Since December 15, 2009 the Italian Guarantor for the protection of personal data has required most companies, private and public, to record and retain data on the access of system administrators to the systems containing sensitive data that they manage, in order to facilitate the "verification of their activity by those who own the databases and IT systems" (provision published in Official Gazette No. 300 of December 24, 2008).
The Guarantor's provisions have not been repealed: they remain in force alongside the GDPR, Regulation (EU) 2016/679.
The provision on system administrators covers the administrators of networks, databases, security devices and complex software systems. The company or institution must therefore identify its system administrators and then record and retain the logs of their logical accesses. By law only the log-in and log-out events of administrators on the systems holding the most sensitive data must be recorded, not every operation performed on those systems.
The recorded logs must "include the time references and the description of the event that generated them, and must be kept for a suitable period of not less than six months". The access records must also be complete and stored on systems that guarantee they cannot be altered while still allowing their integrity to be verified.
In practice every company or entity, after designating its system administrators, needs a log management system able to track the administrators' access to the devices and applications they manage and to store those records securely for at least six months.
What you need to do in practice
Identify the systems that contain the most critical data (network devices, databases, security devices and complex software systems).
Designate the system administrators, internal and external, and keep an up-to-date list of them.
Deploy a system capable of tracing the administrators' access to the devices and applications they manage.
Store the records so that they cannot be altered.
Retain the records for at least six months so that checks and audits can be carried out.
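The requirements above (timestamped log-in/log-out records tied to a named administrator, storage whose integrity can be verified, and a retention floor of six months) can be met with an append-only, hash-chained access log. The following Python is an added example written for this page, not BCD ITALIA product code: the record layout, the field names, the "login"/"logout" event vocabulary, the sample administrators and hosts, and the 183-day retention threshold are all assumptions of the example. Each record carries the hash of the previous one, so editing or deleting any stored record breaks verification of the chain from that point on; purging expired records is allowed only from the head of the chain and leaves behind a checkpoint hash so that the remaining records can still be verified.

```python
"""Tamper-evident log of system-administrator log-in/log-out events.

Added example, not BCD ITALIA's product code. Each record carries a UTC
timestamp, the administrator (a personal account tied to a natural person),
the target system and the event; records are hash-chained so that editing
or deleting one breaks verification of everything after it. Field names,
event vocabulary and the 183-day threshold are assumptions of this example.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64                      # chain start for a fresh log
MIN_RETENTION = timedelta(days=183)     # assumption: "not less than six months"


def _digest(prev_hash: str, body: dict) -> str:
    # Canonical JSON so a record always hashes the same way.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_event(log: list, admin: str, system: str, event: str, when_iso: str) -> dict:
    """Append one log-in/log-out record (ISO-8601 timestamp with zone) and return it."""
    if event not in ("login", "logout"):
        raise ValueError("only log-in and log-out events belong in this log")
    when = datetime.fromisoformat(when_iso)
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a timezone offset")
    prev = log[-1]["hash"] if log else GENESIS
    body = {"ts": when.astimezone(timezone.utc).isoformat(),
            "admin": admin, "system": system, "event": event, "prev": prev}
    record = {**body, "hash": _digest(prev, body)}
    log.append(record)
    return record


def verify_chain(log: list, start: str = GENESIS):
    """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
    prev = start
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("prev") != prev or _digest(prev, body) != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    return True, None


def purge_expired(log: list, now_iso: str, start: str = GENESIS):
    """Drop only the leading records older than MIN_RETENTION.

    Returns (retained, checkpoint): checkpoint is the hash the retained chain
    now starts from; store it next to the log so verify_chain() still works.
    """
    cutoff = datetime.fromisoformat(now_iso).astimezone(timezone.utc) - MIN_RETENTION
    n = 0
    for rec in log:
        if datetime.fromisoformat(rec["ts"]) >= cutoff:
            break
        n += 1
    checkpoint = log[n - 1]["hash"] if n else start
    return log[n:], checkpoint


def sample_log() -> list:
    """Constructed sample data: two administrators on two monitored systems."""
    log = []
    append_event(log, "m.rossi", "IBMi-PROD", "login", "2024-01-08T08:00:00+00:00")
    append_event(log, "m.rossi", "IBMi-PROD", "logout", "2024-01-08T10:00:00+00:00")
    append_event(log, "l.bianchi", "DB2-HR", "login", "2024-01-09T09:00:00+01:00")
    append_event(log, "l.bianchi", "DB2-HR", "logout", "2024-01-09T10:00:00+01:00")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("intact:", verify_chain(log))
    log[1]["admin"] = "someone.else"      # simulate an edit of a stored record
    print("after tampering:", verify_chain(log))
```

A hash chain proves that stored records have not been modified since they were written, but it cannot stop someone with write access from rebuilding the whole chain. For the "inalterability" the provision asks for, the checkpoint hash (or the latest record hash) should be copied periodically to a place the administrators being logged cannot write to, such as a separate write-once store or a host under a different administrator.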
How to become compliant
BCD ITALIA offers a specific solution for the IBM i (AS/400) world through an integrated suite of products of its own:
BIGBLUE INTELLIGENT AGENT X IBMI (AS400)
Any company can thus choose the technological solution best suited to comply safely with the provisions of the Privacy Authority. And not only that.
BCD ITALIA staff can support you in all the technical / organizational activities necessary to put your company in compliance with the provisions of the Guarantor. Below is a list of the main activities we can offer you:
Identification of the systems to be monitored
Unique identification of system administrators and creation of personal user accounts linked to each natural person
Analysis and sizing of the servers and network equipment to be monitored
Legal and technical-organizational advice on the provision