Alessandro Pratesi, CEO of ICT Plus by HiSolution, illustrates problems and solutions for the protection of privacy and security for local administrations.
Since the entry into force in 2018 of the GDPR (General Data Protection Regulation) in the Public Administration, an implementation process has started which is not limited only to the fulfillment of a regulation but includes the protection of citizens’ personal data to avoid the risk of data breaches or identity theft. The penalties envisaged for non-compliance with the law are heavy, and also include the penalty in the event of unlawful processing of personal data, fraudulent acquisition, communication and unlawful dissemination of personal data processed on a large scale, or false declarations and non-compliance with measures of the Guarantor.
The difficulties of the PA in managing the privacy of citizens’ data have been confirmed by the numbers of penalties published on the website of the Privacy Guarantor, between 2020 and the first quarter of 2021. Over 71% of the penalties for personal data violations have been paid to public entities and 29% to private entities. In detail, the sanctions addressed to the Municipalities concerned 31% of the measures.
What must the PA do to avoid the sanctions envisaged in the field of privacy?
First of all, it must define the office responsible for the matter and appoint a Data Protection Officer (DPO). Then it is required to designate the data processors and to register the activities related to the data processing itself. But, above all, it must guarantee the integrity of the information, a highly complex activity that includes the recording of log files in a manner compliant with the GDPR; the retention of access files for a period of at least 180 days with the guarantee that this remains unchanged; the timestamp of each log file; the detection and blocking of unauthorized access; the implementation of appropriate technical and organizational measures aimed at effectively implementing the principles of data protection.
Local administrations: what about small municipalities?
The protection of the right to privacy of its citizens passes through a personal data protection system which must be able to guarantee compliance with the provisions and principles of European Regulation 679/2016 and national legislation on privacy. This also applies to small municipalities, where, however, implementation is complicated by the endemic shortage of personnel, the lack of skills in the field and the reduced economic resources that do not allow them to keep up with the challenges of digital innovation . In such contexts, compliance with the law requires a considerable organizational effort but also the need to implement technical measures relating to the IT part that operate on data security.
Log management, a fundamental tool for data management
With the entry into force of the GDPR, it is therefore clear that log management has become an essential tool for organizations, including public administrations.
By log management we mean the aggregation, conservation and registration in accordance with the law of the access register to information systems. The aim is to guarantee the total security of the systems themselves. Access logs must have characteristics such as inalterability and completeness, and the possibility of verifying their integrity. Log collection is important because it serves to verify any anomalies in the frequency of external accesses and in their methods (in terms of times, dates, duration and systems from which access is made).
What approach to use
Relying on log management software solutions specifically designed and developed to ensure compliance with the main regulations in force that allow for complete visibility on the security posture of public and private companies is undoubtedly the first step to be foreseen.
HiSolution, MSP specializing in technological solutions in the VoIP, UCC, networking, security and IT fields, which provides end-to-end services with NOC support to the customer, collaborates with various Public Administration entities by proposing Log Management solutions that adopt SGBox technology with an economic approach based on the number of data sources managed and not on the traffic generated. This is very important in order not to have surprises on the cost (traffic could increase significantly in the event of an attack), especially for Public Administrations.
Local administrations and GDPR
Furthermore, the proposal is based on the modularity of the offer which goes from the simple collection of basic logs, up to the collection of all logs, their correlation through Threat Intelligence engines and the artificial intelligence management of user behavior with orchestration activities and SOAR (Incident Management and Security Orchestration, Auditing and Response). The system manages multi-site environments and can be installed both in virtual and on premise mode or in the cloud on an AgID certified data center.
The goal is to timely support incident investigations and law compliance reporting precisely because it analyzes in depth data and events arriving from the entire IT infrastructure, as well as offering an “alert” system for all non- compliant with corporate security.
However, the adoption of a log management solution is often not enough, especially if the dedicated staff within the structure does not have the necessary skills.
In cases like these, very frequent especially in medium-small municipalities, the best solution could be to rely on dedicated managed services, provided by specialized Managed Service Providers capable of taking charge of the management and monitoring of logs, integrated with the capacity detection and remediation of critical activities that may arise. The managed service proposal also allows you to have specific reports for the constant management of security within the company or the Public Administration.