There are several reasons why it may be necessary to implement security functions such as access control, administration and checking of access rights, or logging within the application programs themselves:
If the logging facilities of the IT system, including the additional IT security products used, are not sufficient to guarantee adequate verification security, then these logging elements must be implemented in the application program. (Example: BDSG, Appendix to § 9, Input Monitoring: "to guarantee that it is subsequently possible to check and ascertain which person-related data have been entered into data processing systems at what time and by whom".)
If the granularity of the IT system's access rights, including the additional security products used, is not sufficient to guarantee proper operation, then administration and monitoring of access rights must be implemented in the application program. (Example: a database with a joint data pool, where access is permissible only to certain fields depending on the user's role.)
If the IT system, including the additional IT security products used, cannot prevent the administrator from gaining access to certain data, or at least log and monitor this access, then this must be implemented where necessary by additional security features in the application program. For example, encrypting the data prevents the administrator from reading it in plain text if he does not possess the appropriate key.
These additional requirements on IT applications must be taken into account at the time of planning and development, as subsequent implementation is usually no longer possible for reasons of cost.
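The first two cases above (input monitoring and role-dependent field access on a joint data pool) can be combined in one application-level layer. The following is an added example, not part of the original text; the roles, field names, `RecordStore` class and sample values are hypothetical and constructed for illustration.

```python
from datetime import datetime, timezone

# Hypothetical roles and the fields each may read or write in the shared data pool.
FIELD_RIGHTS = {
    "clerk":   {"read": {"name", "address"}, "write": {"address"}},
    "payroll": {"read": {"name", "salary"},  "write": {"salary"}},
}

class AccessDenied(Exception):
    """Raised when a role tries to write a field it has no right to."""

class RecordStore:
    def __init__(self):
        self._records = {}    # record_id -> {field: value}
        self.input_log = []   # input monitoring: who entered what, and when

    def _log(self, user, role, record_id, fields, outcome):
        # Field names, not values, are logged so the log does not copy the data.
        self.input_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "record": record_id,
            "fields": sorted(fields), "outcome": outcome,
        })

    def write(self, user, role, record_id, changes):
        allowed = FIELD_RIGHTS.get(role, {}).get("write", set())
        denied = set(changes) - allowed
        if denied:
            # Reject the whole input and record the attempt.
            self._log(user, role, record_id, denied, "denied")
            raise AccessDenied(f"{role} may not write {sorted(denied)}")
        self._records.setdefault(record_id, {}).update(changes)
        self._log(user, role, record_id, changes, "written")

    def read(self, role, record_id):
        # Unknown roles get an empty set, so the default is no access.
        allowed = FIELD_RIGHTS.get(role, {}).get("read", set())
        record = self._records.get(record_id, {})
        return {f: v for f, v in record.items() if f in allowed}

def demo():
    store = RecordStore()
    store.write("alice", "clerk", 17, {"address": "Constructed Street 1"})
    store.write("bob", "payroll", 17, {"salary": 4200})
    try:
        store.write("alice", "clerk", 17, {"salary": 9999})
    except AccessDenied:
        pass
    return store
```

In a real application the input log would be kept in storage that the application's ordinary users cannot modify.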
Additional controls:
When developing new IT applications, is there a systematic determination of the security functions the application must provide?