Your browser version is not updated, please update it.

IT security With a view to safeguarding business and achieving strategic and operational objectives, the Group considers it strategically important to guarantee the protection of the information assets of the Company, and of its customers and other stakeholders, and to ensure the security of transactions.

In a global scenario in which technology plays a crucial role in the development and continuity of the company’s business, Poste Italiane believes it is necessary to adopt effective security systems to protect the company’s information assets, avoiding the possibility that its IT infrastructure may be subject to attacks and consequent data breaches. Through its information security systems, the Group ensures the proper functioning and provision of its services and guarantees the confidentiality of data and information, preventing any type of access by unauthorised parties. 
 
With this in mind, the Corporate Affairs - Information Security function carries out monthly assessments of the company’s cyber risk, adopting a methodology that assesses the risk from a purely technological point of view, based on technical security audits carried out on individual applications or groups of applications. In particular, Poste Italiane implements three types of preventive security activities:
  • Vulnerability Assessment is the process of identifying, measuring and prioritising the vulnerabilities of a system. It is performed with special tools twice a year for each application;
  • Code Review (Static and Dynamic) represents the process of checking the source code of an application to verify that the correct security controls are in place and that they are working as intended. By means of special tools, the verification is carried out of both the source code (“Static CR”) and of the code in execution (“Dynamic CR”);
  • Penetration Test is the process of evaluating the security of a system or a network through the simulation of attacks that aim to gain undue access to the system. Being a time-consuming activity, it is performed on a specific perimeter of applications. 
 
Poste Italiane combines these precautions with two other fundamental techniques in order to guarantee effective and efficient management of the Company’s IT risks: patching and hardening; together, these activities are aimed at resolving vulnerabilities while ensuring that operating systems, firmware and software are up to date, only activating the required ports and services and hiding system components that are easy to breach.

In addition, the Group launched a series of additional initiatives during the year:
  • developed a Security Planning, defining and implementing a methodology for planning technical security audits (Penetration Tests, Static and Dynamic Code Review) deriving from regulatory/contractual requirements and from the Security By Design process;
  • extended the scope of Cyber Risk analysis to include BancoPosta, PostePay, PosteVita, Poste Assicura, Poste Welfare Servizi and other compliance/security areas;
  • set up the Information Security Committee - DTO, a periodic working table between the Information Security and Digital, Technology & Operations functions with the aim of jointly planning and directing security activities and identifying areas for improvement. 
  • to ensure better management of the topic, responsibility for the Group’s IT security has been assigned to a Chief Information Security Officer (CISO).
 
In order to ensure business continuity for the management of crises following sector-wide incidents, company-related incidents or extensive catastrophes affecting the Group, Poste Italiane has defined and implemented a business continuity plan based on an appropriate identification of the most critical systems, the potential threats to them and the countermeasures to be adopted. This plan must, therefore, describe the criteria, procedures, technical and organisational measures and instruments adopted for emergency management (Contingency Plan) and for the recovery of the operating conditions prior to a damaging event (Disaster Recovery) in compliance with the Service Level Agreements (SLAs) agreed with internal customers. To ensure its efficacy over time, the business continuity plan is tested and updated periodically (at -35% leaks or data breaches compared to 2020 page 350 least every six months) and against relevant organisational, technological and infrastructural innovations or, in general, in any situation capable of generating new risks.
Poste Italiane’s main projects within this area are “Personal data protection” and “The Computer Emergency Response Team (CERT) and business continuity”, which are detailed below.
 

Personal Data Protection

Poste Italiane is constantly aware of the socio-economic developments of the community it operates in and for this reason has strengthened its data protection regulatory framework, ensuring full compliance with applicable legal provisions. Specifically, in order to fulfil the General Data Protection Regulation (GDPR), the Company has undertaken responsibility of the management review process at Group level, as envisaged by Art. 32. This regulatory system, formed of procedures, guidelines and policies, is also applied to relations with all partners and suppliers, in order to ensure correct risk management in relation to privacy across all Group operations. Failure to comply with the standards defined by the system, leading to violations, may see the disciplinary sanctions being imposed on employees envisaged by the Poste Italiane National Collective Bargaining Agreement, which become gradually more serious based on the severity of the violation (written warning, fine, suspension from service without salary, dismissal without notice, etc.).
In this regard, Poste Italiane has issued a Company Policy on Personal Data Protection and Privacy Guidelines and a Personal Data Protection Management System, introduced with the aim of ensuring uniform data management across the Group. In particular, the Guidelines define the company privacy model and implement the principles of Privacy by Design and Privacy by Default; these principles firstly enforce respect for suitable data protection measures from the very beginning of the design process of products/services and information systems and secondly guarantee compliance with privacy regulations as standard in all data collection and processing procedures. Poste Italiane is furthermore committed to ensuring appropriate data protection risk management, by means of monitoring the main processes within the Poste Italiane Group and their relevant liabilities.
Poste Italiane’s Privacy Framework was established with the aim of guaranteeing compliance with the relevant obligations and striving towards continuous improvement in the management system. The framework defines the scope for intervention of the relevant organisational controls, developed with the aim of guaranteeing continuous monitoring of the achieved progresses. 
sicurezza informatica

The Computer Emergency Response Team (CERT) and business continuity

Poste Italiane established the Computer Emergency Response Team in 2013 with the aim of guaranteeing controls on cyber security and data protection at Group level and proactively tackling cyber crime. The team includes a number of IT security experts that carry out their functions in real time, 24 hours a day, for risk prevention, the management of IT incidents affecting company systems and the development of actions in response to cyber events, thus strengthening the defence capacity of the entire Company. The organisation is part of a wider network of similar departments, at national page 351 and international level, with which it constantly interacts to share information, indicators of compromise and attack models in general. In line with the above, Poste Italiane collaborates with CNAIPIC (National Centre Against Cybercrime for the Protection of Critical Infrastructure) of the Postal Police.

CERT has structured its services in such a way as to ensure the overall protection of Poste Italiane’s business, acting on a number of levels:
  • External perimeter, which prevents attacks by collecting and exchanging information on threats and vulnerabilities that may affect the Group’s services;
  • Internal perimeter, which protects the corporate infrastructure and responds to potential IT events. 
 
Computer Emergency
The Business Control Center and the security agreement with the Postal Police are linked to the attention that Poste reserves for the protection of the security of all its customers and employees, in light of its leading role for the country and in constant synergy with the institutions. One of the main tasks of the structure is to monitor in real time, 24 hours a day, the services provided by Poste Italiane, to protect the security of customers in Post Offices and employees in all workplaces, to combat fraud and cybercrime, and to test the services offered by the Company.
 
 
COVID-19: GESTIONE INTEGRATA E CONTINUITÀ OPERATIVA DELLO SMART WORKING
 
The continuation of the pandemic has made it necessary to carry on focusing on the impacts caused by Covid-19. In keeping with measures implemented during the most acute phases of the pandemic, Poste Italiane has continued to manage IT security aspects linked to Covid-19. Starting with these aspects, drivers were defined that were used to implement the IT Security Strategies. The main adopted drivers are shown below:
 
smart working
In keeping with its launch in 2020, the Group maintained several initiatives aimed at ensuring continuity in its remote working model, also with reference to the interventions and controls put in place by Poste Italiane in terms of monitoring and safety checks. Specifically, the Company conducted:
  • continuous monitoring of the number of VPN connections, type, purpose and security of remote access to the corporate Intranet;
  • monitoring of the level of updating, patching and security of the operating systems used, both for company PCs/laptops and BYOD (Bring Your Own Device);
  • monitoring of third-party access and related security aspects;
  • monitoring of AdS (System Administrators) accesses and related security aspects;
  • verification and eventual blocking of remote connections coming from foreign IP addresses and/or not reliable in terms of security.