Bank supervisory requirements for IT (BAIT) | By Regulations | Your needs | IPG - Experts in IAM (Identity and Access Management)

Bank supervisory requirements for IT (BAIT) BaFin is tightening the requirements for authorisation management

The draft of the Banking Supervisory Requirement for IT (BAIT) of the German Federal Financial Supervisory Authority (BaFin) in the February 2017 consultation aims to specify the requirements of the MaRisk and the Banking Act §25a. The practical examples refer to topics such as IT strategy, IT governance, information risk management and information security management, as well as authorisation management.

Particularly in regards to the specifications for authorisation management, the so far rather "soft" requirements and requirements of the corresponding chapters from the MaRisk (AT 4.3.1 structure and process organisation, as well as AT 7.2 technical-organisational equipment) are defined more precisely and allow less scope for the future.

IT authorisation concepts

Form the basis for the assignment of entitlements in the future and describe the conditions of use of the IT authorisations aligned with the protection requirements of the IT system.

Assignment of accounts to persons to be traded

Non-personalised IT entitlements and accounts must be assigned to an acting person without doubt in the future.

Approval and control processes

Processes involving the responsible department ensure that the establishment, modification, deactivation and deletion of IT authorisations are complied with in accordance with the IT authorisation concepts.

Re-certification

Regular review of the assigned IT authorisations with regard to their necessity, as well as the possibly associated revocation.

Traceability and documentation

According to the requirements of the BAIT, all processes of setting up, modifying, deactivating and deleting authorisations in IT systems must be documented in a comprehensible and evaluable manner.

The roll of IAM

Identity & Access Management meets BAIT requirements regarding:

Automatic assignment of technical accounts to natural persons
Traceable authorisation and control processes of authorisations
Uniform, company-wide business role model
Regular re-certification of authorisations

Ask us for more information and support in the implementation.

Use

Assignment of technical accounts to persons to be traded
Implement approval and control processes efficiently
Implementation of a company-wide business role model
Regular re-certifications of authorisations

Our Services

Advisory

Our advisory develops processes and workflows with the customer in the form of workshops, taking into account the regulatory requirements and incorporation of existing processes.

Integration

We offer support with the development and integration of IAM solutions, and lay the foundations for successful IAM operation in line with individual operating manuals.

Operations

Operations helps with day-to-day operations, monitoring and further training.

Education

Education raises awareness of BAIT requirements.