MagMa
Newcomer I

Logging/monitoring requirements from German Banking Supervisory Requirements for IT (BAIT)

Hello all,

Is there anybody here from Germany? I'm looking for some discussion partners. Our team has quite different interpretations of the logging & monitoring requirements from the Banking Supervisory Requirements for IT (BAIT), and I would like to know: what is your interpretation of the particular logging & monitoring requirements?

I would be grateful to all of you in advance for your replies.

Kind regards

Mariia

8 Replies
tmekelburg1
Community Champion

If you can't locate someone from Germany in the Community, feel free to post the logging and monitoring section of BAIT for an outside perspective. Opinions and interpretations are not in short supply around here!  

MagMa
Newcomer I

@tmekelburg1 thank you for your reply. It's a quite specific question regarding some points of administrative instructions in the banking sector in Germany. That's why I'm looking for people who probably already have some experience with BAIT and have probably had some audits regarding logging and monitoring. Because depending on the interpretation of these requirements, the policies for logging and the efforts for logging (how detailed and which details must be logged) and monitoring (the scope of monitoring according to these instructions) could be quite different. The BAIT administrative instructions definitely oblige us to log and monitor users with privileged rights. But regarding the other users there is some doubt in the interpretation of the scope.
tmekelburg1
Community Champion

No worries, I get it. If you change your mind we just need to know what the specific BAIT logging section says.

Based on my experience with auditors, they are looking to see if logging is enabled, has enough detail, and has all of the fields, e.g., timestamps, event type, identity, outcome, etc. listed in your internal logging policy.

MagMa
Newcomer I

Hello tmekelburg1,
thank you for sharing your experience!

OK, it's probably better to cite the requirement about which there are some doubts: "The institution shall set up logging and monitoring processes consistent with the protection requirements and the target requirements that enable checks to be carried out to ensure that access rights are used only in the manner intended."
Our first discussion point is the interpretation of "used only in the manner intended".
1st possible interpretation: there are definitions of the "intended manner" of accesses and actions defined for all rights, and the logging & monitoring allow the comparison against such definitions [e.g. SIEM use cases and identification of threats using these use cases].
2nd possible interpretation: there is a documented state of allowed rights for each user (approved in regular IAM processes). If these rights are used, they are used in the manner intended. If someone uses rights that are not approved, this is not the "intended manner".
3rd possible interpretation: a combination of both of the above-mentioned interpretations.

The 1st & 3rd interpretations can result in very complex/detailed definitions of what is the "intended manner".

Probably there are other ideas and interpretations of this expression...
tmekelburg1
Community Champion

I know this is going to be longer than what you wanted, but bear with me on the process I had to use.

First, I pulled back a bit to look at the Primary Objective of BaFin: it operates in the public interest. Its primary objective is to ensure the proper functioning, stability and integrity of the German financial system. Bank customers, insurance policyholders and investors ought to be able to trust the financial system.

Second, I looked at the BaFin Supervisory Requirements Objective: This Circular provides a flexible and practical framework for institutions' technical and organizational resources on the basis of section 25a (1) of the German Banking Act (Kreditwesengesetz) – in particular for IT resource management and IT risk management.

Third, I looked at the User Access Management Objective: ensures that access rights granted to users are in line with and used as defined in the institution's organizational and operational requirements. User access management shall meet the requirements set out in AT 4.3.1 number 2, AT 7.2 number 2 as well as BTO number 9 of MaRisk.

AT 4.3.1: Segregation of duties and conflicts of interest controls in place

AT 7.2: IT systems and processes ensure CIA of data and the principle of least privilege applies to accounts

BTO #9: Segregation of duties by appropriate procedures and safeguards

Fourth, I looked at User Access Rights: Defines the scope and the conditions of use for access rights to IT systems in a manner that is consistently in line with the determined protection requirements and can be completely and comprehensibly deduced for all access rights for an IT system. User access rights concepts shall ensure that users are assigned access rights according to the need-to-know principle, that the segregation of duties is observed and that staff conflicts of interest are avoided.

Protection Requirements Objective: Identify risk classification categories (low, medium, high, very high) on CIA and Authenticity.

Wrap up: The manner intended for user access rights is correlated with the protection requirements for each information system and is unique. Knowing this, I would say your 3rd interpretation is the closest to what BaFin intended. There should be a documented list of users and the level of access they have for each information system, along with a logging setup to monitor user activity that correlates with the protection level of that system.
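As an added illustration of the wrap-up above (example code written for this thread, not taken from any post in it and not from BaFin or the BAIT text): a small Python check that takes a documented list of approved rights per user and system, a protection level per system, and a JSON-lines audit log. It flags events whose right is not in the approved set (the 2nd interpretation), reviews every event on high and very-high systems but only failed or denied events on low systems so that monitoring depth follows the protection requirement (the 3rd interpretation), and reports events that lack the fields an auditor expects (timestamp, event type, identity, outcome). All systems, users, rights, protection levels and log lines are constructed for the example.

```python
"""Constructed example: review an audit log against approved entitlements.

Checks that access rights are "used only in the manner intended" by
comparing each logged event with a documented entitlement record, with the
review depth scaled to the system's protection requirement.
"""
import json
from dataclasses import dataclass

# Constructed protection requirements per system (BAIT-style categories).
PROTECTION_LEVEL = {
    "core-banking": "very high",
    "hr-portal": "high",
    "wiki": "low",
}

# Constructed approved entitlements: (user, system) -> set of approved rights.
# In practice this comes from the IAM recertification record.
APPROVED_RIGHTS = {
    ("alice", "core-banking"): {"read", "approve_payment"},
    ("bob", "core-banking"): {"read"},
    ("bob", "hr-portal"): {"read", "edit"},
    ("carol", "wiki"): {"read", "edit"},
}

# Fields every event must carry (timestamp, event type, identity, outcome,
# plus the system and right so the event can be matched to an entitlement).
REQUIRED_FIELDS = ("ts", "event", "user", "system", "right", "outcome")


@dataclass
class Finding:
    kind: str      # unparseable | missing_field | no_entitlement | unapproved_right
    line_no: int   # 1-based line in the log
    detail: str


def in_monitoring_scope(level, event):
    """High and very-high systems: review every event.
    Low/medium systems: review only events that did not succeed."""
    if level in ("high", "very high"):
        return True
    return event.get("outcome") != "success"


def check_event(line_no, event):
    """Field completeness first, then entitlement comparison."""
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        return [Finding("missing_field", line_no, ",".join(missing))]
    approved = APPROVED_RIGHTS.get((event["user"], event["system"]))
    if approved is None:
        return [Finding("no_entitlement", line_no,
                        f"{event['user']} has no approved rights on {event['system']}")]
    if event["right"] not in approved:
        return [Finding("unapproved_right", line_no,
                        f"{event['user']} used {event['right']} on {event['system']}, "
                        f"approved: {sorted(approved)}")]
    return []


def review_log(lines):
    """Return findings for a JSON-lines audit log (one event per line)."""
    findings = []
    for n, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            findings.append(Finding("unparseable", n, raw[:40]))
            continue
        # Unknown systems are treated as very high so nothing is silently skipped.
        level = PROTECTION_LEVEL.get(event.get("system"), "very high")
        if in_monitoring_scope(level, event):
            findings.extend(check_event(n, event))
    return findings


# Constructed sample log: one clean event, one unapproved use on a very-high
# system, a routine wiki read (out of scope), a denied wiki delete, a user with
# no entitlement, an event missing its outcome, and a corrupt line.
SAMPLE_LOG = [
    '{"ts":"2021-06-01T08:00:00Z","event":"access","user":"alice","system":"core-banking","right":"approve_payment","outcome":"success"}',
    '{"ts":"2021-06-01T08:05:00Z","event":"access","user":"bob","system":"core-banking","right":"approve_payment","outcome":"success"}',
    '{"ts":"2021-06-01T08:10:00Z","event":"access","user":"carol","system":"wiki","right":"read","outcome":"success"}',
    '{"ts":"2021-06-01T08:11:00Z","event":"access","user":"carol","system":"wiki","right":"delete","outcome":"denied"}',
    '{"ts":"2021-06-01T08:12:00Z","event":"access","user":"dave","system":"hr-portal","right":"read","outcome":"success"}',
    '{"ts":"2021-06-01T08:13:00Z","event":"access","user":"bob","system":"core-banking","right":"read"}',
    'not json at all',
]

if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

The scope rule in `in_monitoring_scope` is the knob that ties monitoring effort to the protection requirement; an institution would set it per classification from its own protection needs analysis rather than the two-way split used here.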

MagMa
Newcomer I

Dear tmekelburg1,
thank you very much for your reply and this detailed analysis!
The topic is not quite easy, so I wasn't expecting a short and quick reply.
Every contribution helps me, because it's good to know what other people (unbiased by the discussion in our team) think about it 🙂
tmekelburg1
Community Champion

BaFin: ...used only in the manner intended.

Actual picture of you at the office:

[image: tmekelburg1_0-1622722259737.png]

LOL, good luck!

AndreaMoore
Community Manager

@MagMa

Have you joined the (ISC)2 Germany Chapter? Since, as you suggested, it's most likely something people in Germany have experience with, I'd suggest joining it and connecting with people there.

During the pandemic, we started Community Chapter Groups here for each (ISC)2 Chapter. You can post discussion topics exactly like this there. You can find Germany's here: https://community.isc2.org/t5/Germany-Chapter/gh-p/Chapter_Germany

In addition, you can search for chapters and join them here: https://www.isc2.org/Chapters/Chapter-Directory

Once we are able to meet in person, you can meet with fellow chapter members there - they may have resources for you.

I hope that helps!

ISC2 Community Manager