Information Security Policy

Motivation

Opticon Data Solutions S.r.l. operates in the Legal Tech sector with the goal of supporting companies in their digital transformation and compliance monitoring processes in the fields of Governance and Data Protection.

Given the nature of its activities, Opticon Data Solutions considers information security a primary factor in protecting its informational assets and a strategic value that can easily be turned into a competitive advantage.

The company places particular emphasis on security throughout the design and development lifecycle of its services, which are regarded as valuable assets of the company.

The Information Security Management System (ISMS) applies to all activities related to the development of cloud solutions that support Governance and Data Protection, including the analysis, design, and production of tools, as well as the associated data stored within Opticon Data Solutions’ data centers.

Aware that its services may involve the handling of critical data and information from external entities, the technical organizational unit operates in compliance with internationally recognized security standards.

It is essential to share this “Information Security Policy” with all suppliers, collaborators, partners, and any external entities that could significantly impact the company’s information security. This ensures that, when necessary, appropriate actions are taken to mitigate risks and enhance information security levels.

For these reasons, both technical and organizational measures are adopted to best ensure the integrity, confidentiality, and availability of internal informational assets as well as those entrusted by clients, including personal data.

On this basis, Opticon Data Solutions has decided to implement an Information Security Management System (ISMS), structured according to best practices and international standards, in compliance with the ISO/IEC 27001:2022 framework.

Purpose and Scope

The objective of Opticon Data Solutions’ Information Security Management System (ISMS) is to provide cloud services that support governance and compliance in Data Protection, while ensuring an adequate level of data and information security throughout the design, development, and delivery of these services. This is achieved through the identification, assessment, and treatment of risks to which these services are exposed.

The ISMS of Opticon Data Solutions defines a set of organizational, technical, and procedural measures to guarantee compliance with the following fundamental security requirements:

  • CONFIDENTIALITY: Information must only be accessible to those with appropriate privileges.
  • INTEGRITY: Information must only be modified by authorized individuals.
  • AVAILABILITY: Information must be accessible and usable when required by authorized users and processes.

Furthermore, through this policy, Opticon Data Solutions aims to formalize the following information security objectives:

  • Preserve the company’s reputation as a reliable and competent service provider.
  • Protect both its own and its clients’ informational assets.
  • Operate with defined security rules to ensure the protection of information managed by the company’s hardware and software systems.
  • Continuously improve business processes, increasing efficiency and adding value to activities by maintaining a dynamic ISMS aligned with the ISO/IEC 27001:2022 framework.
  • Optimize document output processes derived from consultancy services, ensuring correct data and information management for clients and stakeholders.
  • Implement measures to enhance employee retention and professional growth.
  • Fully comply with all applicable legal and regulatory requirements.
  • Increase awareness and expertise among employees regarding information security.
  • Raise security awareness among suppliers, collaborators, and partners who may impact information security.
  • Enhance the security of the system implemented by Opticon Data Solutions S.r.l.

Policy Content

The ISMS (Information Security Management System) applies to the provision of cloud services supporting governance and compliance in Data Protection and the data associated with them.

All information created or used by the company must be safeguarded and protected according to its assigned classification, from its creation through its use and eventual disposal. Information must be managed securely, accurately, and reliably, and must be readily available for authorized uses.

The “use of information” refers to any form of processing that involves electronic or paper-based media or enables verbal communication in any form.

Regarding consulting activities, the ISMS, in compliance with ISO/IEC 27001:2022, requires the Information Security Officer to periodically conduct a risk analysis that considers the strategic objectives outlined in this policy, security incidents that occurred during the period, and strategic, business, and technological changes that took place. The purpose of this analysis is to evaluate the risks associated with each asset, considering the identified threats.

The Management Team collaborates with the Information Security Officer to define the risk assessment methodology, approving the relevant documentation. In drafting this methodology, the Management Team also participates in defining the scales and parameters used for risk evaluation.

Following the risk analysis, the Management Team evaluates the results, determining the acceptable risk threshold, the risk mitigation strategies for risks exceeding this threshold, and the residual risk after mitigation. This assessment also considers the business value of the assets being protected and clearly identifies necessary actions, prioritized based on company objectives, available budget, and legal and regulatory compliance requirements.

Additionally, this analysis must be conducted whenever events occur that could alter the system’s overall risk profile.

Responsibilities

All personnel who, in any capacity, collaborate with the company are responsible for complying with this policy and reporting any anomalies, even if not formally codified, that they become aware of.

The Management Team and the appointed Information Security Management System Officer, with the possible support of the appointed internal DPO, are responsible for setting objectives, ensuring clear alignment with corporate strategies, and providing visible support for security initiatives. They promote security by ensuring the adequacy of individual security budgets, in line with the defined corporate policies and strategic guidelines.

The Information Security Officer is responsible for designing the Information Security Management System and, in particular, for:

  • Issuing all necessary regulations, including document classification types, to ensure that the company can conduct its activities securely;
  • Adopting criteria and methodologies for risk analysis and management;
  • Suggesting organizational, procedural, and technological security measures to protect the security and continuity of Opticon Data Solutions S.r.l.’s activities;
  • Planning a specific and periodic security training program for personnel;
  • Regularly monitoring the exposure of corporate services to major threats;
  • Investigating security incidents and implementing appropriate countermeasures;
  • Promoting a culture of information security;
  • Actively involving, where necessary, suppliers, collaborators, and partners who may have an impact on or interact with the Information Security Management System.


All external entities that engage with Opticon Data Solutions must ensure compliance with the security requirements stated in this security policy, potentially through the signing of specific confidentiality clauses/agreements.

Applicability

This policy applies equally to all corporate bodies within the company. Its implementation is mandatory for all personnel and collaborators of Opticon Data Solutions and must be included in the regulatory framework of agreements with any external entity that, in any capacity, may become aware of the information managed within the company. Opticon Data Solutions allows the communication and dissemination of information externally only for the proper execution of business activities, which must comply with applicable rules and regulations.

Review

Opticon Data Solutions will periodically assess the effectiveness and efficiency of the Information Security Management System, ensuring adequate support for the implementation of necessary improvements. This will enable the activation of a continuous process that monitors changes in surrounding conditions or business objectives to ensure proper adaptation.

Extract from the SGSI (ISMS) Manual – Rev. 05 of 10.12.2024

The Executive Board of Opticon Data Solutions Srl

24/10/2024 - Integration of ISO 27017 and 27018

Integration of ISO 27017 and 27018

Introduction

This document extends and integrates the content outlined in the “Opticon Information Security Policy” document. It specifies how the management of Opticon Data Solutions S.r.l. is committed to implementing and improving its Management System in accordance with the requirements of the ISO/IEC 27001:2022 standard on Information Security.

Therefore, this document serves as a continuous reference for all subsequent strategic choices and decisions deemed appropriate for the operational context. Its distribution involves all relevant stakeholders through publication on the internal information system and, upon request, is made available to other interested parties, including through publication on the company’s website.

Company managers are familiar with and share the guidelines expressed by management and the policy documents; all personnel are made aware that they operate within a Management System aimed at implementing the company’s documentation.

The entire structure of Opticon Data Solutions S.r.l. is focused, through the commitment of management, on continuous improvement based on the achievement of the following objectives.

Cloud Service Provider (CSP)

Opticon Data Solutions S.r.l. operates as a Cloud Service Provider, offering Software as a Service (SaaS) data management services that facilitate regulatory compliance.

In delivering SaaS services, Opticon Data Solutions S.r.l.:

  • Has assessed the applicable baseline security requirements in the design and implementation of cloud services, specifically relying on one of the leading market players to provide a scalable infrastructure without specific responsibilities for managing it. When delivering SaaS services to its clients, the company periodically evaluates and updates the risks related to information security within cloud services.

  • Has implemented technical and organizational measures to mitigate risks stemming from internal personnel through security policies, targeted training campaigns, and internal audits.
  • Ensures that clients can access only their own data and services.
  • Ensures the security of the virtualization system in line with market best practices, partnering with one of the world’s leading providers.
  • Allows clients to access the data uploaded to the SaaS service through specific authentication methods, ensuring consistent segregation of information.
  • Guarantees an appropriate lifecycle for user credentials accessing the SaaS service, promptly removing outdated access credentials.
  • Provides timely communication to clients in case of changes, whether related to applications, infrastructure, or services.
  • Ensures that internal personnel with roles as System Administrators and Data Controllers are formally appointed and bound to the best available technological security measures currently on the market.

PII Processor

As a PII Processor, Opticon Data Solutions S.r.l.:

  • Ensures that any data breaches are promptly managed through a dedicated reporting procedure to the relevant authorities.
  • Has formalized a specific procedure for managing information security incidents. The client of Opticon Data Solutions S.r.l. is required to verify that the assignment of responsibilities for managing information security incidents is adequate and, therefore, meets their own requirements.
  • Ensures that management focuses all efforts on the continuous protection and segregation of clients’ personal data processed through proprietary cloud services, in full compliance with applicable regulations.
  • Ensures that, in the event of an incident involving the loss of any of the following characteristics of personally identifiable information (PII): confidentiality, integrity, availability, and authenticity, the incident is promptly notified to the affected party. If necessary, and in any case within a maximum of 48 hours, Opticon Data Solutions S.r.l. will decide jointly with the relevant party which party is responsible for reporting the data breach. The communication to the Data Protection Authority, as required by EU Regulation 2016/679 – GDPR, must be sent within 72 hours of becoming aware of the incident.

For further details on the technical and organizational measures adopted by Opticon Data Solutions S.r.l. to ensure the security of information and personal data within its proprietary cloud services, please refer to the “ISO 27017-27018 Technical Discipline.”

This document is subject to periodic revisions and updates in order to make corrections, add enhancements, and ensure its adequacy and effectiveness, especially in the case of significant changes concerning information security, in the spirit of continuous improvement. In the interest of maximum transparency and collaboration, this annex to the “Opticon Information Security Policy” is communicated to all employees and made available to stakeholders as deemed necessary.

Milan, 24/10/2024

The management of Opticon Data Solutions S.r.l.