
IT security

With a view to safeguarding business and achieving strategic and operational objectives, the Group considers it strategically important to guarantee the protection of the information assets of the Company, and of its customers and other stakeholders, and to ensure the security of transactions.

In a global scenario in which technology plays a crucial role in the development and continuity of the company’s business, Poste Italiane believes it is necessary to adopt effective security systems to protect the company’s information assets, avoiding the possibility that its IT infrastructure may be subject to attacks and consequent data breaches. Through its information security systems, the Group ensures the proper functioning and provision of its services and guarantees the confidentiality of data and information, preventing any type of access by unauthorised parties. 
 
With this in mind, the Corporate Affairs - Information Security function carries out monthly assessments of the company’s cyber risk, adopting a methodology that assesses the risk from a purely technological point of view, based on technical security audits carried out on individual applications or groups of applications. In particular, Poste Italiane implements three types of preventive security activities:
  • Vulnerability Assessment is the process of identifying, measuring and prioritising the vulnerabilities of a system. It is performed with dedicated tools twice a year for each application;
  • Code Review (Static and Dynamic) is the process of examining an application's code to verify that the correct security controls are in place and work as intended. Dedicated tools check both the source code ("Static CR") and the application while it is running ("Dynamic CR");
  • Penetration Test is the process of evaluating the security of a system or network by simulating attacks, including those a hacker would carry out, that aim to gain unauthorised access to the system. Being a time-consuming activity, it is performed on a defined perimeter of applications.
Vulnerability Assessment and Penetration Test activities, which likewise simulate hacker attacks, are also conducted as part of the audits carried out for the purpose of obtaining and maintaining ISO 27001 certification.
 
Poste Italiane combines these precautions with two other fundamental techniques in order to guarantee effective and efficient management of the Company's IT risks: patching and hardening. Together, these activities are aimed at resolving vulnerabilities while ensuring that operating systems, firmware and software are up to date, activating only the ports and services that are actually required, and disabling or removing system components that are easy to breach.
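The hardening principle above ("only activating the required ports and services") is easiest to verify by comparing what a host is actually listening on against an explicit allowlist. The following is an added illustrative example, not Poste Italiane's own tooling: it parses the output format of `ss -tulnpH` on Linux, and both the allowlist and the sample `ss` output embedded below are constructed for the demonstration.

```python
"""Hardening check: compare listening sockets against an explicit allowlist.

Added example (not the company's tooling). Parses lines in the shape of
`ss -tulnpH` output; a constructed sample is embedded so it runs offline.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample in the shape of `ss -tulnpH` output (hypothetical host).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=990,fd=5))
tcp   LISTEN 0      128          0.0.0.0:23        0.0.0.0:*    users:(("telnetd",pid=1500,fd=4))
tcp   LISTEN 0      128          0.0.0.0:5432      0.0.0.0:*    users:(("postgres",pid=990,fd=7))
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*    users:(("snmpd",pid=700,fd=8))
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


@dataclass(frozen=True)
class Rule:
    process: str   # process expected to own the socket
    public: bool   # True if it may bind a non-loopback address


# Hypothetical allowlist for the host: (protocol, port) -> expected service.
ALLOWED = {
    ("tcp", 22): Rule(process="sshd", public=True),
    ("tcp", 443): Rule(process="nginx", public=True),
    ("tcp", 5432): Rule(process="postgres", public=False),  # loopback only
}

# Netid State Recv-Q Send-Q Local:Port Peer:Port Process
LINE_RE = re.compile(r"^(\w+)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
PROC_RE = re.compile(r'\("([^"]+)"')


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -tulnpH` text into Listener records; unparseable lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, proc_field = m.groups()
        pm = PROC_RE.search(proc_field)
        # IPv6 addresses appear as "[::]"; strip the brackets for comparison.
        listeners.append(Listener(proto, addr.strip("[]"), int(port), pm.group(1) if pm else "?"))
    return listeners


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "::1"


def audit(listeners: list[Listener], allowed: dict) -> list[tuple[str, int, str]]:
    """Return (proto, port, reason) for every socket that violates the allowlist."""
    findings = []
    for l in listeners:
        rule = allowed.get((l.proto, l.port))
        if rule is None:
            findings.append((l.proto, l.port, f"not in allowlist (owned by {l.process})"))
        elif rule.process != l.process:
            findings.append((l.proto, l.port, f"expected {rule.process}, found {l.process}"))
        elif not rule.public and not is_loopback(l.addr):
            findings.append((l.proto, l.port, f"{l.process} bound to {l.addr}, loopback only"))
    return findings


def live_findings(allowed: dict = ALLOWED) -> list[tuple[str, int, str]]:
    """Run the check against the real host; falls back to the sample if ss is unavailable."""
    try:
        out = subprocess.run(["ss", "-tulnpH"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_SS_OUTPUT
    return audit(parse_ss(out), allowed)


if __name__ == "__main__":
    for proto, port, reason in audit(parse_ss(SAMPLE_SS_OUTPUT), ALLOWED):
        print(f"{proto}/{port}: {reason}")
```

On the constructed sample the audit flags three sockets: telnet on tcp/23 and SNMP on udp/161, which are not in the allowlist at all, and the second PostgreSQL socket, which is bound to 0.0.0.0 although the rule restricts it to loopback. Running `live_findings()` on a real host needs the `ss` binary and enough privilege for the process column to be populated.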

During 2022, the implementation of the new BCM (Business Continuity Management) model in the financial perimeter was started with the definition of the relevant Business Continuity Plan, Business Continuity Risk Analysis and Assessment Methodology.

In addition, the Group launched a series of additional initiatives during the year:
  • developed a Security Planning process, defining and implementing a methodology for planning technical security audits (Penetration Tests, Static and Dynamic Code Review) deriving from regulatory/contractual requirements and from the Security By Design process;
  • extended the scope of Cyber Risk analysis to include BancoPosta, PostePay, PosteVita, Poste Assicura, Poste Welfare Servizi and other compliance/security areas;
  • set up the Information Security Committee - DTO, a periodic working table between the Information Security and Digital, Technology & Operations functions with the aim of jointly planning and directing security activities and identifying areas for improvement;
  • assigned responsibility for the Group's IT security to a Chief Information Security Officer (CISO), to ensure better management of the topic.
 
In order to ensure business continuity in the management of crises following sector-wide incidents, company-related incidents or extensive catastrophes affecting the Group, Poste Italiane has defined and implemented a business continuity plan based on an appropriate identification of the most critical systems, the potential threats to them and the countermeasures to be adopted. This plan must, therefore, describe the criteria, procedures, technical and organisational measures and instruments adopted for emergency management (Contingency Plan) and for the recovery of the operating conditions prior to a damaging event (Disaster Recovery) in compliance with the Service Level Agreements (SLAs) agreed with internal customers. To ensure its efficacy over time, the business continuity plan is tested and updated periodically (at least every six months) and in response to relevant organisational, technological and infrastructural innovations or, in general, in any situation capable of generating new risks.

Leaks or data breaches: -35% compared to 2020.
Poste Italiane’s main projects within this area are “Personal data protection” and “The Computer Emergency Response Team (CERT) and business continuity”, which are detailed below.
 

Personal Data Protection

Poste Italiane is constantly aware of the socio-economic developments of the community it operates in and for this reason has strengthened its data protection regulatory framework, ensuring full compliance with applicable legal provisions. Specifically, in order to fulfil the General Data Protection Regulation (GDPR), the Company has taken on responsibility for the management review process at Group level, as envisaged by Art. 32. This regulatory system, formed of procedures, guidelines and policies, is also applied to relations with all partners and suppliers, in order to ensure correct risk management in relation to privacy across all Group operations. Failure to comply with the standards defined by the system, leading to violations, may result in the disciplinary sanctions envisaged by the Poste Italiane National Collective Bargaining Agreement being imposed on employees; these become progressively more serious based on the severity of the violation (written warning, fine, suspension from service without salary, dismissal without notice, etc.).

In this regard, Poste Italiane has issued a Company Policy on Personal Data Protection and Privacy Guidelines and a Personal Data Protection Management System, introduced with the aim of ensuring uniform data management across the Group. In particular, the Guidelines define the company privacy model and implement the principles of Privacy by Design and Privacy by Default; these principles firstly enforce respect for suitable data protection measures from the very beginning of the design process of products/services and information systems and secondly guarantee compliance with privacy regulations as standard in all data collection and processing procedures.

Furthermore, to ensure the highest standards of personal data protection, the Group conducts annual audits to verify compliance with its privacy policy. Specifically, these audits are conducted both internally, through the Group's own functions, and externally, as part of the audits conducted to obtain and maintain ISO 27001 and ISO 20001 certifications.

Poste Italiane is furthermore committed to ensuring appropriate data protection risk management, by monitoring the main processes within the Poste Italiane Group and the liabilities associated with them.
Poste Italiane's Privacy Framework was established with the aim of guaranteeing compliance with the relevant obligations and driving continuous improvement of the management system. The framework defines the scope of intervention of the relevant organisational controls, developed with the aim of guaranteeing continuous monitoring of the progress achieved.

Poste Italiane identifies for the entire Group the figure of the Data Protection Officer, a privacy expert who assumes responsibility for supervising compliance with the regulations on the protection of personal data by the data controller, as provided for by the GDPR, and who also ensures the drive towards continuous improvement.


The Computer Emergency Response Team (CERT) and business continuity

Poste Italiane established the Computer Emergency Response Team in 2013 with the aim of guaranteeing controls on cyber security and data protection at Group level and proactively tackling cyber crime. The team includes a number of IT security experts who carry out their functions in real time, 24 hours a day, for risk prevention, the management of IT incidents affecting company systems and the development of actions in response to cyber events, thus strengthening the defence capacity of the entire Company. The organisation is part of a wider network of similar teams, at national and international level, with which it constantly interacts to share information, indicators of compromise and attack patterns in general. In line with the above, Poste Italiane collaborates with CNAIPIC (National Centre Against Cybercrime for the Protection of Critical Infrastructure) of the Postal Police.

CERT has structured its services in such a way as to ensure the overall protection of Poste Italiane’s business, acting on a number of levels:
  • External perimeter, which prevents attacks by collecting and exchanging information on threats and vulnerabilities that may affect the Group's services;
  • Internal perimeter, which protects the corporate infrastructure and responds to potential IT events.
 
The Business Control Centre and the security agreement with the Postal Police reflect the attention that Poste reserves for the protection of all its customers and employees, in light of its leading role for the country and in constant synergy with the institutions. One of the main tasks of the structure is to monitor in real time, 24 hours a day, the services provided by Poste Italiane, to protect the security of customers in Post Offices and of employees in all workplaces, to combat fraud and cybercrime, and to test the services offered by the Company.
 
Poste Italiane recorded a 90% reduction in the number of customers involved in IT security breaches compared to 2021. The figure confirms the effectiveness of the activities carried out by the Group's Business Control Centre, the security pact with the Postal Police and further agreements with various institutions and, finally, the prevention actions carried out on a daily basis.