About This Project
We support our clients in protecting their information assets and in defining their service continuity strategies.
We have built up extensive expertise across the various areas of cyber security and can offer strategic support in defining, designing and implementing the processes, structures and systems needed to improve the security posture of our partners.
We accompany our clients throughout the definition and application of an Information Security Management System, in line with the ISO/IEC 27001 standard, through continual management of the processes and controls required to guarantee the security of information while ensuring the confidentiality, integrity and availability of information assets. The methodology ICTC offers pursues a long-term strategy that can adapt both to changes within the company's internal organisation and to changes arising from the surrounding environment, following a "Plan-Do-Check-Act" approach of continuous improvement.
We accompany our clients towards the organisation of a "Privacy System" that is suited to their situation and maintainable over time, applying the requirements laid down in the new GDPR (General Data Protection Regulation, EU Regulation 2016/679) and in Italian Legislative Decree D.Lgs. 196/2003. The approach adopted by ICTC implements the Privacy by Design standard and recognises the importance of integrating data protection and other privacy considerations into the operations of the organisation.
We can guide our clients in defining and designing Disaster Recovery and Business Continuity solutions, thanks to our experience in developing processes and architectural frameworks that maximise the resilience of the services offered.
We currently support our Italian and international partners with the following services:
- Assessment of security and related company processes.
- Privacy impact assessment and compliance with the GDPR (General Data Protection Regulation).
- Design of Business Continuity processes.
Assessment of security and related company processes
Main activities undertaken:
- Analysis of the ecosystem subject to the assessment, identifying the information assets and the architectural framework and mapping the relations between processes, roles and responsibilities.
- Identification of the scenarios to which risk analysis applies, and subsequent formalisation of the security requirements and constraints.
- Design of the Information Security Management System in line with the ISO/IEC 27001 standard and with the relevant market best practice.
- Penetration Testing and Vulnerability Assessment, analysing the relevant vulnerabilities, the threats and the impact of a successful attack, then evaluating the risks to the security of the information assets and the connected processes.
- Definition of the Remediation plan, selecting the portfolio of interventions that achieves the risk profile deemed most acceptable, considering both technological interventions and those based on human resources (for the support processes), with the twin objectives of minimising risk (both preventively and reactively) and containing costs.
- Remediation verification, through a further Penetration Test, to check the state of the countermeasures adopted and evaluate the residual risk.
- Auditing activities, including internal audits and support during the visit of the certification body.
- Governance activities, defining and running the processes for governing the infrastructure, building the system's documentation and planning periodic checks on the suitability, effectiveness and currency of policies, infrastructures and processes with respect to legislation and to any changes in the organisation.
Privacy impact assessment and compliance with GDPR regulations
Main activities undertaken:
- Gap analysis, assessing the current state of GDPR compliance and then identifying and evaluating the technological and organisational interventions required to guarantee full compliance with the law.
- Risk analysis, built on the evidence gathered during the gap analysis and aimed at defining a sustainable intervention plan that takes into account both the costs of the adjustments and the expected benefits. The risk level is determined by carrying out DPIA (Data Protection Impact Assessment) activities, analysing the security level of the ICT assets used to process critical data, and evaluating the suitability of the security measures adopted while checking their correct implementation. These evaluations allow us to identify adaptation priorities and reduce the risk of data breaches.
- Application of the rights laid down by the regulation, with a specific focus on how the company manages consent to the use of personal data, and on defining the interventions required to guarantee data subjects all the rights laid down in the GDPR (the right to erasure, or "right to be forgotten", the right of access, the right to rectification and the right to restriction of processing).
- Analysis of data processing, identifying the personal data managed, the purposes of the processing, the processes involved and the ICT assets used to process such data. These activities enable the Register of Data Processing and the inventory of ICT resources to be updated.
- Accountability, arranging for the designation of Processors, Sub-Processors and System Administrators, drawing up or reviewing the information notices and consent forms, and delivering training courses for staff.
- Implementation, by filing the Data Protection Impact Assessment in accordance with the accountability principle and defining the plan for implementing the technical and organisational measures identified in the gap analysis.
- Auditing activities, carrying out periodic audits of the processes managed by the client or entrusted to an external party, assisting during the visit of the certification body and delivering training courses for managers and staff.
- Governance activities, defining and running the processes for governing the organisation, updating the documentation and supporting the maintenance of the system as it adjusts to regulatory and organisational changes and to changes in the company's objectives.
Design of Business Continuity and Disaster Recovery processes
Main activities undertaken:
- Support for identifying the infrastructures and assets critical to the organisation, in order to single out the elements, flows and data to protect or restore in the event of a fault or temporary unavailability.
- Identification of the financial, operational and legal impacts of a potential fault or temporary unavailability of the critical infrastructures and assets, and subsequent definition of a plan to mitigate the risk.
- Support for defining an appropriate recovery strategy by assigning priority levels to the critical infrastructures and assets and evaluating the cost/benefit trade-offs of asset protection.
- Mapping of the internal and external dependencies involved in protecting critical assets, infrastructures and data, so that the appropriate parties can be engaged during fault management activities.
- Definition of the fault management processes to trigger when a crisis situation becomes evident.
- Support for redesigning infrastructural models so that they support Business Continuity and Disaster Recovery standards at the architectural level.