Tag Archive for: regulation

IT compliance through the introduction of an ISMS

Increasing compliance requirements

“The dependency of core and value-added processes on the IT infrastructure and the IT systems operated there is constantly increasing at credit institutions. This means that the associated compliance requirements are also increasing almost to the same extent.” In an article just published on the specialist platform “Security Insider”, SRC expert Dagmar Schoppe explains the various regulatory and legal requirements that shape the day-to-day business of credit institutions, and how the introduction of an ISMS improves IT compliance.

Value creation processes are threatened

Protecting these value-added processes by complying with regulatory and legal requirements, e.g. from BAIT, MaRisk or the IT Security Act, is a very topical issue, because the danger of hacker attacks is a real and current threat. This is one of the reasons why IT security is one of BaFin's central audit focuses. The TIBER-EU programme, which is intended to strengthen the resilience of the financial sector against cyber attacks, points in the same direction.

Holistic information security management system creates security

A holistic approach to protecting corporate assets requires the various organisational and technical aspects to be combined into one overall concept. This leads to the introduction of an information security management system, e.g. on the basis of ISO 27001.

The experts of the SRC division Banking Compliance will gladly advise you on regulatory and legal requirements and their implementation, e.g. by introducing an information security management system (ISMS) or by carrying out TIBER tests. SRC is a member of the Cyber-Alliance.

Amendment of BAIT 2021

Amendment of BAIT 2021: the new requirements for financial institutions

The amendment of BAIT for 2021 brings new requirements for credit institutions. The background is that BaFin has to transpose the EBA Guidelines on security measures for operational and security risks under PSD2 and the EBA Guidelines on ICT and security risk management into German supervisory practice. This is to be completed by 31 December 2020 with an amendment to the BAIT (Banking Supervisory Requirements for IT). First drafts have already been discussed and commented on by the institutions and associations.

BAIT 2021 focuses on IT security

With a separate, new chapter, operational IT security moves further into focus. In practice, the requirements formulated there can only be met with a Security Information and Event Management system (SIEM), which in turn implies establishing and operating a Security Operations Centre (SOC). Regular operational checks are required. These include:

  • internal deviation analyses (checking systems against their target configuration)
  • vulnerability scans
  • penetration tests
  • simulated attacks (“red teaming”)

The new requirements of BAIT 2021 lead to the establishment of a professional cyber security infrastructure. This means extensive and independent internal information security structures.

The management assumes overall responsibility

It is noticeable that the draft no longer refers only to the responsibility of management in general terms: management is explicitly required to acknowledge overall responsibility for information security. This includes being regularly informed about information security matters and deciding how security risks are to be dealt with appropriately.

Requirements for IT emergency management are consolidated

We expect further changes in the area of IT emergency management. The requirements from BAIT will be consolidated with those from section AT 7.3 of MaRisk, creating uniform national requirements. In addition, we expect the requirements regarding emergency planning and prevention, BCM, disaster recovery and backup strategies to be tightened and made more specific. In our view, outsourcing to service providers will also be covered by the revised version.

Financial institutions face major challenges

In the assessment of the SRC banking compliance experts, the expected changes will pose major challenges for the affected institutions, especially with regard to the required know-how and the limited resources available on the labour market.