CYBER SECURITY POLICY

Our corporate cybersecurity policy outlines our guidelines and provisions for preserving the security of our data and technological infrastructure.

Human errors, hacker attacks, and system malfunctions could cause extensive damage to the company. Therefore, we implemented a company policy to minimize these risks. This was carried out when adapting to the GDPR, and was then further improved when adapting to the new European directive NIS-2. The policy was documented and shared with employees and with external companies or agencies where required. In addition, both the GDPR policy and the cybersecurity policy have been posted on our website.

The goal is to make the terminal’s digital infrastructure stable and secure while minimizing attack surfaces. To do this, we have implemented many security services provided by an internationally recognized vendor, which gives us an in-depth analysis of all network traffic in real time. Internally, we have updated almost every hardware and software asset and optimized the network configuration to minimize the effects of any attack. Should an attack nevertheless occur, a backup strategy has been adopted that allows full recovery in any situation that may arise. In addition, we have defined operational instructions for employees to help mitigate risks, and all staff have taken cybersecurity courses.

This policy applies to all our employees, suppliers, and anyone with permanent or temporary access to our hardware and software systems.

For all those who need to access our infrastructure in order to perform their activity, a deed of appointment as the person responsible for the processing of personal data has been defined and accepted by them.

The documentation mentioned earlier defines the main criteria for:

  • The processing of personal data
  • The processing of corporate data
  • The use of assigned devices, such as desktop PCs, laptops, and smartphones
  • The use of the corporate network
  • The management of access credentials to the various environments
  • The management of electronic mail
  • Managing situations related to malware or scam attempts

The same documentation also specifies the tools and configurations adopted for security, at both the network and backup levels. Specifically, the risk analysis identified a medium-low risk, which we consider acceptable given our circumstances. Nevertheless, we have planned the necessary interventions in the coming years to mitigate the critical issues that have emerged, with the goal of achieving low risk. We are also planning training for all employees that is more specific to our circumstances.