Namirial Information Technology
Cyber Security Statement
Namirial Group (the “Group”) is the organizational entity identified by the company Namirial S.p.A and its owned or controlled subsidiaries. Controlled subsidiary (the “Subsidiary”) means any subsidiary of Namirial S.p.A, 50% or more of the outstanding equity interests of which are owned by Namirial S.p.A and its direct or indirect subsidiaries and of which the company possesses, directly or indirectly, the power to direct or cause the direction of the management or policies, whether through the ownership of voting equity interests, by agreement or otherwise.
For us, “Information Security” means ensuring that all information and information systems on which the Group depends, including customer, employee and business-partner data, are adequately protected, guaranteeing the security of the company’s services and the continuity of our business activities. The current context, characterized by the ongoing evolution of cyber threats and the more stringent regulations imposed by the authorities, presents several major challenges to businesses. We are committed to ensuring that the Group is constantly equipped with appropriate security systems, thus becoming increasingly reliable for our stakeholders.
More specifically, we pledge to:
- protect the company’s services and strengthen its security standards
- define internal security regulations and monitor their implementation
- define a solid management process for the IT risks
- ensure the implementation of security measures for the management of cyber threats
- raise awareness and understanding around the issue among all employees
We have therefore developed a strategy to continuously improve the Group’s security level, in four key areas.
The Group has developed a long-term cyber security program to address the cyber security issues identified in its analysis. This includes suitable countermeasures for specific situations. All projects defined and included in the program are reviewed regularly according to a schedule, while the long-term strategy is reviewed annually.
The cyber security program has been agreed upon by the Executive Management of the Group.
To strengthen security and IT risk management, the Board of Directors has set up a steering committee specifically dedicated to defining and developing the security strategy of the Group as well as governing and monitoring the corporate IT risks. This committee, operating at Group level, is named the Corporate Security & IT Risk Steering Committee and its effective members are the CEO, CFO, CHRO, CTO and the CISO.
We believe that the human factor is crucial to protecting our information. We have therefore developed a cyber security awareness program for all our employees in the form of periodic simulated phishing attacks and a miniseries of instructional videos. All the material is available on internal portals dedicated to employees. The episodes cover specific information security areas, for example smartphone and tablet security, and social engineering.
Namirial S.p.A, the company of the Group that provides the qualified trust services and other services regulated by the Italian supervisory body AgID, also provides the IT services and infrastructures to the main Group companies and is certified according to the following standards:
- ISO/IEC 27001:2013
- ISO/IEC 27017:2015
- ISO/IEC 27018:2015
- Regulation (EU) 910/2014 eIDAS as Qualified Trust Service Provider
- ETSI EN 319 401 for Electronic Identification Trust Service
- Regulation (EU) 910/2014 eIDAS item 24 for the supplying of Trust Services of IT Documents Storage
- AgID regulations for long-term document preservation
- AgID regulations for SPID (Italian public system for digital identity)
The ISO/IEC 27k series certifications are tailored to implement the sectoral standards related to Namirial services, with no exclusions in the Statement of Applicability; the security controls reflect those required by ETSI EN 319 401 and by the AgID directives.
Since 2010 we have undergone annual audits for the ISO/IEC certifications and all the standards listed above by Bureau Veritas and by the national supervisory body AgID, as well as regular audits of our financial reporting.
Compliance with these regulations is assured by the Corporate Legal & Compliance Risk Steering Committee, formed by the CFO, the legal and compliance officers, and the lead auditor.
To avoid conflicts with the standards and regulations against which the company is audited, and by virtue of the certifications it holds, Namirial will not implement on its services specific security policies issued and provided by its Customers.
Moreover, due to the criticality of the services provided, Namirial does not share documents or information relating to its security systems and controls in response to requests for further details or clarification about information security made by third parties, whether Customers, Suppliers and/or Partners.
For this purpose, Namirial holds international technical certifications, with legal and contractual value, that can be verified on public sites. The protection of the confidentiality, integrity and availability of the information handled in Namirial’s activities could be compromised if certain information were made available outside the Namirial context and/or were in some way subject to any form of unauthorized publication. Furthermore, some systems and protections are partially or totally integrated in services subject to technical, regulatory, contractual and legal security constraints, and therefore will not be disclosed to third parties.
Namirial is continually adapting to the changing cybersecurity landscape in order to stay ahead of threats to our systems and applications. However, keeping our customer and employee information safe is not achieved by technology alone; it takes alert employees, customers and partners who know how to recognize and report issues. For this reason, we allow our customers and partners to report vulnerabilities and/or security events they may discover on any public-facing website or application owned, operated or controlled by Namirial through a Responsible Disclosure Program.