
SoftSystem srl

Our policy for the security of data and information

01


INTRODUCTION

Premise

SoftSystem designs, engineers and develops automatic machines in the industrial automation sector for customers in the automotive, pharmaceutical and glass industries. Products and systems are made according to the specific needs of each customer and customized exclusively for them.

SoftSystem srl began to regard information security as strategic, both to protect its information assets and to provide high-quality services to customers who show a growing interest in security. Information security has become a strategic value factor that can be turned into a competitive advantage.

Information is considered an essential asset for the business and, as such, must be protected. SoftSystem srl has therefore decided to implement and maintain an information security management system and to guarantee an adequate level of security for data and information in its production activities, including through the identification, evaluation and treatment of the risks to which they are subject.

The information security management system of SoftSystem srl defines a set of organizational, technical and procedural measures to guarantee that the basic security requirements are met:

  • Confidentiality, or the property that information is known only to those who hold the privileges;
  • Integrity, or the property that information is modified only and exclusively by those who hold the privileges;
  • Availability, or the property that information is accessible and usable when requested by the processes and users who hold the privileges.

02


DIRECTION

Strategic direction and Declaration of the Management

To set the general and strategic direction of SoftSystem srl in the short, medium and long term, and to guarantee the safeguarding and protection of information in its activities in accordance with the UNI CEI ISO/IEC 27001 standard, SoftSystem srl has developed the policy for protecting the company's information assets described in this document.

To achieve the IT security objectives that the Management has identified as necessary, an information management system consistent with the policy the company intends to pursue must be implemented. Maintenance of the system is guaranteed by a continuous improvement process that involves all corporate functions:

  • The staff, who will implement the policies and security requirements to achieve the set objectives.
  • Customers, who will have guarantees for their security needs, to the extent of the commitments made by SoftSystem srl.
  • The suppliers, who will contribute, as partners, to achieving the organization's objectives, and will accept the security policies and the risks connected to the supply.

The Management is aware that the realization of the management system requires a significant initial effort and that continuous maintenance and improvement must be guaranteed by adequate organizational support. 

For this purpose, the organization of SoftSystem srl has been designed so that roles and responsibilities for information security are defined and able to operate in the direction indicated by this policy.

The Management will make available the investments needed to satisfy the established policies and objectives, and considers it appropriate to handle the start-up phase of the system by bringing in external resources able to give qualitative and quantitative support on all aspects of information security.

This policy represents the objectives and general requirements issued by the Management of SoftSystem srl, which must be implemented by the company structures, each for its specific area of competence, so that work activity complies with what is specified in this policy.

03


Risks

Risk assessment and general framework of controls

Security requirements are identified through a systematic security risk assessment, using methodologies recognized by international standards.

The results of the risk assessment will help determine the appropriate actions for the management and implementation of controls to protect against these risks. The relative priorities will also be determined.

The risk assessment will be repeated periodically to account for any changes that could influence the risk factor.

Based on the risk assessment, the cost of the controls must be balanced against the benefit of protection from the damage the business could suffer as a result of failures in information security.

04


Assets

The company's information assets

Any aggregation of data that has value for the company, regardless of the form and technology used to process and store it, is part of the information assets. Information must be protected in every format in which it is made available:

  • paper (documents, letters, lists, etc.)
  • electronic (databases, records, tapes, etc.)
  • verbal (meetings, personal and telephone conversations, seminars, interviews, etc.)

Depending on its type and origin, the information that makes up the company's information assets can be divided into:

  • Information deriving from customers' information assets: the set of information managed by SoftSystem srl through its production processes and currently located in data centers managed directly or indirectly by the company. The security of this information must be guaranteed by contract with customers, and any security incident would have direct consequences for the image and development of the business.
  • Information deriving from internal information assets: all information within the company, partly managed through information systems. This information influences the others and directly or indirectly conditions all business activities.

Information must be evaluated to establish its relative importance to the business, so that security countermeasures can be implemented that are adequate and proportional to the different forms and methods of interaction used.

05


GOALS

Objectives and implementation of the system

This information security policy identifies the security aspects to be implemented within the organization in order to support the mission of SoftSystem srl and to pursue the primary objectives reported below.

The company functions responsible for the management and security of information have the task of translating the identified objectives and general information security requirements into more specific countermeasures and security policies, with a view to obtaining a coherent information management system.

The primary objectives to be pursued according to the security policy adopted are as follows:

  • Reduce serious events to 0 (ransomware, payment hijacking, serious violations)
  • Structure an IT department capable of controlling the security of logical information: asset mapping, risk assessment and a reduction of the overall risk level by 15-20%
  • Monitor the data security system: implement logic and tools for monitoring security performance (inventory, network monitoring, vulnerability assessment, threat status, incidents, monitoring of equipment, systems and logs)
  • Comply with voluntary standards (ISO 27001 first and foremost) and mandatory regulations (the EU GDPR first and foremost)

By achieving these objectives, the Management expects to safeguard the corporate reputation, the company's physical and intangible assets, and the continuity of operations, for the benefit of all stakeholders (customers, owners, workers, suppliers and the community).

These objectives are achieved and maintained through the collaboration of workers at all levels, who are required to:

  • guarantee the confidentiality, integrity and availability of information;
  • evaluate risk levels;
  • monitor security levels;
  • formalize security requirements in relations with customers and suppliers;
  • guarantee a company culture of information security and a correspondingly adequate level of competence;
  • plan and manage the continuity of the business.

The indications and prescriptions of the system apply to all internal and external staff, partner companies, suppliers and outsourcers, and anyone who comes into contact with information owned by SoftSystem srl.

All staff who work with the company as employees, consultants or collaborators in the design, development, management and control of the services provided are responsible for complying with the prescriptions and indications of the system and are required to protect all information processed during their work. Staff, aware of the importance of the information processed, must act to guarantee its protection and report any anomalies they become aware of, including those not formally codified.

If the established security rules are disregarded by employees, consultants and/or collaborators of the company, the Management of SoftSystem srl reserves the right to adopt, in full compliance with legal and contractual constraints, the most appropriate measures towards transgressors.

External parties that have relationships with SoftSystem srl must guarantee compliance with the security requirements set out in this security policy, including by signing a "confidentiality pact" when the assignment is awarded, where this type of obligation is not expressly mentioned in the contract.

06


Conclusions

Conclusions

The information security policy must always be consistent with the company's business objectives. The Management therefore reserves the right to make changes to this document based on the results achieved by SoftSystem srl, the expectations of all interested parties and developments in the reference market.

In accordance with the information security policy and at least annually, the Management will set the security objectives also using the results achieved during the previous year.

This policy was approved by the Management of SoftSystem srl
