The draft of the Supervisory Requirements for IT in Financial Institutions (BAIT), published for consultation by the German Federal Financial Supervisory Authority (BaFin) in February 2017, aims to specify the requirements of the MaRisk and of §25a of the Banking Act. The specifications cover topics such as IT strategy, IT governance, information risk management and information security management, as well as authorisation management.
Particularly with regard to authorisation management, the previously rather "soft" requirements of the corresponding chapters of the MaRisk (AT 4.3.1 structure and process organisation, as well as AT 7.2 technical and organisational equipment) are defined more precisely and will leave less room for interpretation in future.
IT authorisation concepts
These form the basis for the future assignment of entitlements and describe the conditions under which IT authorisations may be used, aligned with the protection requirements of the IT system.
Assignment of accounts to acting persons
Non-personalised IT entitlements and accounts must in future be unambiguously assigned to an acting person.
Approval and control processes
Processes involving the responsible department ensure that the setup, modification, deactivation and deletion of IT authorisations comply with the IT authorisation concepts.
Re-certification
Regular review of the assigned IT authorisations with regard to their necessity, and, where they are no longer needed, their revocation.
Traceability and documentation
According to the requirements of the BAIT, all processes of setting up, modifying, deactivating and deleting authorisations in IT systems must be documented in a comprehensible and evaluable manner.
The role of IAM
Identity & Access Management meets BAIT requirements regarding:
- Automatic assignment of technical accounts to natural persons
- Traceable authorisation and control processes of authorisations
- Uniform, company-wide business role model
- Regular re-certification of authorisations
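As an added illustration (not code from the article or from any IAM product), the following Python script runs the three checks listed above over a constructed account inventory and change log: technical accounts without an acting person, accounts whose re-certification is overdue, and authorisation changes that lack traceable approval. The 365-day cycle and the four-eyes rule (requester must differ from approver) are assumptions of the example, not figures from the BAIT.

```python
from datetime import date, timedelta

# Constructed sample data (not from the page): an IAM account inventory and
# the change log that BAIT expects to be documented in an evaluable form.
REVIEW_DATE = date(2017, 3, 1)
ACCOUNTS = [
    {"id": "u.mueller",   "kind": "personal",  "owner": "u.mueller", "recertified": date(2017, 1, 15)},
    {"id": "svc_batch01", "kind": "technical", "owner": "k.schmidt", "recertified": date(2016, 2, 1)},
    {"id": "svc_report",  "kind": "technical", "owner": None,        "recertified": date(2017, 2, 1)},
]
CHANGES = [
    {"ts": "2017-02-01T09:12", "account": "u.mueller", "action": "grant",
     "role": "payments.clerk", "requested_by": "u.mueller", "approved_by": "dept.payments"},
    {"ts": "2017-02-20T16:40", "account": "svc_batch01", "action": "modify",
     "role": "db.admin", "requested_by": "k.schmidt", "approved_by": None},
    {"ts": "2017-02-25T11:05", "account": "u.mueller", "action": "grant",
     "role": "payments.approver", "requested_by": "u.mueller", "approved_by": "u.mueller"},
]

def unassigned_technical_accounts(accounts):
    """Non-personalised accounts with no acting person assigned."""
    return sorted(a["id"] for a in accounts if a["kind"] != "personal" and not a["owner"])

def recertification_overdue(accounts, today, cycle_days=365):
    """Accounts whose last review is older than the re-certification cycle
    (the 365-day cycle is an assumption of this example, not a BAIT figure)."""
    cutoff = today - timedelta(days=cycle_days)
    return sorted(a["id"] for a in accounts if a["recertified"] < cutoff)

def unapproved_changes(changes):
    """Change records without approval by the responsible department, or where
    requester and approver coincide (four-eyes rule, assumed for this example)."""
    return [c for c in changes
            if not c["approved_by"] or c["approved_by"] == c["requested_by"]]

def bait_findings(accounts, changes, today):
    """Collect all findings for the re-certification report."""
    return {
        "unassigned_technical": unassigned_technical_accounts(accounts),
        "recertification_overdue": recertification_overdue(accounts, today),
        "unapproved_changes": [(c["ts"], c["account"], c["action"], c["role"])
                               for c in unapproved_changes(changes)],
    }

if __name__ == "__main__":
    for finding, items in bait_findings(ACCOUNTS, CHANGES, REVIEW_DATE).items():
        print(f"{finding}: {items}")
```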
Ask us for more information and support in the implementation.