VAIT Compliance
Apparity helps insurance companies evidence the end user computing (EUC) controls that VAIT expects, specifically those associated with EUC policy, procedures and operational processes.
What is VAIT?
In 2018, Germany’s Federal Financial Supervisory Authority, BaFin, issued the Versicherungsaufsichtliche Anforderungen an die IT, or VAIT. VAIT sets out requirements relating to information security and information technology for the insurance industry.
What are VAIT EUC Requirements?
VAIT includes a number of requirements that apply to end user computing (EUC) applications such as Excel spreadsheets. These requirements can be mapped directly to an EUC framework or policy. Continue reading to see how Apparity’s EUC Risk Management software helps insurance companies address them.
VAIT EUC requirements covered on this page: Requirement 14, 15, 18, 42, 43, 44, 49, 51, 54, 56 and 57.
VAIT14
IT Governance
VAIT Requirement
“The scope and quality of technical and organizational resources shall be governed by the risk profile.”
EUC Framework
- Classification (impact, complexity, level of data protection)
- Controls based on the level of risk
VAIT15
IT Governance
VAIT Requirement
“…IT systems and related IT processes shall ensure the integrity, availability, authenticity and confidentiality of the data. To achieve this, generally established standards shall be applied to the arrangement of the IT systems and the related IT processes; in particular, processes for appropriate assignment of access rights shall be established …”
EUC Framework
- Access control process
- Classification (level of data protection)
- Spreadsheet best practice
Apparity
- Active Management: set access control
- Integrity Check
VAIT18
Information Risk Management
VAIT Requirement
“The identification, assessment, monitoring and steering processes shall comprise in particular the definition of IT risk criteria, the identification of IT risks, the determination of the level of protection required and protective measures for IT operations derived from it, and the definition of measures to manage the remaining residual risks.”
EUC Framework
- Classification (impact, complexity, level of data protection)
- Controls based on the level of risk
Apparity
- Discovery: assign risk classification
- Active Management: manage critical EUCs
- Solution Configuration: maps to your policy to help define risk
VAIT42
Application Development
VAIT Requirement
“Material modifications to the IT systems in the course of IT projects, their impact on the organizational and operational structure of IT and on the related IT processes shall be evaluated in advance as part of an impact analysis. In doing so, the undertaking shall analyze in particular the impact of the planned changes on the control methods and the intensity of controls …”
EUC Framework
- Change management process, including test plans
- Change log / version history
Apparity
- Active Management: enable change and version control
VAIT43
Application Development
VAIT Requirement
“… a standard process of development, testing, approval and implementation in the production processes shall be established. The production and testing environments shall generally be kept separate …”
EUC Framework
- Change management process
- Controls based on the level of risk
Apparity
- Active Management: enable change and version control
VAIT44
Application Development
VAIT Requirement
“… in line with the criticality of the supported business processes and the importance of the application for those processes. The definition of measures to safeguard information security shall be governed by the protection requirement of the data being processed …”
EUC Framework
- Classification (impact, complexity, level of data protection)
- Controls based on the level of risk
Apparity
- Discovery: assign risk classification
- Registration: identify supported business processes and define the associated risk
VAIT49
Application Development
VAIT Requirement
“Appropriate processes shall be defined for application development which contain specifications for identifying requirements, for the development objective, for (technical) implementation (including coding guidelines), for quality assurance, and for testing, approval and release.”
EUC Framework
- Change management process
- Change log / version history
Apparity
- Active Management: enable change and version control
VAIT51
Application Development
VAIT Requirement
“In the context of application development, appropriate arrangements shall be made, consistent with the protection requirement, to ensure that … the confidentiality, integrity, availability and authenticity of the data to be processed are comprehensibly assured.”
EUC Framework
- Change management process
- Change log / version history
Apparity
- Active Management: enable change and version control
- MME: trace where data is coming from and its validity
VAIT Requirement
“Suitable arrangements may include:
- checking of input data;
- system access control;
- user authentication;
- transaction authorisation;
- logging of system activity;
- audit logs …”
EUC Framework
- Input control
- Access control
- Change management
- Documentation
- Spreadsheet best practice
Apparity
- Active Management: set access control
- Integrity Check
VAIT54
Application Development
VAIT Requirement
“A methodology for testing applications prior to their first use and after material modifications shall be defined and introduced …”
EUC Framework
- Change management process
Apparity
- Active Management: set access control
- Inchange Process
VAIT Requirement
“Test documentation contains the following points as a minimum:
- test case description;
- documentation of the parameterisation …;
- test data;
- expected test result;
- actual test result;
- measures derived from the tests”
EUC Framework
- Change management process
- Change log / version control
- Documentation
Apparity
- Active Management: enable change and version control
- Inchange Process
VAIT56
Application Development
VAIT Requirement
“An appropriate procedure shall be defined for the classification/ categorisation (protection requirements category) and handling of the applications developed or run by the organisational unit’s end users.”
EUC Framework
- Classification (impact, complexity, level of data protection)
- Controls based on the level of risk
Apparity
- Discovery: assign risk classification
- Configurable Registration: generate an overall risk rating and define the controls needed
VAIT57
Application Development
VAIT Requirement
“Rules shall be defined on the identification of the applications developed or run by the organisational unit’s end users, on documentation, on the coding guidelines and on the testing methodology for these applications, on the protection requirements analysis and on the recertification process for authorisations (e.g. in EUC guidelines).”
EUC Framework
- EUC policy and guidelines
VAIT Requirement
“… a central register of critical or material applications shall be maintained. As a minimum, the register shall generally document the applications that are used to identify, evaluate, monitor and manage the risks and to report on these risks, or that are important for performing other activities due to statutory requirements or activities that are necessary for operations.”
EUC Framework
- EUC inventory
- Classification (impact, complexity, level of data protection)
Apparity
- Discovery
- Registration: register all spreadsheets (and other EUCs) to create and maintain an inventory
VAIT Requirement
“As a minimum, the following information will be collected:
- name and purpose …;
- version history, date;
- externally or internally developed;
- staff member(s) responsible …;
- technology;
- result of the risk classification/ protection requirements classification and … the protective measures derived from these.”
EUC Framework
- Register metadata
- Classification (impact, complexity, level of data protection)
Apparity
- Discovery
- Registration: enable a central EUC inventory with the ability to classify the level of risk