Company policy requires that, consistent with the corporate mission, all business processes are managed in accordance with the rules of the TISAX Data Security Management System, which was developed taking into account the ISO/IEC 27001:2013 standard and the controls set out in its Annex A.
PURPOSE AND OBJECTIVES
The management of MODEL 5 S.R.L. has defined and disseminated this Information Security Management policy and is committed to keeping it in force at all levels of the organisation.
The purpose of this policy is to ensure maximum customer satisfaction in the use of our services and to safeguard the information within the scope of our activities against all threats, whether internal or external, intentional or accidental, in accordance with the requirements of TISAX and ISO/IEC 27001 and the guidance of ISO/IEC 27002, in their latest versions.
SCOPE OF APPLICATION
This policy applies equally to all bodies and levels of the Company.
Compliance with this policy is mandatory for all personnel and must be written into the agreements with any external party that, for any reason, may be involved in processing information within the scope of the TISAX Management System.
The information assets to be protected consist of all information handled in the course of the services provided, at all company locations.
It is necessary to ensure:
- the confidentiality of the information: i.e. the information must be accessible only to authorised persons.
- the integrity of the information: i.e. the accuracy and completeness of the information, and of the methods used to process it, must be protected.
- the availability of the information: i.e. that authorised users can effectively access the information and related assets when they require it.
Inadequate security can lead to damage to the company’s image, customer dissatisfaction, penalties for breaching applicable regulations, and economic and financial loss.
An adequate level of security is also a precondition for sharing information.
The company identifies its security needs through a risk analysis of its assets, which gives it an appropriate awareness of its level of exposure to threats. The risk assessment considers the potential consequences and damage that could result from not applying security measures to the information system, and the realistic likelihood that the identified threats materialise.
The results of this assessment determine the actions necessary to manage the identified risks and the most suitable security measures.
Our information security management principles cover the following aspects:
1- ALWAYS UPDATED ASSET INVENTORY – An up-to-date catalogue of the company’s assets relevant to information management must be maintained, and an owner identified for each. Information must be classified according to its criticality, so that it is handled with consistent and appropriate levels of confidentiality and integrity.
2- UPDATED INFORMATION RISK ASSESSMENT – The information risk assessment is updated at least once a year, at the management review, and additionally following adverse events or changes to the asset inventory.
3- SECURE SYSTEM ACCESS – To guarantee the security of information, all access to systems must be subject to identification and authentication. Access authorisations must be differentiated according to the role and responsibilities of each individual, so that every user can access only the information needed for their role, and must be reviewed periodically.
4- SECURE USE OF COMPANY ASSETS – Procedures must be defined for the secure use of company assets and information and of the systems that manage them.
5- CONTINUOUS TRAINING OF PERSONNEL – Full awareness of information security issues must be promoted among all staff (employees and collaborators), from recruitment onwards and throughout the employment relationship.
6- TIMELY MANAGEMENT OF ADVERSE EVENTS – So that incidents can be managed in a timely manner, everyone must report any security issue. Each incident must be handled as set out in the procedures.
7- APPROPRIATE PHYSICAL PROTECTION OF BUSINESS LOCATIONS – Unauthorised access to business premises, and to the individual areas within them where information is handled, must be prevented, and the security of equipment must be ensured.
8- MANAGEMENT OF CONTRACTUAL COMPLIANCE WITH THIRD PARTIES – Compliance with legal requirements and information security principles in contracts with third parties must be ensured.
RESPONSIBILITY FOR COMPLIANCE AND IMPLEMENTATION
Compliance and implementation of the policies are the responsibility of:
1- All personnel who, in any capacity, collaborate with the company and are in some way involved in processing data and information within the scope of the Management System. All personnel are also responsible for reporting any anomalies and violations of which they become aware.
2- All external parties that have relations with and collaborate with the company. They must ensure compliance with the requirements of this policy.
3- The Head of the Management System who, within the framework of the Management System and by means of appropriate rules and procedures, must:
- conduct the risk analysis using appropriate methodologies and adopt all measures needed to manage risk;
- establish the rules necessary for the secure conduct of all company activities;
- verify security breaches, take the necessary countermeasures and monitor the company’s exposure to the main threats and risks;
- organise training and promote staff awareness of all matters relating to information security;
- periodically check the effectiveness and efficiency of the Management System.
Anyone, whether an employee, consultant or external collaborator of the Company, who intentionally or negligently disregards the established security rules and thereby causes damage to the Company may be pursued in the appropriate forums, in full compliance with legal and contractual constraints.
Management will verify the effectiveness and efficiency of the Management System at regular intervals and whenever significant changes occur, in order to support the introduction of all necessary improvements and to sustain a continuous process by which the policy is controlled and adjusted in response to changes in the corporate environment, the business and legal conditions.
The Management System Manager is responsible for reviewing the policy.
The review shall verify the status of improvement and corrective actions and adherence to the policy.
It shall take into account all changes that may affect the company’s approach to information security management, including organisational changes, the technical environment, the availability of resources, legal, regulatory or contractual conditions, and the results of previous reviews.
The outcome of the review shall include all decisions and actions related to improving the company’s approach to quality and information security management.
Management shall actively support information security in the company through clear direction, commitment, and the explicit assignment and acknowledgement of information security responsibilities.
The management commitment is implemented through a structure whose tasks are:
- to ensure that all objectives relating to information security are identified and that these meet corporate requirements;
- to establish corporate roles and responsibilities for the development and maintenance of the TISAX Management System;
- to provide sufficient resources for the planning, implementation, organisation, control, review, management and continuous improvement of the TISAX Management System;
- to monitor that the TISAX Management System is integrated into all business processes and that procedures and controls are effectively developed;
- to approve and support all initiatives aimed at improving the quality and security of information;
- to activate programmes to spread information security awareness and culture.
9- TESTING OF THE BUSINESS CONTINUITY PLAN – A business continuity plan must be drawn up and exercised to enable the company to deal effectively with an unforeseen event, guaranteeing the restoration of critical services within timeframes and in a manner that limit the negative consequences for the company mission.
10- SECURITY BY DESIGN – Security must be addressed in every phase of the design, development, operation, maintenance, support and decommissioning of IT systems and services.
11- CONTINUOUS REGULATORY MONITORING – Compliance with legal, statutory, regulatory and contractual obligations, and with any other requirement relating to information security, shall be ensured, minimising the risk of legal or administrative sanctions, significant losses or reputational damage.
12- PERIODIC PENETRATION TESTS – Periodic penetration tests must be carried out on infrastructure and applications to assess the resilience of systems to external attacks, to detect vulnerabilities and to enable their remediation.