Namirial Information Technology
Cyber Security Statement
Namirial Group (the “Group”) is the organisational entity identified by the company Namirial S.p.A and its owned or controlled subsidiaries. Controlled subsidiary (the “Subsidiary”) means any subsidiary of Namirial S.p.A, 50% or more of the outstanding equity interests of which are owned by Namirial S.p.A and its direct or indirect subsidiaries and of which the company possesses, directly or indirectly, the power to direct or cause the direction of the management or policies, whether through the ownership of voting equity interests, by agreement or otherwise.
For us, “Information Security” means ensuring that all information and information systems on which the Group depends, including customer, employee and business partner data, are adequately protected, guaranteeing the security of the company’s services and the continuity of our business activities. The current context, characterised by continuously evolving cyber threats and increasingly stringent regulation imposed by the authorities, presents major challenges to businesses. We are committed to keeping the Group constantly equipped with appropriate security systems, and thereby to becoming increasingly reliable for our stakeholders.
More specifically, we pledge to:
- protect the company’s services and strengthen its security standards;
- define internal security regulations and monitor their implementation;
- define a solid management process for the IT risks;
- ensure the implementation of security measures for the management of cyber threats;
- raise awareness and understanding around the issue among all employees.
We have therefore developed a strategy to continuously improve the Group’s security level in four key areas.
The Group has developed a long-term cyber security program to address the cyber security issues identified in its analysis. This includes suitable countermeasures for specific situations. All projects defined and included in the program are reviewed regularly according to a schedule, while the long-term strategy is reviewed annually.
The cyber security program has been agreed upon by the Executive Management of the Group.
To strengthen the security and the IT risk management, the Board of Directors has set up a steering committee specifically dedicated to defining and developing the security strategy of the Group as well as governing and monitoring the corporate IT risks. This committee, operating at group level, is called Corporate Security & IT Risk Steering Committee and its members are the CEO, CFO, CHRO, CTO and the CISO.
We believe that the human factor is crucial to protecting our information. To that end, we have developed a cyber security awareness program for all our employees in the form of a mini-series of instructional videos. All of the material is available on internal portals dedicated to employees. Some episodes address specific information security topics, such as smartphone and tablet security and social engineering.
Namirial S.p.A, the Group company that provides the qualified trust services and other services regulated by the Italian supervisory body AgID, also provides the IT services and infrastructure to the main Group companies and is certified according to the following standards:
- ISO/IEC 27001:2013;
- ISO/IEC 27017:2015;
- ISO/IEC 27018:2015;
- Regulation (EU) 910/2014 eIDAS as Qualified Trust Service Provider;
- ETSI EN 319 401 (general policy requirements for Trust Service Providers);
- Regulation (EU) 910/2014 eIDAS, item 24, for the provision of trust services for the preservation of electronic documents;
- AgID regulations for long-term document preservation;
- AgID regulations for SPID (the Italian public system for digital identity).
The ISO/IEC 27000-series certifications are tailored to implement the sectoral standards relating to Namirial services: there are no exclusions in the Statement of Applicability, and the security controls reflect those required by ETSI EN 319 401 and by the AgID directives.
We undergo annual audits for the ISO/IEC certifications and for all of the above standards by Bureau Veritas and by the national supervisory body AgID, and have done so since 2010; our financial reporting is also regularly audited.
Compliance with these regulations is overseen by the Corporate Legal & Compliance Risk Steering Committee, composed of the CFO, the legal and compliance officers, and the lead auditor.
By virtue of the certifications it holds and the particular nature of its activities, Namirial does not publicly issue general documents describing its security systems in response to requests from third parties, whether Customers, Suppliers and/or Partners, for additional information or clarification regarding information security.
Instead, Namirial holds international and technical certifications that can be verified on public registers and that carry legal and contractual value. The confidentiality, integrity and availability of the information handled by Namirial could be compromised if certain details were made available outside the Namirial context and/or were published in any form without the authorisation of all parties involved. Furthermore, some systems and protections are partially or wholly integrated into services subject to technical, regulatory, contractual and legal security constraints, and therefore will not be disclosed.