
Guardianship management software like Proxima handles some of the most sensitive data in the medico-social sector: assets, income, civil identity, medical documents. The protection of this information falls under specific regulatory obligations, strengthened since the implementation of the GDPR and the recent recommendations from the CNIL specifically targeting organizations supporting protected adults.
Access Logging and Traceability on Proxima: What the CNIL Requires
The CNIL explicitly demands that tools used for protected adults integrate detailed access logging: who logged in, when, and from which device. This requirement is not merely a technical comfort. It makes it possible to prove compliance in an audit and to trace any security incident.
On Proxima, this traceability concerns every user with access to the software. Every file consultation, every modification of asset or personal data is supposed to leave an exploitable trace. The question for the guardianship services is: do their current settings truly cover this level of detail?
Field feedback varies on this point. Some organizations have complete and regularly audited access logs, while others settle for a minimal history without a review procedure. The regulatory framework is the same for everyone, but the ability to manage their Proxima account securely largely depends on the rigor of the internal procedures established by each service.

Internal Security Procedures: Formalizing to Withstand ARS and Prosecutor Audits
Since 2023, several judicial courts and judicial representatives must indicate in their written internal procedures how they secure access to their business software. This document must cover passwords, authentication, backups, and access rights management.
The novelty is not the security obligation itself, but the requirement to produce these procedures in black and white during audits by the Regional Health Agency or the Prosecutor’s Office. A service that uses Proxima correctly but cannot demonstrate how it secures it exposes itself to observations or even injunctions.
What the Procedure Document Must Cover
- Password policy: minimum length, periodic renewal, prohibition of sharing between users. A unique password per user account is the minimum expected.
- Access management: who accesses which files, with what level of rights (read-only, modification, deletion). Profiles must correspond to the actual missions of each professional.
- Protocol in case of an employee’s departure: immediate account deactivation, review of shared access, verification that no collective password remains.
- Frequency and scope of backups, as well as restoration tests performed.
The available data does not allow for a conclusion on the percentage of organizations actually equipped with such formalized procedures. However, the trend towards increased controls makes this formalization difficult to circumvent.
Multi-Factor Authentication and Account Separation: Recommendations from the CNIL 2024 Guide
The CNIL 2024 guide on cybersecurity for medico-social organizations highlights a resurgence of ransomware attacks targeting healthcare facilities and social services. Among the explicit recommendations are multi-factor authentication (MFA) and strict separation of professional and personal accounts.
Multi-factor authentication adds a verification step beyond the password: a code sent via SMS, an authentication app, or a physical key. For software like Proxima, which manages asset information and legal documents, this layer of protection significantly reduces the risk of fraudulent access in case of password theft.
Separating Accounts: A Simple Measure but Rarely Applied
The CNIL recommends that each professional have their own identifier, without sharing. A shared account among several representatives renders logging useless: it becomes impossible to know who actually consulted or modified a file.
This separation also applies to devices. Accessing Proxima from a personal computer, without dedicated protection, exposes the data of protected adults to additional risks (malware, unsecured Wi-Fi, lack of disk encryption).

Proxima Access Rights Management: Adapting Permissions to Actual Missions
Proxima allows for defining differentiated access levels based on each user’s role. A delegated representative does not have the same needs as an accountant or a service manager. Precisely configuring these rights limits the exposure of sensitive files.
The principle of least privilege applies: each user only accesses the information necessary for their mission. An administrative assistant does not need to consult the bank accounts of a protected adult. A representative does not need access to files managed by a colleague, except in a formalized replacement situation.
This granularity requires regular review of permissions. Changes in position, long absences, and contract terminations must trigger an immediate update of rights. Without this discipline, ghost accounts (users who have left but are still active in the system) represent a security breach documented by the CNIL in its recommendations to medico-social organizations.
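The periodic review described above can be partly automated by cross-checking the staff roster against the access log (who, when, which device). The following is an added example, not Proxima's own code: the CSV column names, the sample rows and the 15-minute window are assumptions made for illustration, not the software's export format.

```python
import csv, io
from datetime import datetime, timedelta

# Constructed sample data; column names are hypothetical, not Proxima's export format.
ROSTER_CSV = """user,role,enabled,departed_on
a.martin,representative,yes,
c.durand,accountant,yes,2024-03-01
secretariat,assistant,yes,
"""
ACCESS_CSV = """user,timestamp,device
a.martin,2024-03-04T09:02:00,PC-012
c.durand,2024-03-05T18:40:00,PC-007
secretariat,2024-03-04T10:00:00,PC-003
secretariat,2024-03-04T10:05:00,PC-019
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def ghost_accounts(roster, accesses):
    """Accounts still enabled after the holder's departure, with any later logins."""
    findings = {}
    for row in roster:
        if row["departed_on"] and row["enabled"] == "yes":
            left = datetime.fromisoformat(row["departed_on"])
            late = [a["timestamp"] for a in accesses
                    if a["user"] == row["user"]
                    and datetime.fromisoformat(a["timestamp"]) >= left]
            findings[row["user"]] = late
    return findings

def shared_identifiers(accesses, window=timedelta(minutes=15)):
    """Identifiers seen on two different devices within `window` (likely shared)."""
    suspects = set()
    by_user = {}
    for a in sorted(accesses, key=lambda a: a["timestamp"]):
        ts = datetime.fromisoformat(a["timestamp"])
        for prev_ts, prev_dev in by_user.get(a["user"], []):
            if prev_dev != a["device"] and ts - prev_ts <= window:
                suspects.add(a["user"])
        by_user.setdefault(a["user"], []).append((ts, a["device"]))
    return sorted(suspects)

if __name__ == "__main__":
    roster, accesses = load(ROSTER_CSV), load(ACCESS_CSV)
    print("ghost accounts:", ghost_accounts(roster, accesses))
    print("possibly shared:", shared_identifiers(accesses))
```

A ghost account with an empty login list still needs deactivation; one with logins after the departure date should be handled as a security incident.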
The secure management of a Proxima account is not limited to choosing a good password. It involves a chain of responsibilities that goes from technical configuration to writing procedures, including training each user. Organizations that anticipate audits by formalizing these practices place themselves in a position of active compliance, where mere daily use of the software is no longer sufficient to demonstrate the effective protection of the data of protected adults.