Companies certainly have to evolve, if only to follow new trends and respond to new market demands. However, it is the duty of the Compliance Office to keep control over the business, whatever decisions are taken. It goes without saying that no manager would willingly risk the security of their company, and the same reasoning must therefore also be applied to IT in general.
To do this, various tools are made available to Compliance Officers. First, they can rely on the recommendations issued by the European Banking Authority (EBA). In addition, the CSSF draws up circulars to guide PSF and to form the regulatory basis with which they must comply. Among these circulars, some relate to the outsourcing of IT services, others to cloud computing infrastructures, and a further series to IT solutions located directly on the client's site.
One of the first steps, not to be neglected, is to understand the need in order to address it in the best possible way. It is also essential to find out about products and competitors, and to ask questions about the company's IT infrastructure: what model is in place? what types of assets are handled? how many positions are there? what is in place in the event of a disaster? is support available? is security an integral part of the strategy? Finally, to complete this reflection process, the limitations and constraints (legal, compliance, security, time, budget, and so on) must be taken into account, and potential weaknesses detected.
Next comes the evaluation of the selected solution. Due diligence should be carried out, and different risk and threat scenarios considered, along with any vulnerabilities the company may have. In this way, the real and residual risks can be studied for each scenario considered.
Once the solution has been approved, the risks associated with its use must be reduced. Several points can be addressed: in the case of outsourcing, a contract must be drawn up and signed, and its conditions then checked. It may also be useful to write a protocol for internal training courses so that they can be supervised as effectively as possible. Finally, internal user policies and IT security policies should be formulated.
The task of Compliance Officers is not yet finished. If it has been decided to use a cloud solution (outsourced or not) for material activities and for handling confidential data, they are obliged to request prior authorisation from the CSSF. In this case, various documents must be provided, such as a summary of the risks, the design of the solution, and the security and training protocols. If, on the other hand, the chosen solution does not meet these conditions, a simple notification to the CSSF is sufficient.