The “System Administrators” provision and the registration of access logs

  • log
  • log management
  • regulatory compliance

The “System Administrators” provision is one of the fundamental steps for protecting personal data in organizations. It remains in force today, alongside the GDPR and AGID's minimum security measures, and is of central relevance to log management.

The System Administrators provision

The System Administrators provision was issued by the Privacy Guarantor on November 27, 2008, amended by the Provision of June 25, 2009, and is currently in force. Its purpose is to strengthen the protection of personal data processed electronically within companies, public administrations and other organizations.
With this provision, the Guarantor sought to define and control one of the most important figures in the information society: the System Administrator.

System administrators hold considerable power over personal data within organizations and, thanks to their privileged credentials, they are potentially able to see every activity and every piece of data belonging to the users of the IT infrastructure they manage. For this reason, the Guarantor created the provision with the aim of monitoring their actions and preventing abuse.

What does the provision say?

Firstly, the provision defines the figure of the system administrator:

“The definition of ‘system administrator’ generally identifies professional figures aimed at the management and maintenance of a processing plant or its components. For the purposes of this provision, other comparable figures from the point of view of the risks related to data protection, such as database administrators, network and security apparatus administrators, and administrators of complex software systems, are also considered.”

The technical activities carried out by these figures, such as backup/recovery, network flow organization, storage media management and hardware maintenance, often involve an effective capacity to act on information that must be considered, in all respects, equivalent to the processing of personal data, even when the data is never viewed in the clear.

For these reasons, the Guarantor has prescribed measures and precautions that data controllers must adopt with respect to system, network and database administrators.

What are the measures and precautions to comply with the provision?

The measures and precautions consist of five points.

  • The evaluation of subjective characteristics: “The assignment of the functions of the system administrator must take place after evaluating the experience, capacity, and reliability of the designated person, who must provide adequate guarantees of full compliance with the current provisions on processing, including the security profile. Even when the functions of the system administrator or similar are assigned only within the framework of a designation as a data processor pursuant to Article 30 of the Code, the data controller and the data processor must still adhere to criteria for evaluation equivalent to those required for the designation of data processors under Article 29.” In essence, the system administrator cannot be just anyone: the designated person must meet specific subjective requirements, and the same evaluation criteria apply even when the functions are assigned within a designation as a data processor.
  • The designation of the system administrator must always include an analytical list of the allowed operating areas based on the authorization profile assigned. In practice, there must be a written document listing the activities and responsibilities of the system administrator.
  • The identification data and details of the system administrators must be recorded in an internal document that can be produced at any time for inspection checks, including administrators who are outsourced rather than internal to the organization. If the processing involves personal data of the organization's workers, the identity of the system administrators must also be made known, or knowable, to those workers.
  • The activity of system administrators must be verified at least annually by the data controllers or data processors.
  • Suitable systems must be adopted for recording the logical accesses (login and logout events) made by system administrators to processing systems and electronic archives. The records must include the timestamp and a description of the event that generated them, must be unalterable and complete, and must be kept for at least six months.

In which cases are you excluded from complying with the measure?

Unfortunately, the wording of the provision itself does not allow a clear and simple answer; each case often has to be evaluated individually.

However, sometimes there is explicit exclusion from the measure, in particular:

  • Processing carried out for administrative-accounting purposes in the public and private sectors, which poses lower risks to data subjects and has been subject to simplification measures introduced by law in 2008 (art. 29 d.l. 25 June 2008, no. 112, converted, with amendments, by l. 6 August 2008, no. 133; art. 34 of the Data Protection Code; Provision of the Guarantor of 27 November 2008).
  • There is an exclusion in the extreme case of a data controller who performs the functions of the sole system administrator, as can happen in very small business environments. In this specific case, the provisions relating to the verification of the administrator’s activities and the keeping of the computer access log will not apply.
  • In principle, sensitive processing can be carried out even on a single personal computer, in which case the data controller has a duty to foresee and implement the measures and precautions provided for in the provision. This is precisely the critical point: it is necessary to assess, case by case and on the basis of what type of personal data is processed in your IT infrastructure, whether compliance with the provision is required. If no personal data is processed, compliance will not be necessary.

How do I adapt the logs to the “System Administrators” provision?

The logs must be collected in a way that is unalterable, complete and verifiable at any time, and must be kept for at least six months. The Guarantor's FAQs explain in detail that: “the log must include all interactive access events involving system administrators on all computing systems with which personal data is processed, even indirectly”, and, on unalterability: “Features for preserving the integrity of the data collected by log systems are generally available in the most common operating systems, or can easily be integrated with specific software. In simpler cases the requirement can reasonably be satisfied with the software already in use, together with the periodic export of log data to non-rewritable storage media. In more complex cases, data controllers may choose to adopt more sophisticated systems, such as centralized and ‘certified’ log servers.”

There are two critical moments for a log, from both the compliance and the security standpoint: acquisition and transport. At acquisition, it must be possible to attest that the record was captured correctly and is complete and identical to the one the source generated; its integrity and completeness must be signed, or otherwise guaranteed, at that point, for example with a keyed hash that also binds each record to the previous one. In transport, it must be ensured that the log cannot be attacked or modified along its path (for example by a man-in-the-middle), which in practice means an authenticated and encrypted channel between the source and the central log server. Archiving the log and keeping it verifiable for inspection at any time is, by comparison, the less complex step.
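The following is an added example, not code from the original article nor from HTS's products, showing one way to give access-log records the unalterability and completeness the provision asks for: each record carries the mandatory timestamp and event description, an HMAC over its contents, and the MAC of the previous record, so editing, deleting or reordering a record breaks the chain; a periodically exported seal (the kind of checkpoint one would write to non-rewritable media) additionally catches truncation of the newest records, which a chain alone cannot detect. The key, administrator names, hostnames and timestamps are all constructed for illustration.

```python
"""Hash-chained, HMAC-protected access log with a sealed checkpoint.

Added example (not HTS code): one way to make sysadmin access-log
records unalterable and verifiable. The key, events and timestamps
below are constructed for illustration only.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64

# Assumption: in production the key lives in a KMS/HSM or on the central
# log server, never on the host that generates the log.
KEY = b"constructed-demo-key-do-not-use"


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so source and verifier MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, body: dict) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_record(chain: list, key: bytes, ts: str, admin: str, event: str) -> dict:
    """Append one access event. The record carries the provision's mandatory
    fields (timestamp, event description) plus the MAC of the previous record,
    so any edit, deletion or reordering breaks the chain."""
    prev = chain[-1]["mac"] if chain else GENESIS
    body = {"ts": ts, "admin": admin, "event": event, "prev": prev}
    record = dict(body, mac=_mac(key, body))
    chain.append(record)
    return record


def verify_chain(chain: list, key: bytes):
    """Return (ok, index, reason): index is the first bad record, or the
    record count when the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("prev") != prev:
            return False, i, "chain break"
        if not hmac.compare_digest(_mac(key, body), rec.get("mac", "")):
            return False, i, "bad mac"
        prev = rec["mac"]
    return True, len(chain), "ok"


def seal(chain: list, key: bytes) -> dict:
    """Checkpoint the chain head. A chain alone cannot detect truncation of
    its newest records; a seal fixes the expected length and head."""
    head = chain[-1]["mac"] if chain else GENESIS
    body = {"count": len(chain), "head": head}
    return dict(body, mac=_mac(key, body))


def verify_seal(chain: list, key: bytes, s: dict):
    """Verify the chain and check it still matches the sealed checkpoint."""
    ok, _, reason = verify_chain(chain, key)
    if not ok:
        return False, reason
    body = {"count": s["count"], "head": s["head"]}
    if not hmac.compare_digest(_mac(key, body), s["mac"]):
        return False, "bad seal mac"
    head = chain[-1]["mac"] if chain else GENESIS
    if len(chain) != s["count"] or head != s["head"]:
        return False, "truncated or extended"
    return True, "ok"


def demo():
    """Build a constructed log, then apply the tampering a verifier must catch."""
    events = [  # constructed sample access events
        ("2024-03-01T08:02:11Z", "admin1", "ssh login srv-db01 success"),
        ("2024-03-01T08:40:03Z", "admin1", "ssh logout srv-db01"),
        ("2024-03-01T09:15:27Z", "admin2", "rdp login srv-file02 success"),
    ]
    chain = []
    for ts, admin, event in events:
        append_record(chain, KEY, ts, admin, event)
    s = seal(chain, KEY)
    results = {"intact": verify_seal(chain, KEY, s)[0]}

    edited = json.loads(json.dumps(chain))          # deep copy, then alter a field
    edited[0]["event"] = "ssh login srv-db01 failure"
    results["edited"] = verify_chain(edited, KEY)

    deleted = chain[:1] + chain[2:]                 # drop the middle record
    results["deleted"] = verify_chain(deleted, KEY)

    truncated = chain[:-1]                          # drop the newest record
    results["truncated_chain_only"] = verify_chain(truncated, KEY)[0]
    results["truncated_with_seal"] = verify_seal(truncated, KEY, s)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The timestamp should come from a trusted, synchronized clock on the source, and the MAC must be computed there, at acquisition, not on the collector; the transport leg then only has to preserve the bytes, which an authenticated, encrypted channel does. Note that the chain-only check passes on the truncated log: without the exported seal, silently dropping the most recent records would go unnoticed.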

Clearly, each organization can decide to collect logs on its own, centralize them itself and secure them without resorting to specific software, accepting the risks involved. This is why there are log management solutions with a focus on log compliance that are ready for use and offer a targeted solution to the problem.

HTS and the “System Administrators” provision

HTS – Hi-Tech Services solves the issue of compliance with the “System Administrators” provision with its LogBox and COALA products.
Would you like more information about our solutions? Contact us by filling out the form.