VAIT Compliance

VAIT Requirement

“The scope and quality of technical and organizational resources shall be governed by the risk profile.”

EUC Framework

• Classification
  (Impact, complexity, level of data protection)
• Controls based on the level of risk

VAIT Requirement

“…IT systems and related IT processes shall ensure the integrity, availability, authenticity and confidentiality of the data. To achieve this, generally established standards shall be applied to the arrangement of the IT systems and the related IT processes; in particular, processes for appropriate assignment of access rights shall be established …”

EUC Framework

• Access control process
• Classification
  (level of data protection)
• Spreadsheet best practice

VAIT Requirement

“The identification, assessment, monitoring and steering processes shall comprise in particular the definition of IT risk criteria, the identification of IT risks, the determination of the level of protection required and protective measures for IT operations derived from it, and the definition of measures to manage the remaining residual risks.”

EUC Framework

• Classification
  (Impact, complexity, level of data protection)
• Controls based on the level of risk

VAIT Requirement

“Material modifications to the IT systems in the course of IT projects, their impact on the organizational and operational structure of IT and on the related IT processes shall be evaluated in advance as part of an impact analysis. In doing so, the undertaking shall analyze in particular the impact of the planned changes on the control methods and the intensity of controls …”

EUC Framework

• Change management process including test plans
• Change log/ version history

VAIT Requirement

“… a standard process of development, testing, approval and implementation in the production processes shall be established. The production and testing environments shall generally be kept separate …”

EUC Framework

• Change management process
• Controls based on the level of risk

VAIT Requirement

“… in line with the criticality of the supported business processes and the importance of the application for those processes. The definition of measures to safeguard information security shall be governed by the protection requirement of the data being processed …”

EUC Framework

• Classification
  (Impact, complexity, level of data protection)
• Controls based on the level of risk

VAIT Requirement

“Appropriate processes shall be defined for application development which contain specifications for identifying requirements, for the development objective, for (technical) implementation (including coding guidelines), for quality assurance, and for testing, approval and release.”

EUC Framework

• Change management process
• Change log/ version history

VAIT Requirement

“In the context of application development, appropriate arrangements shall be made, consistent with the protection requirement, to ensure that … the confidentiality, integrity, availability and authenticity of the data to be processed are comprehensibly assured.”

EUC Framework

• Change management process
• Change log/ version history

VAIT Requirement

“Suitable arrangements may include:

• checking of input data;
• system access control;
• user authentication;
• transaction authorisation;
• logging of system activity;
• audit logs …”

EUC Framework

• Input control
• Access control
• Change management
• Documentation
• Spreadsheet best practice

VAIT Requirement

“A methodology for testing applications prior to their first use and after material modifications shall be defined and introduced …”

EUC Framework

• Change management process

VAIT Requirement

“Test documentation contains the following points as a minimum:

• test case description;
• documentation of the parameterisation …;
• test data;
• expected test result;
• actual test result;
• measures derived from the tests”

EUC Framework

• Change management process
• Change log/ version control
• Documentation

VAIT Requirement

“An appropriate procedure shall be defined for the classification/ categorisation (protection requirements category) and handling of the applications developed or run by the organisational unit’s end users.”

EUC Framework

• Classification
  (Impact, complexity, level of data protection)
• Controls based on the level of risk

VAIT Requirement

“Rules shall be defined on the identification of the applications developed or run by the organisational unit’s end users, on documentation, on the coding guidelines and on the testing methodology for these applications, on the protection requirements analysis and on the recertification process for authorisations (e.g. in EUC guidelines).”

EUC Framework

• EUC policy and guidelines

VAIT Requirement

“… a central register of critical or material applications shall be maintained. As a minimum, the register shall generally document the applications that are used to identify, evaluate, monitor and manage the risks and to report on these risks, or that are important for performing other activities due to statutory requirements or activities that are necessary for operations.”

EUC Framework

• EUC inventory
• Classification
  (Impact, complexity, level of data protection)

VAIT Requirement

“As a minimum, the following information will be collected:

• name and purpose …;
• version history, date;
• externally or internally developed;
• staff member(s) responsible …;
• technology;
• result of the risk classification/ protection requirements classification and … the protective measures derived from these.”

EUC Framework

• Register metadata
• Classification
  (Impact, complexity, level of data protection)