Information Security
- ISO/IEC 27001 – Information Security
- ISO/IEC 20000 – IT Service Management
- ISO 28000 – Supply chain security
- ISO 22301 – Business Continuity
- EU Regulation 2016/679 (GDPR) and D.Lgs. 196/2003
ISO/IEC 27001 – Information Security
Stored computerized information is estimated to represent 60% of a company’s intellectual capital. It is therefore a company asset whose management becomes strategic for the protection and development of the business. Managing it means ensuring:
- Confidentiality: protect key information from unauthorized access;
- Integrity: safeguard the accuracy and completeness of information;
- Availability: make sure data and information are accessible when required.
THE SET OF ISO/IEC 27000
The 27000 series is intended to regulate the entire area of information security: risk management, metrics and measurement (in particular the effectiveness of the security controls implemented), and implementation methodologies.
The ISO 27000 series is as follows:
- ISO/IEC 27000: Overview and vocabulary
- ISO/IEC 27001: Information security management system – Requirements
- ISO/IEC 27002: Guidelines (code of practice for information security controls)
- ISO/IEC 27003: ISMS implementation guidance
- ISO/IEC 27004: Information security management – Measurement (metrics)
- ISO/IEC 27005: Information security risk management
THE ROLE OF M&IT CONSULTING
The M&IT Consulting program is characterized by strong pragmatism, result orientation and extensive use of supporting technologies, with the goal of making the activities more effective than traditional approaches.
The Information Security Management System Development Advisory Program is carried out in the following steps:
- The first phase of the project is the preliminary analysis (a free check-up at the company), through which M&IT Consulting estimates the gap between the organization’s current processes and the compliance required for certification, and at the same time allows the company to evaluate the professionalism of the M&IT consultants.
The preliminary analysis report makes it possible to tailor the project to the company, providing information on the investment required in terms of cost, time and resources.
- The second phase involves the following activities:
The ISO 27001 setup is consistent with and integrated into the ISO 9001 Quality Management System and Risk Management: process approach, security policy, risk identification, risk analysis, risk assessment and treatment, risk review and reassessment, the PDCA model (PLAN-DO-CHECK-ACT), and the use of procedures and tools such as internal audits, non-conformity handling, corrective and preventive actions, and continuous improvement.
EUROPEAN REGULATION 2016/679 and D. LGS. 196/2003
In Italy, with regard to personal data protection and processing, EU Regulation 2016/679 (GDPR) came into effect, integrated by the Italian Privacy Code (Testo Unico Privacy, D.Lgs. 196/2003).
THE ROLE OF M&IT
- DATA INVENTORY AND CLASSIFICATION
This involves mapping the data present in the company (and therefore processed by it) and classifying it as common data, data concerning high-risk data subjects, and sensitive data. For each family of data identified, the tools used to process it are recorded. In this context, a check is also made for outdated and unused data, i.e. data that the company may not retain beyond a certain period of time.
- NOTIFICATION TO THE DATA PROTECTION AUTHORITY, WHERE REQUIRED
If the company falls into the categories for which notification to the Authority is required and the exemption provided by the Authority’s Deliberation of 7 April 2004 cannot be applied, an electronic signature is obtained and the electronic notification procedure is carried out.
- RISK STRUCTURE ANALYSIS
This involves identifying the internal staff (and, where applicable, external contractors) who process the data, assessing the potential damage and the probability of malicious events, analyzing the security measures already in place, and identifying those still to be implemented.
- DEFINITION OF THE ORGANIZATION CHART AND DRAFTING OF APPOINTMENTS
Drafting of the organizational structure for the processing of data and identification of individual responsibilities. The following documentation is also prepared: privacy notice and consent for processing, letters of appointment of the data processing managers, and letters of assignment for the persons in charge.
- DRAFTING OF THE “PRIVACY OPERATING MANUAL” (optional activity)
The company situation and the organizational procedures that ensure the security of processing are summarized in the “PRIVACY OPERATING MANUAL”.
- DRAFTING OF MANAGEMENT PROCEDURES (optional activity)
The good practices and rules to follow to keep the organization compliant with privacy regulations are summarized in management procedures which, at the same time, meet the need to provide written and detailed instructions to those responsible for processing personal data. In addition, a COMPANY POLICY on the USE of the COMPUTER SYSTEM is prepared for all company staff.
- BRIEFING OF THE PERSONNEL IN CHARGE
All personnel identified as responsible for processing personal data take part in a briefing session, in order to create the conditions for proper data management. Depending on the number of people, this may take the form of a meeting (in which case a homogeneous group is formed and a meeting of about one hour is held).
- TRAINING OF THE PRIVACY OFFICER
The Privacy Officer receives on-the-job training through direct involvement in all assessment and documentation activities.