Governance
• The circular instantiates existing requirements on outsourcing in the context of cloud computing (e.g., compliance with the ISCR’s formal outsourcing policy, clear documentation of respective roles and responsibilities, etc.), but also introduces a cloud officer (as seen above)

Customer consent and notification
• The circular refers to legal requirements and thus paves the way for the changes foreseen concerning the obligation of professional secrecy (i.e., Bill of Law 7024)
• The ISCR determines whether it is necessary to inform its customers and to obtain their consent
• The ISCR complies with data protection regulations
• Encryption with localization of the encryption keys in Luxembourg is no longer mandatory

Prior authorization from or notification to the CSSF
• Entities in scope of the circular shall engage with the CSSF where they plan to have recourse to the cloud. The nature of the communication depends on the materiality of the activities outsourced to the cloud:
  o Cloud solutions supporting material activities require prior authorization
  o Other cloud solutions require notification
• The termination of a cloud computing outsourcing must be notified to the CSSF
• Support PSFs authorized as IT systems and communication networks operators shall obtain the prior authorization of the CSSF to offer cloud services

Outsourcing risk management
• The resource operator and its Cloud Officer must ensure that the staff in charge of operating cloud resources, the internal audit function, and the staff in charge of information security have been duly trained, via training specific to the operation and security of the cloud solution’s resources (more than one cloud solution may be in use)
• The circular instantiates existing requirements on outsourcing in the context of cloud computing (e.g., a prior and in-depth risk analysis), but also draws attention to specific risks, such as geopolitical risks where the cloud service provider hosts its systems abroad
• The ISCR shall formally document its compliance with the requirements set forth in the circular (the CSSF may request this documentation at any time)

Business continuity
• The circular instantiates existing requirements on outsourcing in the context of cloud computing (e.g., continuity aspects and the revocable nature of outsourcing), but also draws attention to specific risks, such as data portability

Systems security
• The confidentiality and integrity of data and systems must be controlled throughout the IT outsourcing chain (i.e., at the ISCR, the resources operator, and the cloud service provider)
• The circular explicitly requires access to data and systems to comply with the “need to know” and “least privilege” principles

Contractual terms
• The contract signed with the cloud service provider shall normally be governed by the law of an EU member state and shall normally provide for resilience of cloud services in the EU
• In the event of contract termination, the CSP undertakes to permanently delete the data and systems within a reasonable time frame
• The CSSF must have an unconditional right to audit the cloud service provider in the context of the services used by the ISCR and resources operator under its supervision

Outsourcing oversight
• The cloud service provider regularly provides relevant indicators (i.e., KPIs) to the signatory (and by extension to the ISCR)
• Proper isolation of the ISCR’s systems and data must be regularly controlled by the cloud service provider

Right to audit
• The signatory may obtain sufficient assurance of the cloud service provider’s compliance with its contractual obligations and of suitable risk management practices through an in-depth review of the cloud service provider’s audit reports or certifications
• The signatory shall have the contractual right to request reasonable adaptations to the scope of these audit reports or certifications to fulfil its essential needs, and should retain the contractual right to perform direct audits