Financial Services · BaFin-audited · ISO 27001
DevSecOps Team Led to BaFin Audit Readiness with Incident Processes and Automation
Background
An automotive bank with around 150 employees in its IT department faced the challenge of making its DevSecOps team audit-ready for upcoming BaFin examinations. Existing operational processes were insufficiently documented, incident management followed no standardised procedure, and recurring manual tasks consumed capacity that was needed for security-relevant work. Regulatory requirements from BAIT (Supervisory Requirements for IT in Financial Institutions) as well as ISO 27001 and ISO 22301 demanded demonstrable, structured processes.
Measures
Wenske Cyber Solutions was commissioned to build up the DevSecOps team and guide it to audit readiness. We developed comprehensive, audit-relevant operational documentation and supported the preparation and execution of BaFin examinations. For incident management, we introduced a structured procedure based on ITIL and security best practices that classifies incidents by severity and clearly defines escalation paths. To reduce the attack surface introduced by manual, error-prone work, we developed automation solutions in Python, Bash, and Ansible that standardise recurring tasks such as configuration checks and deployments. We also designed a middleware tool for synchronising the ITSM system with the Kanban board to create transparency about the processing status of security-relevant tickets. Team enablement was achieved through systematic code reviews and pair programming.
Results
The DevSecOps team subsequently passed the BaFin examination without material findings. The operational documentation covers all audit-relevant processes and is independently maintained by the team. The automation solutions have measurably reduced the manual effort for routine tasks while increasing the consistency of results. The team now works according to a standardised incident management procedure and is capable of handling and documenting security incidents in a structured manner.