Spindox’s Compliance & Cybersecurity Service Line has collaborated with Ceva Logistics, an international transport and logistics company active in over 170 countries, to carry out a complete update of the processes, internal procedures and related documentation associated with the activities of its System Administrators (Italian Data Protection Authority Decree of 27/11/2008), so as to provide a clear definition of the tasks assigned to them and a means of verifying their activities.
The objective of the procedural review is to adapt processes and documentation according to the provisions of the EU Regulation 2016/679, also known as the General Data Protection Regulation (GDPR).
Although the role of system administrator is not expressly identified in the GDPR, it performs functions that are crucial for data security and is entrusted with implementing some of the technical and organizational measures intended to guarantee a level of data security appropriate to the risk. The company is responsible for defining in detail all the security measures to be adopted. In this context, the appointment of a system administrator is the moment at which the company’s data security policy is put into practice, by assigning operating instructions to the responsible members of the team. After an initial phase of analyzing the procedures and documentation in use and identifying the applicable legislation, the project was divided into three phases.
Phase 1 | Drafting of the “Letter of appointment for the role of System Administrator”
The above-mentioned “Letter of appointment for the role of System Administrator” is the key act by which the role and its operating instructions are formally assigned.
In this context, the Dogix team has actively collaborated with Ceva Logistics to:
- identify the different types of system administrators present at the client site (for example the Junior or Senior Unix Specialist, Junior or Senior Microsoft AD Specialist, or Junior or Senior Network Specialist);
- identify the instructions and operational tasks to be assigned to the system administrators, according to the role, that allow the implementation of corporate security measures (e.g., physical security, log management, data backup);
- create a letter of appointment updated according to the regulations in force and specific to each role, with operational tasks that differ from role to role.
Phase 2 | Complete review of the system administrator’s annual audit process
The sensitive nature of the System Administrator role requires an annual audit procedure of its activities. The review was aimed at updating the procedure in line with the GDPR and at identifying and establishing new control mechanisms based on the tasks and instructions assigned at the time of appointment.
Phase 3 | Create a checklist for the annual audit procedure of the System Administrator role
In order to make the control process for the System Administrator’s activities systematic and clear, a checklist has been defined that guides the process with clear and measurable controls, as set out in the revised procedure.
Documentation provided for each phase of the project
Phase 1: Ten different types of appointment letter, one for each of the System Administrator roles identified, each specifying the operational tasks related to the security measures defined for that role.
Phase 2: A new updated version of the control procedure.
Phase 3: Final checklist with approximately 40 inspection points regarding the System Administrator activities.