
Information Security Policy

Motivation

Opticon Data Solutions S.r.l. is a company operating in the Legal Tech sector with the aim of supporting companies in digitization processes and monitoring compliance in the field of Governance and Data Protection.

Given the nature of its business, Opticon Data Solutions considers information security a primary factor for the protection of its information assets and a factor of strategic value that can easily be transformed into a competitive advantage.

The company pays particular attention to security issues during the design and development life cycle of its services, which must be considered an asset of the company.

The ISMS (Information Security Management System) applies to all activities related to the development of Cloud solutions in support of Governance and Data Protection, including the analysis, design and production of tools and related data stored within Opticon Data Solutions’ data centres.

Aware that its services to external parties may involve being entrusted with critical data and information, the technical organization unit operates in accordance with internationally recognized security standards.

It is deemed necessary to share this “Information Security Policy” with all suppliers, collaborators, partners, and any entity external to Opticon Data Solutions that could have a significant impact on the Security of company information, in order to request and implement, where necessary, actions to mitigate risks and increase the level of Information Security.

For these reasons the necessary measures, both technical and organizational, are adopted to best guarantee the integrity, confidentiality and availability of both internal information assets and those entrusted by its Customers.

On this basis, Opticon Data Solutions has decided to put in place an Information Security Management System (ISMS) defined according to the rules and criteria of recognized best practices and international reference standards, in compliance with the requirements of the international standard ISO/IEC 27001.

Purpose and Scope

The purpose of the Opticon Data Solutions Information Security Management System is to ensure an adequate level of data and information security in the design, development and delivery of Cloud services in support of Data Protection governance and compliance, through the identification, assessment and treatment of the risks to which those services are subject.

The Opticon Data Solutions Information Security Management System defines a set of organisational, technical and procedural measures to ensure that the basic security requirements listed below are met:

  • Confidentiality: information must be known only to those with the appropriate privileges;

  • Integrity: information must be modifiable only and exclusively by those who have the appropriate privileges;

  • Availability: information must be accessible and usable when required by processes and users with the relevant privileges.

Furthermore, with this policy Opticon Data Solutions intends to formalise the following objectives in the area of information security:

– preserve as best as possible the company’s image as a reliable and competent supplier;

– protect as best as possible its own and its customers’ information assets;

– operate with defined rules to maintain adequate security of the information managed by the company with its hardware and software systems;

– achieve the continuous improvement of company processes, increasing the efficiency and added value of individual activities, through the continuous maintenance of a dynamic Information Security Management System consistent with the management model defined in the UNI CEI ISO/IEC 27001 standard;

– optimise the processes for the delivery of the documentary output deriving from consultancy to clients, in compliance with rules that guarantee the correct management of data and information vis-à-vis clients and other interested parties;

– adopt measures to ensure staff loyalty and professionalism;

– fully comply with current and binding regulations;

– increase the level of awareness and competence of its personnel on security issues;

– increase the level of awareness of its suppliers, collaborators and partners who may have an impact on information security;

– improve the security of the system implemented by Opticon Data Solutions S.r.l.

Policy Content

– The ISMS applies to the provision of Cloud services in support of Data Protection governance and compliance and the data related to it.

All information created or used by the company is to be safeguarded and must be protected, according to the classification assigned to it, from its creation, during its use, until its disposal. Information must be managed securely, accurately and reliably, and must be readily available for permitted uses.

The term ‘use of information’ is to be understood here as any form of processing that makes use of electronic or paper media or enables verbal communication in any form.

With regard to the scope of consultancy activities, this system requires, in accordance with ISO/IEC 27001:2013, that the Information Security Officer periodically carry out a risk analysis that takes into account the strategic objectives expressed in this policy, the incidents that have occurred during the period, and the strategic, business and technological changes that have taken place. The purpose of the risk analysis is to assess the risk associated with each asset to be protected with respect to the threats identified.

The Management shares with the Information Security Officer the methodology to be used for risk assessment and approves the relevant document; in drafting the methodology, the Management also participates in defining the value scales used to rate the parameters that contribute to risk assessment.

Once the Information Security Officer has drafted the risk analysis on the basis of the methodology shared with the Management, the Management itself assesses the results obtained, approving the acceptable risk threshold, the risk treatment to be applied above this threshold, and the residual risk following treatment.

This analysis shall also be weighed against the business value of the individual assets to be protected, and shall clearly identify the actions to be taken, which shall be ranked according to a priority scale that respects the corporate objectives, the available budget and the need to maintain compliance with the standards and laws in force.

This analysis shall also be repeated in response to events that may change the overall risk profile of the system.

Responsibilities

All personnel who, in any capacity, collaborate with the company are responsible for compliance with this policy and for reporting any anomalies, even if not formally codified, of which they may become aware.

The Management and the appointed Information Security Officer, with the possible support of the appointed internal DPO, have the task of setting objectives, ensuring a clear direction shared with corporate strategies, and giving visible support to security initiatives. The Management promotes security by ensuring the adequacy of individual security budgets, consistent with the defined corporate policies and strategies.

The Information Security Officer is responsible for the design of the Information Security Management System and in particular for:

– issuing all the necessary regulations, including the document classification scheme, so that the company organization can conduct its activities in a secure manner;

– adopting criteria and methodologies for risk analysis and management;

– proposing organizational, procedural and technological security measures to protect the security and continuity of Opticon Data Solutions S.r.l.’s activities;

– planning specific and periodic security training for personnel;

– periodically checking the exposure of company services to the main threats;

– investigating security incidents and adopting appropriate countermeasures;

– promoting an information security culture;

– actively involving, where necessary, suppliers, collaborators and partners who may have an impact on, or interaction with, the Information Security Management System.

All external parties that have relations with Opticon Data Solutions must guarantee compliance with the security requirements set out in this security policy, where appropriate also through the signing of suitable confidentiality clauses or agreements.

Applicability

This policy applies equally to all bodies of the Company. The implementation of this policy is mandatory for all Opticon Data Solutions’ personnel and collaborators, and must be included in the terms of the agreements with any external party that, for any reason, may become aware of the information managed by the company.

Opticon Data Solutions allows the communication and dissemination of information to the outside world only for the proper performance of business activities that must take place in compliance with the rules and regulations in force.

Extract from the ISMS (SGSI) Manual – Rev. 02 of 30.09.2022

The Executive Board of Opticon Data Solutions Srl