Is anybody here from Germany? I'm looking for some discussion partners. Our team has quite different interpretations of the logging & monitoring requirements from the Banking Supervisory Requirements for IT (BAIT), and I would like to know what your interpretation of the particular logging & monitoring requirements is.
I'd very much appreciate your replies in advance.
If you can't locate someone from Germany in the Community, feel free to post the logging and monitoring section of BAIT for an outside perspective. Opinions and interpretations are not in short supply around here!
No worries, I get it. If you change your mind we just need to know what the specific BAIT logging section says.
Based on my experience with auditors, they are looking to see if logging is enabled, has enough detail, and has all of the fields (e.g., timestamps, event type, identity, outcome, etc.) listed in your internal logging policy.
I know this is going to be longer than what you wanted but bear with me on the process I had to use.
First, I pulled back a bit to look at the primary objective of BaFin: it operates in the public interest. Its primary objective is to ensure the proper functioning, stability and integrity of the German financial system. Bank customers, insurance policyholders and investors ought to be able to trust the financial system.
Second, I looked at BaFin Supervisory Requirements Objective: This Circular provides a flexible and practical framework for institutions’ technical and organizational resources on the basis of section 25a (1) of the German Banking Act (Kreditwesengesetz) – in particular for IT resource management and IT risk management.
Third, I looked at the User Access Management objective: it ensures that access rights granted to users are in line with and used as defined in the institution's organizational and operational requirements. User access management shall meet the requirements set out in AT 4.3.1 number 2, AT 7.2 number 2 as well as BTO number 9 of MaRisk.
AT 4.3.1: Segregation of duties and conflicts of interest controls in place
AT 7.2: IT systems and processes ensure CIA of data and principle of least privilege applies to accounts
BTO #9: Segregation of duties by appropriate procedures and safeguards
Fourth, I looked at User Access Rights: this defines the scope and the conditions of use for access rights to IT systems in a manner that is consistently in line with the determined protection requirements and can be completely and comprehensibly deduced for all access rights for an IT system. User access rights concepts shall ensure that users are assigned access rights according to the need-to-know principle, that the segregation of duties is observed and that staff conflicts of interest are avoided.
Protection Requirements objective: identify risk classification categories (low, medium, high, very high) for CIA and authenticity.
Wrap up: The manner intended for user access rights is correlated with the protection requirements for each information system, and these are unique. Knowing this, I would say your 3rd interpretation is the closest to what BaFin intended. There should be a documented list of users and the level of access they have for each information system, along with a logging setup to monitor user activity that correlates with the protection level of that system.
BaFin: "...used only in the manner intended."
Actual picture of you at the office:
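Two points from this thread can be turned into a concrete pre-audit check: the reply above noting that auditors look for the fields named in the internal logging policy (timestamps, event type, identity, outcome), and the wrap-up's point that the logging setup should correlate with the protection level of each system. The script below is an added example, not from any poster in this thread and not from BAIT or BaFin; the policy table (which extra fields a "medium", "high" or "very high" system must log), the JSON-lines log format, and the sample log lines are all assumptions constructed for illustration. It parses log records, reports any required field that is missing or empty for the system's protection level, and flags timestamps that are not ISO 8601 with a timezone offset, since records without a comparable timestamp are hard to correlate across systems.

```python
import json
from datetime import datetime

# Assumed internal logging policy: baseline fields every audit record must carry
# (the ones the reply above says auditors look for), plus extra fields required
# as the system's protection requirement category rises. The category names
# follow the low/medium/high/very high scheme; the field mapping is invented.
BASELINE_FIELDS = {"timestamp", "event_type", "identity", "outcome"}
EXTRA_FIELDS_BY_LEVEL = {
    "low": set(),
    "medium": {"source_ip"},
    "high": {"source_ip", "target_resource"},
    "very high": {"source_ip", "target_resource", "session_id", "privileges_used"},
}


def required_fields(level):
    """Fields an audit record must contain for a system of the given protection level."""
    if level not in EXTRA_FIELDS_BY_LEVEL:
        raise ValueError(f"unknown protection level: {level!r}")
    return BASELINE_FIELDS | EXTRA_FIELDS_BY_LEVEL[level]


def timestamp_problem(value):
    """Return a description if the timestamp is not ISO 8601 with a UTC offset, else None."""
    try:
        ts = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return "timestamp not ISO 8601"
    if ts.tzinfo is None:
        return "timestamp lacks timezone offset"
    return None


def check_record(record, level):
    """Return a list of problems for one parsed record (empty list means it passes)."""
    problems = []
    missing = sorted(
        f for f in required_fields(level)
        if record.get(f) is None or record.get(f) == ""
    )
    if missing:
        problems.append("missing: " + ", ".join(missing))
    if "timestamp" not in missing:
        ts_problem = timestamp_problem(record["timestamp"])
        if ts_problem:
            problems.append(ts_problem)
    return problems


def audit_log(lines, level):
    """Run the policy over JSON-lines log input.

    Returns a list of (line_number, problem) tuples; an empty list means every
    record satisfies the policy for the given protection level.
    """
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            findings.append((line_no, "unparseable"))
            continue
        for problem in check_record(record, level):
            findings.append((line_no, problem))
    return findings


# Constructed sample log lines (not real data): one clean record, one with the
# outcome missing, one with a naive local timestamp, and one syslog-style line
# that is not in the expected JSON format at all.
SAMPLE_LOG = [
    '{"timestamp": "2024-03-01T08:15:02+00:00", "event_type": "login", "identity": "u.mueller", '
    '"outcome": "success", "source_ip": "10.0.0.5", "target_resource": "core-banking"}',
    '{"timestamp": "2024-03-01T08:15:09+00:00", "event_type": "privilege_change", "identity": "admin01", '
    '"source_ip": "10.0.0.9", "target_resource": "core-banking"}',
    '{"timestamp": "2024-03-01 08:16:00", "event_type": "logout", "identity": "u.mueller", '
    '"outcome": "success", "source_ip": "10.0.0.5", "target_resource": "core-banking"}',
    'Mar  1 08:17:00 host sshd[123]: Accepted password for root from 10.0.0.7',
]

if __name__ == "__main__":
    for line_no, problem in audit_log(SAMPLE_LOG, "high"):
        print(f"line {line_no}: {problem}")
```

Run against the constructed sample at the "high" level, the script reports the missing outcome on line 2, the timezone-less timestamp on line 3, and the unparseable syslog line on line 4; the same first record checked at "very high" fails only because the assumed session_id and privileges_used fields are absent, which is the kind of per-system gap the wrap-up above says should be visible from the documented protection level.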
LOL, good luck!
Have you joined the (ISC)2 Germany Chapter? Since, as you suggested, it's most likely something people in Germany have experience with, I'd suggest joining it and connecting with people there.
During the pandemic, we started Community Chapter Groups here for each (ISC)2 Chapter. You can post discussion topics exactly like this there. You can find Germany's here: https://community.isc2.org/t5/Germany-Chapter/gh-p/Chapter_Germany
In addition, you can search for chapters and join them here: https://www.isc2.org/Chapters/Chapter-Directory
Once we are able to meet in-person, you can meet with fellow chapter members there - they may have resources for you.
I hope that helps!