SUCCESS STORY
New recertification solution from FI-TS to meet governance and MaRisk compliance requirements
With the support of the TIMETOACT GROUP, the IT service provider has succeeded in raising the quality of recertification of authorizations to a new level.
As the central IT service provider for the Sparkassen-Finanzgruppe, Finanz Informatik offers a full range of IT services – from application development, infrastructure and data center operation to consulting, training and support. It is supported by its subsidiary Finanz Informatik Technologie Service (FI-TS), the largest IT service provider for Landesbanken. Its 1,000 employees work daily in the IT systems of the financial institutions, of Finanz Informatik and of FI-TS itself – a highly sensitive area in which it must be clearly regulated who holds which rights to administer the respective software.

The financial institutions supported by FI-TS are subject to the relevant regulatory requirements, in particular the Minimum Requirements for Risk Management (MaRisk) of BaFin (BA), and compliance with them is regularly checked by the authorities. The financial institutions are obliged to pass these regulations on to their subcontractors, so FI-TS must provide all services, including access to software, in compliance with regulatory requirements. Special identity access governance (IAG) software has been used for internal authorization management for several years.

“However, access authorizations are not set in stone,” says Christian Rothlauf. “They need to be reviewed regularly as governance requirements become stricter.” For this reason, recertification takes place. It ensures that each user of the IT systems has, at any given time, exactly the authorizations required to perform their tasks, applying the need-to-know principle. Managers check, for each employee assigned to them, which authorizations can be retained and which should be withdrawn. Roles in which several rights are bundled are also recertified, so it is checked at all times whether each role contains the correct rights.
Recertification via Excel confusing and error-prone
FI-TS carries out such recertifications every six months. It uses the Nexis Controle software for this, implemented by its project partner, the IAG (Identity & Access Governance) business unit of TIMETOACT Software & Consulting GmbH. It replaced the previous Excel-based working method and was tailored to today’s technical requirements. Previously, it was not necessarily ensured that managers or those responsible for rights actually saw all rights when confirming them. However, governance guidelines require technical proof that the manager has also viewed the last Excel spreadsheet and scrolled all the way to the bottom of the table. Another disadvantage of Excel-based working is that not all user types are fully recertified. A distinction is made between personal and technical users as well as different classes. MaRisk requires completeness here: all authorizations must be checked.
Comprehensive recertification: exclusive and twin roles as well as users without an account
With its new recertification software, FI-TS can meet the requirements described above. Among other things, it also enables the recertification of exclusive roles, as is the case with FI-TS’s IAG system.
Such roles are used to control attributes for employees. Users who do not have any accounts can also be recertified. FI-TS uses the so-called HPU procedure (highly privileged user) for the temporary activation of rights. A specific authorization role is requested as normal, but no rights are initially associated with it. These rights can then be activated via a separate workflow and the user receives a so-called twin role. The new recertification solution is also able to map this special rights constellation. Architecturally designed as a web application, it works with a universally applicable data model. This maps the entities of a normal IAG system.
Nexis Controle links third-party systems with the IAG software
The data from the IAG solution (Garancy IAM from Beta Systems Software AG), which contains all roles and users, responsible persons and organizational structures, can thus be transferred easily to the recertification solution. It is exported nightly and can be adapted, aggregated or filtered again at the interface. In this way, the construct with twin roles and HPU rights is elegantly mapped. FI-TS systems that do not communicate with the IAG software also supply data on all of their accounts and authorizations to the certification solution, which links them with the IAG data and thus finds the responsible manager. TIMETOACT created the integrative connection between the individual systems for FI-TS. The first recertification already showed how the MaRisk requirement of completeness is met at FI-TS: in the new system, the manager only ever sees a specific section, makes a decision for the objects displayed there and then has to click on to the next one. This ensures that a decision is actively made for every employee and for each of their rights and roles. Thanks to the flexibility of the manufacturer of Nexis Controle, the TIMETOACT team was able to implement the customer’s current requirements very quickly and make new features ready for use in the standard system within a few weeks.
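To make the completeness mechanism described above concrete, the following added illustration (not code from Nexis Controle, Garancy IAM, TIMETOACT or FI-TS) models a recertification campaign in Python. The data model, the field names, the page size and all sample records are constructed assumptions; they only follow the concepts the case study names: users and roles taken from a nightly IAG export, HPU twin roles that carry the actually activated rights, a user without any account who still has to be confirmed, accounts from a system outside the IAG that are linked to a user so that the responsible manager can be found, and a paged review in which every item on a page needs an explicit keep/revoke decision before the page can be submitted and the campaign can be closed.

```python
"""Toy model of an authorization recertification campaign (added illustration).

Every name and record here is a constructed assumption, not an artefact of
any real product. The point is the control logic: a campaign cannot be closed
while any review item lacks a decision, and a page cannot be submitted with
gaps, so "scrolling past" an entitlement is structurally impossible.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    KEEP = "keep"
    REVOKE = "revoke"


@dataclass(frozen=True)
class ReviewItem:
    subject: str      # user id or role name being reviewed
    entitlement: str  # role, twin role, account or marker being certified
    reviewer: str     # responsible manager or role owner (from IAG data)
    source: str       # "iag" or the name of the third-party system


# --- constructed sample data, standing in for the nightly IAG export ----------
IAG_USERS = {
    "u100": {"manager": "m1", "roles": ["DB-Admin"], "hpu_roles": ["DB-Admin"]},
    "u101": {"manager": "m1", "roles": ["Reader"], "hpu_roles": []},
    "u102": {"manager": "m2", "roles": [], "hpu_roles": []},  # user without an account
}
ROLE_OWNERS = {"DB-Admin": "owner1", "Reader": "owner2"}
# HPU: the requested base role carries no rights; the twin role is the activated one.
HPU_TWINS = {"DB-Admin": "DB-Admin#active"}
# Accounts reported by a system that does not talk to the IAG, keyed by system name.
EXTERNAL_ACCOUNTS = {"monitoring": [("u101", "mon-ro"), ("u100", "mon-admin")]}


def build_campaign(users, role_owners, hpu_twins, external_accounts):
    """Flatten all entities into review items.

    Completeness: every user (even one without entitlements), every HPU twin
    role, every role definition and every external account produces an item,
    and every item has a reviewer resolved from the IAG data.
    """
    items = []
    for uid, u in users.items():
        if not u["roles"]:
            # The user exists but holds nothing: the manager still confirms that.
            items.append(ReviewItem(uid, "<no entitlements>", u["manager"], "iag"))
        for role in u["roles"]:
            items.append(ReviewItem(uid, role, u["manager"], "iag"))
            if role in u["hpu_roles"]:
                items.append(ReviewItem(uid, hpu_twins[role], u["manager"], "iag"))
    # Role definitions: the owner certifies that the bundle still contains the right rights.
    for role, owner in role_owners.items():
        items.append(ReviewItem(role, "<role definition>", owner, "iag"))
    # External systems: link the account to an IAG user to find the responsible manager.
    for system, accounts in external_accounts.items():
        for uid, account in accounts:
            if uid not in users:
                raise ValueError(f"{system}: account {account} has no IAG user")
            items.append(ReviewItem(uid, account, users[uid]["manager"], system))
    return items


class Campaign:
    PAGE_SIZE = 3  # assumed section size; the reviewer only ever sees one page

    def __init__(self, items):
        self.items = items
        self.decisions = {}  # ReviewItem -> Decision

    def pages_for(self, reviewer):
        mine = [i for i in self.items if i.reviewer == reviewer]
        return [mine[k:k + self.PAGE_SIZE] for k in range(0, len(mine), self.PAGE_SIZE)]

    def decide(self, reviewer, page, decisions):
        """Submit one page: only the responsible reviewer, and no item left undecided."""
        if any(i.reviewer != reviewer for i in page):
            raise PermissionError(f"{reviewer} is not responsible for every item on this page")
        missing = [i for i in page if i not in decisions]
        if missing:
            raise ValueError(f"{len(missing)} item(s) on this page have no decision")
        for item in page:
            self.decisions[item] = decisions[item]

    def outstanding(self):
        return [i for i in self.items if i not in self.decisions]

    def close(self):
        """Closing is refused until every item has a decision; returns the revocations."""
        if self.outstanding():
            raise RuntimeError(f"{len(self.outstanding())} item(s) still undecided")
        return [i for i, d in self.decisions.items() if d is Decision.REVOKE]


if __name__ == "__main__":
    campaign = Campaign(build_campaign(IAG_USERS, ROLE_OWNERS, HPU_TWINS, EXTERNAL_ACCOUNTS))
    for reviewer in ("m1", "m2", "owner1", "owner2"):
        for page in campaign.pages_for(reviewer):
            campaign.decide(reviewer, page, {i: Decision.KEEP for i in page})
    print("revocations:", campaign.close())
```

The two refusals are the whole point of the model: `decide` rejects a page with an undecided item, so a reviewer cannot submit a half-read section, and `close` rejects a campaign with any outstanding item, which is the technical proof of completeness that the Excel-based process could not give.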
The software requires virtually no programming, but can be configured in the user interface and settings can be clicked together. This allows granular control of what is to be recertified and displayed.
- Christian Höfs, Project manager
Further step by FI-TS to meet BaFin requirements in authorization management
- With the implementation of Nexis Controle for recertification by the TIMETOACT GROUP’s IAG team, FI-TS is working in compliance with industry regulations in terms of authorization management
- The principle of completeness is fulfilled by a two-tier role model with specialist and component roles
- Constant updates of the recertification through permanent comparison with the IAG software instead of working on a cut-off date basis
- A better overview when checking user rights and roles increases the overall recertification quality
- Potential for further use of recertification software for role modeling
About TIMETOACT GROUP
The TIMETOACT GROUP comprises eight companies with over 550 employees at 13 locations in Germany, Austria and Switzerland. The companies of the TIMETOACT GROUP – ARS, CLOUDPILOTS, edcom, GIS, novaCapta, synaigy, TIMETOACT, X-INTEGRATE – provide services in the areas of Digital Workplace, Business Process Integration & Automation, Mathematical Optimization, Data Warehouse & Governance, Business Intelligence and Predictive Analytics, Identity & Access Governance as well as Commerce and Customer Experience.