Quality and Information Security Policy

Information security objectives

Management defines and periodically reviews the information security objectives, consistent with this policy and the context of the organisation. The objectives are measurable, communicated to the relevant functions and updated during the management review. They include, but are not limited to:

• Reducing the number and impact of security incidents
• Maintaining the service availability levels agreed with clients (SLAs)
• Continuous alignment with applicable regulatory and contractual requirements
• Improving staff awareness of information security
• Reducing incident detection and response times (MTTD/MTTR)

Integrated cybersecurity

The QISMS adopts an integrated cybersecurity approach, focused on preventive protection, timely threat detection and coordinated incident response. The organisation applies principles such as access control, logical segmentation, continuous monitoring, digital risk management and the adoption of resilient architectures across the entire value chain.

Scope of application

The system applies to the delivery of cloud IT services, the ongoing management of clients' IT infrastructure and the provision of internet services, in accordance with stakeholder expectations and in compliance with applicable regulations. Management is committed to demonstrating its ability to provide secure and reliable services, minimising the risk of information loss or unavailability, ensuring operational planning and the continuity of the services provided. Risk analysis is carried out systematically, with periodic updates that take into account emerging threats and technical or organisational vulnerabilities.

Regulatory compliance

Compliance with applicable laws, contractual requirements and corporate procedures is an integral part of the system, as is the promotion of QISMS awareness among strategic suppliers involved in critical processes. The QISMS conforms to the controls set out in ISO/IEC 27001, ISO/IEC 27017 for cloud services and ISO/IEC 27018 for the protection of personal data in cloud environments, as well as Regulation (EU) 2016/679 (GDPR), insofar as the organisation acts as a Data Processor.

The organisation also operates in accordance with the requirements of Directive (EU) 2022/2555 (NIS2) and the provisions of the Italian National Cybersecurity Agency (ACN), as a qualified provider of cloud services for the Public Administration. The controls implemented take into account incident notification requirements, risk management and security governance as set out in the European regulatory framework.

Cloud service security

Business continuity

The organisation plans and maintains business continuity processes proportionate to the criticality of the services provided. Business continuity and disaster recovery plans are defined, documented, periodically tested and updated in line with the evolution of the infrastructure, services and threat landscape. The objective is to ensure service restoration within agreed timeframes (RTO) and with data loss contained within established limits (RPO).

Supply chain security

The organisation assesses and manages risks arising from the supply chain, with particular attention to suppliers that process client information or provide critical infrastructure components. Security requirements are defined contractually and compliance is verified through monitoring activities and periodic reviews, in accordance with control A.5.21 of ISO/IEC 27001:2022.

Artificial intelligence

The organisation is continuously committed to evaluating and, where appropriate, introducing artificial intelligence-based solutions, with the aim of enhancing threat detection capabilities, automating incident response and enabling predictive analysis, in compliance with the principles of transparency, proportionality and the protection of data subjects' rights.

Responsibility and continuous improvement

All parties involved, including external partners, are required to report any events that may compromise information security. This policy is communicated to all staff and made available to relevant interested parties. Management assumes full responsibility for the effectiveness of the QISMS and is committed to ensuring its implementation, continuous improvement and periodic review.