The business continuity measures imposed by the health crisis introduce new ways of working and also bring new IT risks.
As a precautionary measure, part of the activity of companies, administrations and institutions is now carried out remotely. This opens up new communication channels and, with them, new risks to your information systems.
The current crisis facilitates cyber attacks and data leaks.
Critical infrastructures must protect themselves so that the health crisis does not turn into a cyber crisis. They must neither let the crisis be amplified nor have their operations paralyzed: the business continuity of the States’ essential services prevails.
Businesses, administrations and institutions must ensure that the mechanisms for preventing data leaks remain in place as part of their business continuity arrangements.
Personal data and intellectual property require continuity of protection. If this is not ensured, a data leak could occur.
Remote work: best practices to be followed
When implementing a remote work framework, it is advisable to follow the best practices proposed by security standards such as ISO 27001, NIST and PCI-DSS.
Some of the best practices to be implemented are listed hereafter:
- distinguish between access types: standard users and privileged users.
- determine the rights associated with each type of access and limit them according to the entity’s risk strategy.
- set up monitoring of remote access.
- protect communications between the information system and remote connections by encrypting the communication channel.
For physical workstations provided to employees, antivirus, a firewall and automatic updates of applications and of the operating system are the minimum requirements.
Implementing virtual desktop solutions or other remote access solutions (cloud-based solutions, for example) requires additional security measures. A minimum level of security must be ensured from the point of connection to these solutions onwards.
Special case of remote work and of the backup sites of the business continuity plan for entities supervised by the CSSF
In its “Communiqué” of March 2, 2020, the CSSF indicated to the supervised entities that « the professionals must take reasonable and appropriate security measures for the safety of their staff members ».
To implement these recommendations, the CSSF indicates:
- that recourse to remote work should be possible under certain conditions, such as satisfactory IT security conditions.
- that, if required, professionals must activate their business continuity plan and use other production facilities inside or outside the Grand Duchy of Luxembourg, if any.
- that, to ensure rapid and effective implementation of these measures, prior authorisation by the CSSF is not required.
In its “FAQ COVID-19” of March 20, 2020, the CSSF specifies the reasonable and appropriate security measures that it had indicated on March 3, 2020.
It recalls that each entity is responsible for defining the conditions, including IT security conditions, under which it authorizes one or more of its employees to work from home. These conditions must be proportionate to the risks to which the entity is exposed.
The CSSF specifies that « these risks are, in particular, based on the role and the access rights of the relevant employees, the duration of this remote access and the sensitivity of the systems and data involved. »
The minimum recommendations issued by the CSSF are:
- high privileged access: Professionals should identify the user profiles with the highest risks (such as IT administrators, employees in charge of transactions/payments, etc.). At least for these higher risk profiles and, where possible, more broadly, proper security measures should be implemented: strong authentication, access from a secure laptop which is managed by the professional, logging and ex post review of the sensitive actions carried out.
- securing communication: Connections should be secured by encrypting the communication channel (e.g. use of VPN solution with AES-256, RSA-2048 encryption).
- connection monitoring: Professionals should have controls in place which ensure, at least, that the remote connections are consistent with the recourse to teleworking. Thus, remote access should be disabled outside office hours, the originating IP address connecting remotely should come from Luxembourg or the neighbouring countries (geofencing).
- exceptional situation and limited time period: This remote access is an answer to the exceptional situation arising from the Covid-19 virus and should be considered as a temporary and time-limited measure. Professionals should define activation/triggering conditions (trigger event) to authorise the remote access and they should ensure that it is disabled once this exceptional situation is over.
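The best practice “set up monitoring of remote access” and the CSSF’s “connection monitoring” and “high privileged access” recommendations above can be turned into a concrete consistency check over the VPN gateway’s connection log. The script below is an added example, not code from Aubay or the CSSF: it reads a constructed log format (ISO timestamp, user, role, source IP, GeoIP country, MFA flag) and flags connections outside office hours, outside the geofence (Luxembourg and its neighbouring countries), privileged profiles without strong authentication, and connections after the end of the temporary authorisation window. The office-hours window, the country list, the privileged roles and the window end date are assumptions to be replaced by the entity’s own values.

```python
from dataclasses import dataclass
from datetime import datetime, time

# All values below are assumptions for this example, not CSSF figures.
ALLOWED_COUNTRIES = {"LU", "BE", "DE", "FR"}          # Luxembourg and its neighbouring countries
OFFICE_START, OFFICE_END = time(7, 0), time(20, 0)    # office-hours window
OFFICE_DAYS = {0, 1, 2, 3, 4}                         # Monday..Friday
PRIVILEGED_ROLES = {"it_admin", "payments"}           # profiles the entity rated as high risk
ACCESS_WINDOW_END = datetime(2020, 6, 30, 23, 59)     # end of the temporary remote-access authorisation


@dataclass
class Connection:
    timestamp: datetime
    user: str
    role: str
    src_ip: str
    country: str   # ISO 3166-1 alpha-2 code from the VPN gateway's GeoIP lookup (assumed field)
    mfa: bool      # True if the session was authenticated with a second factor


def parse_line(line: str) -> Connection:
    """Parse one constructed log line: '<iso-timestamp> <user> <role> <ip> <country> mfa=<yes|no>'."""
    ts, user, role, src_ip, country, mfa = line.split()
    return Connection(datetime.fromisoformat(ts), user, role, src_ip, country, mfa == "mfa=yes")


def in_office_hours(ts: datetime) -> bool:
    """True if the connection falls on a working day inside the office-hours window."""
    return ts.weekday() in OFFICE_DAYS and OFFICE_START <= ts.time() < OFFICE_END


def check_connection(conn: Connection) -> list:
    """Return the recommendation violations for one connection (empty list if consistent)."""
    findings = []
    if conn.country not in ALLOWED_COUNTRIES:
        findings.append("outside-geofence")
    if not in_office_hours(conn.timestamp):
        findings.append("outside-office-hours")
    if conn.role in PRIVILEGED_ROLES and not conn.mfa:
        findings.append("privileged-without-strong-auth")
    if conn.timestamp > ACCESS_WINDOW_END:
        findings.append("after-authorisation-window")
    return findings


def review_log(lines) -> dict:
    """Map 'user@timestamp' to its findings, keeping only connections with at least one finding."""
    report = {}
    for line in lines:
        if not line.strip():
            continue
        conn = parse_line(line)
        findings = check_connection(conn)
        if findings:
            report[f"{conn.user}@{conn.timestamp.isoformat()}"] = findings
    return report


# Constructed sample log (documentation IP ranges, fictitious users); 2020-03-23 is a Monday.
SAMPLE_LOG = [
    "2020-03-23T09:15:00 alice it_admin 203.0.113.10 LU mfa=yes",    # consistent
    "2020-03-23T22:40:00 bob payments 198.51.100.7 DE mfa=yes",      # late evening
    "2020-03-24T10:05:00 carol standard 192.0.2.55 US mfa=no",       # outside geofence
    "2020-03-25T11:00:00 dave it_admin 198.51.100.200 FR mfa=no",    # admin without MFA
    "2020-03-28T03:00:00 eve standard 203.0.113.99 BR mfa=no",       # Saturday night, outside geofence
    "2020-07-02T09:00:00 alice it_admin 203.0.113.10 LU mfa=yes",    # after the authorisation window
]

if __name__ == "__main__":
    for key, findings in review_log(SAMPLE_LOG).items():
        print(key, ", ".join(findings))
```

In production the same checks would run on the gateway’s real export (or as a SIEM rule) and feed the ex post review of sensitive actions; the GeoIP country is an approximation, so a geofence finding is a trigger for review, not proof of compromise, and the authorisation window check is what operationalises the CSSF’s requirement that the exceptional access be disabled once the situation is over.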
Special case of remote work for support PFS
On March 18, 2020, the CSSF provided a clarification for support PFS that must set up remote work for their employees: the prior authorization of the client is required, together with guarantees on the security measures implemented with regard to the risks incurred.
In particular, the CSSF specifies that:
- as regards the services provided to clients, a support PFS must, however, receive authorisation from its client for any service provided from home by the employees of the PFS, which involves access to the IT environment of the client, including for the implemented security measures.
- the risks are, in particular, based on the role and the access rights of the provider’s employees concerned, the duration of this remote access and the sensitivity of the systems and data involved.
- the security recommendations previously defined apply also to support PFS and to the supervised entities in the framework of access granted to employees of external providers from their home.
Special case for entities supervised by the CSSF: remote work with virtual desktop solutions or other remote access solutions, in the cloud or not
In its “Communiqué” of March 22, 2020, the CSSF indicates that supervised entities must immediately review their organization to minimize the number of people required to travel to their usual workplace or to the backup site. Only people performing vital functions that cannot be carried out remotely remain essential on the operational site.
The CSSF requests that, where staff are not equipped with laptops or other mobile devices, entities implement as soon as possible virtual desktop and other remote access solutions, cloud-based or not.
Use of advanced tools
In this time of crisis, with a reduced workforce, the use of advanced tools can reduce the security workload on your entity’s employees.
Advanced security tools based on artificial intelligence offer automated alert analysis and automated response modules to attacks.
They allow teams:
- to manage the fatigue factor by receiving only the relevant alerts and to be more proactive, so as to intervene before a cyber crisis occurs.
- to be assisted by automated response modules to attacks against the information system, for better responsiveness and limited impact.
Aubay supports you
Aubay has first-rank partnerships in software solutions equipped with artificial intelligence. These solutions allow you to secure your information systems, your personal data and your intellectual property. They relieve your teams by automating alert analysis and by offering automated response modules to attacks. Some of these solutions also provide real-time, variable-geometry network mapping.
Aubay supports you in securing your information system by assisting you with risk analysis, securing your infrastructure, adapting crisis alert reporting processes and/or implementing advanced security tools.
Aubay also offers user support services.
If you want to discuss these advanced tools, or if you need support in managing your IT risks and information system security, you can reach us at CM@aubay.lu.
- CSSF “Communiqué” regarding « CORONAVIRUS (COVID-19): CLARIFICATION FROM THE CSSF REGARDING THE CONDUCT TO ADOPT BY SUPERVISED ENTITIES » dated as of March 2, 2020
- CSSF “FAQ Covid-19” dated as of March 20, 2020
- CSSF “Communiqué” regarding « CORONAVIRUS (COVID-19): IMMEDIATE REVIEW OF CURRENT ORGANISATIONAL SETUPS » dated as of March 22, 2020