Log management and Italian regulations


The current regulations in force in Italy that require compliance with log management are:

  • “System Administrators” Provision – November 27, 2008
  • Security of Telecommunications and Telematic Traffic Data – January 17, 2008
  • European Regulation 2016/679 (GDPR)
  • AgID Minimum Measures

“System Administrators” Provision – November 27, 2008

Within the “System Administrators” Provision of November 27, 2008, the Guarantor explicitly describes how log collection should be performed to ensure organizations’ compliance with the regulations (provision text link).

In section “4.4 Activity Verification,” the provision states:

“The activities of system administrators must be subject to verification by data controllers or data processors at least once a year, in order to ensure compliance with the organizational, technical, and security measures for the processing of personal data provided by the applicable regulations.”

Furthermore, in section “4.5 Access Logging,” it is specified that:

“Systems suitable for logging logical accesses (computer authentication) to processing systems and electronic archives must be adopted by system administrators. The logs (access logs) must be complete, unalterable, and verifiable in terms of their integrity to achieve the verification purpose for which they are required.

The logs must include the timestamps and a description of the event that generated them, and they must be kept for a reasonable period, not less than six months.”

How do COALA and LogBox address the regulatory issue?

How can COALA help with compliance to the “System Administrators” Provision?

The Collector module collects logs in a complete, unaltered, and unmodifiable manner through various techniques:

  • Agents perform checks to ensure correct log acquisition, encrypting the transmitted packet to protect it during transport to the server farm, and the cache allows logging even in case of issues during transmission. This ensures complete, unaltered, and unmodifiable log collection during both acquisition and transport.
  • Data is hashed, with the possibility of integrating digital signatures and timestamps.
  • The log retention is customizable, allowing the desired retention period to be set and ensuring its expiration after the specified storage period. Additionally, retention can be differentiated by log source (not just by host), allowing different retention periods on the same infrastructure for different purposes.
  • The annual verification or audit of system administrators’ activities can be managed using the reporting module, which allows automatic documentation creation based on log content (one standard template is already included).

“Security of telephone and telematic traffic data” Provision – January 17, 2008

The Guarantor specifies the measures to be taken for log management and the protection of data access (link to the provision text). In particular, sections 6, 7.1, and 7.6 provide explicit information:

In section “6. Data acquisition methods,” the retention periods for data are mentioned. “The Code identifies the methods by which traffic data stored by providers can be acquired, prescribing, with regard to the first retention period (the first twenty-four months and six months, respectively, for telephone and telematic traffic), that the request must be made by a ‘reasoned decree of the public prosecutor, also upon request of the defendant’s counsel, the person under investigation, the victim, and other private parties’ (Article 132, paragraph 3, of the Code).”

However, a 72-month term is preserved for the prosecution of all types of offenses, as provided for in Article 24 of Law 167 of November 20, 2017.

In section “7.1. Authentication systems,” strong authentication tools are identified: “The processing of telephone and telematic traffic data by providers should only be allowed for authorized personnel and solely based on the prior use of specific computer authentication systems based on strong authentication techniques, consisting of the simultaneous use of at least two different authentication technologies, regardless of whether the access to the processing system is local or remote, ensuring that access cannot occur without the personnel having passed an authentication phase as described above.”

For traffic data stored exclusively for the purpose of investigation and prosecution of crimes (i.e., data generated more than six months earlier, or all data processed for these purposes if kept separately from data processed for other purposes since their generation), one of these technologies must be based on the processing of biometric characteristics of the personnel to ensure their physical presence at the workstation used for processing.

These authentication methods must also be applied to all technical staff (system administrators, network administrators, database administrators) who may access the traffic data stored in the provider’s databases.

Finally, section “7.6. Other measures” indicates the characteristics that the log collection must have: “Suitable computer solutions must be adopted to ensure control over the activities carried out on traffic data by each data controller, regardless of their qualifications, skills, operational areas, and processing purposes. The control must be effective and detailed, even for operations performed on individual information elements in different databases.”

These solutions include recording, in a dedicated audit log, the operations performed directly or indirectly on traffic data and other personal data connected to them, whether through interactive system use or automated computer programs.

The audit log systems must guarantee the completeness, immutability, and authenticity of the recorded information regarding all processing operations and security events subject to auditing. To achieve this, storage systems on non-alterable devices, even in a centralized form for each processing facility or data center, must be adopted for logging data. Before writing, the data or data groups must undergo computer procedures to ensure their integrity, based on the use of cryptographic technologies.

The measures described in this paragraph are adopted in compliance with the principles regarding the control of workers’ use of electronic tools, with particular regard to informing the individuals concerned (see Provision dated March 1, 2007, web document No. 1387522).”

How COALA and LogBox support compliance with the “Security of telephone and telematic traffic data” provision:

In this case, COALA can also assist with regulatory compliance. The same reasons listed in the “System Administrators Provision” section apply to the “Security of telephone and telematic traffic data” provision. The same technical measures protect the log during acquisition and transport until it reaches the server farm, and retention differentiated by log source allows logs to be kept for both the 6-month and the 24-month retention periods.
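To make the requirements concrete, here is an added example (not COALA or LogBox code, and not part of the original article) of the two properties discussed above and in section 7.6: records that are cryptographically committed before storage so that alteration is detectable, and retention applied per log source. The key, source names and retention values are constructed assumptions; a real collector would use a digital signature and trusted timestamp rather than a demo HMAC.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed demo key. A real collector would keep this in an HSM and, as the
# provision suggests, could add a digital signature and trusted timestamp.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical per-source retention in days (6 and 24 months); names assumed.
RETENTION_DAYS = {"telematic": 180, "telephone": 730}

def _mac(body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(DEMO_KEY, payload, hashlib.sha256).hexdigest()

def append_record(store, source, event, ts):
    """Append one event to the per-source hash chain; each record commits to the previous MAC."""
    chain = store.setdefault(source, [])
    prev = chain[-1]["mac"] if chain else "0" * 64
    body = {"ts": ts.isoformat(), "source": source, "event": event, "prev": prev}
    body["mac"] = _mac(body)
    chain.append(body)
    return body

def verify_chain(chain):
    """Return -1 if every MAC and link is intact, else the index of the first bad record."""
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if not hmac.compare_digest(rec["mac"], _mac(body)):
            return i
        if i > 0 and rec["prev"] != chain[i - 1]["mac"]:
            return i
    return -1

def expire(store, now):
    """Trim each source's chain to its retention window; only the oldest records drop off."""
    out = {}
    for source, chain in store.items():
        limit = timedelta(days=RETENTION_DAYS[source])
        out[source] = [r for r in chain if now - datetime.fromisoformat(r["ts"]) <= limit]
    return out

def demo():
    """Constructed run: two sources, one tampered record, one expired record."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = {}
    append_record(store, "telematic", "admin login ok", t0)
    append_record(store, "telematic", "admin login failed", t0 + timedelta(days=200))
    append_record(store, "telephone", "cdr export", t0)
    intact = verify_chain(store["telematic"])          # -1: chain untouched
    tampered = [dict(r) for r in store["telematic"]]
    tampered[0]["event"] = "nothing happened"
    bad = verify_chain(tampered)                        # 0: first record altered
    kept = expire(store, t0 + timedelta(days=365))      # telematic loses its 6-month-old record
    return intact, bad, len(kept["telematic"]), len(kept["telephone"])
```

Because expiry only removes records from the head of a source's chain, the remaining records still verify against each other.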

Furthermore, strong authentication is required. For this reason, COALA’s collector includes an authentication method using a USB token, including biometric options.

The EU Regulation 2016/679 (GDPR)

The GDPR imposes a fundamental principle: accountability. It requires those who process personal data to demonstrate that, in case of suspected breaches, all possible protective actions have been taken. For this reason, organizations that want to be GDPR compliant are compelled to reconsider their approach to log management.

From an accountability perspective (Article 5, paragraph 2 of the GDPR), the adoption of a log management tool proves to be useful in demonstrating the data controller’s commitment to safeguarding their archives and IT systems. As the principle itself emphasizes the need for reporting activities, data controllers must equip themselves with such tools to demonstrate that they have done everything possible to protect the data in case of breaches.

How can COALA and LogBox help with GDPR compliance?

The real-time analysis module and the alarm module can assist in being proactive in data protection and, above all, demonstrating compliance with Article 5 regarding accountability:

  • The alarm module allows setting up alerts based on log content, which, once triggered, notifies personnel of potential threats that can be prevented or addressed.
  • Even in the absence of alarms, the ability to analyze logs in real time enables proactive monitoring of access, contributing to data protection and the accountability required by the GDPR.

AgID Minimum Measures

The “Misure minime AgID” (Minimum Measures by AgID) document includes several tables that identify the controls or improvements to be implemented for various topics.

In particular, within the section on “Appropriate use of administrator privileges: Rules, processes, and tools to ensure the correct use of privileged accounts and administrative rights,” explicit references are made to log traceability for failed access attempts by system administrators, alert generation, monitoring of behavioral anomalies on administrator accounts, and traceability of changes to system administrator accounts.
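As an added illustration (not the product's own rules and not part of the original article) of the content-based alerting described for the alarm module and of the AgID items just listed, the following runs two detections over constructed sshd-style log lines: a burst of failed logins against a privileged account, and a change that adds a user to an administrative group. Log format, account and group names, and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like layout (not real logs).
SAMPLE_LOG = """\
2024-03-01T08:00:01 host1 sshd: Failed password for root from 10.0.0.5
2024-03-01T08:00:04 host1 sshd: Failed password for root from 10.0.0.5
2024-03-01T08:00:07 host1 sshd: Failed password for root from 10.0.0.5
2024-03-01T08:00:09 host1 sshd: Accepted password for root from 10.0.0.5
2024-03-01T09:30:00 host2 sshd: Failed password for alice from 10.0.0.9
2024-03-01T10:15:00 host1 usermod: add 'bob' to group 'sudo'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
ADMIN_CHANGE_RE = re.compile(r"add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")

ADMIN_USERS = {"root"}             # assumed privileged accounts
ADMIN_GROUPS = {"sudo", "wheel"}   # assumed privileged groups
THRESHOLD, WINDOW = 3, timedelta(minutes=5)

def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec

def evaluate(text):
    """Return alert strings for admin login bursts and admin-group membership changes."""
    alerts = []
    failures = defaultdict(list)   # (host, user, ip) -> timestamps inside the window
    for rec in parse(text):
        f = FAILED_RE.search(rec["msg"])
        if f and f["user"] in ADMIN_USERS:
            key = (rec["host"], f["user"], f["ip"])
            failures[key] = [t for t in failures[key] if rec["ts"] - t <= WINDOW] + [rec["ts"]]
            if len(failures[key]) == THRESHOLD:   # fire once when the threshold is reached
                alerts.append(f"{rec['host']}: {THRESHOLD} failed admin logins for {f['user']} from {f['ip']}")
            continue
        c = ADMIN_CHANGE_RE.search(rec["msg"])
        if c and c["group"] in ADMIN_GROUPS:
            alerts.append(f"{rec['host']}: {c['user']} added to admin group {c['group']}")
    return alerts
```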

How can COALA and LogBox assist with compliance with the minimum measures set by AgID?

Within the minimum measures set by AgID, the rules regarding log management primarily refer to the provisions and regulations already described in this article.