The COMPANY POLICY requires that, in line with the company mission, the management of all business processes applies the rules of the Information Security Management System (ISMS) defined by ISO/IEC 27001:2022.

PURPOSE AND OBJECTIVES

System Data Center management has defined and disseminated this Information Security Management Policy and is committed to keeping it active at all levels of its organization. The purpose of this policy is to ensure the safeguarding and protection of the information concerning its activities from all threats, internal or external, intentional or accidental, in accordance with the standard procedure provided by ISO/IEC 27001 and its current guidelines.

SCOPE OF APPLICATION

This policy applies without distinction to all of the company's administrative bodies and levels.

All staff must comply with this policy, and it must be included in agreements with any third party who may be involved, in any capacity, with the processing of information that falls within the scope of the Information Security Management System (ISMS). The company allows the outward communication and spread of information only for the proper execution of business activities, which must take place in accordance with mandatory rules and regulations.

INFORMATION SECURITY POLICY

The information asset to be protected consists of all data managed through the services provided and located at all company locations.

It is necessary to ensure:

- confidentiality of information: information should be accessible only by those who are authorized.

- the integrity of information: in other words, protecting the accuracy and completeness of data and the methods for processing it.

- availability of information: authorized users can access information and related assets at the time they request it.

Lack of adequate security levels can result in damage to corporate image, loss of customer satisfaction, risk of incurring penalties related to violation of regulations in force, as well as economic and financial losses.


An appropriate level of security is also essential for data sharing.

Conducting a thorough risk assessment to identify potential threats gives the company awareness of the level of exposure of its information system to danger. Risk analysis makes it possible to evaluate the potential issues and damages that may result from failure to apply security measures and the probability with which threats can act.

The evaluation results determine the necessary steps to minimize the identified risks and establish the most suitable security measures.

The general principles of information security management include various aspects:

- There must be a constantly updated list of company assets relevant to information management, and an administrator must be identified for each of them. Information should be classified according to its level of criticality so that it can be organized with logical and appropriate levels of confidentiality and integrity.

- To ensure data security, every access to the systems must undergo an identification and authentication procedure. Access permissions should be reviewed periodically and be differentiated according to the role and positions held by individuals, so that each user has access only to the information needed.

- Procedures must be established for the secure use of company assets and information, and of their management systems.

- All employees must be educated about these secure file sharing practices by promoting awareness, from the time of selection and throughout the employment relationship.

- In order to promptly handle incidents, everyone must report any security-related issues. Each security breach attempt should be managed as outlined in the procedures.

- The organization has to implement a robust set of information security controls against unauthorized access to company premises and ensure device security.

- Compliance with legal requirements and principles related to information security in contracts with third parties must be ensured.

- An ongoing plan must be in place to allow the company to effectively deal with an unforeseen event, ensuring the restoration of critical services in a timeframe and manner that limits the negative impact on its task.

- All the security aspects must be taken into account during the entire planning, development, management, maintenance, support and removal phases of computer systems and services.

- Compliance with legal provisions, statutes, regulations or contractual constraints, and any information security prerequisites must be ensured, reducing the risk of legal or administrative sanctions, significant loss or reputational damage.


RESPONSIBILITY FOR COMPLIANCE AND IMPLEMENTATION

Policy compliance and implementation are the responsibility of:

1-   All personnel who, in any capacity, work with the company and are in any way involved with the processing of data and information that fall within the scope of the Management System. Employees are also responsible for reporting all anomalies and violations of which they become aware.

2-   All external parties who have relationships and cooperate with the company. They must ensure compliance with the requirements contained in this policy.

3-   The Management System Manager who, as part of the Management System and through appropriate standards and procedures, shall:

- Carry out risk analysis with appropriate methodologies and take all measures for risk management

- Set up all regulations necessary for the safe conduct of all business activities

- Verify security breaches and take necessary countermeasures, monitoring the company's exposure to key threats and risks

- Organize training and promote staff awareness regarding the cyber security sphere.

- Periodically verify the effectiveness and efficiency of the process adopted through the Management System.

Anyone (employees, consultants and/or external partners of the Company) who, intentionally or through negligence, disregards the established safety rules and thereby causes damage to the Company may be prosecuted in the appropriate forums and in full compliance with legal and contractual constraints.


REVIEW

Management will periodically and regularly, or in conjunction with relevant changes, review the effectiveness and efficiency of the Management System, so as to ensure adequate support for the introduction of all necessary improvements and in order to encourage the activation of a continual process by which control and adjustment of the policy is maintained in response to changes in the work environment, business, and legal conditions.


The Management System Manager is responsible for reviewing the policy.

The re-examination should verify the status of preventive and corrective actions and their conformity with the policy. It should take into account all dynamics that may affect the company's approach to information security management, including organizational changes, the technical environment, resource availability, as well as legal, regulatory or contractual conditions, and the results of previous reviews.

The re-examination results should include all decisions and operations related to improving the company's approach to information security management.

MANAGEMENT COMMITMENT

Management actively supports information security in the company through clear direction, overt diligence, explicit assignments, and identification of responsibilities related to information security.

Management's commitment is carried out through a structure whose tasks are:

- Ensure that all information security aims are identified and that they meet business requirements;

- Decide upon corporate roles and tasks for developing and maintaining the ISMS;

- Provide enough resources for planning, implementation, organization, control, review, management and constant improvement of the ISMS;

- Check that the ISMS is integrated into all business processes and that procedures and controls are developed efficiently;

- Approve and strengthen all initiatives aimed at improving information security;

- Activate programs to spread information security awareness and culture.


Rome, 23/10/2023