Recertification solution to meet governance and MaRisk requirements

With the support of TIMETOACT GROUP, the IT service provider FI-TS succeeded in raising the quality of authorization recertification to a new level.

As the central IT service provider of the Sparkassen-Finanzgruppe, Finanz Informatik offers the complete IT service - from application development to infrastructure and data center operation to consulting, training and support. It is supported by its subsidiary Finanz Informatik Technologie Service (FI-TS), the largest IT service provider for Landesbanken. Its 1,000 employees work daily in the IT systems of the financial institutions, Finanz Informatik and its own systems - a highly sensitive area in which it must be clearly regulated who has what rights to administer the software in question. The financial institutions serviced by FI-TS are subject to the relevant regulatory requirements, in particular the Minimum Requirements for Risk Management, abbreviated MaRisk, of the German Federal Financial Supervisory Authority (BaFin), compliance with which is also regularly monitored by the authorities. The financial institutions are obliged to pass on these regulations to their subcontractors, so FI-TS must provide all services, including access to software, in compliance with supervisory law.

Access permissions are not cut in stone. In fact, they need to be reviewed regularly as governance requirements become more stringent.

Christian RothlaufBRM Planung & BeratungFinanz Informatik Technologie Service

For several years, a special Identity Access Governance (IAG) software has been used for internal authorization management. "However, access authorizations are not set in stone", knows Christian Rothlauf: "Rather, they have to be checked regularly in the course of increasingly strict governance requirements". For this reason, a so-called recertification is taking place. It ensures that every user of the IT systems has only those authorizations in these systems at any given time that are necessary for the performance of his or her tasks, whereby the principle of economy (need-to-know) is applied. The managers check for each of the employees assigned to them which authorizations they can retain and which are to be withdrawn. Roles in which several rights are bundled are also recertified. It must therefore be checked whether each role also contains the correct rights at all times.  

Recertification via Excel unclear and error-prone

Site Haar near Munich ©FI-TS

FI-TS carries out such recertifications every six months. To do this, it uses the Nexis Controle software, implemented by its project partner, the IAG (Identity & Access Governance) business unit of TIMETOACT Software & Consulting GmbH. This software replaced the previous Excel-based approach and was tailored to today's business requirements. Previously, it was not necessarily ensured that the managers or those responsible for rights actually saw all rights in the course of their confirmation. However, governance guidelines require technical proof that the manager has also viewed the last Excel spreadsheet and scrolled down the table to the bottom. Another disadvantage of Excel-based work: Not all user types are fully recertified. A distinction is made between personal and technical users and different classes. MaRisk demands completeness here: all authorizations must be checked.

Comprehensive recertification: Exclusive and twin roles and users without an account

With its new recertification software, FI-TS can meet the requirements described above. Among other things, it also enables recertification of exclusive roles, as the IAG system from FI-TS does. Such roles are used to control attributes of employees. Users who have no accounts can also be recertified.

For temporary activation of rights, FI-TS uses the HPU (highly privileged user) procedure. This involves applying for a specific authorization role as normal, but initially no rights are associated with it. These rights can then be activated via a separate workflow and the user is assigned a so-called twin role. The new recertification solution is also able to map this special rights constellation. Architecturally designed as a web application, it works with a universally applicable data model. This model maps the entities of a normal IAG system.

Nexis Controle links third-party systems with IAG software

The data from the IAG solution (Garancy IAM from Beta Systems Software AG), which contains all roles and users, responsible persons and organizational structures, can thus be easily transferred to the recertification solution. They are exported at night and can be adapted, aggregated or filtered again at the interface. In this way, the construct with twin roles and HPU rights is elegantly mapped. FI-TS systems that do not communicate with the IAG software also deliver data from all accounts and authorizations to the certification solution. The latter links it to the IAG solution and thus finds the responsible manager. TIMETOACT created the integrative connection between the individual systems for FI-TS.

The software requires almost no programming, but gets by with pure configuration in the interface and the "clicking together" of settings. This allows granular control of what is to be recertified and displayed.

Christian HöfsProject LeadFI-TS

Even during the first recertification, it became clear how the MaRisk requirement of completeness is being met by FI-TS: In the new system, the manager only ever sees a certain section of the screen, can make a decision for the objects displayed there and then has to click on. This ensures that a decision is actively made for each employee and his or her rights and roles. Thanks to the flexibility of the manufacturer Nexis Controle, the TIMETOACT team was able to implement the customer's current requirements very quickly and make new features ready for standard use within a few weeks. Project manager Christian Höfs: "The software requires virtually no programming, but gets by with pure configuration in the user interface and clicking together settings. This allows granular control of what is to be recertified and displayed".

Another step by FI-TS towards meeting BaFin requirements in authorization management

  • With the implementation of Nexis Controle for recertification by TIMETOACT GROUP's IAG team, FI-TS is compliant with industry regulations when it comes to authorization management.

  • Completeness thanks to a two-tier role model with specialist and component roles. 

  • Continuous updates of recertification through permanent comparison with the IAG software instead of working on a key date basis 

  • Better overview when checking user rights and roles increases overall recertification quality. 

  • Potential for further use of recertification software for role modeling. 

Used technologies:


FI-TS is an innovative IT partner for companies in the finance and insurance sectors.