In the digitalized business world, robust management of identities and access rights is essential, especially in the finance and insurance sector. Customers expect all services to be available online with the highest level of usability and comprehensive security. In addition, the handling of identities is subject to strict regulatory requirements.
The role of BaFin Circulars 10/2017 and 10/2018
Circulars 10/2017 and 10/2018 from the German Federal Financial Supervisory Authority (BaFin) define the “Banking and Insurance Supervisory Requirements for IT” (BAIT/VAIT). They set important guidelines for the management of identities, access rights and entitlements in the industry. Important sections are:
- BAIT/VAIT 6.2 – Authorization concepts
- BAIT/VAIT 6.2 – Segregation of duties
- BAIT/VAIT 6.3 – Acting persons
- BAIT/VAIT 6.7 – Logging
These sections are frequently examined in audits, and many organizations have difficulty implementing them. The pandemic has intensified the situation, as many existing measures do not meet today's strict standards. In this blog post, we focus on BAIT/VAIT 6.2 – Authorization concepts.
Advantages of digital authorization concepts
With digital authorization concepts, companies can significantly reduce manual effort and ensure compliance with legal requirements. Traditional tools such as Excel, OneNote or Jira offer no automation, which can result in errors and outdated data. Digital concepts offer numerous advantages:
- Increased efficiency: Automation of manual processes.
- Improved compliance: Transparent documentation and audit-proof versioning.
- Increased security: Reduction of errors and standardization of processes.
- Flexibility and scalability: Adaptability to new requirements and company growth.
- Transparent documentation: Centralized and clear storage of all information.
- User-friendliness: Intuitive user interfaces and self-service functions.
The authorization concept management module in NEXIS 4 includes a best-practice data structure and covers the content required by the BAIT/VAIT regulations. Information is automatically synchronized with the application systems, particularly through self-service forms that supplement existing data in the identity management system (IDM). NEXIS 4 can draw not only on the identity governance and administration (IGA) system as a source, but also on other authoritative source systems connected via standard interfaces. To ensure that the authorization concept stays up to date, the NEXIS 4 authorization concept management module carries out regular target/actual comparisons against the applications, i.e. the documented rights are compared with the rights actually granted. All changes are versioned in an audit-proof manner, and a classic PDF document can be generated at any time if required – even retrospectively for previous key dates. In addition, the NEXIS 4 authorization concept management module offers the option of importing existing documents, which makes the transition to this system much easier.
Regular review and updating
According to BAIT/VAIT 6.2, authorization concepts must be regularly reviewed and updated. Our module provides support through automatic recertification, which takes place in several phases:
- Checking privileges: Changes to rights and inactive profiles.
- Archiving: Create new versions, archive old versions.
- Recertification: Implementation as required, regulated by work instructions.
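The target/actual comparison mentioned above and the "checking privileges" phase of recertification both come down to the same check: compare the rights an authorization concept documents with the rights an application actually grants, and flag the differences. The following script is an added illustration of that check and is not NEXIS 4 code; the role model, the identity ids, the entitlement names, the segregation-of-duties rule and the entitlement extract are all constructed sample data.

```python
"""Target/actual comparison of a documented authorization concept against the
rights actually granted in an application.

Added illustration, not NEXIS 4 code. All role names, identities and
entitlements below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

# Target state (constructed): the authorization concept defines roles and the
# application entitlements each role may hold.
TARGET_ROLES = {
    "loan_officer": {"loan:read", "loan:create"},
    "loan_approver": {"loan:read", "loan:approve"},
    "auditor": {"loan:read", "audit:read"},
}

# Target state (constructed): which roles each identity is documented to hold.
TARGET_ASSIGNMENTS = {
    "u1001": {"loan_officer"},
    "u1002": {"loan_approver"},
    "u1003": {"auditor"},
}

# Actual state (constructed): entitlement extract pulled from the application.
ACTUAL_ENTITLEMENTS = {
    "u1001": {"loan:read", "loan:create", "loan:approve"},  # holds an extra right
    "u1002": {"loan:read"},                                  # lacks a documented right
    "u1003": {"loan:read", "audit:read"},                    # matches the concept
    "u1004": {"loan:read"},                                  # not in the concept at all
}

# Identities the IDM reports as inactive (constructed).
INACTIVE_IDENTITIES = {"u1004"}

# Segregation-of-duties rule (constructed): no identity may both create and
# approve loans.
SOD_CONFLICTS = [("loan:create", "loan:approve")]


@dataclass(frozen=True)
class Finding:
    identity: str
    kind: str    # excess | missing | undocumented | inactive_with_rights | sod_conflict
    detail: str


def expected_entitlements(target_roles, roles):
    """Resolve a set of role names to the entitlements the concept grants them."""
    ents = set()
    for role in roles:
        ents |= target_roles.get(role, set())
    return ents


def compare(target_roles, target_assignments, actual, inactive, sod_rules):
    """Return every deviation between the concept (target) and the extract (actual)."""
    findings = []
    for identity in sorted(set(target_assignments) | set(actual)):
        held = actual.get(identity, set())
        documented = identity in target_assignments
        expected = expected_entitlements(target_roles, target_assignments.get(identity, set()))
        # Rights granted to an identity the concept does not know at all.
        if not documented and held:
            findings.append(Finding(identity, "undocumented", ", ".join(sorted(held))))
        # Inactive identities must not keep any rights.
        if identity in inactive and held:
            findings.append(Finding(identity, "inactive_with_rights", ", ".join(sorted(held))))
        # Rights beyond what the documented roles allow.
        if documented:
            for ent in sorted(held - expected):
                findings.append(Finding(identity, "excess", ent))
        # Rights the concept grants but the application does not reflect.
        for ent in sorted(expected - held):
            findings.append(Finding(identity, "missing", ent))
        # Segregation-of-duties violations in the actual state.
        for a, b in sod_rules:
            if a in held and b in held:
                findings.append(Finding(identity, "sod_conflict", f"{a} + {b}"))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'excess': 1, 'missing': 1, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    result = compare(TARGET_ROLES, TARGET_ASSIGNMENTS, ACTUAL_ENTITLEMENTS,
                     INACTIVE_IDENTITIES, SOD_CONFLICTS)
    for f in result:
        print(f"{f.identity:6} {f.kind:22} {f.detail}")
    print(summarize(result))
```

Each finding corresponds to a recertification decision: an "excess" or "sod_conflict" entry is either revoked in the application or, if justified, added to the concept as a new version; "missing" entries point to provisioning gaps; "undocumented" and "inactive_with_rights" entries are the cases that auditors look for first.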
Conclusion
The pandemic has shown how important robust authorization concepts are. With modern IAM/IGA solutions, organizations can work more efficiently, maximize the security of sensitive data and meet legal requirements. Our authorization concept module provides the necessary support to master these challenges and develop future-proof concepts.
Contact us for more details and individual consulting.