Information Security Policy


For over 20 years GIS International Srl has been designing and developing IT software, taking into account the main needs of today’s businesses:

  • Ensure the security of data and information, focusing on both company data and customer-owned data;
  • Regulate the IT management of the data in question;
  • Protect businesses from cyber threats.

The creation of an information security management system (ISMS) proposed by ISO 27001 represents an added value for GIS International Srl which wants to stand out in its reference market.

The advantages of adopting a system conceived in this way can be summarised in the following fundamental points:

  • Increased awareness regarding the importance of information security among workers, management, managers, customers and suppliers, by providing a system of procedures defined on the basis of the company reality that emphasize training and information as well as responsibility on the part of all users;
  • Identify the assets that are critical to the company’s business: the particular information and data, whether internal or the customer’s, that are fundamental for the management of systems and their maintenance;
  • Ensure a system of rules and structures that pursues, for the points specified by the standard, the security of company data and information and of the structures used for their storage;
  • Provide a system in which to place trust, both inside and outside the organization;
  • Updating and monitoring: that is, enriching the knowledge, familiarity and practical capacity of the Management in the management and maintenance of an information security system;
  • Develop a correct business system, through the reduction of the risk of uncontrolled external dissemination of information that is intended to be managed in a secure manner;
  • Continuous updating of its technical and organizational infrastructures in light of the binding and changing needs identified (Compliance and contract review);
  • Improve the management of relationships with third parties (communications, disclosure of information, access to company information, risk levels);
  • Legislative compatibility with current national and international regulations on privacy and personal data protection, intellectual property rights, copyright and competition, as well as compatibility with the other international regulatory frameworks that govern the management systems already implemented (e.g. ISO 9001 Quality; ISO 14001 Environment; ISO 45001 Safety in the Workplace);
  • Protection of the access credentials of company users and customers to the company’s IT systems and equipment.

The Organization has a system structured by documented information (manual, policies, procedures, operating instructions, documents and records) and pursues the objective of improving and maintaining that system, highlighting its strengths and weaknesses.

All actions that give evidence of an improvement, or of the management of a particular problem, are recorded and reviewed annually to evaluate their application and effectiveness.

With the information security management system (ISMS), the organization intends to protect corporate information and customer-owned information from the widest possible spectrum of threats, in order to ensure the continuity of our activities, minimize risks, guarantee return on investments, business opportunities, compliance with laws, and the profitability of the company’s business.

All data and related processing for the management of our business activities are protected to ensure that they reach those who need to use them intact, that they are not lost or, even worse, that they do not end up in the hands of competitors or profiteers in an unauthorized or uncontrolled manner.

“Information” is considered an asset, and like other assets, the material or immaterial structures that manage it are taken into consideration. The control of information is essential for the organization of GIS International Srl and as such it needs to be protected. Protections are all the more necessary where interconnections are more extensive, which exposes Information to a wider variety of risks and vulnerabilities: fraud, theft, espionage, vandalism, loss, fire.

The entire organization is aware of the problem and is committed to sharing the objectives and principles of information security. The ISMS, a system of operations and controls for managing risk, has been superimposed on the organizational structure and the company’s operational processes.

In particular with the implementation of this system:

  • Risks and opportunities from both internal and external factors are analyzed;
  • Risks are treated on the basis of risk acceptance criteria, in any case without compromising compliance with state laws and contractual requirements.

Therefore:

  • We knowingly accept risks if they meet those criteria; alternatively:
  • We avoid risks by not allowing actions/activities that could cause the risks themselves;
  • We try to transfer risks to third parties when possible;
  • We make all our resources and employees who operate in the heart of the system that manages the information that we intend to protect aware of the need to operate responsibly through training, at all levels;
  • We introduce specific disaster control and precaution activities;
  • We will take appropriate action whenever violations occur.

This system includes the principle of accountability through:

  • Monitoring of all events with periodic verification of the effectiveness of the prescribed controls and the subsequent annual review by Management;
  • Activation of improvement actions;
  • Management of system documentation and records;
  • Training, education and information of personnel to achieve competence and awareness on information security issues;
  • Carrying out internal audits, performed by competent external parties in compliance with the independence required by ISO 19011:2018, to verify that the controls are effective, the control objectives are achieved and that the procedures are applied: in short, that the ISMS complies with the reference standard ISO/IEC 27001;
  • Improvement through Corrective and Preventive Actions.

The following responsibilities are assigned within this system:

  • Company Management – defining the Assets to be protected;
  • Security Team – assessing the risks to which the various Assets may be exposed;
  • Security Team and System Administrators – setting up controls, implementing and monitoring them;
  • Security Team and System Administrators – recording all threats that have occurred, planning and implementing the necessary controls;
  • Personnel working with the respective tangible or intangible Assets – complying with the prescribed authorizations and reporting any threats encountered to the Security Team or System Administrator;
  • Corporate Management – periodically reviewing the information security status and the effectiveness of this Policy;
  • Security Team and Quality – proposing and undertaking improvement actions.


By INFORMATION SECURITY MANAGEMENT we mean the definition of the stakeholders’ information security requirements, the risk analysis, the definition of a plan to meet the requirements, and the implementation of the improvement plan. We have defined the list of Assets that we must protect in terms of hardware, software, network, type of data, location and activities whose data are stored and/or processed in our Information System and in the information systems of customers.

In particular, the protected assets, including those relating to legal and contractual requirements, are:
HARDWARE
  • Servers;
  • Storage;
  • Network Appliances;
  • PCs (corporate clients and notebooks).

SOFTWARE
  • Operating Systems;
  • Applications;
  • Fault and Performance Monitoring Platforms.

DATA TYPE
  • Documentation, data and records of internal origin relating to company processes;
  • Documentation, data and records of external origin (owned by the customer).

Our activities are highly dependent on the Information System: the absence of security, or even a decrease in the level of security, would compromise its management.

With the ISMS we intend to achieve the following objectives:
  • Prevent access to our Information Systems by unauthorized personnel;
  • Prevent the information transmitted and processed in our Information Systems from being modified, made unavailable to those who need to use it, or destroyed, whether intentionally or accidentally;
  • Protect the information that pertains to State and European laws and to our business.

The requirements to guarantee information security are:

  ▪ CONFIDENTIALITY: each employee involved in the information system is assigned physical and logical access to the Information System according to their responsibilities and duties;
  ▪ INTEGRITY: information must be made available intact to those who have the right to it;
  ▪ AVAILABILITY: information must be available when requested by authorised personnel.

  • We must safeguard the capital invested in the Information System in terms of hardware, software, and maintenance of the system itself;
  • We must be aware of the costs of replacements and maintenance resulting from security failures.

Risk management is performed for the above-mentioned Assets with the following methodology:
  • Risk analysis of each Asset with the protections in place;
  • Identification of the Assets that, from the analysis, present a non-negligible Asset value “compromised” by the risk;
  • Detailed risk analysis of those Assets that present a non-negligible compromised Asset value;
  • If, after the detailed analysis, the risk level remains non-negligible: verification of the effectiveness of the Baseline protections and/or introduction of new protections dedicated to the specific Assets.

To ensure the above, the organization implements the following countermeasures:
▪ Setting up and implementing the necessary and adequate controls for defense against attacks or incidents;
▪ Training of all internal and external staff involved in the company Information System, and in those of customers, on their specific responsibilities, so as to avoid unsuitable behavior and operating practices;
▪ Management commitment to pursuing security objectives;
▪ Mechanisms for the distribution of authorizations for physical and logical access and countermeasures in the event of a violation;
▪ Adoption of an access control system;
▪ Introduction of monitoring processes to evaluate application and effectiveness.

The adopted policies are communicated to workers by email and on the company noticeboard, and are reviewed annually during the management review.