For us “Security” means protecting our customers, employees and the data of our business partners, guaranteeing the security of the company’s ecosystem and the continuity of our business activities. The current context, in which the technological evolution also involves exponential growth in cyber threats and the more stringent regulations imparted by the authorities, present several major challenges to businesses. We are committed to guaranteeing that the Group is constantly equipped with appropriate security systems, thus becoming increasingly more reliable for our stakeholders.
To achieve our mission and to be able to effectively manage the increasing complexity of security-related risks, we have adopted a “One-Security” approach, based on a strong integration between Information & Cyber and Physical & Corporate Security.
The adoption of such holistic approach for Security leads to the integration of processes and tools for the identification, evaluation and management of security risks and to an increasing resilience against adverse events.
More specifically, we pledge to:
- protect the company’s ecosystem and strengthen its security standards
- define internal security regulations and monitor their implementation
- define a solid management process for IT and Security-related risks
- ensure the implementation of security measures for the management of Security-related threats
- raise awareness and understanding around the issue among all employees
Our Governance model
The Group Chief Security Officer is in charge of overseeing the security within the Group, identifying and implementing the Group Security strategy, managing the security budget and regularly reporting on security to the Board of Directors. To strengthen IT security risk management, the Group Risk Management Department has set up a unit specifically dedicated to monitoring and managing cyber risk. The unit is called “Group IT Risk Framework”.
The Group Security is ruled by a structured regulatory framework, recently integrated by a crisis management model.
To constantly protect ourselves from new threats, our long-term Security Program is periodically reviewed and integrated: we developed an updated IT security strategy, named Cyber Security Transformation Program 2, 2020-2022, with the aim to further increase our security posture through the adoption of innovative and advanced solutions and the progressive standardization and centralization of the Group security services. All projects defined and included in the program are regularly reviewed according to a schedule while the long-term strategy is reviewed annually.
The transformation program has been agreed upon by the Senior Management of the Group and the Board of Directors, having been previously reviewed by the Risk and Control Committee.
The Board of Directors, with the support of the Risk and Control Committee, is in charge of all decisions concerning cyber security and ICT governance and is informed at least once a year about security matters and the implementation of the Group Security Strategic Plan across the Group (during the 2020 year the Board of Directors and the Risk and Control Committee examined security matters more than once).
The Group Audit function performs regular activities on IT Security topics, and both the Risk and Control Committee and the Board of Directors are promptly informed, at least once a year, about audit results and the follow-up on findings.
Our Operational model
We continue to strengthen our ability to prevent, identify and respond to potential cyber attacks, implementing the most innovative security solutions and constantly improving our response processes. Through the Security Operation Center (SOC) we are able to monitor all events recorded by our security solutions 24 hours a day, identify potential incidents and intervene with containment and refreshment measures. Moreover, a dedicated process has been set up to let employees notify any suspicious events in order for the SOC to promptly respond. A Business Continuity and Disaster Recovery plan together with an Incident Response procedure have been defined to proper guarantee the preservation or, if not possible, the timely recovery of data, services and critical business activities in case of a significant incident or crisis. The plan is yearly updated and tested.
We are able to monitor the threats landscape evolution and trends through our Intelligence service in order to proactively prevent or be ready to react to potential threats.
We carry out internal and external vulnerability assessments every year in order to identify potential vulnerabilities in our systems and we also test the response capacities of our SOC through cyber attack simulations. All customer solutions, including those based on IoT technology, are carefully tested in terms of security.
Focusing on the whole supply chain management, we adopted proper processes and tools for the identification, evaluation and management of the Third Parties Security risk, with a dedicated and strong commitment to secure the transition to and the consumption of cloud services.
We defined and implemented proper procedures to guarantee the protection of company buildings, internal workspaces and employees during business travels as well as to manage all the aspects related to the Corporate Security.
We believe that the human factor is crucial to protecting our information. In fact, we have developed an IT security awareness program for all our employees which consists of various initiatives such as dedicated training courses, videos and ad hoc communications, together with internal campaigns simulating phishing attacks. Awareness-raising events have also been held in both the company sites and the virtual domain with internal challenges designed to increase the engagement of employees and promote best practices in the area of IT security conduct. All of the material is available on the Group portal dedicated to employees. Some episodes are connected with specific information security areas, such as the classification of information, smartphone and tablet security and social engineering.
We have also adopted a Group insurance policy to reduce residual exposure to cyber risk, considered in the Group’s Internal Model for calculating the capital for operational risks.