At the start of November 2017, BaFin published the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT, see BaFinJournal November 2017).

The BAIT have now become the cornerstone of IT supervision for all credit and financial services institutions in Germany. The requirements are directed at the management boards of such companies. They specify what BaFin considers to be adequate technical and organisational resources for IT systems, particularly in relation to the requirements for information security and suitable contingency management.

The BaFin requirements stipulate how financial institutions’ management boards must regularly address the various aspects of IT for the business, including end-user computing (EUC) in their organisational units.

The extract below from BaFin’s article “IT Security: BaFin specifies requirements for the banking industry” details expectations for how financial institutions should approach the management of their IT applications, including end-user computing applications. This is covered specifically in Section 11. 6. of the BAIT - IT Projects and application development.

In BaFin’s view, EUC applications developed or operated by an institution's organisational units should be divided into risk classes. This achieves transparency within the institution in relation to the risks arising from the use of such applications. Furthermore, banking supervisors expect the institution to maintain a central register of all EUC applications, especially those that are important for banking business processes, for risk management and monitoring or for accounting purposes.

How CIMCON supports BaFin requirements

CIMCON’s EUC Insight solution will help you satisfy your requirements regarding the BaFin regulations with its following capabilities:

Automated or Manual Risk Analysis – EUC Insight will allow you to perform either automated or manual risk analyses on your end-user computing files to help classify them into risk classes. Most financial institutions use three or four risk classes, consisting of High, Medium, Low and Out of Scope (for EUC files that cannot be considered as holding any risk). With EUC Insight, any number of risk classes can be supported, and you can configure both automated and manual risk analysis methods.

Central Register – EUC Insight Inventory Management Solution is a fully featured inventory system that allows you to store details about your EUC files in a central database. This will not only maintain full details about each EUC file, but will also allow you to institute a configurable, automated recertification process to ensure the Inventory is kept current, accurate and complete, as well as providing full lifecycle management.

EUC Application monitoring – the integrated Change Management module will monitor both the application development process and the use of the EUC in everyday operations, enforcing a robust but efficient automated change management process for your high-risk EUCs.

Detection of possible EUC Applications – In addition, we provide a comprehensive scanning solution to detect possible EUC Applications (not just MS Office files) for security and audit issues. This will ensure you have details about all the critical EUCs in your inventory, without having to rely on the business to volunteer them.

Note – All EUC Insight processes take place in accordance with the General Data Protection Regulation.