Recertification solution to meet governance and MaRisk requirements

With the support of TIMETOACT GROUP, the IT service provider FI-TS succeeded in raising the quality of authorization recertification to a new level.

As the central IT service provider of the Sparkassen-Finanzgruppe, Finanz Informatik offers the complete IT service - from application development to infrastructure and data center operation to consulting, training and support. It is supported by its subsidiary Finanz Informatik Technologie Service (FI-TS), the largest IT service provider for Landesbanken. Its 1,000 employees work daily in the IT systems of the financial institutions, Finanz Informatik and its own systems - a highly sensitive area in which it must be clearly regulated who has what rights to administer the software in question. The financial institutions serviced by FI-TS are subject to the relevant regulatory requirements, in particular the Minimum Requirements for Risk Management, abbreviated MaRisk, of the German Federal Financial Supervisory Authority (BaFin), compliance with which is also regularly monitored by the authorities. The financial institutions are obliged to pass on these regulations to their subcontractors, so FI-TS must provide all services, including access to software, in compliance with supervisory law.

Access permissions are not set in stone. In fact, they need to be reviewed regularly as governance requirements become more stringent.

Christian Rothlauf, BRM Planung & Beratung, Finanz Informatik Technologie Service

For several years, a special Identity Access Governance (IAG) software has been used for internal authorization management. "However, access authorizations are not set in stone," says Christian Rothlauf. "Rather, they have to be checked regularly as governance requirements become increasingly strict." For this reason, a so-called recertification takes place. It ensures that every user of the IT systems holds, at any given time, only those authorizations that are necessary for the performance of his or her tasks; the principle of economy (need-to-know) is applied. For each of the employees assigned to them, managers check which authorizations may be retained and which are to be withdrawn. Roles in which several rights are bundled are also recertified, so it must also be checked that each role contains the correct rights at all times.

Recertification via Excel unclear and error-prone

Site Haar near Munich ©FI-TS

FI-TS carries out such recertifications every six months. To do this, it uses the Nexis Controle software, implemented by its project partner, the IAG (Identity & Access Governance) business unit of TIMETOACT Software & Consulting GmbH. This software replaced the previous Excel-based approach and was tailored to today's business requirements. Previously, it was not guaranteed that the managers or those responsible for rights had actually seen all rights when giving their confirmation, whereas governance guidelines require technical proof that the manager has actually viewed the current Excel spreadsheet and scrolled through the table to its last row. Another disadvantage of the Excel-based approach: not all user types were fully recertified. A distinction is made between personal and technical users and between different classes. MaRisk demands completeness here: all authorizations must be checked.

Comprehensive recertification: Exclusive and twin roles and users without an account

With its new recertification software, FI-TS can meet the requirements described above. Among other things, it also enables recertification of exclusive roles, such as those used in FI-TS's IAG system; such roles are used to control employee attributes. Users who have no accounts can also be recertified.

For temporary activation of rights, FI-TS uses the HPU (highly privileged user) procedure. This involves applying for a specific authorization role in the normal way, but initially no rights are associated with it. These rights can then be activated via a separate workflow, and the user is assigned a so-called twin role. The new recertification solution is also able to map this special rights constellation. Architecturally designed as a web application, it works with a universally applicable data model that maps the entities of a normal IAG system.

Nexis Controle links third-party systems with IAG software

The data from the IAG solution (Garancy IAM from Beta Systems Software AG), which contain all roles and users, responsible persons and organizational structures, can thus easily be transferred to the recertification solution. They are exported nightly and can be adapted, aggregated or filtered again at the interface. In this way, the construct of twin roles and HPU rights is elegantly mapped. FI-TS systems that do not communicate with the IAG software also deliver data on all their accounts and authorizations to the recertification solution, which links them to the IAG data and thus finds the responsible manager. TIMETOACT created the integrative connection between the individual systems for FI-TS.

The software requires almost no programming, but gets by with pure configuration in the interface and the "clicking together" of settings. This allows granular control of what is to be recertified and displayed.

Christian Höfs, Project Lead, FI-TS

Even during the first recertification, it became clear how FI-TS meets the MaRisk requirement of completeness: in the new system, the manager only ever sees a certain section of the screen, makes a decision for the objects displayed there and then has to click on to the next section. This ensures that a decision is actively made for each employee and each of his or her rights and roles. Thanks to the flexibility of Nexis Controle's manufacturer, the TIMETOACT team was able to implement the customer's current requirements very quickly and make new features ready for standard use within a few weeks. Project manager Christian Höfs: "The software requires virtually no programming, but gets by with pure configuration in the user interface and clicking together settings. This allows granular control of what is to be recertified and displayed."
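As an added illustration (not Nexis Controle, Garancy or FI-TS code), the following Python models the completeness rule described in the last few sections: every user, role and account, including exclusive and twin roles, users without accounts and accounts from systems outside the IAG software, is routed to a responsible manager, and a campaign counts as complete only when each item carries an explicit decision. All class names and sample data are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    user_id: str
    manager: str            # responsible person from the IAG export

@dataclass(frozen=True)
class RoleAssignment:
    user_id: str
    role: str
    kind: str               # "standard", "exclusive" (controls attributes) or "twin" (activated HPU rights)

@dataclass(frozen=True)
class Account:
    system: str             # "iag" or a system that does not talk to the IAG software
    account_id: str
    user_id: Optional[str]  # None when the account could not be linked to an IAG user

def build_campaign(users, assignments, accounts):
    """Group every object that needs a decision under its responsible manager.
    Users without any account or role still get an item; accounts that cannot be
    linked to a user go to the UNLINKED queue instead of silently disappearing."""
    by_id = {u.user_id: u for u in users}
    campaign = {}
    for u in users:
        campaign.setdefault(u.manager, set()).add(("user", u.user_id))
    for a in assignments:
        campaign.setdefault(by_id[a.user_id].manager, set()).add(("role", a.user_id, a.role, a.kind))
    for acc in accounts:
        owner = by_id.get(acc.user_id) if acc.user_id else None
        queue = owner.manager if owner else "UNLINKED"  # third-party account resolved via its IAG user
        campaign.setdefault(queue, set()).add(("account", acc.system, acc.account_id))
    return campaign

def undecided(campaign, decisions):
    """Items lacking an explicit keep/revoke decision; completeness holds only when this is empty."""
    missing = {}
    for manager, items in campaign.items():
        open_items = {i for i in items if decisions.get(manager, {}).get(i) not in ("keep", "revoke")}
        if open_items:
            missing[manager] = open_items
    return missing

# Constructed sample export (not real FI-TS data): u3 has no account, u1 holds an HPU twin role,
# and one legacy account could not be linked to any IAG user.
USERS = [User("u1", "mgr-a"), User("u2", "mgr-a"), User("u3", "mgr-b")]
ASSIGNMENTS = [RoleAssignment("u1", "db-admin", "standard"), RoleAssignment("u1", "db-admin-HPU", "twin"),
               RoleAssignment("u2", "site-haar", "exclusive")]
ACCOUNTS = [Account("iag", "u1", "u1"), Account("legacy-host", "svc_batch", "u2"), Account("legacy-host", "root2", None)]
```

Running `undecided(build_campaign(USERS, ASSIGNMENTS, ACCOUNTS), decisions)` after each review round shows exactly which managers still owe a decision, and the UNLINKED queue makes orphaned third-party accounts visible instead of letting them fall outside the recertification.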

Another step by FI-TS towards meeting BaFin requirements in authorization management

  • With the implementation of Nexis Controle for recertification by TIMETOACT GROUP's IAG team, FI-TS is compliant with industry regulations when it comes to authorization management.

  • Completeness thanks to a two-tier role model with specialist and component roles.

  • Continuous updating of recertification through permanent comparison with the IAG software instead of working on a key-date basis.

  • Better overview when checking user rights and roles increases overall recertification quality.

  • Potential for further use of the recertification software for role modeling.

FI-TS is an innovative IT partner for companies in the finance and insurance sectors.
