Through a process that involves in-depth analysis of the threats to which companies are exposed, the evaluation of the security measures (technical and organizational) adopted, the identification of the corrective actions necessary to mitigate any risks and the carrying out of Audits to verify the security of business processes, Sernet SpA supports Companies in the process of adapting to the rules, regulations and Best Practices in the field of information security and personal data protection, supporting them, step by step, until the management system certification is obtained.

The Business Unit’s goal is to ensure the implementation of efficient and secure ICT processes in the Company, in line with the most relevant International Standards and business needs, consistent with the risk assessments carried out and in compliance with current regulations.

The services offered by Sernet SpA in ICT Security include:

• Risk Assessment: analysis of the risks to which the Company is exposed, using as reference the main information security and personal data protection Standards (e.g. ISO 27001, ISO 27701, etc.), with a focus on the main aspects of Cyber-Security;
• Security Advisory: specialist support on the various issues of information security and corporate Assets, especially during projects to digitize Business processes – which, if not properly managed, can introduce new elements of risk for Business security – and for the implementation of monitoring systems for security events (e.g. SOC);
• Cloud Security: the spread of Cloud Computing requires specific security measures for the companies who use it. SERNET helps companies to ensure compliance with specific standards (e.g. ISO 27017, ISO 27018, etc.), preparing them for periodic surveillance visits;
• Certifiable Management Systems: implementation of management systems according to the International Standards mentioned above (e.g. ISO 27001, ISO 27701, ISO 22301, etc.) and support for the Company in carrying out all the activities necessary for their certification against these standards;
• Cyber-Security Act Compliance: adapting Business processes to newly introduced rules (e.g. EU Regulation no. 881/2019, known as the ‘Cyber-Security Act’) and possibly certification, once the relevant scheme is available.
In addition to the listed services, SERNET’s ICT Security Business Unit addresses Business Continuity through a structured approach that improves the performance of the organization by limiting losses, meeting the requirements imposed by business needs and regulatory and contractual obligations, protecting the solidity of the Company and substantially improving its image towards customers in terms of reliability.

This approach, which is based on the ISO 22301 International Standard (the international standard for Business Continuity Management, which defines the requirements necessary to plan and implement a management system to handle destabilizing events for an organization), consists of the following main activities:

• Context analysis: identification of the subjects who have legitimate expectations of continuity towards the Company, and identification of the regulatory and contractual constraints to which the Company is subject;
• Identification of critical processes and services: identification, with the involvement of the organization and management members, of the business-critical processes and services, which need to be analyzed in order to identify appropriate strategies to ensure their business continuity, consistent with the business objectives;
• Impact analysis: definition of the risk scenarios from which the Company intends to protect itself, of the potential impacts on the identified critical processes and services should such scenarios occur, of the recovery objectives (e.g. RTO, RPO, MTPD, MBCO, etc.) and of the resources needed for the restart;
• Risk analysis: conducting targeted risk analysis in order to identify any critical issues related to the resources required to deliver critical processes (offices, human resources, IT systems and Outsourcing services), and to assess the adequacy of the Company’s Business Continuity measures;
• Strategies and solutions: definition of strategies and solutions to restore business-critical processes, for each of the risk scenarios considered;
• Business Continuity Plan: development of the Business Continuity Plan (BCP), to provide personnel with the information necessary to respond to a possible disaster and restore critical processes or services within defined times, minimizing the impact on the business;
• Disaster Recovery Plan: development of a Disaster Recovery Plan (DRP) including the technological, logistic and organizational measures to restore systems, data and infrastructure;
• Training and testing: training of organization members (including Partners and Suppliers, if necessary), testing and periodic updating of the business plans.

SERNET’s offering extends to support in the certification process according to the International Standard ISO 22301, which sets the requirements for the company’s business continuity management system, helping to protect against and reduce the likelihood of incidents and to ensure the recovery of critical processes and services in adverse conditions.