
Cyber Security and Data protection

The data and information that we handle are strategic assets that can be compromised by cyber attacks and by any other events resulting from vulnerabilities in information networks. This kind of situation can undermine the company’s resilience, jeopardizing the services available to customers and the company’s reputation.

We strive to rapidly intercept any such threats so as to be able to deal with them as effectively as possible.

Guarding against cyber threats

Our Group Security & Cyber Defence team adopts a holistic approach to managing the Group's security. It works specifically to ensure the protection of the data of our workforce, our customers and all our stakeholders.

We tackle these threats in the following ways:

  1. Cyber risk analysis of Industrial Assets and Digital Services
  2. Cyber Security processes and safeguards compliant with best practices and international standards (e.g. ISO/IEC 27001 and IEC 62443) as well as industry regulations
  3. Business continuity and information security management system
  4. Evaluation of the cyber resilience of third parties
  5. Public-Private Partnership
  6. Awareness and continuous employee training
  7. Cyber threat intelligence activity

Cyber defence

Our Cyber Defence department is tasked with handling the increasing complexity of threats in both the classic ICT sphere and the industrial (OT) environment, and with doing so within a single, convergent framework.

More specifically, it guarantees the data protection and cyber resilience of business services and digital infrastructures through the implementation of the Information Security Management System (ISMS). Moreover, in a process of continuous innovation, it provides, develops and consolidates new-generation digital security services able to deliver end-to-end protection to the company's businesses, always in line with Board policy.

Finally, through the IRIS (Intelligent Resilience Information Security Services) unit, made up of IT security experts, we carry out defence and response activities against attacks targeting information, IT infrastructures and digital business services.

IRIS offers the following IT security services:

Security monitoring and rapid reaction activities

Protecting the company 24/7 against digital criminals and providing real-time monitoring of threats to the security of both ICT and industrial infrastructures, reducing the exposure to, and the impact of, attacks on the Group's services, applications and digital and industrial assets.

Platform resilience

Integrating digital and security technologies so that security and monitoring remain effective and uninterrupted, kept in line with current threat models.

Active defence

Assessing the resilience of the company and its services by means of a Security Lab: a team of white hats (ethical hackers) and other specialists tasked with evaluating company and service resilience, defining the most critical current risk scenarios and studying future threat trends.

Cyber threat intelligence activities

Providing an intelligence capability through proactive research and analysis of external sources, both public and non-public, in support of strategic security decisions and cyber security operations, and monitoring and safeguarding the Group's digital data and brand against improper use.


Privacy

In order to guarantee compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereafter referred to as the "GDPR"), we have equipped ourselves with a personal data management model which:

  • identifies the roles actively involved in the management of privacy within the company and their respective responsibilities;
  • defines how personal data is managed in line with GDPR provisions, including the principles of privacy by design and privacy by default; on this basis, whoever is responsible for the data must ensure adequate technical and organisational security measures to safeguard the rights of data subjects.

We have also laid down procedures designed to regulate the following:

  • the definition of the storage periods for personal data (so-called data retention);
  • the preliminary risk assessment for each processing of personal data, and the Data Protection Impact Assessment (DPIA) for processing that involves a high level of risk for the rights and freedoms of individuals, so as to determine the necessity and proportionality of such high-risk processing, the risks involved, and the most suitable measures to adopt;
  • the management of requests by which data subjects exercise their rights;
  • the handling of data breaches, which involves analysing the extent of the breach and drawing up a remediation plan to resolve the privacy incident and reduce the risk identified.

Furthermore, with suppliers who process personal data on behalf of our businesses, we draw up specific agreements which, in addition to incorporating the statutory provisions, contain specific instructions that the supplier is obliged to follow when processing such data.
