted to your situation. Services offered include, but are not limited to: performing a risk management exercise to identify the risks before deciding on the modalities of teleworking, building a teleworking policy and reviewing and adapting the policy framework to be in line with the CSSF Circular, assisting in the identification of security measures and infrastructure necessary to support teleworking while mitigating the risks identified and protecting your assets, assisting in the design of an awareness program that is specific to you and tackles your specific needs in terms of teleworking, and more generally, providing advice and assistance throughout the entire process…