27001 INFORMATION SECURITY MANAGEMENT SYSTEM CERTIFICATION

The security of information (held on computer media, on paper and the like) is increasingly important in a world where it flows across internal and external media.

Information must therefore be managed and protected so that it is secure, is used correctly and cannot cause harm to any party.

A way to organize, manage and monitor information with reasonable assurance is to implement a management system compliant with the standard UNI CEI EN ISO/IEC 27001 – Information technology – Security techniques – Information security management systems – Requirements.

A piece of information follows a path: it comes into being, is recorded on a medium (file, document, photograph, film, audio and the like), is made available to interested parties (legitimate or not), is transmitted, shared, received and used, and so on until it becomes obsolete and is finally destroyed or deleted. The information security system must therefore be implemented along this whole path.

Information security is therefore not only an IT activity (reserved for specialists) but an organizational system in which all stakeholders, not only insiders, play a part in managing security.

An organizational and managerial approach is therefore needed, alongside the contribution of the IT specialist (who provides the hardware and software means).

Anyone, through their actions, can damage information or make it insecure. Information security therefore does not only concern companies operating in the IT sector strictly speaking, but every organization that handles information; in other words, all organizations.

The firm proposes the implementation of an information security system along the following lines:

  1. Asset inventory:
    • the process of formalizing information: creation, processing, storage, transmission, protection, destruction, etc.;
    • intangible assets: processing, communication, monitoring and control software, etc.;
    • tangible assets: hardware, storage media, communication and archive equipment and the like;
  2. Definition of context:
    • matrix of information types in relation to assets;
    • matrix of primary assets in relation to tangible and intangible assets;
    • matrix of assets in relation to the controls in Annex A of the standard (from A.5 Information security policies to A.18 Compliance);
    • evaluation of the context for internal and external factors;
  3. Risk assessment and definition of mitigation actions:
    • by hazard, through a matrix for tangible and intangible assets: associated hazards (loss of confidentiality, integrity or availability of information, loss of information security and other) and the resulting mitigation actions to be put in place (management activities, control activities, inspections and other);
    • by type of damage in relation to the consequent threats: type of risk (acceptable, deliberate, environmental and other) and the resulting mitigation actions to be implemented (management, control, audit and other);
    • by type of vulnerability and possible threat: magnitude of the risk and the resulting mitigation actions (management, control, verification and other);
    • by type of threat in relation to assets (tangible and intangible): associated threat sources (hackers and cyber pirates, cybercriminals, terrorists, industrial espionage (intelligence services, corporations, foreign governments, other government interests), insiders (poorly trained, disgruntled, malicious, negligent, dishonest or dismissed employees)), extent of the risk and the resulting mitigation actions (management, control, audit and other);
    • extrapolation of the actions to be taken for management, control, verification and other activities;
  4. Implementation of management activities and operational control with regard to:
    • management and control of intangible assets (licences, passwords, firewalls, internet, mail, cell phones, backups, data loggers and similar, server configuration, data backup, management programs, calculation programs, Windows, Office and similar);
    • management of physical assets (physical environments, servers and NAS, transmission network, switches, internet communication system);
    • management of contracts with service companies in the IT and communications sector;
    • management of communications with operators, also taking into account Annex A of the standard:
      • direct: internal staff and external operators acting on behalf of the organization;
      • indirect: customers, suppliers, visitors;
    • activation and management of Business Continuity and Disaster Recovery;
    • management of telework and of the use of IT devices (laptops, cell phones, tablets and similar);
    • integration of the GDPR with regard to privacy aspects following the implementation of the management system;
  5. Management of resources:
    • material: maintenance of premises and media, networks, machinery and equipment;
    • human resources: organization chart, profiles, appointments, training planning, training and information, etc.;
  6. System management: non-compliant situations, complaints, inspections, standards and laws, corrective actions (including preventive and improvement actions), management review meetings, management of relations with the certification body;
  7. Assistance with certification activities: request for quotations, evaluation and support in choosing the certification body, organization of audit activities, etc.;
  8. Maintenance of the management system: inspections, support for corrective actions, relations with the certification body, management review meetings and the like;
  9. Training and information activities.

The firm offers consultancy for the full path or for individual activities.

Contact us at +39 0425/410697 and/or send an email to info@studiogallian.net.