What is the job of a systems administrator?
Proper management and security of the personal data held by a company is a cornerstone of any organization. Every company must comply with both the European Data Protection Regulation (RODO) and the Data Protection Act. Neither, however, imposes an obligation to employ someone in the position of ASI, or administrator of information systems. They define only the functions of data controller, authorized persons and data protection officer. So where did the information systems administrator come from, and what does the job entail?
Who is a systems administrator (ASI)?
An administrator of information systems (ASI) is a person responsible for managing an information system used in the processing of personal data. The main task is to cooperate with the Data Protection Officer, who is in charge of protecting the personal data processed by the organization as far as ICT security is concerned. This position was particularly relevant before May 25, 2018.
However, it was recognized that the data protection officer (DPO) very often does not have sufficient knowledge of IT security. For this reason, a new position emerged among the employees dealing with the management and protection of personal data: the information systems administrator. The systems administrator is responsible for the security of personal data and is expected to prevent unauthorized persons from gaining access to the systems in which personal data is processed.
It is important to realize that every second of site or server downtime means lost productivity, lost revenue and substantial downtime costs. Given the many operating systems, network configurations and security issues to keep in mind, being a successful systems administrator (ASI) means constantly expanding one’s knowledge of ICT systems.
Who can be a systems administrator (ASI)?
A person who wants to be an ASI should have the necessary knowledge of information technology (IT), as well as a continuing interest in the new threats and data-security solutions that appear on the market. This knowledge can be gained by attending specialized training courses, conferences and other meetings closely related to the topic.
A number of formalities are also associated with being an administrator of information systems. An employee working internally in the company is granted an authorization to process personal data. To grant such powers to an external person, adequate provisions must be included in the contract.
The ideal system administrator candidate will have experience with databases, networks, hardware and software upgrades, network design, LAN infrastructure, troubleshooting network and user failures, and the ability to communicate clearly. He or she will also be up-to-date on the latest security protocols for LAN and wide area networks (WAN), and be able to educate users on how to handle suspicious emails and the principle of information confidentiality.
What is the job of a systems administrator?
The primary task of the administrator of information systems is to cooperate with the data protection officer. This cooperation consists in monitoring compliance with the company’s data protection rules as far as ICT security is concerned, and includes the following tasks:
1. cooperation on the preparation and implementation of documents related to the protection of personal data, and on ensuring that employees observe them
First and foremost, this concerns the IT system management manual. The provisions of the RODO do not directly specify which procedures such a document must contain for it to be sufficient (in contrast to the provisions that applied before). What matters in the RODO is the so-called principle of accountability, under which the systems administrator is required to implement appropriate technical and organizational safeguards and must be able to demonstrate them during an audit. According to the RODO, every company should adopt an appropriate policy, but again the scope of the policy is not specified. The areas that must be governed by organizational safeguards within the framework of appropriate documentation have been indicated by the President of the Office of Personal Data Protection.
2. cooperation in periodic inspections
This involves checking compliance with the provisions of the RODO, awareness-raising activities, training of employees involved in personal data processing, and other related processes. The regulations, however, say nothing about the intervals at which such activities should be carried out. Practice under the regulations in force before the RODO indicated that, because of the difficulties that often arise, the time-consuming nature of implementing and modifying safeguards, and above all the rate at which new threats emerge and technologies develop, such inspections of information systems should be carried out at least once a year.
3. securing systems against malware
Malware and attackers are often aimed precisely at gaining access to data. The administrator must take care to ensure that the data does not fall into unauthorized hands. The basis is antivirus software with an up-to-date virus database, which must be deployed not only on the company’s ICT systems but also on the other devices used in the company, including smartphones and tablets.
4. cooperation in the risk analysis process
Risk analysis is a process during which areas are reviewed that have not been secured, or that require better security because the current safeguards are proving inadequate. It focuses on the areas where the probability of a threat is highest, which means a higher risk to the security of personal data. Here too the RODO does not specify how often this process should be carried out; it states only that it is a continuous process, not a one-off. The Working Group’s Guidelines indicate that a risk analysis is worth performing at least once every three years.
5. adapting the systems used to process data to the requirements of the RODO
This involves ensuring that data subjects can exercise their right to data portability, to restrict processing, or to object to marketing. It is also worth ensuring that the date and time at which consent was given or withdrawn can be verified.
6. cooperation in ensuring the continuity of system operations
The ASI is also tasked with securing the personal data itself, along with the programs used to process it, which includes making regular backups. On top of this, the ASI must take care of storing these copies so that they do not fall into the wrong hands and are not modified, damaged or destroyed. Most often, backups are saved to external media and kept in places protected against unauthorized access or in a fire-protected area.
7. protection against threats from the public network
Such protection involves implementing physical or logical safeguards that protect against unauthorized access and malicious software. These can include firewalls, spam filters, VLANs, devices controlling access to production networks, and other solutions chosen with regard to the specific technologies in use and the financial resources allocated for this purpose.
8. provision of emergency power and protection against power disturbances
A sudden power interruption to the equipment and programs processing personal data often results in data loss or leakage. The most common devices used here are UPS units, which keep the network and the servers of critical systems running until they can be safely shut down. It is also important to implement a notification system for the switch to emergency power.
9. supervision of repairs and disposal of computer equipment
Devices and storage media that are to be decommissioned, repaired or handed over to someone not authorized to process the data on them must be wiped so that recovery of the data is not possible in any way. This must be done under the supervision of the systems administrator to ensure it is carried out properly.
10. supervision of the inspection and maintenance of equipment and systems for processing personal data
Only software that has manufacturer support and receives regular updates should be used. The review and update process should not be limited to the systems running on servers and workstations.
11. security of premises where data is processed
Such premises must be secured against unauthorized entry and other unforeseen events.
It is worth mentioning that the listed tasks are not all the ASI’s duties. These are only his basic tasks. Often the scope of the safeguards he implements and supervises is greater than indicated in the regulations, and the activities are related to other regulations, not only directly to RODO.
A secure network is essential – guarantee it now!
Protecting personal data through cooperation between the DPO (IOD) and the ASI will be of little use if the company does not have a high-quality computer network and Internet connection. This can be provided by ITH, which offers professional network and Internet services, now available under the crisis shield as a Freemium service that can be used until December 31, 2022.
As part of the shield, you can try out ITH’s services, such as fiber-optic connectivity, a public IP subnet and hosting, for only one zloty, and only later decide whether to extend the use of the services. The ITH Group is probably the first fully flexible telecommunications operator that brings together a number of partners also offering a variety of services related to building and protecting a company’s network. ITH provides full link security.
Just choose the most suitable package and check whether the company’s location is covered by the ITH shield. If so, the ITH Net service will be installed about 7 days after the order. Buying the services is straightforward, and the services themselves can be tailored closely to the company’s needs. It is not worth delaying, as there is not much time left to try ITH services on such an attractive promotional offer. It is worth checking out the services before you have to pay for them.