
IT security

With a view to safeguarding business and achieving strategic and operational objectives, the Group considers it strategically important to guarantee the protection of the information assets of the Company, and of its customers and other stakeholders, and to ensure the security of transactions.

In a global scenario in which technology plays a crucial role in the development and continuity of the company’s business, Poste Italiane believes it is necessary to adopt effective security systems to protect the company’s information assets, reducing the likelihood that its IT infrastructure is attacked and that data breaches follow. Through its information security systems, the Group ensures the proper functioning and provision of its services and guarantees the confidentiality of data and information, preventing access by unauthorised parties.
With this in mind, the Corporate Affairs - Information Security function carries out monthly assessments of the company’s cyber risk, adopting a methodology that assesses the risk from a purely technological point of view, based on technical security audits carried out on individual applications or groups of applications. In particular, Poste Italiane implements three types of preventive security activities:
  • Vulnerability Assessment is the process of identifying, measuring and prioritising the vulnerabilities of a system. It is performed with dedicated tools twice a year for each application;
  • Code Review (Static and Dynamic) is the process of checking an application to verify that the correct security controls are in place and that they work as intended. Dedicated tools examine both the source code (“Static CR”) and the application while it is running (“Dynamic CR”);
  • Penetration Test is the process of evaluating the security of a system or network by simulating attacks that aim to gain unauthorised access to it. Being a time-consuming activity, it is performed on a defined perimeter of applications.
In addition, the Group launched a series of additional initiatives during the year:
  • developed a Security Planning process, defining and implementing a methodology for scheduling technical security audits (Penetration Tests, Static and Dynamic Code Review) that derive from regulatory/contractual requirements and from the Security By Design process;
  • extended the scope of Cyber Risk analysis to include BancoPosta, PostePay, PosteVita, Poste Assicura, Poste Welfare Servizi and other compliance/security areas;
  • set up the Information Security Committee - DTO, a periodic working table between the Information Security and Digital, Technology & Operations functions with the aim of jointly planning and directing security activities and identifying areas for improvement. 
Poste Italiane’s main projects within this area are “Personal data protection” and “The Computer Emergency Response Team (CERT) and business continuity”, which are detailed below.

Personal data protection

In order to ensure full compliance with the legislation on the protection of personal data and, in particular, with the provisions of the General Data Protection Regulation (GDPR), the Group has strengthened its corporate regulatory system, whose reference point is the Policy on Personal Data Protection together with the Privacy Guidelines and the Personal Data Protection Management System, the latter introduced with the aim of ensuring uniform data management at Group level. In particular, the Guidelines set out the Company’s privacy model and the principles of Privacy by Design and Privacy by Default, under which the Company must ensure adequate protection of personal data from the design stage of products/services and IT systems and must guarantee compliance with privacy legislation by default in its data collection and processing processes. The Guidelines also describe the main processes adopted by the Poste Italiane Group and the related responsibilities, with the aim of ensuring correct management of personal data protection risks.

In order to comply with these obligations and ensure the continuous improvement of the management system, Poste Italiane has defined a Privacy Framework that highlights the main areas of interest on which to focus and the related organisational and technical measures developed, and that provides continuous monitoring of the progress achieved.

The Computer Emergency Response Team (CERT) and business continuity

In order to guarantee Group-wide supervision of cybersecurity and data protection activities, and to actively combat cybercrime, in 2013, Poste Italiane set up an ad hoc organisation called CERT (Computer Emergency Response Team). The team, which includes a number of IT security experts, carries out its functions by operating in real time, 24 hours a day, for risk prevention, the management of IT incidents affecting company systems and the development of actions in response to cyber events, thus strengthening the defence capacity of the entire Group.

In addition, in order to spread a culture of IT security throughout the country, the CERT also runs awareness initiatives, both inside and outside the Company. The organisation is part of a wider network of similar structures, of national and international scope, with which it constantly interacts to share information, indicators of compromise and attack patterns in general. In this context, Poste Italiane collaborates with CNAIPIC (National Centre Against Cybercrime for the Protection of Critical Infrastructure) of the Postal Police.

CERT has structured its services in such a way as to ensure the overall protection of Poste Italiane’s business, acting on a number of levels:
  • External perimeter, which prevents attacks by collecting and exchanging information on threats and vulnerabilities that may affect the Group’s services;
  • Internal perimeter, which protects the corporate infrastructure and responds to potential IT events. 
The Business Control Center and the security agreement with the Postal Police are linked to the attention that Poste reserves for the protection of the security of all its customers and employees, in light of its leading role for the country and in constant synergy with the institutions. One of the main tasks of the structure is to monitor in real time, 24 hours a day, the services provided by Poste Italiane, to protect the security of customers in Post Offices and employees in all workplaces, to combat fraud and cybercrime, and to test the services offered by the Company.
As part of managing the impacts of the emergency context, Poste Italiane took security aspects into consideration from the earliest stages of the pandemic, and these considerations defined the drivers used to implement its IT security strategies.

In this regard, with reference to security monitoring and verification activities, Poste Italiane has implemented a series of measures and interventions to safely manage the Covid-19 emergency, ensuring continuity in its remote working model. Specifically:
  • continuous monitoring of the number of VPN connections, type, purpose and security of remote access to the corporate Intranet;
  • monitoring of the level of updating, patching and security of the operating systems used, both for company PCs/laptops and BYOD (Bring Your Own Device);
  • monitoring of third-party access and related security aspects;
  • monitoring of AdS (System Administrators) accesses and related security aspects;
  • verification and, where necessary, blocking of remote connections originating from foreign IP addresses and/or from sources not considered reliable in terms of security.
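The checks listed above (counting and classifying VPN sessions, flagging unpatched company and BYOD endpoints, isolating third-party and system administrator access, and blocking connections from foreign or untrusted sources) can be expressed as rules run over the session export of a VPN gateway. The script below is an added illustration and is not Poste Italiane’s code: the record format, the field names, the sample sessions, the allowed-country set and the patch-age threshold are all constructed assumptions.

```python
"""Triage of remote-access (VPN) session records against monitoring rules.

Added example, not code from the page or from Poste Italiane. The CSV layout,
the sample sessions, ALLOWED_COUNTRIES and MAX_PATCH_AGE_DAYS are assumptions.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample export, one session per line, in the shape a VPN
# concentrator or SIEM might emit it. The source country is assumed to have
# been resolved by the gateway; account_type is employee / third_party / ads
# (system administrator); device is corporate / byod; patch_age_days is the
# number of days since the endpoint last installed security updates.
SAMPLE_SESSIONS = """\
timestamp,user,src_ip,country,account_type,device,patch_age_days
2020-03-16T08:01:12Z,m.rossi,203.0.113.10,IT,employee,corporate,5
2020-03-16T08:03:44Z,adm.bianchi,203.0.113.11,IT,ads,corporate,2
2020-03-16T08:10:05Z,vendor.acme,198.51.100.7,DE,third_party,byod,61
2020-03-16T08:12:30Z,l.verdi,192.0.2.200,RU,employee,byod,45
2020-03-16T08:15:51Z,g.neri,203.0.113.12,IT,employee,byod,12
"""

ALLOWED_COUNTRIES = {"IT"}   # assumption: remote access is expected only from Italy
MAX_PATCH_AGE_DAYS = 30      # assumption: endpoints unpatched longer than this are flagged


@dataclass(frozen=True)
class Finding:
    user: str
    src_ip: str
    rule: str
    action: str  # "block" (connection should be cut) or "review" (needs human follow-up)


def triage_sessions(export_text: str) -> list[Finding]:
    """Apply the monitoring rules to every session and return the findings."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user, ip = row["user"], row["src_ip"]
        # Connections from outside the allowed countries are candidates for blocking.
        if row["country"] not in ALLOWED_COUNTRIES:
            findings.append(Finding(user, ip, f"source country {row['country']} not allowed", "block"))
        # System administrator (AdS) and third-party sessions are always reviewed.
        if row["account_type"] == "ads":
            findings.append(Finding(user, ip, "system administrator access", "review"))
        elif row["account_type"] == "third_party":
            findings.append(Finding(user, ip, "third-party access", "review"))
        # Patch level applies to company devices and BYOD alike.
        age = int(row["patch_age_days"])
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(Finding(user, ip, f"{row['device']} endpoint unpatched for {age} days", "review"))
    return findings


def count_sessions(export_text: str) -> dict[tuple[str, str], int]:
    """Number of VPN sessions broken down by (account_type, device)."""
    counts: Counter[tuple[str, str]] = Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        counts[(row["account_type"], row["device"])] += 1
    return dict(counts)


def block_list(findings: list[Finding]) -> set[str]:
    """Distinct source IPs whose sessions the rules say should be cut."""
    return {f.src_ip for f in findings if f.action == "block"}


if __name__ == "__main__":
    for key, n in sorted(count_sessions(SAMPLE_SESSIONS).items()):
        print(f"{key[0]:>12} / {key[1]:<9} {n}")
    found = triage_sessions(SAMPLE_SESSIONS)
    for f in found:
        print(f"{f.action:<6} {f.user:<12} {f.src_ip:<14} {f.rule}")
    print("block:", sorted(block_list(found)))
```

The rules are deliberately independent so that one session can raise several findings (a foreign third-party BYOD device here produces a block plus two reviews); an operator sees the full picture rather than only the first matching rule. In practice the allowed-country set would be replaced by a geolocation lookup and the patch age would come from endpoint management, but the triage structure stays the same.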