Information security management system policy
The Company’s Information Assets are the main resource for correctly managing Customer relations, planning the continuous innovation of the offer and guaranteeing the quality of the service offered by LUTECH to its customers; as such, they must be adequately protected with a constant balance between the level of risk accepted and the corresponding level of protection required, correctly combining the need to protect the value of information with the need to ensure efficiency and effectiveness of business processes.
Information Security is achieved by applying the comprehensive set of controls indicated by the UNI CEI ISO/IEC 27001:2017 standard and by continuously and effectively establishing Policies, Processes, Procedures, Organisational Structures and Hardware and Software Functions, together with constant monitoring for continuous improvement. Information is increasingly managed in electronic form and systems are used by a growing number of stakeholders: while this allows better accessibility and availability, it also entails deep and rapid changes in risk scenarios, which require appropriate security measures and tools to keep information secure and to protect it in response to customers' growing demand for security.
In such a context, LUTECH governs the Security of corporate Information Assets in compliance with and on the basis of recognised standards, consolidated methodologies, contractual obligations, Laws and Regulations, and binding requests arising from third-party audits and due diligence operations. Information security, however, is a managerial responsibility, not just a technological matter. On this basis, and given the constant need to seek new market strategies that provide guarantees not only on the quality of the services provided but also on how information about customers, suppliers, other stakeholders and LUTECH's own organisational structure is processed, LUTECH decided to implement an ISMS (Information Security Management System) modelled on the UNI CEI ISO/IEC 27001:2017 standard.
LUTECH’s ISMS currently covers, together with the integrated Quality System pursuant to UNI EN ISO 9001:2015, the activities provided in the field of design, development and delivery of products and consulting in the software/IT field for the management and governance of complex information systems.
In fact, LUTECH intends to achieve and maintain the highest level of requirements in terms of quality and security for the services provided; it aims to protect corporate information assets, including information and data relating to customers and suppliers, against all threats, whether internal or external, intentional or accidental; it also aims to maintain and give evidence of the correctness of negotiations with customers and suppliers, and to show that the services provided do not directly increase risks for customers.
In order to pursue these goals, LUTECH has identified risk assessment methods and management criteria in the documentation of the Information Security Management System, evaluating the economic investments that the implementation and maintenance of the Management System may entail.
Furthermore, in accordance with ISO/IEC 27017:2015 (Guidelines for Cloud Services) and ISO/IEC 27018:2019 (Guidelines for the Protection of Personally Identifiable Information (PII) in the public Cloud), both of which are fully integrated into the corporate ISMS, LUTECH has decided to address the legal obligations applicable to its context with the deliberate support of these standards and for the benefit of all stakeholders, thus facilitating the definition of robust and secure cloud service contracts (cloud services being understood as a “Set of remote technological infrastructures used as a virtual resource for storage and/or processing in the context of a service”, in accordance with AgID circular letters) and improving the transparency and credibility of the services themselves.
Ensuring compliance with data protection principles and increasing customer confidence in cloud computing technologies is a strategic goal for LUTECH. The same commitment specifically concerns the protection of PII (Personally Identifiable Information), namely providing a structured approach, based on privacy by design, to addressing the main legal and contractual issues related to the management of personal data in IT infrastructure distributed according to the public cloud model. This specifically covers the design, development, implementation, monitoring and measurement of privacy policies and privacy controls in cloud computing services.
In the light of the foregoing, LUTECH, in compliance with the mandatory requirements and current legislation on data and information security and related information systems, undertakes to ensure that:
- the information is protected from unauthorised access, including by encrypting data and communications, with due regard for confidentiality, and is available to authorised users when they need it, this being a key aspect of the current ISMS perimeter;
- the information is appropriately classified, since the classification of information is the basic activity to assess risk and therefore the potential damage to the corporate data;
- the information is not disclosed to unauthorised persons as a result of deliberate action or negligence and, with due regard for its integrity, is safeguarded from unauthorised alteration;
- business continuity plans are prepared and these plans are kept up to date and controlled as much as possible;
- staff receive training and refresher courses on information security;
- all breaches of information security and possible weaknesses are reported to the appropriate person and examined.
In implementing the above, a commitment to continuous improvement is maintained at all times and throughout the value chain, both in the management of information and data and in the technological and document infrastructure supporting it.
By implementing this policy, LUTECH intends to meet its commitment to comply with UNI CEI ISO/IEC 27001:2017 and to obtain and maintain this certification. To achieve this objective, the management of LUTECH undertakes to ensure that this policy is disseminated, understood and implemented not only by internal staff, but also by interns, external collaborators, consultants, suppliers under contract, with particular attention to outsourcers who are in any way involved with the information falling within the scope of the Information Security Management System.
Finally, the management of LUTECH undertakes to regularly review the policy and any changes that affect it, to ensure that it remains suitable for the company’s business and ability to satisfy Customers, Suppliers and other stakeholders.