VAIT Compliance

Apparity helps insurance companies evidence end user computing (EUC) controls for VAIT compliance, specifically the controls associated with EUC policy, procedures and operational processes.

What is VAIT?

In 2018, Germany’s Federal Financial Supervisory Authority, BaFin, issued the Versicherungsaufsichtliche Anforderungen an die IT, or VAIT. VAIT sets out requirements relating to information security and information technology for the insurance industry.

What are VAIT EUC Requirements?

VAIT includes a number of requirements related to end user computing (EUC) applications such as Excel spreadsheets. These requirements can be mapped directly to an EUC framework/policy. Continue reading to see how Apparity’s EUC Risk Management software helps insurance companies address these requirements.

VAIT14

IT Governance

VAIT Requirement

“The scope and quality of technical and organizational resources shall be governed by the risk profile.”

EUC Framework

  • Classification
    (Impact, complexity, level of data protection)
  • Controls based on the level of risk

VAIT15

IT Governance

VAIT Requirement

“…IT systems and related IT processes shall ensure the integrity, availability, authenticity and confidentiality of the data. To achieve this, generally established standards shall be applied to the arrangement of the IT systems and the related IT processes; in particular, processes for appropriate assignment of access rights shall be established …”

EUC Framework

  • Access control process
  • Classification
    (level of data protection)
  • Spreadsheet best practice

VAIT18

Information Risk Management

VAIT Requirement

“The identification, assessment, monitoring and steering processes shall comprise in particular the definition of IT risk criteria, the identification of IT risks, the determination of the level of protection required and protective measures for IT operations derived from it, and the definition of measures to manage the remaining residual risks.”

EUC Framework

  • Classification
    (Impact, complexity, level of data protection)
  • Controls based on the level of risk

VAIT42

Application Development

VAIT Requirement

“Material modifications to the IT systems in the course of IT projects, their impact on the organizational and operational structure of IT and on the related IT processes shall be evaluated in advance as part of an impact analysis. In doing so, the undertaking shall analyze in particular the impact of the planned changes on the control methods and the intensity of controls …”

EUC Framework

  • Change management process including test plans
  • Change log/version history

VAIT43

Application Development

VAIT Requirement

“… a standard process of development, testing, approval and implementation in the production processes shall be established. The production and testing environments shall generally be kept separate …”

EUC Framework

  • Change management process
  • Controls based on the level of risk

VAIT44

Application Development

VAIT Requirement

“… in line with the criticality of the supported business processes and the importance of the application for those processes. The definition of measures to safeguard information security shall be governed by the protection requirement of the data being processed …”

EUC Framework

  • Classification
    (Impact, complexity, level of data protection)
  • Controls based on the level of risk

Apparity

  • Discovery
    Assign risk classification
  • Registration
    Identify supported business processes and define associated risk

VAIT49

Application Development

VAIT Requirement

“Appropriate processes shall be defined for application development which contain specifications for identifying requirements, for the development objective, for (technical) implementation (including coding guidelines), for quality assurance, and for testing, approval and release.”

EUC Framework

  • Change management process
  • Change log/version history

VAIT51

Application Development

VAIT Requirement

“In the context of application development, appropriate arrangements shall be made, consistent with the protection requirement, to ensure that … the confidentiality, integrity, availability and authenticity of the data to be processed are comprehensibly assured.”

EUC Framework

  • Change management process
  • Change log/version history

Apparity

  • Active Management
    Enable change & version control
  • MME
    Trace where data is coming from and its validity

VAIT Requirement

“Suitable arrangements may include:

  • checking of input data;
  • system access control;
  • user authentication;
  • transaction authorisation;
  • logging of system activity;
  • audit logs …”

EUC Framework

  • Input control
  • Access control
  • Change management
  • Documentation
  • Spreadsheet best practice

VAIT54

Application Development

VAIT Requirement

“A methodology for testing applications prior to their first use and after material modifications shall be defined and introduced …”

EUC Framework

  • Change management process

VAIT Requirement

“Test documentation contains the following points as a minimum:

  • test case description;
  • documentation of the parameterisation …;
  • test data;
  • expected test result;
  • actual test result;
  • measures derived from the tests”

EUC Framework

  • Change management process
  • Change log/version control
  • Documentation

VAIT56

Application Development

VAIT Requirement

“An appropriate procedure shall be defined for the classification/categorisation (protection requirements category) and handling of the applications developed or run by the organisational unit’s end users.”

EUC Framework

  • Classification
    (Impact, complexity, level of data protection)
  • Controls based on the level of risk

VAIT57

Application Development

VAIT Requirement

“Rules shall be defined on the identification of the applications developed or run by the organisational unit’s end users, on documentation, on the coding guidelines and on the testing methodology for these applications, on the protection requirements analysis and on the recertification process for authorisations (e.g. in EUC guidelines).”

EUC Framework

  • EUC policy and guidelines

VAIT Requirement

“… a central register of critical or material applications shall be maintained. As a minimum, the register shall generally document the applications that are used to identify, evaluate, monitor and manage the risks and to report on these risks, or that are important for performing other activities due to statutory requirements or activities that are necessary for operations.”

EUC Framework

  • EUC inventory
  • Classification
    (Impact, complexity, level of data protection)

VAIT Requirement

“As a minimum, the following information will be collected:

  • name and purpose …;
  • version history, date;
  • externally or internally developed;
  • staff member(s) responsible …;
  • technology;
  • result of the risk classification/protection requirements classification and … the protective measures derived from these.”

EUC Framework

  • Register metadata
  • Classification
    (Impact, complexity, level of data protection)
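The register minimum information listed above, together with the classification-driven controls that VAIT 14 and VAIT 56 ask for (classification by impact, complexity and level of data protection, then controls based on the level of risk), as an added example in Python. This is not Apparity's software and not text from VAIT: the tier rule, the control names and the sample register entries are assumptions constructed to illustrate how such a register and mapping can be made checkable.

```python
"""Minimal central EUC register with risk-based classification (added example).

Assumptions, not VAIT rules: the escalation rule in protection_tier(), the
control sets in CONTROLS_BY_TIER and the three sample entries are constructed
for illustration only.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum


class Level(IntEnum):
    """Ordinal scale shared by the three classification dimensions."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class VersionRecord:
    """One line of the version history (VAIT: 'version history, date')."""
    version: str
    changed_on: date
    changed_by: str
    description: str


@dataclass
class EUCRegisterEntry:
    """One row of the central register, holding the VAIT minimum information."""
    name: str
    purpose: str
    responsible_staff: list[str]
    technology: str
    externally_developed: bool
    impact: Level
    complexity: Level
    data_protection: Level
    version_history: list[VersionRecord] = field(default_factory=list)


def protection_tier(entry: EUCRegisterEntry) -> Level:
    """Derive the protection requirements category from the three dimensions.

    Assumed rule: the highest single rating sets the tier, and two or more
    MEDIUM ratings compound into HIGH because the risks reinforce each other.
    """
    levels = (entry.impact, entry.complexity, entry.data_protection)
    tier = max(levels)
    if tier == Level.MEDIUM and sum(lvl >= Level.MEDIUM for lvl in levels) >= 2:
        tier = Level.HIGH
    return tier


# Controls are cumulative: a HIGH entry must satisfy LOW and MEDIUM controls too.
# Names follow the EUC framework items on the page; the grouping is assumed.
CONTROLS_BY_TIER = {
    Level.LOW: {"register metadata", "named responsible staff", "EUC policy acknowledged"},
    Level.MEDIUM: {"access control", "input control", "change log/version history",
                   "spreadsheet best practice"},
    Level.HIGH: {"change management with test plan",
                 "test documentation (case, data, expected/actual result, measures)",
                 "recertification of authorisations",
                 "separate test copy before release to production"},
}


def required_controls(entry: EUCRegisterEntry) -> set[str]:
    """Return every control whose tier is at or below the entry's tier."""
    tier = protection_tier(entry)
    controls: set[str] = set()
    for level in Level:
        if level <= tier:
            controls |= CONTROLS_BY_TIER[level]
    return controls


def missing_register_fields(entry: EUCRegisterEntry) -> list[str]:
    """List the VAIT minimum fields that are empty, so the row can be rejected."""
    missing = []
    if not entry.name.strip():
        missing.append("name")
    if not entry.purpose.strip():
        missing.append("purpose")
    if not entry.responsible_staff:
        missing.append("staff member(s) responsible")
    if not entry.technology.strip():
        missing.append("technology")
    if not entry.version_history:
        missing.append("version history")
    return missing


# Constructed sample register (not real applications or people).
SAMPLE_REGISTER = [
    EUCRegisterEntry("Reserve calculation", "Quarterly claims reserve estimate",
                     ["actuarial lead (placeholder)"], "Excel with VBA", False,
                     Level.HIGH, Level.MEDIUM, Level.MEDIUM,
                     [VersionRecord("1.4", date(2023, 3, 31), "actuarial lead", "Updated IBNR factors")]),
    EUCRegisterEntry("Expense tracker", "Team travel expense summary",
                     ["team assistant (placeholder)"], "Excel", False,
                     Level.MEDIUM, Level.LOW, Level.LOW),           # no version history yet
    EUCRegisterEntry("Holiday planner", "Team leave calendar",
                     ["team assistant (placeholder)"], "Excel", False,
                     Level.LOW, Level.LOW, Level.LOW,
                     [VersionRecord("1.0", date(2023, 1, 9), "team assistant", "Initial version")]),
]


def register_report(entries: list[EUCRegisterEntry]) -> dict[str, dict]:
    """Per-entry tier, required controls and missing minimum fields."""
    return {e.name: {"tier": protection_tier(e).name,
                     "controls": sorted(required_controls(e)),
                     "missing": missing_register_fields(e)} for e in entries}


if __name__ == "__main__":
    for name, row in register_report(SAMPLE_REGISTER).items():
        print(f"{name}: tier={row['tier']} missing={row['missing']}")
        for control in row["controls"]:
            print(f"    - {control}")
```

The report is what an auditor would ask to see: each registered spreadsheet with its classification result, the protective measures derived from it, and any row that cannot be accepted because a minimum field is empty.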

VAIT EUC Reference Guide

This free VAIT EUC Reference Guide provides a summary of how Apparity helps insurance companies evidence EUC controls for VAIT compliance.