
Authorisation request for IT Outsourcing of material activities1

1. Preliminary remarks and general principles

This template shall be used in case of IT outsourcing2 under

Circular CSSF 12/552, as amended for credit institutions and professionals performing lending operations for the outsourcing of material IT activities as defined in section 7.4.1. – Point 182. Please note that this template shall also be used in case of an outsourcing to a Luxembourg credit institution.

Circular CSSF 17/656, as amended for e-money institutions, payment institutions and PFS other than investment firms for the outsourcing of material IT activities as defined in section 1 – Point 182. Please note that this template shall also be used in case of an outsourcing to a Luxembourg credit institution.

Circular CSSF 20/758, for investment firms for the outsourcing of material IT activities as defined in section 7.4.1. – Point 184. Please note that this template shall also be used in case of an outsourcing to a Luxembourg credit institution.

This template shall not be used in the following cases (negative scope)

Outsourcing of material IT activities to a support PFS in accordance with Article 29-1 to 29-6 of the LFS.

IT outsourcing relying on a cloud computing infrastructure as defined in Circular CSSF 17/654, as amended. In this case please use the following templates: https://www.cssf.lu/en/Document/summary-of-the-information-to-be-transmitted-to-the-competent-authority-relating-to-your-outsourcing-to-a-cloud-computing-infrastructure-under-circular-cssf-17-654/

Outsourcing of non-material IT activities. Please refer to our FAQ on the assessment of IT outsourcing materiality: https://www.cssf.lu/en/Document/faq-on-the-assessment-of-it-outsourcing-materiality/

Business Process Outsourcing3

Please note that incomplete forms will be rejected. Should some questions not be applicable to the IT outsourcing project, please indicate “not applicable”.

The document shall be submitted in two formats, one PDF version duly signed by the authorised management, and one in editable MS Word format, via e-mail or secure communication channel to the CSSF agent in charge of the supervision of the institution.

1 Material activities are to be seen as “important or critical functions” in the sense of the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02).

2 IT outsourcing means an arrangement of any form between the institution and a service provider (including of the same group) by which that service provider performs an IT process, an IT service or an IT activity that would otherwise be undertaken by the institution itself.

3 A Business Process Outsourcing is an outsourcing that is not purely IT in nature, i.e. at least some of the outsourced services are business related.

AUTHORISATION REQUEST FOR IT OUTSOURCING OF MATERIAL ACTIVITIES – 1/26 – Unrestricted


Your internal reference: CSSF reference:

2. Identification & Submission details

2.1 Applicant’s identification:

1) Applicant’s corporate name: [please insert name here]

2) Applicant’s identifier assigned by the CSSF: [please insert identifier here]

Reserved for the administration

2.2 Name(s) and function(s) of the person(s) in charge of dealing with the application file, and their contact details (email and phone number):

Reserved for the administration

2.3 Submission date to the administration:

Reserved for the administration

2.4 Signature by authorised management:

1) Name: [please insert name here]

2) Title: [please insert title here]

Reserved for the administration



3) Signature: ________________________________

3. General information on the submitted material IT outsourcing project

3.1 Which IT services are covered by this authorisation request?

☐ IT system management/operation services (ref. sub-section 7.4.2.1. (12/552) / sub-section 2.1 (17/656) IT system management/operation services4)

☐ Consulting, development and maintenance services (ref. sub-section 7.4.2.2. (12/552) / sub-section 2.2 (17/656) Consulting, development and maintenance services5)

☐ Hosting services (ref. sub-section 7.4.2.3. (12/552) / sub-section 2.3 (17/656) Hosting services and infrastructure ownership)

☐ Other: [please insert details here]

Multiple selections possible.

Reserved for the administration

3.2 Description of the IT outsourcing project and overall IT outsourcing strategy.

3.2.1 Please provide a short description of the envisaged IT outsourcing project, including a description of the current IT set-up (“as is”) and the planned future IT set-up (“to be”). Please also include the rationale for the specific project:

[Up to 1000 words] Reserved for the administration

4 Are considered as management/operation services those services where the service provider has a permanent administrator access to the systems and is responsible for their own actions and the actions of any sub-contractors under their responsibility.

5 Are considered as maintenance services those services where the service provider does not have a permanent access to the production system. Their intervention on the system is supervised by the applicant.


3.2.2 Overall, which proportion of production systems6 and applications will be outsourced (for operations and/or hosting services only) once the envisaged IT outsourcing project has been completed?

[Up to 500 words] Reserved for the administration

3.2.3 Please provide a short description of the overall IT outsourcing strategy (partial IT outsourcing, full IT outsourcing, etc.) that the applicant pursues in the medium to long term:

[Up to 500 words] Reserved for the administration

3.2.4 Please provide the names of the IT Officer and Information Security Officer (if applicable) and a short overview of IT staffing at the applicant7.

[Up to 250 words] Reserved for the administration

3.3 Why have you considered that the current IT outsourcing is material8? Please justify your answer taking into account Question 3 of the FAQ on the assessment of IT outsourcing materiality https://www.cssf.lu/en/Document/faq-on-the-assessment-of-it-outsourcing-materiality/.

An IT outsourcing is considered material if at least one of the following statements is met:

☐ From a technical point of view, the outsourced IT operational functions, activities or services safeguard the security and continuity of critical parts of the IT infrastructure. A deficiency in these outsourced IT operational functions, activities or services may significantly disrupt the ability of the supervised entity to protect its IT infrastructure and, therefore, the ability of the supervised entity to operate its material activities in a controlled manner.

Reserved for the administration

6 As defined in section 4.1.

7 Each institution shall appoint an IT Officer and, if applicable, an Information Security Officer. In smaller institutions this responsibility may be assumed by a member of the authorised management who may rely on external expert advice.

8 Any activity that, when it is not carried out in accordance with the rules, reduces the institution’s ability to meet the regulatory requirements or to continue its operations, as well as any activity necessary for sound and prudent risk management, shall be deemed to be "material".

☐ From a business point of view, the outsourced IT operational functions, activities or services support a material activity. In case of failure or dysfunction of the IT operational functions, activities or services, there is a major impact on the business activity. This major impact may be one of the following in nature9:

☐ A financial impact, including (but not limited to) loss of funds or assets, potential customer compensation, legal and remediation costs, contractual damages, loss of revenue.

☐ A potential for business disruption, considering (but not limited to) the criticality of the financial services affected; the number of customers and/or branches and employees potentially affected.

☐ A potential reputational impact on the institution based on the criticality of the financial service or operational activity affected (e.g. theft of an important volume of customer data); the external profile/visibility of the IT systems and services affected (e.g. mobile or on-line banking systems, point of sale, ATMs or payment systems).

☐ A regulatory impact, including the potential for public censure by the regulator, fines or even variation of permissions.

☐ A strategic impact on the institution, for example if strategic product or business plans are compromised or stolen.

3.3.1 Please justify your answer:

[Up to 500 words] Reserved for the administration

3.4 Please provide details of the IT outsourcing service provider(s):

1) Service provider’s corporate name: [please insert name here]

2) Service provider’s address: [please insert here]

Reserved for the administration

9 Reference: EBA/GL/2017/05


3) Is the service provider supervised by a supervisory authority?

☐ Yes

Please provide the name of the supervisory authority: [Insert here]

☐ No

4) Are the service provider and the applicant part of the same group?

☐ Yes

Please provide details of the affiliation: [Insert here]

☐ No

5) If you have answered question 4) with “Yes”, and in case the service provider is located in Luxembourg, does it provide its services exclusively to the group?

☐ Yes

☐ No

6) If the service provider is a group entity located in Luxembourg, please confirm that in case the systems contain readable confidential data on the customers, the institution ensures the compliance with the provisions of article 41, paragraph 2a of the financial sector law.

☐ Yes

☐ No

Please explain why: [Insert here]

7) If the service provider is located abroad, please confirm that in case the systems contain readable confidential data on the customers, the institution ensures the compliance with the provisions of article 41, paragraph 2a of the financial sector law.

☐ Yes

☐ No

Please explain why: [Insert here]



3.5 In case of outsourcing other than consulting, development and maintenance services, who owns the outsourced infrastructure:

☐ The applicant

☐ The system operator

☐ The hosting service provider

☐ Other: [please insert details here]

Reserved for the administration

4. Description of the outsourced IT systems

4.1 In case of outsourcing of IT system management/operation services or hosting services, please specify which IT systems will be concerned by this outsourcing, indicating who will be in charge of system administration/operation and where the systems will be located. Please consider that by "IT systems" we mean both the business IT systems supporting the business activities (e.g. core banking system, software for portfolio management, accounting of domiciled companies, e-banking, etc.) and the support IT systems used for the organisation and administration of the entity seeking authorisation (e.g. e-mail servers, internal file servers, access management tools like Active Directory, security and network tools, printing servers, archiving systems, voice network components, etc.). Please provide a separate table for business IT systems and a separate table for support IT systems.

4.1.1 IT system management/operation services (ref. sub-section 7.4.2.1. (12/552) / sub-section 2.1 (17/656) IT system management/operation services) – Business IT Systems

Name | Description of system: purpose & function | Confidential data requiring client consent | Shared or dedicated system10 | Entity in charge of the administration/operating | Primary and secondary hosting location11 | Reserved for the administration

 | | ☐ Yes ☐ No | ☐ Dedicated ☐ Shared | | |

10 Please indicate whether the system is dedicated to the applicant or shared with other entities, either within the group or with other third parties, and on which level it is dedicated/shared, i.e. fully dedicated, including underlying infrastructure, or not.

11 Please provide the country and the city.


Please explain [up to 500 words]:

4.1.2 IT system management/operation services (ref. sub-section 7.4.2.1.(12/552) / sub-section 2.1 (17/656) IT system management/operation services) – Support IT Systems

Name | Description of system: purpose & function | Confidential data requiring client consent | Shared or dedicated system10 | Entity in charge of the administration/operating | Primary and secondary hosting location11 | Reserved for the administration

 | | ☐ Yes ☐ No | ☐ Dedicated ☐ Shared | | |

Please explain [up to 500 words]:

4.1.3 Hosting services (ref. sub-section 7.4.2.3. (12/552) / sub-section 2.3 (17/656) Hosting services and infrastructure ownership) – Business IT Systems

Name | Description of system: purpose & function | Confidential data requiring client consent | Shared or dedicated system10 | Entity in charge of the administration/operating | Primary and secondary hosting location11 | Reserved for the administration

 | | ☐ Yes ☐ No | ☐ Dedicated ☐ Shared | | |

Please explain [up to 500 words]:

4.1.4 Hosting services (ref. sub-section 7.4.2.3. (12/552) / sub-section 2.3 (17/656) Hosting services and infrastructure ownership) – Support IT Systems



Name | Description of system: purpose & function | Confidential data requiring client consent | Shared or dedicated system10 | Entity in charge of the administration/operating | Primary and secondary hosting location11 | Reserved for the administration

 | | ☐ Yes ☐ No | ☐ Dedicated ☐ Shared | | |

Please explain [up to 500 words]:

5. ICT governance and strategy

5.1 Compliance with Circular CSSF 12/552 or Circular CSSF 17/656, as applicable. Please confirm your compliance with the following paragraphs by ticking the appropriate check-boxes.

☐ 182. Outsourcing should not result in non-compliance with the rules of this circular on central administration (Chapters 1 and 3).

☐ 182. The strategic functions or core functions cannot be outsourced.

☐ 182. The institution shall retain the necessary expertise to effectively monitor the outsourced IT services and functions and manage the risks associated with the outsourcing.

☐ 182. The outsourcing does not relieve the institution of its legal and regulatory obligations or its responsibilities to its customers. It does not result in any delegation of the institution’s responsibility to the subcontractor.

☐ 182. The final responsibility of the risk management associated with outsourcing is incumbent upon the authorised management which is outsourcing.

☐ 182. The access of the CSSF, the réviseur d’entreprises agréé and the internal control functions of the institution to the information relating to the outsourced activities shall be guaranteed in order to enable them to issue an opinion on the adequacy of the outsourcing. This access implies that they may also verify the relevant data held by an external partner and, in the cases provided for in national law, have the power to perform on-site inspections on an external partner. The aforementioned opinion may, where appropriate, be based on the reports of the subcontractor’s external auditor.

☐ 189. For each outsourced activity, the institution shall designate from among its employees a person who will be in charge of managing the outsourcing relationship and managing access to confidential data.

☐ 190. The institution shall implement an IT policy which covers all IT activities scattered among the institution and all the actors in the outsourcing chain. The IT organisation shall be adapted in order to integrate the outsourced activities into the proper functioning of the institution, and the procedure manual shall be adapted accordingly. The institution’s continuity plan shall be established in accordance with the continuity plan of its subcontractor(s). The institution also foresees a regular control of the backups and of the ability to restore the backups.

Reserved for the administration

☐ 199. It is not mandatory for the processing centre to be physically located in the premises of the entity which is contractually responsible for the management of the IT systems. Whether the processing centre is in Luxembourg or abroad, it is thus possible that the hosting of the site is entrusted with another provider than that which provides IT system management services. In this case, the institution shall ensure that the principles contained in sub-chapter 7.4.2.3 (12/552) / 2.3. (17/656) are complied with by the entity which is contractually responsible for the management of IT systems and that the sub-outsourcing process is under control.

☐ 207. Any outsourcing of material activities or not, including that carried out within the group to which the institution belongs, shall be in line with a written policy requiring approval from the authorised management and including the contingency plans and exit strategies. This outsourcing policy is updated and re-approved at regular intervals by authorized management, which ensures that appropriate changes are promptly implemented. Any outsourcing approval shall be the subject of an official and detailed contract (including specifications).

☐ 208. The written documentation should also provide a clear description of the responsibilities of the two parties as well as the clear communication means accompanied by an obligation for the external service provider to report any significant problem having an impact on the outsourced activities as well as any emergency situation.

5.2 Please provide the name and function of the person in charge of managing the outsourcing relationship and managing access to confidential data, i.e. the person responsible for the compliance of the accesses to the principles of "least privilege" and “need to know” in the frame of the outsourcing:

Reserved for the administration

5.3 Please indicate the controls that are in place to monitor and govern the IT outsourcing (e.g. Steering committees, regular reporting on incidents and problems, key performance indicators, etc.) and the frequency at which they are executed:



[Up to 1000 words] Reserved for the administration

5.4 Please confirm that a contract and/or SLA is signed between both parties and that this contract/SLA addresses the following points/requirements:

☐ description of services provided by your contractor;

☐ description of your and your contractor’s responsibilities;

☐ integration of your needs in your contractor's BCP/DRP and backup arrangements (e.g. the entity shall be able to continue its critical functions in case of exceptional events or crisis);

☐ conditions for revocation/termination of contract and transfer to another service provider or hand over to you (e.g. exit plan);

☐ management of the outsourcing relationship (e.g. regular reporting / meetings between your contractor and you, incident management process, KPI, etc.);

☐ conditions for sub-contracting for your contractor (e.g. your prior authorization);

☐ data confidentiality and security;

☐ possibility for your internal and external auditors and for the CSSF to perform an audit on site.

In case you have not ticked a box above, please provide further explanations why this point is not included in the contract [Up to 500 words]:

Reserved for the administration

5.5 Please confirm that the contractual conditions mentioned above under 5.4 are also applied in case of sub-outsourcing (i.e. they apply to the whole outsourcing “chain”).

☐ Yes

☐ No

Reserved for the administration



If No, please explain which elements are missing and provide a reason for why they are missing [up to 500 words]:

6. ICT risk management framework

6.1 Compliance with Circular CSSF 12/552 or Circular CSSF 17/656, as applicable. Please confirm your compliance with the following paragraphs by ticking the appropriate check-boxes.

☐ 183. The outsourcing institution shall base its decision to outsource on a prior and in-depth analysis demonstrating that it does not result in the relocation of the central administration. This analysis shall include at least a detailed description of the services or activities to be outsourced, the expected results of the outsourcing and an in-depth evaluation of the risks of the outsourcing project as regards financial, operational, legal and reputational risks. The analysis will include a detailed due diligence of the proposed service provider.

☐ 184. Special attention should be paid to the outsourcing of critical activities in respect of which the occurrence of a problem may have a significant impact on the institution’s ability to meet the regulatory requirements or even to continue its activities.

☐ 185. Special attention has been paid to the concentration and dependence risks which may arise when large parts of activities or important functions are outsourced to a single provider during a sustained period.

☐ 186. The institutions shall take into account the risks associated with the outsourcing "chains" (where a service provider outsources part of his/her outsourced activities to other service providers). In this respect, they shall take particular account of the safeguarding of the integrity of the internal and external control. Moreover, the institution shall ensure to provide the competent authority with any elements proving that the sub-outsourcing process is under control.

☐ 187. The outsourcing policy should consider the impact of outsourcing on the institution’s business and the risks it faces and in particular the operational risks resulting from it, such as legal risk, IT risk, reputation risk or concentration risk (at the level of the service provider). It sets out the requirements applicable to the outsourcing, from the preparatory phase through the reporting to expiry or termination, to which the service providers are subject and the control mechanism which the institution implements in this respect from inception to the end of the outsourcing agreement. Outsourcing may, in no circumstances, lead to the circumvention of any regulatory restrictions or prudential measures of the competent authority or challenge the supervision.

Reserved for the administration



☐ 209. The institution shall take the necessary measures to ensure that the internal control functions have access to any documentation relating to the outsourced activities, at any time and without difficulty, and that these functions retain the possibility to exercise their controls.

6.2 Please provide a table summarising (i) the identified main risks (e.g. unauthorised access, loss of control due to sub-outsourcing, data loss), (ii) potential impacts (e.g. reputational negative impacts, loss of client relationship), (iii) mitigating controls in place and (iv) the remaining residual risk (4 Columns in total).

Please provide the table as an annex to the authorisation request [up to 1000 words].

Reserved for the administration

6.3 Please confirm that you will continue to perform a risk analysis on these service providers while the outsourcing is in place and provide the frequency (no less than yearly) of the risk analysis.

☐ Yes

☐ No

If No, please explain why [up to 500 words]:

The frequency of the risk analysis is: [please insert frequency here]

Reserved for the administration

6.4 To the best of your knowledge, are you aware of elements that would impact your ability to control outsourcing chains? If so, please indicate these below:

[up to 500 words] Reserved for the administration

7. Information Security



7.1 Compliance with Circular CSSF 12/552 or Circular CSSF 17/656, as applicable. Please confirm your compliance with the following paragraphs by ticking the appropriate check-boxes.

☐ 182. The institution shall ensure the protection of the data concerned by the outsourcing, in accordance with the General Data Protection Regulation (GDPR) and the requirements of the competent authority in this field, the National Commission for Data Protection (CNPD)

☐ 182. In case of outsourcing, the institution applies the provisions of the article 41, paragraph 2a of the financial sector law regarding professional secrecy.

☐ 182. The confidentiality and integrity of data and systems shall be controlled throughout the outsourcing chain. In particular, access to data and systems shall fulfil the principles of “need to know” and “least privilege”, i.e. access is only granted to persons whose functions so require, for a specific purpose, and their privileges shall be limited to the strict necessary minimum to exercise their functions.

☐ 191. The IT system security policy of the institution should consider the security established by its subcontractor(s) in order to ensure the overall consistency.

☐ 195. Third-party subcontractors which provide consulting, development or maintenance services shall operate by default outside the IT production system. Formal approval of the institution is required for each intervention on the production system. If an exceptional situation requires an intervention on the production system and if the access to confidential data cannot be avoided, the institution shall ensure that the third party in question is supervised throughout its mission by a person of the institution in charge of IT and that the provisions of article 41, paragraph 2a of the financial sector law are respected.

☐ 198. […] Where the IT infrastructure includes confidential data the institution ensures the compliance with the provisions of article 41, paragraph 2a of the financial sector law. Otherwise, the subcontractor cannot intervene on the premises of the institution without being accompanied, throughout its mission, by a person of the institution in charge of IT.

☐ 200. Where the processing centre is in Luxembourg, it may be hosted at a provider other than a credit institution or a support PFS, provided that does not act as system operator. If the service provider has physical and logical access to the institution’s systems, the institution ensures the compliance with the provisions of article 41, paragraph 2a of the financial sector law.

☐ 201. Where the processing centre is abroad, no confidential data which enables the identification of a customer of the institution can be stored therein, unless it is protected. The confidentiality and integrity of data and systems shall be controlled throughout the IT outsourcing chain. In particular, access to data and systems shall fulfil the principles of “need to know” and “least privilege”, i.e. access is only granted to persons whose functions so require, with a specific purpose, and their privileges shall be limited to the strict necessary minimum to exercise their functions. The institution ensures the compliance with the provisions of article 41, paragraph 2a of the financial sector law.

Reserved for the administration

AUTHORISATION REQUEST FOR IT OUTSOURCING OF MATERIAL ACTIVITIES

14/26Unrestricted

☐ 203. In case of IT service provision via telecommunication, the institution shall ensure that sufficient safeguards are taken to prevent non-authorised persons from accessing its system. The institution shall, in particular, make sure that telecommunications are encrypted or protected through other available technical resources likely to ensure the security of communication.

☐ 204. The institution shall ensure that the capture, printing, backup, storage and archiving mechanisms guarantee confidentiality of data.

Please answer all of the below questions in relation to the specific outsourcing project for which you have submitted this file.

7.2 Please provide an overview of who will have access (the service provider, the applicant, other (if applicable), indicating the number of employees, business functions / roles, etc.) to which system and for which reason.

System Name | Entity accessing | No. of employees | Business Functions / Roles | Reason for access | Reserved for the administration
 | ☐ Service Provider | | | |
 | ☐ Applicant | | | |
 | ☐ Other (please specify): | | | |

Note: Add rows as needed. If rows are not applicable, please indicate.

7.3 Please confirm that you are responsible and actively involved in the management of the access rights (for instance validation of access rights requests and periodic access recertification, in accordance with “need to know” and “least privilege” principles, including access rights for subcontractors and admin accesses).

☐ Yes

☐ No

If No, please explain why [up to 500 words]:

Please provide the frequency of the periodic access recertification:

Reserved for the administration

7.3.1 Please provide details on how you control the principles of “need to know” and “least privilege” not only for business users but also for IT users (domain admins, developers, database administrators, etc.), i.e. please describe the process.

[up to 1000 words] Reserved for the administration

7.4 Please confirm that environments such as test environment, qualification environment etc. which are accessible by persons other than the entity, do not contain confidential data.

☐ Yes

☐ No

If No, please explain why [up to 500 words]:

Reserved for the administration


7.5 Please confirm that, as part of this outsourcing project, developers and other non-authorised persons do not have access to the production environment or other environments which may contain confidential data.

☐ Yes

☐ No

If No, please explain why [up to 500 words]:

Reserved for the administration

7.6 With reference to the tables listed in section 4.1, in case the IT systems are shared with other entities, please provide a detailed description of:

how the data related to the entity (and its customers) is isolated from other entities;

how it is ensured that data can only be accessed by the users authorised to access this data;

how the entity is able to retrieve its data without, e.g., extracting other entities’ data at the same time.

Please also confirm that the risks related to unauthorised access to the entity’s data have been adequately covered in the risk assessment of the entity.

[up to 1000 words] Reserved for the administration

7.7 Please indicate the mechanisms you have in place to guarantee the security and the authentication of the communication links between you and the third party provider in order to guarantee data confidentiality, reduce the risk of data corruption and unauthorized access, and to avoid data loss.

1) Are the communication lines redundant?

☐ Yes

☐ No

Additional explanation: [up to 500 words]

2) Please provide details on the network communication protocols (e.g. IPsec, SSL), including the symmetric (e.g. AES) and asymmetric (e.g. RSA) encryption algorithms, and the size of the corresponding keys: [up to 500 words]

3) Please provide details on the controls in place to ensure that the implementation of the encryption technologies is not exposed to known vulnerabilities (e.g. SSL vulnerabilities like Heartbleed, POODLE, etc.): [up to 500 words]

Reserved for the administration

7.8 Please describe if and how the outsourcing project impacts the cybersecurity risk profile of the institution (e.g. increased exposure, improved control environment, other). Please provide details on the key mitigation measures taken in case the risk has increased.

[up to 1000 words] Reserved for the administration

7.9 Who will be able to remotely access the infrastructure? Should the remote accesses not be impacted by the current project and have been described and approved previously, please indicate the respective previous filing and its date of submission.

Entity / User group accessing remotely | System Name | Access profile (12) | Types of access by profile (13) | Restricted remote accesses (14) | Reserved for the administration
☐ Service Provider | | | | ☐ Yes (How are accesses different when accessing remotely:) / ☐ No |
☐ Applicant | | | | ☐ Yes (How are accesses different when accessing remotely:) / ☐ No |
☐ Other (e.g. clients), please specify: | | | | ☐ Yes (How are accesses different when accessing remotely:) / ☐ No |

Note: Add rows as needed. If rows are not applicable, please indicate.

12 E.g. business user, technical user, etc.
13 E.g. read or write access for function x.
14 Please explain whether accesses are identical when accessing remotely as when accessing from office premises.

7.10 Please describe the controls in place for users when accessing remotely. Should the remote accesses not be impacted by the current project and have been described and approved previously, please indicate the respective previous filing and its date of submission.

1) Which devices are allowed for remote access?

☐ Corporate owned devices

☐ Employee owned devices (BYOD – Bring Your Own Device)

☐ Both

Additional explanation: [up to 500 words]

2) Details on the technical means used to provide remote access (e.g. VPN, Citrix, etc.): [up to 500 words]

Reserved for the administration

3) Details on the strong authentication methods used (e.g. tokens): [up to 500 words]

4) Details on the security controls in place to prevent data leakage (e.g. hard disk encryption, blocking of USB ports, blocking of copy/paste and printing, etc.): [up to 500 words]

5) Have you implemented additional preventive controls, for example based on behavioural elements, such as IP or geo-location restrictions, restriction of authorised connection times to working hours, etc.? [up to 500 words]

Note: If these controls differ depending on the user group/profile, please provide additional information.

7.11 Please specify if data at rest is encrypted. Should data at rest be encrypted, please describe the encryption process providing, when known, the encryption protocol, the encryption algorithm and the key lengths. Please specify the location of the keys and of any potential copies (backups) as well as a list of persons (including the entity they work for and their function) having access to the encryption keys. Please also describe where the encryption/decryption process takes place (e.g. server side or client side).

If data at rest is not encrypted, please provide a risk-based justification for your decision.

[up to 500 words] Reserved for the administration

7.12 Please describe the main physical security measures and controls (access controls and environmental security measures) in place at the IT room/data center of the service provider both at the primary and secondary sites. Should the set-up not be impacted by the current project and have been described and approved previously, please indicate the respective previous filing and its date of submission:

[up to 1000 words] Reserved for the administration

8. ICT project and change management

8.1 Compliance with Circular CSSF 12/552 or Circular CSSF 17/656, as applicable. Please confirm your compliance with the following paragraphs by ticking the appropriate check-boxes.

☐ 196. Any change in the application functionality by a third party – other than the changes relating to corrective maintenance – shall be submitted for approval to the institution prior to its implementation.

☐ 198. […] Express approval of the institution is required for each intervention on the IT infrastructure, except interventions carried out by a support PFS as part of its mandate as system operator.

☐ 202. In order to enable the institution to assess the reliability and comprehensiveness of the data produced by the IT system as well as their compatibility with the accounting and internal control requirements, there should be one person among its employees with the required IT knowledge to understand both the impact of the programmes on the accounting system and the actions taken by the third party within the context of the provided services.

☐ 202. […] The institution shall also have, in its premises, sufficient documentation on the programmes used.

Reserved for the administration

Please answer all of the below questions in relation to the specific outsourcing project for which you have submitted this file.

8.2 Please provide the name and function of the person with the required IT knowledge to understand both the impact of the programmes on the accounting system and the actions taken by the third party in the context of the provided services, if the described outsourcing has an impact on the accounting system.

Reserved for the administration


8.3 Please confirm that you are responsible and actively involved in the change management process of IT systems (i.e. changes to the outsourced IT environment impacting the data of the entity should be approved by the entity).

☐ Yes

☐ No

If No, please explain why [up to 500 words]:

Reserved for the administration

9. Business continuity management

9.1 Compliance with Circular CSSF 12/552 or Circular CSSF 17/656, as applicable. Please confirm your compliance with the following paragraphs by ticking the appropriate check-boxes.

☐ 188. Special attention should be paid to the continuity aspects and the revocable nature of outsourcing. The institution shall be able to continue its critical functions in case of exceptional events or crisis. In this respect, the outsourcing agreements include a sufficiently long termination period to allow the institution to take the necessary measures to ensure the continuity of the outsourced services and shall not include termination clauses or service termination clauses because of resolution actions or reorganisation measures or a winding-up procedure applied to the institution, as provided for in the Law of 18 December 2015 on the failure of credit institutions and certain investment firms (12/552) / or, where applicable, bankruptcy, controlled management, suspension of payments, compositions and arrangements with creditors aimed at preventing bankruptcy or other similar proceedings (17/656)15. The institution shall also take the necessary measures to be in a position to adequately transfer the outsourced activities to a different provider or to perform those activities itself whenever the continuity or quality of the service provision are likely to be affected.

☐ 197. The institution shall ensure that there are, if needed, no legal obstacles to obtain access to operating systems which have been developed by this third-party subcontractor. This can be achieved, for example, when the institution is the legal owner of the programmes. The institution shall ensure that it is possible to continue operating the applications which are critical for the activity in case the subcontractor defaults, for a period compatible with a transfer of this outsourcing to another subcontractor or a taking over of the applications concerned by the institution itself.

Reserved for the administration

15 This provision differs from the equivalent provision of point 188 of Circular CSSF 12/552 as it has been adapted to the types of entities concerned.

☐ 203. In case of IT service provision via telecommunication, the institution shall ensure that the IT link enables the Luxembourg institution to have quick and unrestricted access to the information stored in the processing unit (i.e. through an adapted access path and debit and through data recovery).

☐ 205. Outsourcing shall not result in the transfer of the financial and accounting function to a third party. The institution shall have, at the closing of each day, the balance of all accounts and of all accounting movements of the day. The system shall allow keeping regular accounts in accordance with the rules applicable in Luxembourg and thus respecting the form and content rules imposed by the Luxembourg accounting laws and regulations.

Please answer all of the below questions in relation to the specific outsourcing project for which you have submitted this file.

9.2 In case the outsourced systems (such as the accounting system, TA register, etc.) are located abroad, please describe how the risk of not being able to access this data, and thereby of not being able to continue activities and/or meet regulatory requirements, is covered.

[up to 500 words] Reserved for the administration

9.3 If applicable, please specify whether a copy of the basic accounting documents (e.g. the general ledger and client transaction journals, etc.) is available in Luxembourg and provide the copy / storage frequency and further details on the format (e.g. paper, office software such as MS Excel, other electronic format requiring proprietary software, etc.).

☐ Yes

☐ No

☐ Not applicable

Copy/Storage Frequency: [please provide details]

Format: [please provide details]

Reserved for the administration

9.4 How is the availability of the outsourced services (i.e. data and systems) ensured? Should this not be impacted by the current project and have been described and approved previously, please indicate the respective previous filing and its date of submission.

1) Location:

☐ In the same data centre

☐ Across several data centres, but in the same region (less than 50km distance)

☐ Across several data centres, located in distant regions (more than 50km distance)

☐ Other: [please provide details]

2) Technology:

☐ Cold Standby (Active/Passive)

☐ Warm Standby (Active/Active but requiring latest data backup)

☐ Hot Standby (Active/Active and fully replicated, immediate failover)

☐ Clustered (with load balancing)

☐ Other: [please provide details]

Explanations [up to 500 words]:

Reserved for the administration

9.5 Please describe the backup process providing the following details. Should the backup process not be impacted by the current project and have been described and approved previously, please indicate the respective previous filing and its date of submission.

9.5.1 Who is in charge of the back-up process?

☐ The applicant

☐ The service provider

☐ Other: [please provide details]

Reserved for the administration

9.5.2 Where is the backup media stored? Is it encrypted and what type of back-up is in place?

1) Location:

☐ Located in the same data centre as the production data

☐ Located in the secondary data centre

☐ Other: [please provide details]

2) Is the back-up encrypted?

☐ Yes

☐ No

3) Please provide details on the back-up type, i.e. full, incremental, differential, etc.: [up to 500 words]

Reserved for the administration

9.5.3 Please confirm that a backup restoration test procedure is implemented and confirm the test frequency.

☐ Yes

☐ No

What is the backup restoration test frequency?

Reserved for the administration

9.6 Please confirm that your DRP and your contractor’s DRP will be updated, at the latest at go-live of the project, taking into account the specificities of the described outsourcing project.

☐ Yes

☐ No

If No, explain:

Reserved for the administration


What is the DRP test frequency of your contractor?

Briefly describe your involvement in your contractor’s DRP test process [up to 500 words]:
