BAIT from BaFin (banking supervisory requirements for IT)

Stefan Effenberger

IT Documentation Expert

Last updated: 12 August 2025

Reading time: 3 minutes

The most important points in brief:

  • Strict IT documentation required: BAIT requires complete documentation of all IT components, networks and business processes to ensure transparency and traceability.
  • Emergency management as a mandatory component: financial institutions must maintain regularly updated emergency plans and define clear responsibilities so that they are prepared for IT failures or cyber attacks.
  • Extension of the MaRisk requirements: BAIT specifies the Minimum Requirements for Risk Management (MaRisk) and increasingly focuses on IT security, governance and clear organizational structures.

BAIT (banking supervisory requirements for IT)

At the end of 2017, BaFin (the Federal Financial Supervisory Authority) published the BAIT (Banking Supervisory Requirements for IT). They are regarded as the central component of IT supervision for all credit and financial services institutions in Germany and are addressed to the management boards of those institutions.

BAIT: Amendment dated 16.8.2021

As part of the amendment of 16.8.2021, two new chapters were added: “Operational Information Security” and “IT Emergency Management”. They contain various requirements that were not explicitly listed in the previous version. In particular, these two chapters bring together requirements for monitoring information security, for monitoring the effectiveness of information security measures, and for specifying AT 7.3 MaRisk (emergency management) with respect to time-critical processes and activities. Responsibilities and controls for information risk management and the requirements for physical information security were also specified in more detail.

Basic purpose of the BaFin BAIT

The idea behind BAIT can be explained by the deficiencies that BaFin found in recent years during audits of the IT of financial services companies. Significant deficiencies were identified in, among other things, IT strategy, IT reporting, IT organization and IT outsourcing, IT emergency management and user authorizations. The requirements derive from Section 25a paragraph 1 sentence 3 numbers 4 and 5 of the Banking Act (KWG) and the reference there to the Minimum Requirements for Risk Management (MaRisk). (Source: Federal Financial Supervisory Authority, https://www.bafin.de)

To be able to address these individual issues, those responsible must be able to obtain a comprehensive and, above all, current overview of all IT structures, their dependencies, software versions, security measures, user authorizations and so on at any time (BAIT 1.1 and BAIT 1.2 a-f). In an emergency, the institution must also have well-maintained and immediately available emergency management in place. This includes a regularly updated IT emergency plan as well as seamlessly linked responsibilities and processes. The outsourcing of activities and processes in accordance with the requirements of Section 25b KWG is also specified.

Raise risk awareness

Global networking through the Internet also creates a constant threat to one's own systems. An IT strategy designed on the hope that nothing will happen, with old systems used until they fail, has always been one of the most dangerous practices, and not just for banks and financial services companies. A successful external attack that results from convenience, ignorance or cost-cutting in IT will have very unpleasant consequences. The probability of having to deal with criminal charges is likely to be particularly high, because as a rule there is always someone who has to answer for it.

These responsible persons are defined in MaRisk AT 3 paragraph 1: all managing directors, regardless of the internal allocation of responsibilities, are responsible for proper business organization and its further development. In addition, each managing director is responsible for setting up appropriate control and monitoring processes in their own area of responsibility (MaRisk AT 3 paragraph 2).

Reading the BAIT, its very first point refers to the requirements of MaRisk AT 4.2, which concern a sustainable business strategy. In particular, MaRisk mandates management to define a sustainable IT strategy that outlines its goals and the measures for achieving them.

However, there is no universal guide on how to address the individual points of BAIT.

Meeting BAIT requirements

In most companies, IT has steadily expanded in all areas. Older systems have been combined with newer ones; new business processes have replaced old ones or run in parallel with existing ones. Structures grow in all directions, and when locations become too small, more are added.

To meet BAIT requirements, an up-to-date overview of all systems, networks, devices and business processes must be available at all times. Achieving this is a mammoth task for everyone involved and usually ties up a large and continuous amount of staff. This is probably also one of the main reasons why internal IT structures and business processes have, at best, outdated documentation or an incomplete inventory. When needed, everything must first be laboriously compiled by hand.

The IT strategy according to BAIT

(BAIT 1.1, MaRisk AT 4.2)

Under these conditions it will also be difficult to guarantee the minimum content required by BAIT 1.2 a-f, because in order to define a strategy, basic information about the current status and inventory is needed.

To comply, it is necessary to start with a basic inventory of all IT structures. A basic inventory can realistically only be carried out manually for a completely new installation. With established IT structures, the enormous effort should be met with the highest possible degree of automation through specialized software. There are dedicated inventory and documentation software solutions for this purpose, which do a considerable part of the work for you without much effort.

Such tools not only relieve the burden on IT staff; with their various scanning options they also do not miss “forgotten” systems on the network. This alone significantly reduces security gaps caused by outdated and little-noticed systems on your own network. The data gathered by the automatic scans is stored centrally in a database. With automatic updates, this basic data is not only quickly retrievable but also continuously up to date.

This database lays the foundation for the IT strategy requirements of BAIT 1.1 and BAIT 1.2 a-f. It also makes it easy to subdivide subject areas and to present them graphically. In this way, information can be displayed at the appropriate level of detail both for IT professionals and for those who only need the essential information.

This data also serves as the basis for the IT emergency handbook, which is thus always supplied with the latest information and is an integral part of overall emergency management (BAIT 1.2 e).

IT governance

(BAIT 2.3, MaRisk AT 4.3.1, AT 4.3.2, AT 7.1, AT 7.2/2+4, AT 5/1+2)

From the minimum requirements (MA) of BAIT and MaRisk cited here it follows that management is responsible for ensuring that the relevant IT governance regulations are effectively implemented within the institution and vis-à-vis third parties. It must also ensure that information risk management and information security management, IT operations and application development in particular are adequately staffed.

Be aware that the word “appropriate” does not refer only to the number of employees in IT departments. Even where there are enough employees on paper, they are often buried deep in day-to-day business. Organizational tasks such as planning, inventory and documentation are then usually postponed. At best, such tasks are merely delayed for a while; at worst, they fall off the table entirely or are forgotten.

To meet the requirements of BAIT and MaRisk on this point alone, it is important to relieve the IT team as much as possible and to achieve the highest possible degree of professional automation for organizational tasks. And as already seen with the IT strategy, the basis for functioning IT governance is a solid database of inventory, network and device information and of the current versions of the software in use.

Information risk management

(MaRisk AT 4.3.1/2, AT 7.2/1, AT 7.2/2, AT 7.2/4, BT 3.2/1)

Here too, management is responsible for ensuring that IT systems, the associated IT processes and other components of the information network ensure the integrity, availability, authenticity and confidentiality of the data (MaRisk AT 7.2/2).

The institution must define and coordinate the tasks, competencies, responsibilities, controls and communication channels associated with managing information risks. For this purpose, it is helpful if complete business processes can be documented together with the IT documentation in a suitably adapted form. This makes it possible to manage responsibilities, competencies and tasks and to fulfill the reporting obligations arising from MaRisk BT 3.2/1.

Information security management

(BAIT, MaRisk BT 3.2/1)

Management (BAIT, MaRisk) is responsible for adopting an information security policy and publishing it internally, and for ensuring compliance with it. Management may, however, appoint an information security officer for the reporting task; in accordance with MaRisk BT 3.2/1, the latter must submit a regular report with the necessary data to management.

The effort required here, primarily due to regular reporting, can in turn be reduced with a professional inventory and documentation software solution. Because the required reports must contain the latest data and information, the underlying database must also be up to date at the time the report is created. Here too, the effort is reduced to a minimum if cleanly configured, automatically running documentation software is working in the background.

Points 3.8 to 3.10 were added to the BAIT in the amended version. Here too, express reference is made to the fact that risk-reducing measures, risk analysis and ongoing information about threats to and weaknesses of the information network must be effectively coordinated, documented, monitored and managed.

In addition, with immediate effect, the institution is required to introduce a policy on the testing and review of information security measures, and this policy must be reviewed regularly and as required and amended as necessary. This undoubtedly requires one or more emergency plans, which cover, among other things, all IT systems and must be brought up to date at regular intervals.

It is also necessary not only to establish generally applicable security measures and procedures for information security, but also to document and control them. Software and patch versions of the installed operating systems and programs are a frequent source of audit findings and should therefore also be precisely documented and promptly patched.

Operational information security

It is primarily required that current standards be used when planning IT systems and the associated IT processes. Since current standards are continuously extended and adapted to legal and security-related requirements, this avoids the use of alternative and possibly poorly maintained, non-standards-compliant solutions, which could become an ever greater security risk over time.

Appropriate monitoring and control processes must also be set up for IT risks, which include in particular the definition of IT risk criteria, the identification of IT risks, the definition of protection requirements, protective measures derived for IT operations, and the definition of appropriate measures to treat and mitigate risks (see AT 7.2 Tz. 4 MaRisk).

The other sub-items of the BAIT (5.3 to 5.6) also point out in detail that security-relevant events must be documented in detail and responded to as quickly as possible.

The new paragraphs of the latest BAIT amendment repeatedly emphasize that all monitoring, control, analysis and review activities must themselves be reviewed for effectiveness and further developed at regular intervals. Here too, professional inventory and documentation software is needed as support; without it, a regular review cannot be carried out, or at least not with reasonable effort. Bear in mind that although the hardware in use does not change overnight, serious gaps in software products can require security measures within hours. Without an accurate, up-to-date and always available inventory, there is no chance of reliably avoiding security-related damage.

User permission management

(MaRisk AT 4.3.1 Tz. 2, AT 7.2 Tz. 2, BTO Tz. 9)

In the past, user rights were often assigned individually on the basis of internal decisions and approvals. Over time, however, this builds up a very large and usually confusing authorization structure that can hardly be controlled any more after a few years. As a result, the rights of employees who have changed departments or are no longer authorized to access certain areas are simply overlooked.

BAIT (5.26) requires a procedure for setting up, changing, deactivating and deleting authorizations. In addition, control processes are required to ensure that the requirements of the authorization process are met. Authorizations must also be assignable at any time (preferably automatically, BAIT 5.25) and must be checked and recertified regularly (BAIT 5.27).

With normal on-board tools, authorization structures are sometimes presented in a very confusing way. At the latest when it comes to inherited rights, many IT departments reach their (time) limits, and the risk that user rights are not assigned and controlled accurately grows with every change.

Even if a complete approval process is introduced in the company, those responsible must still carry out regular checks or, where necessary, a complete review of the rights of groups or individual users. Because this always requires up-to-date data, continuous manual data collection is not effective. Without a suitable software solution that not only breaks down complete authorization structures but also presents them clearly and in report form, this would be a very error-prone and time-consuming task.
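The recertification check described above, written out as an added example (this is not Docusnap code and not part of the original article; all group names, users, rights and the role baseline are constructed for illustration). It flattens nested group membership into effective rights per user, which is exactly the inherited-rights case that overwhelms manual review, and reports every right that the user's current role does not permit, including rights still held by someone with no current role at all:

```python
"""Access recertification check over a constructed authorization snapshot.

Added example, not Docusnap code. Group names, users and rights below are
constructed for illustration. The check flattens nested (inherited) group
membership into effective rights per user and compares them with the rights
the user's current role may hold, so that stale rights of people who changed
department or left surface in a reviewable list.
"""
from __future__ import annotations

# Constructed directory export: group -> direct members (users or other groups).
GROUP_MEMBERS: dict[str, list[str]] = {
    "G-Finance-All": ["alice", "bob", "G-Finance-Controlling"],
    "G-Finance-Controlling": ["carol"],
    "G-Trading-Desk": ["bob", "dave", "gina"],      # gina has no current role
    "G-IT-Admins": ["erin", "G-IT-Helpdesk"],       # helpdesk inherits admin rights
    "G-IT-Helpdesk": ["frank", "G-IT-Admins"],      # cyclic nesting, on purpose
}

# Constructed rights granted by each group, as (resource, permission).
GROUP_RIGHTS: dict[str, set[tuple[str, str]]] = {
    "G-Finance-All": {("finance-share", "read")},
    "G-Finance-Controlling": {("finance-share", "write"), ("gl-app", "post")},
    "G-Trading-Desk": {("trading-app", "trade")},
    "G-IT-Admins": {("domain", "admin")},
    "G-IT-Helpdesk": {("helpdesk-tool", "use")},
}

# Constructed baseline from the authorization process: current role per user
# and the rights each role may hold. bob moved from finance to trading but
# was never removed from G-Finance-All.
USER_ROLE = {"alice": "finance", "bob": "trading", "carol": "controlling",
             "dave": "trading", "erin": "it-admin", "frank": "helpdesk"}
ROLE_ALLOWED = {
    "finance": {("finance-share", "read")},
    "controlling": {("finance-share", "read"), ("finance-share", "write"), ("gl-app", "post")},
    "trading": {("trading-app", "trade")},
    "it-admin": {("domain", "admin"), ("helpdesk-tool", "use")},
    "helpdesk": {("helpdesk-tool", "use")},
}


def expand_group(group: str, members: dict[str, list[str]]) -> set[str]:
    """Users transitively contained in `group`; nested groups are followed, cycles tolerated."""
    users: set[str] = set()
    visited: set[str] = set()
    stack = [group]
    while stack:
        g = stack.pop()
        if g in visited:
            continue
        visited.add(g)
        for member in members.get(g, []):
            if member in members:       # a nested group: descend into it
                stack.append(member)
            else:
                users.add(member)
    return users


def effective_rights(members, rights):
    """Map user -> {(resource, permission): set of groups that grant it}."""
    eff: dict[str, dict[tuple[str, str], set[str]]] = {}
    for group, granted in rights.items():
        for user in expand_group(group, members):
            for right in granted:
                eff.setdefault(user, {}).setdefault(right, set()).add(group)
    return eff


def recertification_findings(members, rights, user_role, role_allowed):
    """Rights held but not permitted by the user's current role, as
    (user, resource, permission, granting groups), sorted by user.

    A user without a current role (left the company, role not recorded) has
    no permitted rights, so every right they still hold is reported.
    """
    findings = []
    for user, held in sorted(effective_rights(members, rights).items()):
        allowed = role_allowed.get(user_role.get(user, ""), set())
        for right, via in sorted(held.items()):
            if right not in allowed:
                findings.append((user, right[0], right[1], ",".join(sorted(via))))
    return findings


if __name__ == "__main__":
    for user, resource, perm, via in recertification_findings(
            GROUP_MEMBERS, GROUP_RIGHTS, USER_ROLE, ROLE_ALLOWED):
        print(f"REVIEW  {user:<6} {resource}:{perm}  granted via {via}")
```

On the constructed data the report lists bob's leftover finance read right, frank's domain admin right inherited through the group nesting, and gina's trading right with no role behind it. The granting-group column is what makes the finding actionable for the reviewer: the fix is a membership change in that group, not a guess.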

IT projects

(MaRisk AT 8.2 Section 1, AT 7.2 (Section 3 and Item 5), AT 8.2 Section 1, AT 8.3 Section 1)

The entire section 6 of the BAIT (points 31 to 44) is about making it possible to document and monitor processes and procedures both for internal IT projects and when contracting external IT service providers.

In particular, the dependencies between individual projects and the departments involved must be kept constantly in view. Management (BAIT, MaRisk) is in turn responsible for enabling and ensuring compliance with this, and must report regularly and on a case-by-case basis.

It is absolutely essential that data on internal IT, software and documentation is collected centrally. This is the only way to ensure that a complete report can be prepared across all departments, locations and sub-areas. It is also essential for the recipients of the reports (management) that the data is prepared in a readable and evaluable form. It must be ensured that this data comes from an up-to-date and reliable data source and not from the last manual entry made a year ago.

The precautions required in MaRisk and BAIT can be implemented with inventory and documentation. To ensure timeliness, seamless content and reasonable personnel costs, a professional software solution developed specifically for such tasks is recommended. This allows individualized reports, lists and graphical overviews that meet the requirements of BAIT and MaRisk to be created from all basic data.

IT operations

(MaRisk AT 7.2 Tz. 1 and Tz. 2)

IT departments in particular have a great deal to do. Given the necessary and demanding security measures from MaRisk and BAIT, it is essential to properly document all actions within the IT department. But it is not only the recording that matters: the ability to provide information about your own IT regularly and on a case-by-case basis is just as important.

Section 8 of the BAIT is primarily concerned with ensuring both complete documentation and regular inventory updates of IT systems. Changes and their implementation must also be assessed for risk, which is hardly possible without an up-to-date database of existing systems and business processes.

In general, everything that concerns IT must be recorded and documented. Here too, great attention should be paid to ensuring that all information can be combined in a central data collection point wherever possible. The risk of incomplete recording or an incorrect inventory caused by disparate or poorly maintained management tools must be ruled out. Using different software products that solve individual tasks well but offer no connectivity to the other solutions in use also makes these tasks unnecessarily difficult or impossible.

Outsourcing and other external sourcing of IT services

It does not always make sense to employ your own IT specialists for every area of IT. Whether this fails because of the required specialization or simply because of the number of employees the IT department would need, outsourcing to an external IT service provider is unavoidable in many cases. In addition, the topic of cloud, and the transfer of data and systems to the cloud, is growing ever larger and is already part of everyday IT life today.

In any case, the MaRisk AT 9 requirements must be observed, which not only describe how to handle critical infrastructures, but also the adoption and regular testing of appropriate emergency preparedness measures (MaRisk 9.60, KRITIS protection goal).

Here too, a basic inventory, extensive documentation and automatically updated emergency manuals are required first, in which any changes to the IT systems are immediately recorded and documented.

The provision of evidence in accordance with Section 8a paragraph 3 BSIG (Act on the Federal Office for Information Security, BSI Act) is also supported by good documentation software, which generates the necessary reports from the latest inventory data. These can be easily adapted and extended to meet the respective requirements.

IT emergency management

With the amendment to the BAIT, point 10, IT emergency management, was added.

Here too, a comprehensive inventory of all IT processes and systems serves as the basis for implementing the emergency concepts, emergency manuals and recovery plans required here (BAIT 10.1 to 10.5). As with all the previous points, a regular review is also required. For time-critical activities and processes, this review must be demonstrated at least once a year, and as required, for all relevant systems and their dependencies (see AT 7.3 Tz. 3 MaRisk).

IT contingency plans comprise restart, emergency operation and recovery plans as well as the parameters defined for them, such as the recovery time objective (RTO) and the maximum tolerable period of data loss (recovery point objective, RPO).

The IT test concept covers tests of individual IT systems (e.g. components, individual applications) as well as their combination into system networks (e.g. high-availability clusters) and processes (e.g. physical and logical access management).

Documentation and inventory as the basis for BAIT, MaRisk/KRITIS

Before data can be evaluated and reports prepared, it must first be collected. Since an IT network does not only contain computers and servers but usually also a large number of additional devices such as printers, routers, switches and WLAN access points, you quickly run the risk of overlooking rarely used or well-hidden devices during a manual inventory.

If you use professional inventory and documentation software such as Docusnap, not only is the time required significantly lower; thanks to its various scan modes, the software automatically searches for all devices on the network. Good software is not limited to the IP protocol but also uses different scanning techniques to detect and inventory every device.

Docusnap does this without agents, which means that no additional software needs to be installed on any device on the network. This has the major advantage that no security gaps arise from additional software, and no individual systems are forgotten or overlooked as described above.

Docusnap collects data centrally in an SQL database on your own network. Other locations or branches connected to your network are also inventoried automatically. This is a major advantage, especially for geographically separate sites, since trained IT personnel are not always on site at every branch office.

Apart from the initial setup, the basic inventory runs largely automatically and requires very little additional work.

Linking business processes with the data in Docusnap is somewhat more involved. This can only be achieved with manual effort and, above all, know-how from the respective department. However, it creates a unique opportunity to build a comprehensive database with powerful capabilities within a single system with continuously updated data.

You can then create emergency plans and emergency manuals that are automatically updated with every change in the network and are always up to date. You can also represent network plans and topology plans graphically.

Since Docusnap provides a variety of reports out of the box, monitoring the status of the entire IT landscape requires little effort. Not only can outdated operating systems be easily identified in this way; the information goes so far that software versions and installed patch levels can also be evaluated. These reports can be generated fully automatically without further action.
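The two checks this section relies on, finding devices that the manual inventory overlooked and spotting outdated operating systems or patch levels, as an added example (this is not Docusnap code and not part of the original article; the discovery records, the documentation database, the support-end table and the review date are all constructed for illustration, and no real scan is performed). It reconciles a discovery result with the documented inventory and then reviews each discovered system against a support-end table and a required patch level:

```python
"""Inventory reconciliation over constructed discovery and documentation data.

Added example, not Docusnap code; host names, fields, the support-end table
and the review date are constructed for illustration. It compares what
automatic discovery found with what the documentation database lists and
reports the gaps a BAIT review looks for: undocumented devices, documented
devices that were not found, address drift, and systems whose OS is out of
support, whose patch level lags the required one, or for which no support
data exists at all.
"""
from datetime import date

# Constructed discovery results, one record per device found on the network.
DISCOVERED = [
    {"host": "srv-gl-01", "ip": "10.1.0.11", "os": "Windows Server 2019", "patch": "2025-07"},
    {"host": "srv-file-02", "ip": "10.1.0.12", "os": "Windows Server 2012 R2", "patch": "2023-10"},
    {"host": "sw-core-01", "ip": "10.1.0.2", "os": "IOS 15.2", "patch": ""},
    {"host": "prn-3rdfloor", "ip": "10.1.5.40", "os": "Printer firmware 4.1", "patch": ""},
    {"host": "srv-app-04", "ip": "10.1.0.14", "os": "Windows Server 2019", "patch": "2025-03"},
]

# Constructed documentation database: what the institution believes it runs.
DOCUMENTED = {
    "srv-gl-01": {"ip": "10.1.0.11", "owner": "finance"},
    "srv-file-02": {"ip": "10.1.0.12", "owner": "it"},
    "sw-core-01": {"ip": "10.1.0.3", "owner": "it"},      # IP changed, never documented
    "srv-old-03": {"ip": "10.1.0.13", "owner": "it"},     # documented but not found
    "srv-app-04": {"ip": "10.1.0.14", "owner": "apps"},
}

# Constructed support-end dates per OS and the required minimum patch level
# (YYYY-MM, so plain string comparison is chronological).
SUPPORT_END = {
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows Server 2019": date(2029, 1, 9),
}
MIN_PATCH = "2025-06"
REVIEW_DATE = date(2025, 8, 12)   # constructed date of this review run


def reconcile(discovered, documented):
    """Return (undocumented, not_found, ip_drift) host lists, each sorted."""
    seen = {d["host"]: d for d in discovered}
    undocumented = sorted(h for h in seen if h not in documented)
    not_found = sorted(h for h in documented if h not in seen)
    ip_drift = sorted(h for h in seen
                      if h in documented and documented[h]["ip"] != seen[h]["ip"])
    return undocumented, not_found, ip_drift


def outdated_systems(discovered, support_end, min_patch, today):
    """Return (host, reason) for every discovered system that needs attention
    in the patch and lifecycle review, in discovery order."""
    findings = []
    for d in discovered:
        end = support_end.get(d["os"])
        if end is None:
            findings.append((d["host"], f"no support-end data for OS '{d['os']}'"))
        elif end <= today:
            findings.append((d["host"], f"OS out of support since {end.isoformat()}"))
        elif not d["patch"]:
            findings.append((d["host"], "patch level not recorded"))
        elif d["patch"] < min_patch:
            findings.append((d["host"], f"patch level {d['patch']} below required {min_patch}"))
    return findings


if __name__ == "__main__":
    undocumented, not_found, drift = reconcile(DISCOVERED, DOCUMENTED)
    print("Undocumented devices:", undocumented)
    print("Documented but not found:", not_found)
    print("IP differs from documentation:", drift)
    for host, reason in outdated_systems(DISCOVERED, SUPPORT_END, MIN_PATCH, REVIEW_DATE):
        print(f"ATTENTION {host}: {reason}")
```

Devices with no support-end data are reported rather than silently skipped: a network switch or printer whose lifecycle nobody tracks is precisely the "little-noticed system" the article warns about, and the review should close that data gap rather than treat it as compliant.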

Of course, Docusnap also has its own authorization hierarchy, because in principle you do not need highly specialized professionals to use Docusnap. Quite the opposite: Docusnap is structured so that even users with little experience of IT technology have no problem using the software. This makes it easy to assign people to different areas of responsibility and to provide them with the necessary information. They can then independently create all necessary reports without involving the IT department and submit them to their supervisors or management.

Docusnap: The starting point for BAIT (banking supervisory requirements for IT)

Software often comes from other countries, frequently even from outside the EU, and the rules there cannot always be mapped one-to-one onto our laws and regulations. Docusnap is developed in Germany (Bavaria), and all support is provided by the manufacturer itself. Instead of a call center with nerve-wracking phone calls, the software manufacturer's specialists answer your questions themselves and assist you with your concerns.

If your IT is managed by an external service provider, Docusnap also offers a brilliant feature for this case: because Docusnap is multi-tenant capable, external IT service providers can use it to obtain all the benefits that an internal IT department would enjoy. And Docusnap is a brilliant starting point not only for the requirements of BAIT and MaRisk, but also for all other IT activities, because the database includes not only systems but also maintenance contracts (subscriptions) with their terms, license agreements with expiration dates, and documentation of work carried out on the systems (both internal work and work by external service providers).

If you want to take some of the fright out of the BAIT, MaRisk, KRITIS and KWG requirements, it makes sense to use the sophisticated and established documentation software of the German market leader Docusnap.

Do you have questions or need help? Take the opportunity to try Docusnap free for 30 days. During those 30 days we will also provide professional support from our team, likewise at no cost.

The next steps:

To implement BAIT requirements efficiently, financial institutions should set up structured IT documentation, update it regularly and establish robust emergency management. With Docusnap, IT infrastructures can be recorded automatically, dependencies visualized and reports created, an ideal basis for compliant documentation and risk management.
