
SoftSystem srl

Our Data and Information Security Policy

01 INTRODUCTION

Premise

SOFTSYSTEM designs, engineers, and develops automatic machines in the industrial automation sector for clients in the automotive, pharmaceutical, and glass industries. The products and systems are created based on the specific needs of the customer and customized uniquely for them.

SOFTSYSTEM Srl has begun to consider information security as a strategic factor for protecting its information assets and providing high-quality services to clients who are increasingly concerned about security. Information security has become a strategic factor that can be transformed into a competitive advantage.

Information is considered an essential asset for corporate business and, as such, must be protected. SOFTSYSTEM Srl has therefore decided to implement and maintain an active Information Security Management System and to ensure an adequate level of data and information security within its production activities, including by identifying, assessing, and addressing the risks to which they are subject.

The Information Security Management System of SOFTSYSTEM Srl defines a set of organizational, technical and procedural measures to ensure compliance with basic security requirements:

  • Confidentiality, or the property of information to be known only to those who have the privileges;
  • Integrity, or the property of information to be modified only and exclusively by those who have the privileges;
  • Availability, or the property of information to be accessible and usable when required by the processes and users who enjoy its privileges.

02 DIRECTION

Strategic direction and management statement

In order to provide general and strategic direction for SOFTSYSTEM Srl in the short, medium and long term, and to ensure the protection and safeguarding of information within the scope of its activities in accordance with the UNI CEI ISO/IEC 27001 standard, SOFTSYSTEM Srl has developed the policy for the protection of corporate information assets described in this document.

To achieve the IT security objectives identified as necessary by Management, an Information Security Management System must be implemented that is consistent with the policy the company intends to implement. Maintenance of the system is ensured by a continuous process of improvement involving all company functions:

  • The staff, who will implement the security policies and requirements to achieve the established objectives.
  • Customers, who will have guarantees for their security needs, in accordance with the commitments undertaken by SOFTSYSTEM Srl.
  • Suppliers, who will contribute, as partners, to achieving the organization's objectives, and will accept the security policies and risks associated with the supply.

Management is aware that implementing the Management System requires significant initial effort and that maintenance and continuous improvement must be guaranteed by adequate organizational support. 

For this purpose, the organization of SOFTSYSTEM SRL has been designed so that the roles and responsibilities for Information Security are defined and able to operate in the direction indicated by this policy.

The Management will make available investments suitable for meeting the established policies and objectives and deems it appropriate to approach the System's start-up phase by including external resources capable of providing qualitative and quantitative support on all aspects of information security. 

This policy sets out the general objectives and requirements issued by the Management of SOFTSYSTEM SRL, which must be implemented by the company structures, each within its specific area of expertise, so that work activities comply with what is specified in this policy.

03 RISKS

Risk assessment and control framework

Security requirements are identified through a systematic assessment of security risks using methodologies recognized by international standards.

The results of the risk assessment will determine the appropriate management and implementation actions to protect against those risks, and the priority of those actions.

The risk assessment will be repeated periodically to address any changes that may affect the risk factor.

Based on the risk assessment, the cost of controls must be balanced against the benefit of protecting the business from the damage it could suffer as a result of information security flaws.

04 INFORMATION ASSETS

The company's information assets

Any type of data aggregation that has value for the company, regardless of the format and technology used for its processing and storage, contributes to the formation of the information asset. Information must be protected in all possible formats in which it is made available: 

  • paper (documents, letters, lists, etc.)
  • electronic (databases, disks, tapes, etc.)
  • oral (meetings, personal and telephone conversations, seminars, interviews, etc.)

Depending on its type and origin, the information that constitutes the company's information assets can be divided into:

  • Information derived from the Customer Information Assets, i.e. the set of information managed by SOFTSYSTEM Srl through its production processes and currently located in data centers managed directly or indirectly by the company. The security of this information must be guaranteed by contract with customers, and any security incident would have direct consequences on the company's image and business development.
  • Information derived from the Internal Information Assets, i.e. all the company's internal information, partly managed through information systems. This information influences other information and directly or indirectly affects all business activities.

Information must be assessed to determine its relative importance at the corporate business level in order to implement adequate and proportionate security countermeasures for the different forms and methods of interaction used.

05 GOALS

System objectives and implementation

This information security policy identifies the security aspects to be implemented within the organization in order to support the mission of SOFTSYSTEM SRL and to pursue the primary objectives listed below.

The company functions responsible for information management and security have the task of translating the identified objectives and general information security requirements into more specific countermeasures and security policies, with a view to obtaining an appropriate Information Security Management System.

The primary objectives to be pursued according to the adopted security policy are the following:

  • Reduce serious events (ransomware, payment hijacking, major breaches) to 0;
  • Structure an IT department capable of controlling the security of logical information: asset mapping, risk assessment and reduction of the overall risk level by 15-20%;
  • Monitor Data Security System performance: implement security performance monitoring tools and logic (inventory, network monitoring, vulnerability assessment, threat protection status, incidents, and device, system and log monitoring);
  • Comply with current voluntary standards (primarily ISO 27001) and mandatory regulations (primarily the EU GDPR).

By achieving these objectives, Management expects to safeguard the company's reputation, its physical and intangible assets, and the continuity of operations for the benefit of all stakeholders (customers, property, workers, suppliers, and the community).

These objectives are achieved and maintained through the collaboration of workers at all levels, who are required to:

  • ensure the confidentiality, integrity and availability of information;
  • assess risk levels;
  • monitor security levels;
  • formalize security requirements in relationships with customers and suppliers;
  • ensure a corporate culture of information security and an adequate level of related competence;
  • plan and manage business continuity.

The indications and prescriptions of the system apply to all internal and external personnel, partner companies, suppliers and outsourcers, and to anyone who comes into contact with the proprietary information of SOFTSYSTEM SRL.

All personnel who, as employees, consultants, or collaborators, collaborate with the company in the design, development, management, and control of the services provided are responsible for complying with the system's requirements and guidelines and are required to protect all information processed during their work activities. Aware of the importance of the information they process, personnel must take steps to ensure its protection and report any anomalies, even those not formally coded, of which they become aware.

In the event that the established security rules are not respected by employees, consultants and/or collaborators of the company, the Management of SOFTSYSTEM SRL reserves the right to adopt, in full compliance with legal and contractual constraints, the most appropriate measures against offenders.

External parties who have relationships with SOFTSYSTEM SRL must ensure compliance with the security requirements set out in this security policy, including by signing a "confidentiality agreement" when the assignment is awarded, if this type of obligation is not expressly mentioned in the contract.

06 CONCLUSIONS

Conclusions

The Information Security Policy must always be consistent with the company's business objectives; therefore the Management reserves the right to amend this document based on the results achieved by SOFTSYSTEM SRL, the expectations of all interested parties, and trends in the reference market.

In accordance with the Information Security Policy and at least annually, Management will set Security objectives, also taking into account the results achieved during the previous year.

This policy has been approved by the Management of SOFTSYSTEM SRL.