CIRCULAR CSSF 21/769 11/16

TEN-39 Are the requirements implemented with regard to the principle of proportionality, considering the nature, scale and complexity of your activities?
39. In principle, all paragraphs under this section apply to all Supervised Entities. When implementing these requirements, Supervised Entities should have regard to the principle of proportionality by considering the nature, scale and complexity of their activities. Risks may require higher or permit lower ICT and security measures than those described in this section. Supervised Entities remain responsible for ensuring that ICT and security conditions under which they authorise their employees to telework are in proportion to the risks to which the Supervised Entities are or could be exposed.

TEN-40 Do you define a "Telework security policy" to protect the confidentiality, integrity and availability of the entity’s data and ICT systems?
40. The Supervised Entity’s security policy shall define the high-level principles and rules applicable in the context of Telework, to protect the confidentiality, integrity and availability of the entity’s data and information and communication technology (ICT) systems. These principles and rules can either be part of the general security policy document or be included in the Telework policy document and are, in both cases, referred to below as “Telework security policy”. The Telework security policy shall be aligned with the relevant results of the risk assessment process and approved by the Board of Directors of the Supervised Entity or any body that represents the Supervised Entity, by virtue of the law and of the instruments of incorporation.

TEN-40.bis What is the level of maturity of this policy?
40. (Paragraph 40 of the circular, quoted in full under TEN-40 above.)
Maturity*: No expertise / Initial - no process in place / Reproducible - informal process / Defined - written process / Continuous improvement / Optimized

TEN-41 Are user procedures adapted, complemented and updated to complement the Telework security policy?
41. This Telework security policy shall be complemented at operational level by adapting or completing the existing user procedures as appropriate. Telework policies, procedures and related documents shall be updated as well as communicated to the staff members on a regular basis.
Maturity*: No / Yes / Yes and documented

TEN-42 Are all staff members aware of the risks, best practices and their duties and responsibilities regarding the use of Telework?
42. The Supervised Entity shall ensure all staff members’ awareness on risks and best practices regarding the use of Telework (e.g. through periodic training sessions, newsletters or other communications) as well as on their duties and responsibilities in line with the relevant security policies and procedures to reduce human error, theft, fraud, misuse or loss.
Maturity*: No / Yes / Yes and documented

TEN-43 Do the awareness initiatives (42) cover the organisational and technical risks of Telework and the behaviour to be adopted by Teleworkers?
43. The above-mentioned awareness initiatives and/or procedures and documentation shall cover organisational and technical risks (e.g. social engineering, phishing attacks, etc.) in relation to Telework as well as the specific behaviour to be adopted by the Teleworkers.

TEN-44 Is access rights management adapted and reviewed in line with the risk assessment and the Telework security policy?
44. The Supervised Entity shall review and adapt its access rights management procedures and the accesses granted for Telework in line with its risk assessment and with its Telework security policy.

TEN-45 Do you create user roles/profiles and access rights (AR) dedicated to Telework, while maintaining the segregation of duties principle? (Non-obligatory)
45. In particular, Supervised Entities should consider the need to create user roles/profiles and access rights dedicated to the Telework situation (i.e. limited compared to on-premises work), while maintaining the segregation of duties principle.
Maturity*: No / Yes / Yes and documented

TEN-46 Are the access rights of Teleworkers granted on the "need-to-know" principle and recertified at least annually for non-privileged users and at least biannually for privileged users?
46. Access rights of Teleworkers (including of service providers) should be granted based on the “need-to-know” principle and recertified at least annually for non-privileged users and at least biannually for privileged users.

TEN-47.a If data is stored on the devices used by users to connect remotely to the ICT systems, is it encrypted?
47. The Supervised Entity has to ensure that it keeps control over the security of the devices used by the users to connect remotely to the Supervised Entity’s ICT systems. In particular, the Supervised Entity should ensure that:
a. When data can be stored on the device, the storage media is encrypted; the recourse to virtual desktop infrastructures, which allow avoiding storage on the device, is encouraged;
b. The security mechanisms implemented by the Supervised Entity cannot be modified, removed or bypassed by the staff members.
Maturity*: No / Yes / Yes and documented

TEN-47.b Do you ensure that the security mechanisms implemented on the devices used by users to connect remotely to your ICT systems cannot be modified, removed or bypassed?
47. (Paragraph 47 of the circular, quoted in full under TEN-47.a above; point b applies here.)

TEN-48 To achieve (47), do you only use company-owned devices under your full control?
48. Compliance with the above requirements can best be achieved by using company-owned devices, which are under the full control of the Supervised Entity.

TEN-49 Are private devices only used for low-risk activities and systems?
49. Private devices are not considered as secure as company-owned devices; this is why they should be considered only for low-risk activities and systems. In addition, staff members carrying out critical activities shall not use private devices to carry out such activities. In particular, ICT teams shall not be able to access and administer ICT systems using private devices.

TEN-50 Is the use of these private devices assessed through a specific risk analysis?
50. The potential use of privately owned devices must be considered carefully and assessed through a specific risk analysis. Despite the fact that the Supervised Entity is not the owner of the device, it must be in a position to monitor the professional data and applications that will be used on it. Solutions where the Supervised Entity installs a controlled professional environment (container) inside the private environment of the tool should allow it to keep full control over this container. Solutions based on the use of a virtual desktop infrastructure (VDI) from a privately owned device may be considered as long as the Supervised Entity is able to mitigate the risks resulting from a potentially compromised privately owned device. In addition, independent tests have to be organised on a regular basis in order to prove that either solution using a privately owned device is sufficiently secure.
Maturity*: No / Yes / Yes and documented

TEN-50.bis Are you able to monitor the professional use of the device?
50. (Paragraph 50 of the circular, quoted in full under TEN-50 above.)

TEN-51 Can the company-owned device or the professional container on the privately owned device be remotely managed by a centralised management solution?
51. Finally, the Supervised Entity shall ensure that the company-owned device or, if applicable, the professional container on the privately owned device can be remotely managed by a centralised management solution.

TEN-52 Can you ensure that the various components of the Telework infrastructure are, at all times, properly functioning, correctly secured and closely monitored?
52. The Supervised Entity shall maintain a high level of security and availability of the Telework infrastructure over time. In this context, the Supervised Entity has to ensure, at all times, that the various components are properly functioning, correctly secured and closely monitored.

TEN-53 Do you implement mechanisms allowing you to detect abnormal connections and block/alert on them?
53. The Supervised Entity shall implement mechanisms allowing it to detect abnormal connections and block/alert on them.

TEN-54 For (53), do you define a set of criteria that have to be ensured before allowing a Teleworker to access the ICT systems?
54. In particular, for the purpose of point 53, the Supervised Entity has to define a set of security and non-security criteria and requirements that have to be ensured before allowing a Teleworker to access the internal systems and data based on the risks identified during the risk assessment performed. In this context, possible criteria and requirements are (non-exhaustive list):
a. the correct authentication of the Teleworker;
b. the correct identification and authentication of the device;
c. the correct identification of the remote location of the Teleworker;
d. the connection time is within the defined working hours;
e. the security components and mechanisms implemented by the Supervised Entity have not been modified or bypassed by the Teleworker or an attacker, are up-to-date and running.
Maturity*: No / Yes / Yes and documented

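As an added illustration of points 53 and 54 (this is example code, not part of the circular or of this questionnaire), the following gateway-side policy check evaluates one remote-access attempt against criteria a to e and turns any failure into the block-and-alert outcome of point 53. The device inventory, the allowed-country list, the working window, the agent version baseline and the two sample attempts are constructed; the device fingerprint and agent state are assumed to have been extracted by the access gateway from the client certificate and the endpoint agent's heartbeat.

```python
# Added example (not part of CSSF Circular 21/769 or this questionnaire):
# pre-connection criteria check for a Telework access gateway.
# Inventory, policy values and sample attempts are constructed.
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Tuple

# Constructed inventory: managed device id -> expected client-certificate fingerprint.
KNOWN_DEVICES = {
    "LAPTOP-0042": "sha256:1f3a...c0de",
    "LAPTOP-0077": "sha256:9b77...beef",
}
ALLOWED_COUNTRIES = {"LU", "BE", "FR", "DE"}   # constructed location policy (criterion c)
WORKING_HOURS = (time(7, 0), time(20, 0))       # constructed working window (criterion d)
MIN_AGENT_VERSION = (3, 2)                      # constructed endpoint baseline (criterion e)


@dataclass
class ConnectionAttempt:
    user: str
    mfa_passed: bool            # second factor verified for this session
    device_id: str
    device_fingerprint: str     # taken from the device's client certificate (assumed)
    country: str                # gateway's geolocation of the source address (assumed)
    timestamp: datetime         # local time at the gateway
    agent_version: Tuple[int, int]
    agent_running: bool
    config_hash_ok: bool        # endpoint security config still matches the managed baseline


@dataclass
class Decision:
    allow: bool
    failed: List[str] = field(default_factory=list)

    def alert_message(self, attempt: "ConnectionAttempt") -> str:
        # Text handed to security monitoring when the connection is refused (point 53).
        return (f"BLOCKED remote access for {attempt.user} from {attempt.device_id} "
                f"({attempt.country}): failed criteria {', '.join(self.failed)}")


def evaluate(attempt: ConnectionAttempt) -> Decision:
    """Checks every criterion instead of stopping at the first failure, so the
    alert tells the analyst everything that was wrong with the attempt."""
    failed = []
    # a. correct authentication of the Teleworker
    if not attempt.mfa_passed:
        failed.append("a:user_authentication")
    # b. correct identification and authentication of the device
    expected = KNOWN_DEVICES.get(attempt.device_id)
    if expected is None or expected != attempt.device_fingerprint:
        failed.append("b:device_identity")
    # c. correct identification of the remote location
    if attempt.country not in ALLOWED_COUNTRIES:
        failed.append("c:location")
    # d. connection time within the defined working hours
    start, end = WORKING_HOURS
    if not (start <= attempt.timestamp.time() <= end):
        failed.append("d:working_hours")
    # e. security components unmodified, up to date and running
    if (not attempt.agent_running
            or attempt.agent_version < MIN_AGENT_VERSION
            or not attempt.config_hash_ok):
        failed.append("e:endpoint_security")
    return Decision(allow=not failed, failed=failed)


# Constructed sample attempts: one compliant, one failing several criteria.
SAMPLE_OK = ConnectionAttempt("alice", True, "LAPTOP-0042", "sha256:1f3a...c0de",
                              "LU", datetime(2024, 3, 4, 9, 30), (3, 4), True, True)
SAMPLE_BAD = ConnectionAttempt("bob", True, "LAPTOP-0042", "sha256:ffff...0000",
                               "US", datetime(2024, 3, 4, 23, 30), (3, 1), True, True)

if __name__ == "__main__":
    for attempt in (SAMPLE_OK, SAMPLE_BAD):
        decision = evaluate(attempt)
        print("ALLOW" if decision.allow else decision.alert_message(attempt))
```

Running the block prints ALLOW for the first attempt and a single alert line for the second that names all four failed criteria; in practice the alert line is what feeds the monitoring process of points 63 and 64.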
TEN-55 Do you have a change management process in place to ensure that changes do not jeopardise the implemented Telework infrastructure and security level?
55. Maintaining the Telework infrastructure over time implies that the Supervised Entity has a robust change management process in place, ensuring that changes do not jeopardise the implemented Telework infrastructure and security level.
Maturity*: No / Yes / Yes and documented

TEN-55.bis What is the level of maturity of this process?
55. (Paragraph 55 of the circular, quoted in full under TEN-55 above.)
Maturity*: No expertise / Initial - no process in place / Reproducible - informal process / Defined - written process / Continuous improvement / Optimized

TEN-56 Is data in transit encrypted in accordance with the data classification and with respect to current leading practices?
56. The Supervised Entity has to ensure that data in transit is secured, i.e. encrypted, in accordance with its data classification and that the implemented encryption protocols (for instance IPSec, SSL), the encryption algorithm (for instance RSA, AES) as well as the chosen key size respect current leading practices.

TEN-57 Is a 2-Factor Authentication (2-FA) implemented when connecting remotely to your systems?
57. A 2-Factor Authentication (2-FA) has to be implemented when connecting remotely to the systems of the Supervised Entity.

TEN-58 Is this authentication mechanism adapted according to the type of operations performed remotely and the user profile?
58. The implemented authentication mechanism may be adapted according to the type of operations performed remotely and the user profile (principle of proportionality).

TEN-59 For critical activities, is one of the factors of the 2-FA procedure dynamic?
59. For critical activities Supervised Entities are expected to implement a strong 2-FA procedure with one of the factors being dynamic (e.g. OTP).

TEN-60 Are the communication chain and the security measures reviewed by an independent security control function before, and regularly after, the go-live of Telework?
60. The proper functioning of the communication chain from the remote device to the corporate infrastructure (e.g. remote access gateway) as well as the effectiveness of the implemented security measures shall be reviewed by an independent security control function (i.e. Information Security Officer, Internal Audit or specialised external third party) before the go-live of the Telework and on a regular basis thereafter.

TEN-61 Does this review confirm that the security measures are correctly designed, tested, implemented and configured?
61. In particular, this review must confirm that the implemented infrastructure, the positioning of the different security barriers and applied security and data leakage prevention mechanisms are correctly designed, tested, implemented and configured.

TEN-62 Are vulnerability scans/penetration tests organised on a regular basis?
62. In addition, vulnerability scans/penetration tests should be organised on a regular basis, commensurate to the level of identified risk in relation to Telework.
Maturity*: No / Yes / Yes and documented

TEN-63 Is monitoring in place for Telework-related security vulnerabilities, in particular for the risks related to the use of privately owned devices?
63. A solid monitoring process should be in place to allow the Supervised Entity to be quickly informed of the emergence of new security vulnerabilities and to apply the necessary corrections within a short period of time. Particular attention shall be paid to the risks related to the use of privately owned devices in case their use is allowed.

TEN-64 Are all connections and relevant technical information related to Telework logged for reasons of security monitoring, with a sound logging process?
64. A sound logging process shall be implemented allowing the Supervised Entity to ensure that all connections and relevant technical information related to Telework (including the connecting device used) are logged for reasons of security monitoring.

TEN-65 Are access logs secured and is the principle of proportionality ensured?
65. Access logs shall be secured to prevent unauthorised modification or deletion. The principle of proportionality shall be ensured, e.g. the granularity of logged information and the log retention period shall be proportional to the criticality of the operation carried out by the Teleworker, without prejudice to the retention requirements set out in EU and national law.

TEN-67.bis Does this log collection comply with the legislation in place?
65. (Paragraph 65 of the circular, quoted in full under TEN-65 above.)

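Points 64 and 65 ask for connection logs that are complete and that cannot be modified or deleted unnoticed. The following added example, which is not code from the circular or from this questionnaire, shows one way to make that requirement checkable rather than assumed: each log entry carries a keyed hash (HMAC-SHA256) over its own content and the previous entry's hash, so a rewritten record, a removed entry or a truncated tail is detected on verification. The MAC key, the three sample connection records and the "head" value are constructed; the design assumes the key is held by the log writer (for instance the log collector) and not by whoever can reach the log files, and that the latest head is regularly copied to a separate append-only store so that truncation of the tail is also caught.

```python
# Added example (not part of CSSF Circular 21/769 or this questionnaire):
# tamper-evident Telework connection log using a keyed hash chain.
# SAMPLE_KEY and SAMPLE_RECORDS are constructed for illustration.
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64   # "previous hash" of the very first entry


def _mac(key: bytes, seq: int, record: Dict, prev: str) -> str:
    # Canonical JSON so the MAC does not depend on dictionary key order.
    payload = json.dumps({"seq": seq, "record": record, "prev": prev},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only log in which every entry binds its own content and the MAC
    of the previous entry under a key that readers of the log do not hold."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries: List[Dict] = []

    def append(self, record: Dict) -> str:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        seq = len(self.entries)
        mac = _mac(self.key, seq, record, prev)
        self.entries.append({"seq": seq, "record": record, "prev": prev, "mac": mac})
        return mac   # current head; anchor it in a separate append-only store


def verify_chain(key: bytes, entries: List[Dict],
                 expected_head: Optional[str] = None) -> Tuple[bool, str]:
    """Walks the chain from genesis. A rewritten record breaks its MAC, a removed
    entry breaks the sequence and the prev link, and a truncated tail is caught
    only when the head anchored elsewhere is supplied."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return False, f"entry {i}: sequence gap (entry deleted?)"
        if e["prev"] != prev:
            return False, f"entry {i}: previous-hash link broken"
        if not hmac.compare_digest(_mac(key, e["seq"], e["record"], e["prev"]), e["mac"]):
            return False, f"entry {i}: content modified"
        prev = e["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, "tail truncated: head does not match anchored value"
    return True, "chain intact"


# Constructed sample: three Telework connection records with the fields point 64
# names (user, connecting device, connection details).
SAMPLE_KEY = b"constructed-log-mac-key-not-for-production"
SAMPLE_RECORDS = [
    {"ts": "2024-03-04T08:02:11Z", "user": "alice", "device": "LAPTOP-0042",
     "src": "203.0.113.7", "event": "vpn_connect", "mfa": "otp"},
    {"ts": "2024-03-04T08:05:40Z", "user": "bob", "device": "LAPTOP-0077",
     "src": "198.51.100.22", "event": "vpn_connect", "mfa": "otp"},
    {"ts": "2024-03-04T17:31:05Z", "user": "alice", "device": "LAPTOP-0042",
     "src": "203.0.113.7", "event": "vpn_disconnect"},
]


def build_sample_log() -> ChainedLog:
    log = ChainedLog(SAMPLE_KEY)
    for r in SAMPLE_RECORDS:
        log.append(r)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head = log.entries[-1]["mac"]
    print(verify_chain(SAMPLE_KEY, log.entries, head))
    tampered = json.loads(json.dumps(log.entries))   # deep copy, then edit one record
    tampered[1]["record"]["user"] = "mallory"
    print(verify_chain(SAMPLE_KEY, tampered, head))
```

The proportionality requirement of point 65 is orthogonal to the chain: granularity and retention are decided per record class before `append`, and expired entries are dropped from the front of the chain by re-anchoring at a new genesis, not by deleting from the middle, which the verifier would otherwise report as a gap.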