[cap-talk] Excerpt of Italy Data Privacy: Legislative Decree 30 Jun 2003 n.196.
Valerio Bellizzomi
devbox at selnet.org
Mon Dec 18 16:59:17 CST 2006
Italy Data Privacy: Legislative Decree 30 Jun 2003 n.196.
Technical specifications concerning minimum security measures (Annex
B).
The following technical arrangements are to be implemented by all data
controllers, data processors - if nominated - and person(s) in charge of the
processing whenever data are processed by electronic means:
Computerised Authentication Systems
On Annex B Document, point 7(seven):
Authentication credentials* shall be de-activated if they have not been
used for at least six months, except for those that have been authorised
exclusively for technical management purposes.
* Authentication credential means: Application Userids and Technical
Userids.
1 Introduction
Managers, with Application Owners' support and also including the employees
whenever necessary, are responsible for revoking all Userids defined in all
applications assigned to Italian employees when e.g. users are on period
leave, sabbatical, or maternity leave and they have not been used for at
least 6 (six) months, except for those that have been authorised exclusively
for technical management purposes.
Whenever it is present, an automatic process can perform the control on
behalf of the human intervention of the Managers described above.
--
This suggests that user account checks are a must. Validity periods being
selectable, of course.
val
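
An added example, not part of the original post or of the Annex B text: one way the "automatic process" for point 7 could select credentials to de-activate, with the validity period selectable. The record fields (`userid`, `active`, `technical_only`, `created`, `last_used`), the sample accounts, and the choice to measure never-used credentials from their creation date are assumptions made for illustration.

```python
import calendar
from datetime import date

def months_before(day, months):
    """Date `months` calendar months before `day`, clamped to the month's last day."""
    year, month0 = divmod(day.year * 12 + (day.month - 1) - months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(day.day, last_day))

def credentials_to_deactivate(accounts, today, months=6):
    """Userids not used for at least `months` months, per Annex B point 7.

    Credentials authorised exclusively for technical management are exempt.
    Assumption: a credential that was never used is aged from its creation date.
    """
    cutoff = months_before(today, months)
    stale = []
    for acct in accounts:
        if not acct["active"] or acct["technical_only"]:
            continue  # already revoked, or covered by the exemption
        last_activity = acct["last_used"] or acct["created"]
        if last_activity <= cutoff:  # "at least" six months includes the boundary day
            stale.append(acct["userid"])
    return sorted(stale)

# Constructed sample data (hypothetical accounts, not from the post).
SAMPLE_ACCOUNTS = [
    {"userid": "alice", "active": True, "technical_only": False,
     "created": date(2004, 3, 1), "last_used": date(2006, 11, 30)},
    {"userid": "bruno", "active": True, "technical_only": False,
     "created": date(2003, 9, 15), "last_used": date(2006, 6, 18)},
    {"userid": "carla", "active": True, "technical_only": False,
     "created": date(2006, 1, 10), "last_used": None},
    {"userid": "svc-backup", "active": True, "technical_only": True,
     "created": date(2002, 5, 2), "last_used": date(2005, 3, 1)},
    {"userid": "dario", "active": False, "technical_only": False,
     "created": date(2001, 7, 7), "last_used": date(2005, 1, 20)},
    {"userid": "elena", "active": True, "technical_only": False,
     "created": date(2005, 2, 2), "last_used": date(2006, 6, 19)},
]

if __name__ == "__main__":
    for userid in credentials_to_deactivate(SAMPLE_ACCOUNTS, date(2006, 12, 18)):
        print("de-activate:", userid)
```
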