Integrated risk management and data protection: case study
Bologna, 11 May 2017
Ing. Paolo Levizzani (Acantho)
AGENDA
Acantho: who we are and what we do
ENISA: Framework
AgID: Minimum measures for public administrations
ISO: standard 27001
ACANTHO: OUR SERVICES
Internet access
Voice (call management)
IP PBX
VDC and VDS
VPN
Optical fibre
xDSL
Dark fibre
Internet peering
ACANTHO NETWORK
ACANTHO DATACENTER
Housing / Hosting
Backup / Disaster Recovery
SaaS / Cloud
Video streaming
Security
ENISA: FRAMEWORK FOR IMPLEMENTATION
ENISA: FRAMEWORK FOR IMPLEMENTATION
D1: Governance and risk management
SO 1: Information security policy
SO 2: Governance and risk management
SO 3: Security roles and responsibilities
SO 4: Security of third party assets
D2: Human resources security
SO 5: Background checks
SO 6: Security knowledge and training
SO 7: Personnel changes
SO 8: Handling violations
D3: Security of systems and facilities
SO 9: Physical and environmental security
SO 10: Security of supplies
SO 11: Access control to network and information systems
SO 12: Integrity of network and information systems
D4: Operations management
SO 13: Operational procedures
SO 14: Change management
SO 15: Asset management
D5: Incident management
SO 16: Incident management procedures
SO 17: Incident detection capability
SO 18: Incident reporting and communication
D6: Business continuity management
SO 19: Service continuity strategy and contingency plans
SO 20: Disaster recovery capabilities
D7: Monitoring, auditing and testing
SO 21: Monitoring and logging policies
SO 22: Exercise contingency plans
SO 23: Network and information systems testing
SO 24: Security assessments
SO 25: Compliance monitoring
AgID: Minimum ICT security measures for public administrations
ISO: Standard 27001
GAP ANALYSIS
A.7 Human resources security
A.7.1 Prior to employment
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
A.7.1.1 Screening
Control: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations, and ethics, and shall be proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.
A.7.1.2 Terms and conditions of employment
Control: The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security.
A.7.2 During employment
Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.
A.7.2.1 Management responsibilities
Control: Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.
A.7.2.2 Information security awareness, education, and training
Control: All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant to their job function.
A.7.2.3 Disciplinary process
Control: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
A.7.3 Termination and change of employment
Objective: To protect the organization's interests as part of the process of changing or terminating employment.
A.7.3.1 Termination or change of employment responsibilities
Control: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor, and enforced.
GAP ANALYSIS: 360° approach
RISK ANALYSIS: RESULTS AND ASSESSMENTS
Contacts
Thank you for your attention!
Ing. Paolo Levizzani
paolo.levizzani@acantho.com