
Information Security Policy

Motivation

Opticon Data Solutions S.r.l. is a company operating in the Legal Tech sector with the goal of supporting businesses in the digitalization processes and monitoring compliance with Governance and Data Protection requirements.

Given the nature of its activities, Opticon Data Solutions considers information security a primary factor for protecting its informational assets and a strategic value that can easily be transformed into a competitive advantage.

The company pays particular attention to security issues throughout the lifecycle of its service design and development processes, which are regarded as a core asset of the business.

The ISMS (Information Security Management System) applies to all activities related to the development of cloud-based solutions supporting Governance and Data Protection, including the analysis, design, and production of tools and the associated data stored within Opticon Data Solutions’ data centers.

Aware that its services for external parties may involve the handling of critical data and information, the technical organizational unit operates in accordance with internationally recognized security standards.

It is deemed essential to share this “Information Security Policy” with all suppliers, collaborators, partners, and any external parties to Opticon Data Solutions who may significantly impact the company’s information security. The aim is to request and implement, where necessary, actions to mitigate risks and enhance the level of Information Security.

For these reasons, the company adopts both technical and organizational measures necessary to ensure the integrity, confidentiality, and availability of both its internal informational assets and those entrusted by its clients.

On this basis, Opticon Data Solutions has decided to implement an Information Security Management System (ISMS) defined according to the rules and criteria outlined by international “Best Practices” and standards, in compliance with the requirements of the ISO/IEC 27001:2013 international standard.

Purpose and Scope

The objective of the Information Security Management System of Opticon Data Solutions is to deliver Cloud services supporting governance and compliance in Data Protection, while ensuring an adequate level of data and information security. This is achieved within the design, development, and delivery of Cloud services supporting governance and compliance in Data Protection through the identification, assessment, and treatment of risks to which these services are subject.

The Information Security Management System of Opticon Data Solutions establishes a set of organizational, technical, and procedural measures to guarantee the fulfillment of the following basic security requirements:

  • Confidentiality: information must be known only to those with the appropriate privileges;

  • Integrity: information must be modifiable only and exclusively by those who hold the relevant privileges;

  • Availability: information must be accessible and usable when required by processes and users with the relevant privileges.

Furthermore, with this policy, Opticon Data Solutions intends to formalize the following objectives in the field of information security:

- Preserve the company’s image as a reliable and competent provider;

- Protect the informational assets of both the company and its clients;

- Operate under defined rules to maintain adequate information security within the company’s hardware and software systems;

- Continuously improve business processes, increasing efficiency and the added value of individual activities, through the ongoing maintenance of a dynamic Information Security Management System aligned with the ISO/IEC 27001:2013 standard;

- Optimize processes for delivering document outputs derived from client consulting, adhering to rules that ensure proper data and information management for clients and other stakeholders;

- Implement measures to ensure employee loyalty and professionalism;

- Fully comply with current and applicable regulations;

- Enhance employees’ sensitivity and competence on security-related topics;

- Raise awareness among suppliers, collaborators, and partners who may impact information security;

- Improve the security of the system implemented by Opticon Data Solutions S.r.l.

Policy Content

The ISMS applies to the provision of Cloud services supporting governance and compliance in Data Protection matters and to the related data.

All information created or used by the company must be safeguarded and protected, according to the assigned classification, from its creation, during its use, and until its disposal. Information must be managed securely, accurately, and reliably, and must be readily available for authorized purposes.

The term “use of information” refers to any form of processing that utilizes electronic or paper-based means or enables verbal communication in any form.

With respect to consulting activities, this system requires, as prescribed by the ISO/IEC 27001:2013 standard, that the Information Security Manager periodically conduct a risk analysis. This analysis must take into account the strategic objectives outlined in this policy, the incidents that occurred during the period, and any strategic, business, and technological changes. The purpose of the risk analysis is to evaluate the risk to each asset to be protected against the identified threats.

The Management collaborates with the Information Security Manager to define the methodology to be used for risk assessment and approves the corresponding document. In drafting the methodology, the Management also participates in defining the value scales to evaluate the parameters contributing to the risk assessment.

Following the completion of the risk analysis by the Information Security Manager and based on the methodology agreed upon with Management, Management evaluates the results. This includes accepting the acceptable risk threshold, determining mitigation measures for risks exceeding this threshold, and evaluating residual risks after mitigation.

This analysis will also consider the business value of the individual assets to be protected and must clearly identify the actions to be undertaken. These actions will be classified according to a priority scale that respects business objectives, available budget, and the need to maintain compliance with applicable regulations and laws.

Such analysis must also be performed following events that may alter the overall risk profile of the system.

Responsibilities

All personnel collaborating with the company, in any capacity, are responsible for adhering to this policy and reporting any anomalies, even if not formally codified, that they become aware of.

The Management and the appointed Information Security Management System (ISMS) Manager, with the possible support of the appointed internal DPO, are tasked with setting objectives, ensuring clear alignment with business strategies, and providing visible support for security initiatives. They promote security by ensuring the adequacy of individual security budgets, in line with the defined corporate policies and strategic guidelines.

The Information Security Manager is responsible for designing the ISMS and specifically for:

- Issuing all necessary regulations, including document classification types, to ensure the organization can securely conduct its activities;

- Adopting criteria and methodologies for risk analysis and management;

- Recommending organizational, procedural, and technological security measures to safeguard the security and continuity of Opticon Data Solutions S.r.l.’s activities;

- Planning specific and periodic training programs on security for personnel;

- Periodically monitoring the exposure of company services to major threats;

- Investigating security incidents and implementing appropriate countermeasures;

- Promoting a culture of information security;

- Actively involving, when necessary, suppliers, collaborators, and partners who may have impacts on and interactions with the ISMS.

All external parties engaging with Opticon Data Solutions must ensure compliance with the security requirements outlined in this policy, potentially through the signing of specific confidentiality clauses/agreements.

Applicability

This policy applies equally to all departments within the company. The implementation of this policy is mandatory for all personnel and collaborators of Opticon Data Solutions, and it must be included in the regulation of agreements with any external party who, in any capacity, may gain access to the information managed within the company. Opticon Data Solutions permits the communication and dissemination of information to external parties only for the proper execution of business activities, which must be carried out in compliance with rules and mandatory regulations.

Review

Opticon Data Solutions will periodically assess the effectiveness and efficiency of the Information Security Management System and will provide adequate support for adopting the improvements this assessment identifies. The aim is a continuous process that monitors changes in the surrounding conditions or in the company’s business objectives, so that the ISMS remains properly aligned with them.

Extract from SGSI Manual – Rev. 03 of 10.10.2023

The Executive Board of Opticon Data Solutions Srl

24/10/2024 - Integration of ISO 27017 and 27018

Integration of ISO 27017 and 27018

Introduction

This document extends and integrates the content outlined in the “Opticon Information Security Policy” document. It specifies how the management of Opticon Data Solutions S.r.l. is committed to implementing and improving its Management System in accordance with the requirements of the ISO/IEC 27001:2022 standard on Information Security.

Therefore, this document serves as a continuous reference for all subsequent strategic choices and decisions deemed appropriate for the operational context. Its distribution involves all relevant stakeholders through publication on the internal information system and, upon request, is made available to other interested parties, including through publication on the company’s website.

Company managers are familiar with and share the guidelines expressed by management and the policy documents; all personnel are made aware that they operate within a Management System aimed at implementing the company’s documentation.

The entire structure of Opticon Data Solutions S.r.l. is focused, through the commitment of management, on continuous improvement based on the achievement of the following objectives.

Cloud Service Provider (CSP)

Opticon Data Solutions S.r.l. operates as a Cloud Service Provider, offering Software as a Service (SaaS) data management services that facilitate regulatory compliance.

In delivering SaaS services, Opticon Data Solutions S.r.l.:

  • Has assessed the applicable baseline security requirements in the design and implementation of its cloud services, relying on one of the leading market providers for a scalable infrastructure, without taking on responsibility for managing that infrastructure.
  • Periodically evaluates and updates the information security risks associated with the cloud services it delivers to its clients.
  • Has implemented technical and organizational measures to mitigate risks stemming from internal personnel through security policies, targeted training campaigns, and internal audits.
  • Ensures that clients can access only their own data and services.
  • Ensures the security of the virtualization system in line with market best practices, partnering with one of the world’s leading providers.
  • Allows clients to access the data uploaded to the SaaS service through specific authentication methods, ensuring consistent segregation of information.
  • Guarantees an appropriate lifecycle for the user credentials used to access the SaaS service, promptly removing outdated access credentials.
  • Provides timely communication to clients in the event of changes, whether related to applications, infrastructure, or services.
  • Ensures that internal personnel acting as System Administrators and Data Controllers are formally appointed and required to apply the best technological security measures currently available on the market.

PII Processor

In its role as PII Processor, Opticon Data Solutions S.r.l.:

  • Ensures that any data breaches are promptly managed through a dedicated procedure for reporting to the relevant authorities.
  • Has formalized a specific procedure for managing information security incidents. The client of Opticon Data Solutions S.r.l. is required to verify that the assignment of responsibilities for managing information security incidents is adequate and therefore meets the client’s own requirements.
  • Ensures that management focuses all efforts on the continuous protection and segregation of clients’ personal data processed through its proprietary cloud services, in full compliance with applicable regulations.
  • Ensures that, in the event of an incident involving the loss of any of the following properties of personally identifiable information (PII): confidentiality, integrity, availability, or authenticity, the incident is promptly notified to the affected party.
If necessary, and in any case within a maximum of 48 hours, Opticon Data Solutions S.r.l. will decide jointly with the relevant party which party is responsible for reporting the data breach. The communication to the Data Protection Authority, as required by EU Regulation 2016/679 – GDPR, must be sent within 72 hours of becoming aware of the incident.

For further details on the technical and organizational measures adopted by Opticon Data Solutions S.r.l. to ensure the security of information and personal data within its proprietary cloud services, please refer to the “ISO 27017-27018 Technical Discipline.”

This document is subject to periodic revisions and updates in order to make corrections, add enhancements, and ensure its adequacy and effectiveness, especially in the case of significant changes concerning information security, in the spirit of continuous improvement. In the interest of maximum transparency and collaboration, this annex to the “Opticon Information Security Policy” is communicated to all employees and made available to stakeholders as deemed necessary.

Milan, 24/10/2024

The management of Opticon Data Solutions S.r.l.