S 5.25 Using transmission and reception logs
Initiation responsibility: IT Security Officer
Implementation responsibility: IT Security Officer, Fax Mail Centre, Person in Charge of the Fax System
When fax services are used, the handling of transmission and reception logs must distinguish between traditional fax machines and fax servers.
Use of a traditional fax machine
The list-type logs of transmissions that the fax machine maintains automatically (communication journal) must be printed out regularly. It must be specified who produces these printouts, where and for how long they are stored, and how they are subjected to random checks for irregularities. The requirements of the Federal Data Protection Act (BDSG) must be taken into consideration. In particular, access by unauthorised persons must be prevented.
Additionally, a fax journal should be maintained detailing who sent a fax to whom at which time. Optionally, a fax receipt book may also be maintained.
An additional control option exists if the fax machine is connected to a state-of-the-art PBX system. In this case, it may be possible to evaluate the charge-related datasets of the fax number in the PBX system (see also S 2.40 Timely involvement of the staff/factory council).
Use of a fax server
Transmission procedures may also be logged on fax servers. These logs should be evaluated and archived at regular intervals. In particular, the general conditions and responsibilities regarding the evaluation and archiving of the logs must be specified.
For example, it is conceivable that the Fax Mail Centre is responsible for these activities, but that the logs may only be evaluated in the presence of a member of the Personnel or Supervisory Board and/or a member of the auditing department or of data protection. The requirements of the BDSG must be taken into consideration here as well, and in particular access by unauthorised persons must be prevented.
When fax servers are used, it does not make sense to maintain fax journals manually. Instead, continuously archiving the transmission and reception logs should be sufficient.
In some cases, the charge-related datasets that accrue on the fax server for outgoing fax transmissions can also be used for costs-by-cause settlement.
Review questions:
- Are fax transmissions logged?
- Has it been defined who regularly evaluates the fax transmission logs and checks them for irregularities?
- Has it been defined where and for how long the transmission and reception logs of the fax machine are kept?
- Is access to the transmission and reception logs of the fax machine only granted to authorised persons?
- Is a fax journal maintained detailing who sent a fax to whom at which time?